mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-12 13:27:23 +00:00
Merge pull request #5019 from MicrosoftDocs/master
Publish 4/6/2021 10:30 AM PT
commit
05d7ad507e
@ -1,8 +1,8 @@
|
||||
---
|
||||
---
|
||||
title: Manage connections from Windows 10 operating system components to Microsoft services
|
||||
description: Learn how to minimize connections from Windows to Microsoft services, and configure particular privacy settings related to these connections.
|
||||
ms.assetid: ACCEB0DD-BC6F-41B1-B359-140B242183D9
|
||||
ms.reviewer:
|
||||
ms.reviewer:
|
||||
keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: manage
|
||||
@ -19,30 +19,30 @@ ms.date: 12/1/2020
|
||||
|
||||
# Manage connections from Windows 10 operating system components to Microsoft services
|
||||
|
||||
**Applies to**
|
||||
**Applies to**
|
||||
|
||||
- Windows 10 Enterprise, version 1607 and newer
|
||||
- Windows Server 2016
|
||||
- Windows Server 2019
|
||||
|
||||
This article describes the network connections that Windows 10 components make to Microsoft and the Windows Settings, Group Policies and registry settings available to IT Professionals to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a number of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience.
|
||||
This article describes the network connections that Windows 10 components make to Microsoft and the Windows Settings, Group Policies and registry settings available to IT Professionals to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a number of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience.
|
||||
|
||||
Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887) package that will allow your organization to quickly configure the settings covered in this document to restrict connections from Windows 10 to Microsoft. The Windows Restricted Traffic Limited Baseline is based on [Group Policy Administrative Template](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) functionality and the package you download contains further instructions on how to deploy to devices in your organization. Since some of the settings can reduce the functionality and security configuration of your device, **before deploying Windows Restricted Traffic Limited Functionality Baseline** make sure you **choose the right settings configuration for your environment** and **ensure that Windows and Windows Defender are fully up to date**. Failure to do so may result in errors or unexpected behavior. You should not extract this package to the windows\system32 folder because it will not apply correctly.
|
||||
|
||||
>[!IMPORTANT]
|
||||
> [!IMPORTANT]
|
||||
> - The downloadable Windows 10, version 1903 scripts/settings can be used on Windows 10, version 1909 devices.
|
||||
> - The Allowed Traffic endpoints are listed here: [Allowed Traffic](#bkmk-allowedtraffic)
|
||||
> - CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign.
|
||||
> - For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device. Examples of settings that can lead to a less secure device configuration include: Windows Update, Automatic Root Certificates Update, and Windows Defender. Accordingly, we do not recommend disabling any of these features.
|
||||
> - It is recommended that you restart a device after making configuration changes to it.
|
||||
> - It is recommended that you restart a device after making configuration changes to it.
|
||||
> - The **Get Help** and **Give us Feedback** links no longer work after the Windows Restricted Traffic Limited Functionality Baseline is applied.
|
||||
|
||||
> [!Warning]
|
||||
> [!Warning]
|
||||
> - If a user executes the **Reset this PC** command (Settings -> Update & Security -> Recovery) with the **Keep my files option** (or the **Remove Everything** option) the Windows Restricted Traffic Limited Functionality Baseline settings will need to be re-applied in order to re-restrict the device. Egress traffic may occur prior to the re-application of the Restricted Traffic Limited Functionality Baseline settings.
|
||||
> - To restrict a device effectively (first time or subsequently), it is recommended to apply the Restricted Traffic Limited Functionality Baseline settings package in offline mode.
|
||||
> - To restrict a device effectively (first time or subsequently), it is recommended to apply the Restricted Traffic Limited Functionality Baseline settings package in offline mode.
|
||||
> - During update or upgrade of Windows, egress traffic may occur.
|
||||
|
||||
To use Microsoft Intune cloud based device management for restricting traffic please refer to the [Manage connections from Windows 10 operating system components to Microsoft services using Microsoft Intune MDM Server](./manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm.md)
|
||||
To use Microsoft Intune cloud-based device management for restricting traffic please refer to the [Manage connections from Windows 10 operating system components to Microsoft services using Microsoft Intune MDM Server](./manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm.md).
|
||||
|
||||
We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting **telmhelp**@**microsoft.com**.
|
||||
|
||||
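Review bot: the `> [!Warning]` marker in this hunk stays mixed-case while the `> [!IMPORTANT]` marker above it is upper-case, and this change is otherwise normalizing callout syntax; use `> [!WARNING]` so both callouts follow one convention. In the first warning bullet, the bold span `**Keep my files option**` swallows the word "option" while `**Remove Everything** option` does not; move "option" outside the bold. The Intune sentence gained its hyphen and period but still reads "please refer to the [link]" with no noun after the link; "refer to [link]" would read cleanly.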
@ -55,8 +55,8 @@ The following sections list the components that make network connections to Micr
|
||||
The following table lists management options for each setting, beginning with Windows 10 Enterprise version 1607.
|
||||
|
||||
|
||||
| Setting | UI | Group Policy | Registry |
|
||||
| - | :-: | :-: | :-: |
|
||||
| Setting | UI | Group Policy | Registry |
|
||||
| - | :-: | :-: | :-: |
|
||||
| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | |  |  |
|
||||
| [2. Cortana and Search](#bkmk-cortana) | |  |  |
|
||||
| [3. Date & Time](#bkmk-datetime) |  |  |  |
|
||||
@ -73,41 +73,41 @@ The following table lists management options for each setting, beginning with Wi
|
||||
| [14. Network Connection Status Indicator](#bkmk-ncsi) | |  |  |
|
||||
| [15. Offline maps](#bkmk-offlinemaps) |  |  |  |
|
||||
| [16. OneDrive](#bkmk-onedrive) | |  |  |
|
||||
| [17. Preinstalled apps](#bkmk-preinstalledapps) |  | | |
|
||||
| [18. Settings > Privacy](#bkmk-settingssection) | | | |
|
||||
| [17. Preinstalled apps](#bkmk-preinstalledapps) |  | | |
|
||||
| [18. Settings > Privacy](#bkmk-settingssection) | | | |
|
||||
| [18.1 General](#bkmk-general) |  |  |  |
|
||||
| [18.2 Location](#bkmk-priv-location) |  |  |  |
|
||||
| [18.3 Camera](#bkmk-priv-camera) |  |  |  |
|
||||
| [18.4 Microphone](#bkmk-priv-microphone) |  |  |  |
|
||||
| [18.5 Notifications](#bkmk-priv-notifications) |  |  | |
|
||||
| [18.6 Speech](#bkmk-priv-speech) |  |  |  |
|
||||
| [18.7 Account info](#bkmk-priv-accounts) |  |  |  |
|
||||
| [18.8 Contacts](#bkmk-priv-contacts) |  |  |  |
|
||||
| [18.9 Calendar](#bkmk-priv-calendar) |  |  |  |
|
||||
| [18.2 Location](#bkmk-priv-location) |  |  |  |
|
||||
| [18.3 Camera](#bkmk-priv-camera) |  |  |  |
|
||||
| [18.4 Microphone](#bkmk-priv-microphone) |  |  |  |
|
||||
| [18.5 Notifications](#bkmk-priv-notifications) |  |  | |
|
||||
| [18.6 Speech](#bkmk-priv-speech) |  |  |  |
|
||||
| [18.7 Account info](#bkmk-priv-accounts) |  |  |  |
|
||||
| [18.8 Contacts](#bkmk-priv-contacts) |  |  |  |
|
||||
| [18.9 Calendar](#bkmk-priv-calendar) |  |  |  |
|
||||
| [18.10 Call history](#bkmk-priv-callhistory) |  |  |  |
|
||||
| [18.11 Email](#bkmk-priv-email) |  |  |  |
|
||||
| [18.12 Messaging](#bkmk-priv-messaging) |  |  |  |
|
||||
| [18.13 Phone calls](#bkmk-priv-phone-calls) |  |  |  |
|
||||
| [18.14 Radios](#bkmk-priv-radios) |  |  |  |
|
||||
| [18.15 Other devices](#bkmk-priv-other-devices) |  |  |  |
|
||||
| [18.16 Feedback & diagnostics](#bkmk-priv-feedback) |  |  |  |
|
||||
| [18.17 Background apps](#bkmk-priv-background) |  |  |  |
|
||||
| [18.18 Motion](#bkmk-priv-motion) |  |  |  |
|
||||
| [18.19 Tasks](#bkmk-priv-tasks) |  |  |  |
|
||||
| [18.20 App Diagnostics](#bkmk-priv-diag) |  |  |  |
|
||||
| [18.21 Inking & Typing](#bkmk-priv-ink) |  | |  |
|
||||
| [18.11 Email](#bkmk-priv-email) |  |  |  |
|
||||
| [18.12 Messaging](#bkmk-priv-messaging) |  |  |  |
|
||||
| [18.13 Phone calls](#bkmk-priv-phone-calls) |  |  |  |
|
||||
| [18.14 Radios](#bkmk-priv-radios) |  |  |  |
|
||||
| [18.15 Other devices](#bkmk-priv-other-devices) |  |  |  |
|
||||
| [18.16 Feedback & diagnostics](#bkmk-priv-feedback) |  |  |  |
|
||||
| [18.17 Background apps](#bkmk-priv-background) |  |  |  |
|
||||
| [18.18 Motion](#bkmk-priv-motion) |  |  |  |
|
||||
| [18.19 Tasks](#bkmk-priv-tasks) |  |  |  |
|
||||
| [18.20 App Diagnostics](#bkmk-priv-diag) |  |  |  |
|
||||
| [18.21 Inking & Typing](#bkmk-priv-ink) |  | |  |
|
||||
| [18.22 Activity History](#bkmk-act-history) |  | |  |
|
||||
| [18.23 Voice Activation](#bkmk-voice-act) |  | |  |
|
||||
| [19. Software Protection Platform](#bkmk-spp) | |  |  |
|
||||
| [19. Software Protection Platform](#bkmk-spp) | |  |  |
|
||||
| [20. Storage Health](#bkmk-storage-health) | |  |  |
|
||||
| [21. Sync your settings](#bkmk-syncsettings) |  |  |  |
|
||||
| [21. Sync your settings](#bkmk-syncsettings) |  |  |  |
|
||||
| [22. Teredo](#bkmk-teredo) | |  |  |
|
||||
| [23. Wi-Fi Sense](#bkmk-wifisense) |  |  |  |
|
||||
| [24. Windows Defender](#bkmk-defender) | |  |  |
|
||||
| [25. Windows Spotlight](#bkmk-spotlight) |  |  |  |
|
||||
| [23. Wi-Fi Sense](#bkmk-wifisense) |  |  |  |
|
||||
| [24. Windows Defender](#bkmk-defender) | |  |  |
|
||||
| [25. Windows Spotlight](#bkmk-spotlight) |  |  |  |
|
||||
| [26. Microsoft Store](#bkmk-windowsstore) | |  |  |
|
||||
| [27. Apps for websites](#bkmk-apps-for-websites) | |  |  |
|
||||
| [28. Delivery Optimization](#bkmk-updates) |  |  |  |
|
||||
| [28. Delivery Optimization](#bkmk-updates) |  |  |  |
|
||||
| [29. Windows Update](#bkmk-wu) | |  |  |
|
||||
|
||||
|
||||
@ -115,8 +115,8 @@ The following table lists management options for each setting, beginning with Wi
|
||||
|
||||
See the following table for a summary of the management settings for Windows Server 2016 with Desktop Experience.
|
||||
|
||||
| Setting | UI | Group Policy | Registry |
|
||||
| - | :-: | :-: | :-: |
|
||||
| Setting | UI | Group Policy | Registry |
|
||||
| - | :-: | :-: | :-: |
|
||||
| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | |  |  |
|
||||
| [2. Cortana and Search](#bkmk-cortana) | |  |  |
|
||||
| [3. Date & Time](#bkmk-datetime) |  |  |  |
|
||||
@ -140,8 +140,8 @@ See the following table for a summary of the management settings for Windows Ser
|
||||
|
||||
See the following table for a summary of the management settings for Windows Server 2016 Server Core.
|
||||
|
||||
| Setting | Group Policy | Registry |
|
||||
| - | :-: | :-: |
|
||||
| Setting | Group Policy | Registry |
|
||||
| - | :-: | :-: |
|
||||
| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) |  |  |
|
||||
| [3. Date & Time](#bkmk-datetime) |  |  |
|
||||
| [6. Font streaming](#font-streaming) |  |  |
|
||||
@ -156,7 +156,7 @@ See the following table for a summary of the management settings for Windows Ser
|
||||
See the following table for a summary of the management settings for Windows Server 2016 Nano Server.
|
||||
|
||||
| Setting | Registry |
|
||||
| - | :-: |
|
||||
| - | :-: |
|
||||
| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) |  |
|
||||
| [3. Date & Time](#bkmk-datetime) |  |
|
||||
| [22. Teredo](#bkmk-teredo) |  |
|
||||
@ -166,7 +166,7 @@ See the following table for a summary of the management settings for Windows Ser
|
||||
|
||||
See the following table for a summary of the management settings for Windows Server 2019.
|
||||
|
||||
| Setting | UI | Group Policy | Registry |
|
||||
| Setting | UI | Group Policy | Registry |
|
||||
| - | :-: | :-: | :-: |
|
||||
| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | |  |  |
|
||||
| [2. Cortana and Search](#bkmk-cortana) | |  |  |
|
||||
@ -188,33 +188,33 @@ See the following table for a summary of the management settings for Windows Ser
|
||||
| [18.1 General](#bkmk-general) |  |  |  |
|
||||
| [18.2 Location](#bkmk-priv-location) |  |  |  |
|
||||
| [18.3 Camera](#bkmk-priv-camera) |  |  |  |
|
||||
| [18.4 Microphone](#bkmk-priv-microphone) |  |  |  |
|
||||
| [18.5 Notifications](#bkmk-priv-notifications) |  |  | |
|
||||
| [18.6 Speech](#bkmk-priv-speech) |  |  |  |
|
||||
| [18.7 Account info](#bkmk-priv-accounts) |  |  |  |
|
||||
| [18.4 Microphone](#bkmk-priv-microphone) |  |  |  |
|
||||
| [18.5 Notifications](#bkmk-priv-notifications) |  |  | |
|
||||
| [18.6 Speech](#bkmk-priv-speech) |  |  |  |
|
||||
| [18.7 Account info](#bkmk-priv-accounts) |  |  |  |
|
||||
| [18.8 Contacts](#bkmk-priv-contacts) |  |  |  |
|
||||
| [18.9 Calendar](#bkmk-priv-calendar) |  |  |  |
|
||||
| [18.9 Calendar](#bkmk-priv-calendar) |  |  |  |
|
||||
| [18.10 Call history](#bkmk-priv-callhistory) |  |  |  |
|
||||
| [18.11 Email](#bkmk-priv-email) |  |  |  |
|
||||
| [18.12 Messaging](#bkmk-priv-messaging) |  |  |  |
|
||||
| [18.13 Phone calls](#bkmk-priv-phone-calls) |  |  |  |
|
||||
| [18.14 Radios](#bkmk-priv-radios) |  |  |  |
|
||||
| [18.15 Other devices](#bkmk-priv-other-devices) |  |  |  |
|
||||
| [18.16 Feedback & diagnostics](#bkmk-priv-feedback) |  |  |  |
|
||||
| [18.11 Email](#bkmk-priv-email) |  |  |  |
|
||||
| [18.12 Messaging](#bkmk-priv-messaging) |  |  |  |
|
||||
| [18.13 Phone calls](#bkmk-priv-phone-calls) |  |  |  |
|
||||
| [18.14 Radios](#bkmk-priv-radios) |  |  |  |
|
||||
| [18.15 Other devices](#bkmk-priv-other-devices) |  |  |  |
|
||||
| [18.16 Feedback & diagnostics](#bkmk-priv-feedback) |  |  |  |
|
||||
| [18.17 Background apps](#bkmk-priv-background) |  |  |  |
|
||||
| [18.18 Motion](#bkmk-priv-motion) |  |  |  |
|
||||
| [18.19 Tasks](#bkmk-priv-tasks) |  |  |  |
|
||||
| [18.20 App Diagnostics](#bkmk-priv-diag) |  |  |  |
|
||||
| [18.21 Inking & Typing](#bkmk-priv-ink) |  | |  |
|
||||
| [18.18 Motion](#bkmk-priv-motion) |  |  |  |
|
||||
| [18.19 Tasks](#bkmk-priv-tasks) |  |  |  |
|
||||
| [18.20 App Diagnostics](#bkmk-priv-diag) |  |  |  |
|
||||
| [18.21 Inking & Typing](#bkmk-priv-ink) |  | |  |
|
||||
| [18.22 Activity History](#bkmk-act-history) |  | |  |
|
||||
| [18.23 Voice Activation](#bkmk-voice-act) |  | |  |
|
||||
| [19. Software Protection Platform](#bkmk-spp) | |  |  |
|
||||
| [19. Software Protection Platform](#bkmk-spp) | |  |  |
|
||||
| [20. Storage Health](#bkmk-storage-health) | |  |  |
|
||||
| [21. Sync your settings](#bkmk-syncsettings) |  |  |  |
|
||||
| [22. Teredo](#bkmk-teredo) | |  |  |
|
||||
| [23. Wi-Fi Sense](#bkmk-wifisense) |  |  |  |
|
||||
| [24. Windows Defender](#bkmk-defender) | |  |  |
|
||||
| [25. Windows Spotlight](#bkmk-spotlight) |  |  |  |
|
||||
| [25. Windows Spotlight](#bkmk-spotlight) |  |  |  |
|
||||
| [26. Microsoft Store](#bkmk-windowsstore) | |  |  |
|
||||
| [27. Apps for websites](#bkmk-apps-for-websites) | |  | |
|
||||
| [28. Delivery Optimization](#bkmk-updates) |  |  |  |
|
||||
@ -260,8 +260,8 @@ On Windows Server 2016 Nano Server:
|
||||
|
||||
- Create the registry path **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\AuthRoot** and then add a REG_DWORD registry setting, named **DisableRootAutoUpdate**, with a value of 1.
|
||||
|
||||
>[!NOTE]
|
||||
>CRL and OCSP network traffic is currently Allowed Traffic and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of them, but there are many others, such as DigiCert, Thawte, Google, Symantec, and VeriSign.
|
||||
> [!NOTE]
|
||||
> CRL and OCSP network traffic is currently Allowed Traffic and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of them, but there are many others, such as DigiCert, Thawte, Google, Symantec, and VeriSign.
|
||||
|
||||
### <a href="" id="bkmk-cortana"></a>2. Cortana and Search
|
||||
|
||||
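Review bot: the Nano Server bullet at the top of this hunk tells the reader to set **DisableRootAutoUpdate** to 1 with no caveat, while the IMPORTANT block near the top of the article lists Automatic Root Certificates Update among the features it does not recommend disabling. A one-line pointer to that caveat next to the registry instruction would keep the two in step. The reformatted NOTE also repeats the CRL/OCSP bullet from that block with different wording ("is currently Allowed Traffic" here, "cannot be disabled" there); settle on one wording so readers do not take them as two different statements.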
@ -288,36 +288,36 @@ You can also apply the Group Policies using the following registry keys:
|
||||
| Don't search the web or display web results in Search| HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search<br/>REG_DWORD: ConnectedSearchUseWeb <br/>Value: 0 |
|
||||
|
||||
|
||||
>[!IMPORTANT]
|
||||
> [!IMPORTANT]
|
||||
> Using the Group Policy editor these steps are required for all supported versions of Windows 10, however they are not required for devices running Windows 10, version 1607 or Windows Server 2016.
|
||||
|
||||
1. Expand **Computer Configuration** > **Windows Settings** > **Security Settings** > **Windows Defender Firewall with Advanced Security** > **Windows Defender Firewall with Advanced Security - <LDAP name>**, and then click **Outbound Rules**.
|
||||
1. Expand **Computer Configuration** > **Windows Settings** > **Security Settings** > **Windows Defender Firewall with Advanced Security** > **Windows Defender Firewall with Advanced Security - <LDAP name>**, and then click **Outbound Rules**.
|
||||
|
||||
2. Right-click **Outbound Rules**, and then click **New Rule**. The **New Outbound Rule Wizard** starts.
|
||||
2. Right-click **Outbound Rules**, and then click **New Rule**. The **New Outbound Rule Wizard** starts.
|
||||
|
||||
3. On the **Rule Type** page, click **Program**, and then click **Next**.
|
||||
3. On the **Rule Type** page, click **Program**, and then click **Next**.
|
||||
|
||||
4. On the **Program** page, click **This program path**, type **%windir%\\systemapps\\Microsoft.Windows.Cortana\_cw5n1h2txyewy\\SearchUI.exe**, and then click **Next**.
|
||||
4. On the **Program** page, click **This program path**, type **%windir%\\systemapps\\Microsoft.Windows.Cortana\_cw5n1h2txyewy\\SearchUI.exe**, and then click **Next**.
|
||||
|
||||
5. On the **Action** page, click **Block the connection**, and then click **Next**.
|
||||
5. On the **Action** page, click **Block the connection**, and then click **Next**.
|
||||
|
||||
6. On the **Profile** page, ensure that the **Domain**, **Private**, and **Public** check boxes are selected, and then click **Next**.
|
||||
6. On the **Profile** page, ensure that the **Domain**, **Private**, and **Public** check boxes are selected, and then click **Next**.
|
||||
|
||||
7. On the **Name** page, type a name for the rule, such as **Cortana firewall configuration**, and then click **Finish.**
|
||||
7. On the **Name** page, type a name for the rule, such as **Cortana firewall configuration**, and then click **Finish.**
|
||||
|
||||
8. Right-click the new rule, click **Properties**, and then click **Protocols and Ports**.
|
||||
8. Right-click the new rule, click **Properties**, and then click **Protocols and Ports**.
|
||||
|
||||
9. Configure the **Protocols and Ports** page with the following info, and then click **OK**.
|
||||
9. Configure the **Protocols and Ports** page with the following info, and then click **OK**.
|
||||
|
||||
- For **Protocol type**, choose **TCP**.
|
||||
- For **Protocol type**, choose **TCP**.
|
||||
|
||||
- For **Local port**, choose **All Ports**.
|
||||
- For **Local port**, choose **All Ports**.
|
||||
|
||||
- For **Remote port**, choose **All ports**.
|
||||
- For **Remote port**, choose **All ports**.
|
||||
|
||||
-or-
|
||||
|
||||
- Create a new REG_SZ registry setting named **{0DE40C8E-C126-4A27-9371-A27DAB1039F7}** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\FirewallRules** and set it to a value of **v2.25|Action=Block|Active=TRUE|Dir=Out|Protocol=6|App=%windir%\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\searchUI.exe|Name=Block outbound Cortana|**
|
||||
- Create a new REG_SZ registry setting named **{0DE40C8E-C126-4A27-9371-A27DAB1039F7}** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\FirewallRules** and set it to a value of **v2.25|Action=Block|Active=TRUE|Dir=Out|Protocol=6|App=%windir%\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\searchUI.exe|Name=Block outbound Cortana|**
|
||||
|
||||
If your organization tests network traffic, do not use a network proxy as Windows Firewall does not block proxy traffic. Instead, use a network traffic analyzer. Based on your needs, there are many network traffic analyzers available at no cost.
|
||||
|
||||
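Review bot: step 4 and the registry alternative describe the same rule but disagree in detail, and this whitespace-only pass leaves that in place. Step 4 types the path as `%windir%\\systemapps\\...\\SearchUI.exe` while the REG_SZ value uses `%windir%\\SystemApps\\...\\searchUI.exe`, and the wizard names the rule **Cortana firewall configuration** while the registry value carries `Name=Block outbound Cortana`; use one spelling and one rule name so an auditor comparing a GUI-built rule against a registry-built one sees a match. Smaller points in the same steps: **All Ports** versus **All ports** in the step 9 sub-bullets, the period inside the bold in `**Finish.**`, and the IMPORTANT sentence joins two clauses with ", however" and would read better split in two.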
@ -338,7 +338,7 @@ After that, configure the following:
|
||||
|
||||
-or-
|
||||
|
||||
- Create a new REG_DWORD registry setting named **Enabled** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\W32time\\TimeProviders\\NtpClient** and set it to **0 (zero)**.
|
||||
- Create a new REG_DWORD registry setting named **Enabled** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\W32time\\TimeProviders\\NtpClient** and set it to **0 (zero)**.
|
||||
|
||||
|
||||
### <a href="" id="bkmk-devinst"></a>4. Device metadata retrieval
|
||||
@ -412,10 +412,10 @@ To turn off Insider Preview builds for Windows 10:
|
||||
- Create a new REG_DWORD registry setting named **AllowBuildPreview** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\PreviewBuilds** with a **value of 0 (zero)**
|
||||
|
||||
|
||||
|
||||
### <a href="" id="bkmk-ie"></a>8. Internet Explorer
|
||||
|
||||
> [!NOTE]
|
||||
>When attempting to use Internet Explorer on any edition of Windows Server be aware there are restrictions enforced by [Enhanced Security Configuration (ESC)](https://support.microsoft.com/help/815141/ie-enhanced-security-configuration-changes-browsing-experience). The following Group Policies and Registry Keys are for user interactive scenarios rather than the typical idle traffic scenario. Find the Internet Explorer Group Policy objects under **Computer Configuration > Administrative Templates > Windows Components > Internet Explorer** and make these settings:
|
||||
> When attempting to use Internet Explorer on any edition of Windows Server be aware there are restrictions enforced by [Enhanced Security Configuration (ESC)](https://support.microsoft.com/help/815141/ie-enhanced-security-configuration-changes-browsing-experience). The following Group Policies and Registry Keys are for user interactive scenarios rather than the typical idle traffic scenario. Find the Internet Explorer Group Policy objects under **Computer Configuration > Administrative Templates > Windows Components > Internet Explorer** and make these settings:
|
||||
|
||||
| Policy | Description |
|
||||
|------------------------------------------------------|-----------------------------------------------------------------------------------------------------|
|
||||
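Review bot: in the Internet Explorer NOTE, the sentence "Find the Internet Explorer Group Policy objects under ... and make these settings:" sits inside the callout, so the lead-in for the policy table that follows is rendered as part of the note. Since this line is being touched anyway, end the note after the sentence about user interactive scenarios and move the "Find the ... Group Policy objects" sentence to a normal paragraph directly above the table. The **AllowBuildPreview** bullet at the top of the hunk also ends without a period, unlike the other registry bullets.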
@ -458,11 +458,11 @@ To turn off the home page:
|
||||
|
||||
-or-
|
||||
|
||||
- Create a new REG_SZ registry setting named **Start Page** in **HKEY_Current_User\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Main** with a **about:blank**
|
||||
- Create a new REG_SZ registry setting named **Start Page** in **HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Main** with a **about:blank**
|
||||
|
||||
-and -
|
||||
|
||||
- Create a new REG_DWORD registry setting named **HomePage** in **HKEY_Current_User\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Control Panel** with a **1 (one)**
|
||||
- Create a new REG_DWORD registry setting named **HomePage** in **HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Control Panel** with a **1 (one)**
|
||||
|
||||
|
||||
To configure the First Run Wizard:
|
||||
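Review bot: the corrected lines fix the hive casing to `HKEY_CURRENT_USER` but keep the broken phrasing "with a **about:blank**" and "with a **1 (one)**", where the noun is missing; other bullets on this page say "with a **value of 1 (one)**". Suggest "with a value of **about:blank**" and "with a **value of 1 (one)**". The separator `-and -` in this hunk also has a stray space compared with the `-or-` and `-and-` separators used elsewhere.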
@ -471,7 +471,7 @@ To configure the First Run Wizard:
|
||||
|
||||
-or-
|
||||
|
||||
- Create a new REG_DWORD registry setting named **DisableFirstRunCustomize** in **HKEY_Current_User\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Main** with a **1 (one)**
|
||||
- Create a new REG_DWORD registry setting named **DisableFirstRunCustomize** in **HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Main** with a **1 (one)**
|
||||
|
||||
|
||||
To configure the behavior for a new tab:
|
||||
@ -480,7 +480,7 @@ To configure the behavior for a new tab:
|
||||
|
||||
-or-
|
||||
|
||||
- Create a new REG_DWORD registry setting named **NewTabPageShow** in **HKEY_Current_User\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\TabbedBrowsing** with a **0 (zero)**
|
||||
- Create a new REG_DWORD registry setting named **NewTabPageShow** in **HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\TabbedBrowsing** with a **0 (zero)**
|
||||
|
||||
|
||||
### <a href="" id="bkmk-ie-activex"></a>8.1 ActiveX control blocking
|
||||
@ -489,11 +489,11 @@ ActiveX control blocking periodically downloads a new list of out-of-date Active
|
||||
|
||||
You can turn this off by:
|
||||
|
||||
- **Enable** the Group Policy: **User Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Security Features** > **Add-on Management** > **Turn off Automatic download of the ActiveX VersionList**
|
||||
- **Enable** the Group Policy: **User Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Security Features** > **Add-on Management** > **Turn off Automatic download of the ActiveX VersionList**
|
||||
|
||||
-or-
|
||||
|
||||
- Changing the REG_DWORD registry setting **HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\VersionManager\\DownloadVersionList** to **0 (zero)**.
|
||||
- Changing the REG_DWORD registry setting **HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\VersionManager\\DownloadVersionList** to **0 (zero)**.
|
||||
|
||||
For more info, see [Out-of-date ActiveX control blocking](/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking).
|
||||
|
||||
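Review bot: the two bullets under "You can turn this off by:" are not parallel: the first is an imperative ("**Enable** the Group Policy ...") and the second a gerund ("Changing the REG_DWORD ..."); reword the lead-in or the bullets so they read the same way. The registry bullet also points at `HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\VersionManager`, a per-user path outside the `Policies` subtree that most other registry alternatives on this page use; if that is intended, a short remark that this is a per-user preference rather than a policy key would help administrators who expect it to be enforced like the Group Policy option.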
@ -501,19 +501,19 @@ For more info, see [Out-of-date ActiveX control blocking](/internet-explorer/ie1
|
||||
|
||||
You can turn off License Manager related traffic by setting the following registry entry:
|
||||
|
||||
- Add a REG_DWORD value named **Start** to **HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LicenseManager** and set the **value to 4**
|
||||
- Add a REG_DWORD value named **Start** to **HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LicenseManager** and set the **value to 4**
|
||||
|
||||
- The value 4 is to disable the service. Here are the available options to set the registry:
|
||||
- The value 4 is to disable the service. Here are the available options to set the registry:
|
||||
|
||||
- **0x00000000** = Boot
|
||||
- **0x00000000** = Boot
|
||||
|
||||
- **0x00000001** = System
|
||||
- **0x00000001** = System
|
||||
|
||||
- **0x00000002** = Automatic
|
||||
- **0x00000002** = Automatic
|
||||
|
||||
- **0x00000003** = Manual
|
||||
- **0x00000003** = Manual
|
||||
|
||||
- **0x00000004** = Disabled
|
||||
- **0x00000004** = Disabled
|
||||
|
||||
### <a href="" id="live-tiles"></a>10. Live Tiles
|
||||
|
||||
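Review bot: the list introduced by "Here are the available options to set the registry:" offers **0x00000000** = Boot and **0x00000001** = System as options for the LicenseManager service, but those two start types apply to driver services, not to a service like this one; either drop them or state that only Automatic, Manual and Disabled are meaningful here. The instruction gives the value as decimal ("set the **value to 4**") while the list uses hex (`0x00000004`); use one notation, and reword "The value 4 is to disable the service" to something like "A value of 4 disables the service."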
@ -523,7 +523,7 @@ To turn off Live Tiles:
|
||||
|
||||
-or-
|
||||
|
||||
- Create a REG_DWORD registry setting named **NoCloudApplicationNotification** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\PushNotifications** with a **value of 1 (one)**
|
||||
- Create a REG_DWORD registry setting named **NoCloudApplicationNotification** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\PushNotifications** with a **value of 1 (one)**
|
||||
|
||||
In Windows 10 Mobile, you must also unpin all tiles that are pinned to Start.
|
||||
|
||||
@ -567,8 +567,8 @@ Find the Microsoft Edge Group Policy objects under **Computer Configuration** &g
|
||||
| Configure Do Not Track | Choose whether employees can send Do Not Track headers.<br /> **Set to Enabled** |
|
||||
| Configure Password Manager | Choose whether employees can save passwords locally on their devices. <br /> **Set to Disabled** |
|
||||
| Configure search suggestions in Address Bar | Choose whether the Address Bar shows search suggestions. <br /> **Set to Disabled** |
|
||||
| Configure Windows Defender SmartScreen (Windows 10, version 1703) | Choose whether Windows Defender SmartScreen is turned on or off. <br /> **Set to Disabled** |
|
||||
| Allow web content on New Tab page | Choose whether a new tab page appears. <br /> **Set to Disabled** |
|
||||
| Configure Windows Defender SmartScreen (Windows 10, version 1703) | Choose whether Windows Defender SmartScreen is turned on or off. <br /> **Set to Disabled** |
|
||||
| Allow web content on New Tab page | Choose whether a new tab page appears. <br /> **Set to Disabled** |
|
||||
| Configure Start pages | Choose the Start page for domain-joined devices. <br /> **Enabled** and **Set this to <<about:blank>>** |
|
||||
| Prevent the First Run webpage from opening on Microsoft Edge | Choose whether employees see the First Run webpage. <br /> **Set to: Enable** |
|
||||
| Allow Microsoft Compatibility List | Choose whether to use the Microsoft Compatibility List in Microsoft Edge. <br /> **Set to: Disabled** |
|
||||
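Review bot: the SmartScreen row sets Windows Defender SmartScreen to **Disabled** with no caveat, while the IMPORTANT block at the top of the article warns that some settings result in a less secure device; this row deserves a pointer to that warning since it turns off a protective feature. The "Set to" phrasing in the neighbouring rows is also inconsistent (`**Set to Disabled**`, `**Set to: Enable**`, `**Set to: Disabled**`, and `**Enabled** and **Set this to <<about:blank>>**`); pick one form, and use "Enabled" rather than "Enable" for the First Run row.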
@ -644,11 +644,11 @@ To turn off OneDrive in your organization:
|
||||
|
||||
-and-
|
||||
|
||||
- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **OneDrive** > **Prevent OneDrive from generating network traffic until the user signs in to OneDrive (Enable)**
|
||||
- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **OneDrive** > **Prevent OneDrive from generating network traffic until the user signs in to OneDrive (Enable)**
|
||||
|
||||
-or-
|
||||
|
||||
- Create a REG_DWORD registry setting named **PreventNetworkTrafficPreUserSignIn** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OneDrive** with a **value of 1 (one)**
|
||||
- Create a REG_DWORD registry setting named **PreventNetworkTrafficPreUserSignIn** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OneDrive** with a **value of 1 (one)**
|
||||
|
||||
|
||||
### <a href="" id="bkmk-preinstalledapps"></a>17. Preinstalled apps
|
||||
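Review bot: On the OneDrive Group Policy bullet, the bolded policy name ends in "(Enable)" even though the sentence already opens with **Enable**. If the suffix is not part of the policy's displayed name, drop it so the bold text matches what an administrator sees in the policy editor. The registry bullet for **PreventNetworkTrafficPreUserSignIn** also ends without a period, unlike most "value of N" bullets elsewhere in this change.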
@ -660,9 +660,9 @@ To remove the News app:
|
||||
- Right-click the app in Start, and then click **Uninstall**.
|
||||
|
||||
-or-
|
||||
>[!IMPORTANT]
|
||||
> [!IMPORTANT]
|
||||
> If you have any issues with these commands, restart the system and try the scripts again.
|
||||
>
|
||||
|
||||
- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingNews"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
|
||||
|
||||
-and-
|
||||
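Review bot: In the provisioned-package command, `-Like "Microsoft.BingNews"` has no wildcard, so it behaves as an exact match, while the `PackageName` of a provisioned package normally carries version and publisher suffixes after the app name. As written, the filter can match nothing and the removal silently does no work. Suggest `-Like "Microsoft.BingNews*"` or filtering on `DisplayName` instead. The sentence also says "From an elevated command prompt" and then names a Windows PowerShell command, and the IMPORTANT note calls them "scripts"; pick one term.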
@ -933,7 +933,7 @@ To turn off **Location for this device**:
|
||||
- Click the **Change** button in the UI.
|
||||
|
||||
-or-
|
||||
|
||||
|
||||
- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Location and Sensors** > **Turn off location**.
|
||||
|
||||
-or-
|
||||
@ -943,7 +943,7 @@ To turn off **Location for this device**:
|
||||
To turn off **Allow apps to access your location**:
|
||||
|
||||
- Turn off the feature in the UI.
|
||||
|
||||
|
||||
-or-
|
||||
|
||||
- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access location** and set the **Select a setting** box to **Force Deny**.
|
||||
@ -952,7 +952,7 @@ To turn off **Allow apps to access your location**:
|
||||
|
||||
- Create a REG_DWORD registry setting named **LetAppsAccessLocation** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a **value of 2 (two)**.
|
||||
|
||||
|
||||
|
||||
To turn off **Location history**:
|
||||
|
||||
- Erase the history using the **Clear** button in the UI.
|
||||
@ -1035,15 +1035,15 @@ To turn off **Let apps access my notifications**:
|
||||
|
||||
### <a href="" id="bkmk-priv-speech"></a>18.6 Speech
|
||||
|
||||
In the **Speech** area, you can configure the functionality as such:
|
||||
In the **Speech** area, you can configure the functionality as such:
|
||||
|
||||
To turn off dictation of your voice, speaking to Cortana and other apps, and to prevent sending your voice input to Microsoft Speech services:
|
||||
|
||||
- Toggle the Settings -> Privacy -> Speech -> **Online speech recognition** switch to **Off**
|
||||
- Toggle the Settings -> Privacy -> Speech -> **Online speech recognition** switch to **Off**
|
||||
|
||||
-or-
|
||||
|
||||
- **Disable** the Group Policy: **Computer Configuration > Administrative Templates > Control Panel > Regional and Language Options > Allow users to enable online speech recognition services**
|
||||
- **Disable** the Group Policy: **Computer Configuration > Administrative Templates > Control Panel > Regional and Language Options > Allow users to enable online speech recognition services**
|
||||
|
||||
-or-
|
||||
|
||||
@ -1052,12 +1052,11 @@ To turn off dictation of your voice, speaking to Cortana and other apps, and to
|
||||
|
||||
If you're running at Windows 10, version 1703 up to and including Windows 10, version 1803, you can turn off updates to the speech recognition and speech synthesis models:
|
||||
|
||||
- **Disable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Speech** > **Allow automatic update of Speech Data**
|
||||
- **Disable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Speech** > **Allow automatic update of Speech Data**
|
||||
|
||||
-or-
|
||||
|
||||
- Create a REG_DWORD registry setting named **AllowSpeechModelUpdate** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Speech** with a **value of 0 (zero)**
|
||||
|
||||
- Create a REG_DWORD registry setting named **AllowSpeechModelUpdate** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Speech** with a **value of 0 (zero)**
|
||||
|
||||
|
||||
### <a href="" id="bkmk-priv-accounts"></a>18.7 Account info
|
||||
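Review bot: The context sentence "If you're running at Windows 10, version 1703 up to and including Windows 10, version 1803" has a stray "at". Since the hunk already rewrites the two bullets below it for whitespace, fix the sentence in the same pass: "If you're running Windows 10, version 1703 up to and including version 1803".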
@ -1076,8 +1075,7 @@ To turn off **Let apps access my name, picture, and other account info**:
|
||||
|
||||
-or-
|
||||
|
||||
- Create a REG_DWORD registry setting named **LetAppsAccessAccountInfo** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
|
||||
|
||||
- Create a REG_DWORD registry setting named **LetAppsAccessAccountInfo** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\AppPrivacy** with a **value of 2 (two)**.
|
||||
|
||||
|
||||
To turn off **Choose the apps that can access your account info**:
|
||||
@ -1112,7 +1110,7 @@ To turn off **Let apps access my calendar**:
|
||||
|
||||
-or-
|
||||
|
||||
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the calendar**. Set the **Select a setting** box to **Force Deny**.
|
||||
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the calendar**. Set the **Select a setting** box to **Force Deny**.
|
||||
|
||||
-or-
|
||||
|
||||
@ -1180,15 +1178,15 @@ To turn off **Choose apps that can read or send messages**:
|
||||
|
||||
- Turn off the feature in the UI for each app.
|
||||
|
||||
**To turn off Message Sync**
|
||||
**To turn off Message Sync**
|
||||
|
||||
- Create a REG_DWORD registry setting named **AllowMessageSync** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Messaging** and set the **value to 0 (zero)**.
|
||||
|
||||
- Create a REG_DWORD registry setting named **AllowMessageSync** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Messaging** and set the **value to 0 (zero)**.
|
||||
|
||||
-or-
|
||||
|
||||
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Messaging**
|
||||
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Messaging**
|
||||
|
||||
- Set the **Allow Message Service Cloud Sync** to **Disable**.
|
||||
- Set the **Allow Message Service Cloud Sync** to **Disable**.
|
||||
|
||||
### <a href="" id="bkmk-priv-phone-calls"></a>18.13 Phone calls
|
||||
|
||||
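Review bot: In the Message Sync block, the Group Policy alternative is split across two bullets: the path stops at **Messaging** and the setting name **Allow Message Service Cloud Sync** only appears on the next line, with the state written as "Disable". Other entries in this file put the policy name at the end of the path and use **Disable** as the leading verb. Fold these into one bullet in that form so the instruction cannot be read as two separate steps.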
@ -1238,7 +1236,7 @@ In the **Other Devices** area, you can choose whether devices that aren't paired
|
||||
|
||||
To turn off **Let apps automatically share and sync info with wireless devices that don't explicitly pair with your PC, tablet, or phone**:
|
||||
|
||||
- Turn off the feature in the UI by going to Settings > Privacy > Other devices > "Communicate with unpaired devices. Let apps automatically share and sync info with wireless devices that don't explicitly pair with your PC, tablet, or phone" and **Turn it OFF**.
|
||||
- Turn off the feature in the UI by going to Settings > Privacy > Other devices > "Communicate with unpaired devices. Let apps automatically share and sync info with wireless devices that don't explicitly pair with your PC, tablet, or phone" and **Turn it OFF**.
|
||||
|
||||
-or-
|
||||
|
||||
@ -1263,7 +1261,7 @@ To turn off **Let your apps use your trusted devices (hardware you've already co
|
||||
|
||||
### <a href="" id="bkmk-priv-feedback"></a>18.16 Feedback & diagnostics
|
||||
|
||||
In the **Feedback & Diagnostics** area, you can choose how often you're asked for feedback and how much diagnostic and usage information is sent to Microsoft. If you're looking for content on what each diagnostic data level means and how to configure it in your organization, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md).
|
||||
In the **Feedback & Diagnostics** area, you can choose how often you're asked for feedback and how much diagnostic and usage information is sent to Microsoft. If you're looking for content on what each diagnostic data level means and how to configure it in your organization, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md).
|
||||
|
||||
To change how frequently **Windows should ask for my feedback**:
|
||||
|
||||
@ -1314,7 +1312,7 @@ To change the level of diagnostic and usage data sent when you **Send your devic
|
||||
|
||||
> [!NOTE]
|
||||
> If the **Security** option is configured by using Group Policy or the Registry, the value will not be reflected in the UI. The **Security** option is only available in Windows 10 Enterprise edition.
|
||||
|
||||
|
||||
|
||||
To turn off tailored experiences with relevant tips and recommendations by using your diagnostics data:
|
||||
|
||||
@ -1334,7 +1332,7 @@ To turn off tailored experiences with relevant tips and recommendations by using
|
||||
|
||||
-or-
|
||||
|
||||
- Create a REG_DWORD registry setting named **DisableTailoredExperiencesWithDiagnosticData** in **HKEY_Current_User\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent** with a value of **1**
|
||||
- Create a REG_DWORD registry setting named **DisableTailoredExperiencesWithDiagnosticData** in **HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent** with a **value of 1 (one)**
|
||||
|
||||
|
||||
### <a href="" id="bkmk-priv-background"></a>18.17 Background apps
|
||||
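Review bot: The corrected **DisableTailoredExperiencesWithDiagnosticData** line now names HKEY_CURRENT_USER, which makes it a per-user value, but the bullet does not say so. Add a short remark that it has to be set for each user account (or deployed through a user-scoped mechanism), because most neighbouring registry bullets are under HKEY_LOCAL_MACHINE and readers will assume machine scope.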
@ -1388,7 +1386,7 @@ To turn this off:
|
||||
|
||||
-or-
|
||||
|
||||
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access Tasks**. Set the **Select a setting** box to **Force Deny**.
|
||||
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access Tasks**. Set the **Select a setting** box to **Force Deny**.
|
||||
|
||||
-or-
|
||||
|
||||
@ -1414,50 +1412,50 @@ To turn this off:
|
||||
|
||||
### <a href="" id="bkmk-priv-ink"></a>18.21 Inking & Typing
|
||||
|
||||
In the **Inking & Typing** area you can configure the functionality as such:
|
||||
In the **Inking & Typing** area you can configure the functionality as such:
|
||||
|
||||
To turn off Inking & Typing data collection:
|
||||
|
||||
- In the UI go to **Settings -> Privacy -> Diagnostics & Feedback -> Improve inking and typing** and turn it to **Off**
|
||||
- In the UI go to **Settings -> Privacy -> Diagnostics & Feedback -> Improve inking and typing** and turn it to **Off**
|
||||
|
||||
-OR-
|
||||
|
||||
|
||||
**Disable** the Group Policy: **Computer Configuration > Administrative Templates > Windows Components > Text Input > Improve inking and typing recognition**
|
||||
|
||||
|
||||
-and-
|
||||
|
||||
|
||||
**Disable** the Group Policy: **User Configuration > Administrative Templates > Control Panel > Regional and Language Options > Handwriting personalization > Turn off automatic learning**
|
||||
|
||||
|
||||
-OR-
|
||||
|
||||
- Set **RestrictImplicitTextCollection** registry REG_DWORD setting in **HKEY_CURRENT_USER\Software\Microsoft\InputPersonalization** to a **value of 1 (one)**
|
||||
|
||||
-and-
|
||||
|
||||
|
||||
- Set **RestrictImplicitInkCollection** registry REG_DWORD setting in **HKEY_CURRENT_USER\Software\Microsoft\InputPersonalization** to a **value of 1 (one)**
|
||||
|
||||
|
||||
### <a href="" id="bkmk-act-history"></a>18.22 Activity History
|
||||
In the **Activity History** area, you can choose turn Off tracking of your Activity History.
|
||||
In the **Activity History** area, you can choose turn Off tracking of your Activity History.
|
||||
|
||||
To turn this Off in the UI:
|
||||
|
||||
- Turn **Off** the feature in the UI by going to Settings -> Privacy -> Activity History and **un-checking** the **Store my activity history on this device** AND **unchecking** the **Send my activity History to Microsoft** checkboxes
|
||||
- Turn **Off** the feature in the UI by going to Settings -> Privacy -> Activity History and **un-checking** the **Store my activity history on this device** AND **unchecking** the **Send my activity History to Microsoft** checkboxes
|
||||
|
||||
-OR-
|
||||
|
||||
- **Disable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **OS Policies** named **Enables Activity Feed**
|
||||
- **Disable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **OS Policies** named **Enables Activity Feed**
|
||||
|
||||
-and-
|
||||
|
||||
- **Disable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **OS Policies** named **Allow publishing of User Activities**
|
||||
- **Disable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **OS Policies** named **Allow publishing of User Activities**
|
||||
|
||||
-and-
|
||||
|
||||
- **Disable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **OS Policies** > named **Allow upload of User Activities**
|
||||
- **Disable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **OS Policies** > named **Allow upload of User Activities**
|
||||
|
||||
-OR-
|
||||
|
||||
|
||||
- Create a REG_DWORD registry setting named **EnableActivityFeed** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\System** with a **value of 0 (zero)**
|
||||
|
||||
-and-
|
||||
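Review bot: The Inking & Typing block says to **Disable** the policy named **Turn off automatic learning**. Disabling a "turn off" policy reads as leaving automatic learning on, which contradicts the registry alternative that sets **RestrictImplicitTextCollection** and **RestrictImplicitInkCollection** to 1. Please confirm whether this should be **Enable**. Smaller points in the same hunk: the two InputPersonalization paths use single backslashes where the rest of the file uses `\\`; "you can choose turn Off tracking" is missing "to"; and "**OS Policies** > named **Allow upload of User Activities**" has a stray ">" before "named".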
@ -1467,14 +1465,14 @@ To turn this Off in the UI:
|
||||
-and-
|
||||
|
||||
- Create a REG_DWORD registry setting named **UploadUserActivities** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\System** with a **value of 0 (zero)**
|
||||
|
||||
|
||||
### <a href="" id="bkmk-voice-act"></a>18.23 Voice Activation
|
||||
|
||||
In the **Voice activation** area, you can choose turn Off apps ability to listen for a Voice keyword.
|
||||
In the **Voice activation** area, you can choose turn Off apps ability to listen for a Voice keyword.
|
||||
|
||||
To turn this Off in the UI:
|
||||
|
||||
- Turn **Off** the feature in the UI by going to **Settings -> Privacy -> Voice activation** and toggle **Off** the **Allow apps to use voice activation** AND also toggle **Off** the **Allow apps to use voice activation when this device is locked**
|
||||
- Turn **Off** the feature in the UI by going to **Settings -> Privacy -> Voice activation** and toggle **Off** the **Allow apps to use voice activation** AND also toggle **Off** the **Allow apps to use voice activation when this device is locked**
|
||||
|
||||
-OR-
|
||||
|
||||
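Review bot: The Voice Activation intro line is re-saved with "you can choose turn Off apps ability to listen for a Voice keyword" unchanged. It is missing "to" and the possessive apostrophe; suggest "you can choose to turn off apps' ability to listen for a voice keyword". The separators in this hunk are "-OR-" while earlier sections use "-or-"; pick one casing.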
@ -1486,7 +1484,7 @@ To turn this Off in the UI:
|
||||
|
||||
|
||||
-OR-
|
||||
|
||||
|
||||
- Create a REG_DWORD registry setting named **LetAppsActivateWithVoice** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a **value of 2 (two)**
|
||||
|
||||
-and-
|
||||
@ -1494,7 +1492,6 @@ To turn this Off in the UI:
|
||||
- Create a REG_DWORD registry setting named **LetAppsActivateWithVoiceAboveLock** in **HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy** with a **value of 2 (two)**
|
||||
|
||||
|
||||
|
||||
### <a href="" id="bkmk-spp"></a>19. Software Protection Platform
|
||||
|
||||
Enterprise customers can manage their Windows activation status with volume licensing using an on-premises Key Management Server. You can opt out of sending KMS client activation data to Microsoft automatically by doing one of the following:
|
||||
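Review bot: The **LetAppsActivateWithVoiceAboveLock** path is written with single backslashes (`HKEY_LOCAL_MACHINE\Software\Policies\...`), while the **LetAppsActivateWithVoice** bullet just above it uses the escaped `\\` form. Use the same escaping on both so the two paths render identically and a later edit does not turn one of the single backslashes into a Markdown escape.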
@ -1517,11 +1514,11 @@ Enterprise customers can manage their Windows activation status with volume lice
|
||||
|
||||
**For Windows Server 2016:**
|
||||
|
||||
- Create a REG_DWORD registry setting named **NoAcquireGT** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform** with a value of 1 (one).
|
||||
- Create a REG_DWORD registry setting named **NoAcquireGT** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform** with a **value of 1 (one)**.
|
||||
|
||||
>[!NOTE]
|
||||
>Due to a known issue the **Turn off KMS Client Online AVS Validation** group policy does not work as intended on Windows Server 2016, the **NoAcquireGT** value needs to be set instead.
|
||||
>The Windows activation status will be valid for a rolling period of 180 days with weekly activation status checks to the KMS.
|
||||
> [!NOTE]
|
||||
> Due to a known issue the **Turn off KMS Client Online AVS Validation** group policy does not work as intended on Windows Server 2016; the **NoAcquireGT** value needs to be set instead.
|
||||
> The Windows activation status will be valid for a rolling period of 180 days with weekly activation status checks to the KMS.
|
||||
|
||||
### <a href="" id="bkmk-storage-health"></a>20. Storage health
|
||||
|
||||
@ -1542,7 +1539,7 @@ You can control if your settings are synchronized:
|
||||
|
||||
-or-
|
||||
|
||||
- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Sync your settings** > **Do not sync**. Leave the "Allow users to turn syncing on" checkbox **unchecked**.
|
||||
- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Sync your settings** > **Do not sync**. Leave the "Allow users to turn syncing on" checkbox **unchecked**.
|
||||
|
||||
-or-
|
||||
|
||||
@ -1553,14 +1550,14 @@ To turn off Messaging cloud sync:
|
||||
> [!NOTE]
|
||||
> There is no Group Policy corresponding to this registry key.
|
||||
|
||||
- Create a REG_DWORD registry setting named **CloudServiceSyncEnabled** in **HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Messaging** and set to a **value of 0 (zero)**.
|
||||
- Create a REG_DWORD registry setting named **CloudServiceSyncEnabled** in **HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Messaging** and set to a **value of 0 (zero)**.
|
||||
|
||||
### <a href="" id="bkmk-teredo"></a>22. Teredo
|
||||
|
||||
You can disable Teredo by using Group Policy or by using the netsh.exe command. For more info on Teredo, see [Internet Protocol Version 6, Teredo, and Related Technologies](/previous-versions/windows/it-pro/windows-vista/cc722030(v=ws.10)).
|
||||
|
||||
>[!NOTE]
|
||||
>If you disable Teredo, some XBOX gaming features and Delivery Optimization (with Group or Internet peering) will not work.
|
||||
> [!NOTE]
|
||||
> If you disable Teredo, some XBOX gaming features and Delivery Optimization (with Group or Internet peering) will not work.
|
||||
|
||||
- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **TCPIP Settings** > **IPv6 Transition Technologies** > **Set Teredo State** and set it to **Disabled State**.
|
||||
|
||||
@ -1571,14 +1568,14 @@ You can disable Teredo by using Group Policy or by using the netsh.exe command.
|
||||
|
||||
### <a href="" id="bkmk-wifisense"></a>23. Wi-Fi Sense
|
||||
|
||||
>[!IMPORTANT]
|
||||
>Beginning with Windows 10, version 1803, Wi-Fi Sense is no longer available. The following section only applies to Windows 10, version 1709 and prior. Please see [Connecting to open Wi-Fi hotspots in Windows 10](https://privacy.microsoft.com/en-us/windows-10-open-wi-fi-hotspots) for more details.
|
||||
> [!IMPORTANT]
|
||||
> Beginning with Windows 10, version 1803, Wi-Fi Sense is no longer available. The following section only applies to Windows 10, version 1709 and prior. Please see [Connecting to open Wi-Fi hotspots in Windows 10](https://privacy.microsoft.com/windows-10-open-wi-fi-hotspots) for more details.
|
||||
|
||||
Wi-Fi Sense automatically connects devices to known hotspots and to the wireless networks the person’s contacts have shared with them.
|
||||
|
||||
To turn off **Connect to suggested open hotspots** and **Connect to networks shared by my contacts**:
|
||||
|
||||
- Turn off the feature in the UI in Settings > Network & Internet > Wi-Fi
|
||||
- Turn off the feature in the UI in Settings > Network & Internet > Wi-Fi
|
||||
|
||||
-or-
|
||||
|
||||
@ -1593,12 +1590,12 @@ When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings scr
|
||||
|
||||
### <a href="" id="bkmk-defender"></a>24. Windows Defender
|
||||
|
||||
You can disconnect from the Microsoft Antimalware Protection Service.
|
||||
You can disconnect from the Microsoft Antimalware Protection Service.
|
||||
|
||||
>[!IMPORTANT]
|
||||
>**Required Steps BEFORE setting the Windows Defender Group Policy or RegKey on Windows 10 version 1903**
|
||||
>1. Ensure Windows and Windows Defender are fully up to date.
|
||||
>2. Search the Start menu for "Tamper Protection" by clicking on the search icon next to the Windows Start button. Then scroll down to the Tamper Protection toggle and turn it **Off**. This will allow you to modify the Registry key and allow the Group Policy to make the setting. Alternatively, you can go to **Windows Security Settings -> Virus & threat protection, click on Manage Settings** link and then scroll down to the Tamper Protection toggle to set it to **Off**.
|
||||
> [!IMPORTANT]
|
||||
> **Required Steps BEFORE setting the Windows Defender Group Policy or RegKey on Windows 10 version 1903**
|
||||
> 1. Ensure Windows and Windows Defender are fully up to date.
|
||||
> 2. Search the Start menu for "Tamper Protection" by clicking on the search icon next to the Windows Start button. Then scroll down to the Tamper Protection toggle and turn it **Off**. This will allow you to modify the Registry key and allow the Group Policy to make the setting. Alternatively, you can go to **Windows Security Settings -> Virus & threat protection, click on Manage Settings** link and then scroll down to the Tamper Protection toggle to set it to **Off**.
|
||||
|
||||
- **Enable** the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **MAPS** > **Join Microsoft MAPS** and then select **Disabled** from the drop-down box named **Join Microsoft MAPS**
|
||||
|
||||
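Review bot: Step 2 of the IMPORTANT note tells the reader to turn Tamper Protection **Off**, and the steps shown here end there. Since this hunk is already rewriting the note, add a closing step that says whether Tamper Protection should be turned back **On** once the MAPS policy or registry value is applied, so administrators do not leave it disabled by omission. The heading also scopes the steps to "Windows 10 version 1903" only; state whether later versions need them too.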
@ -1638,7 +1635,7 @@ You can stop downloading **Definition Updates**:
|
||||
|
||||
-and-
|
||||
|
||||
- **Remove** the **DefinitionUpdateFileSharesSources** reg value if it exists under **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Signature Updates**
|
||||
- **Remove** the **DefinitionUpdateFileSharesSources** reg value if it exists under **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Signature Updates**
|
||||
|
||||
|
||||
You can turn off **Malicious Software Reporting Tool (MSRT) diagnostic data**:
|
||||
@ -1646,7 +1643,7 @@ You can turn off **Malicious Software Reporting Tool (MSRT) diagnostic data**:
|
||||
- Set the REG_DWORD value **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\MRT\\DontReportInfectionInformation** to **1**.
|
||||
|
||||
> [!NOTE]
|
||||
> There is no Group Policy to turn off the Malicious Software Reporting Tool diagnostic data.
|
||||
> There is no Group Policy to turn off the Malicious Software Reporting Tool diagnostic data.
|
||||
|
||||
|
||||
You can turn off **Enhanced Notifications** as follows:
|
||||
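Review bot: The NOTE line and the heading above it expand MSRT as "Malicious Software Reporting Tool". The tool is the Malicious Software Removal Tool, which is also what the **MRT** registry key refers to. Correct the name in both places while the NOTE line is being touched.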
@ -1655,7 +1652,7 @@ You can turn off **Enhanced Notifications** as follows:
|
||||
|
||||
-or-
|
||||
|
||||
- **Enable** the Group Policy **Turn off enhanced notifications** under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Reporting**.
|
||||
- **Enable** the Group Policy **Turn off enhanced notifications** under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Reporting**.
|
||||
|
||||
-or-
|
||||
|
||||
@ -1666,7 +1663,7 @@ You can turn off **Enhanced Notifications** as follows:
|
||||
|
||||
To disable Windows Defender SmartScreen:
|
||||
|
||||
In Group Policy, configure:
|
||||
In Group Policy, configure:
|
||||
|
||||
- **Computer Configuration > Administrative Templates > Windows Components > Windows Defender SmartScreen > Explorer > Configure Windows Defender SmartScreen** to be **Disabled**
|
||||
|
||||
@ -1695,7 +1692,7 @@ In Group Policy, configure:
|
||||
|
||||
Windows Spotlight provides features such as different background images and text on the lock screen, suggested apps, Microsoft account notifications, and Windows tips. You can control it by using the user interface or Group Policy.
|
||||
|
||||
If you're running Windows 10, version 1607 or later, you need to:
|
||||
If you're running Windows 10, version 1607 or later, you need to:
|
||||
|
||||
- **Enable** the following Group Policy **User Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off all Windows spotlight features**
|
||||
|
||||
@ -1714,7 +1711,7 @@ If you're running Windows 10, version 1607 or later, you need to:
|
||||
|
||||
-or-
|
||||
|
||||
- Create a new REG_DWORD registry setting named **NoLockScreen** in **HKEY_Local_Machine\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization** with a **value of 1 (one)**
|
||||
- Create a new REG_DWORD registry setting named **NoLockScreen** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization** with a **value of 1 (one)**
|
||||
|
||||
|
||||
-AND-
|
||||
@ -1732,27 +1729,27 @@ If you're running Windows 10, version 1607 or later, you need to:
|
||||
|
||||
- Apply the Group Policies:
|
||||
|
||||
- **Enable** the **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image and logon image** Group Policy.
|
||||
- **Enable** the **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image and logon image** Group Policy.
|
||||
- Add **C:\\windows\\web\\screen\\lockscreen.jpg** as the location in the **Path to local lock screen image** box.
|
||||
|
||||
- Check the **Turn off fun facts, tips, tricks, and more on lock screen** check box.
|
||||
|
||||
> [!NOTE]
|
||||
> This will only take effect if the policy is applied before the first logon.
|
||||
> If you cannot apply the **Force a specific default lock screen image** policy before the first logon to the device,
|
||||
> you can **Enable** the **Do not display the lock screen** policy under **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization**
|
||||
> This will only take effect if the policy is applied before the first logon.
|
||||
> If you cannot apply the **Force a specific default lock screen image** policy before the first logon to the device,
|
||||
> you can **Enable** the **Do not display the lock screen** policy under **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization**
|
||||
>
|
||||
> Alternatively, you can create a new REG_SZ registry setting named **LockScreenImage** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization**
|
||||
> with a value of **C:\\windows\\web\\screen\\lockscreen.jpg** and create a new REG_DWORD registry setting named **LockScreenOverlaysDisabled** in
|
||||
> Alternatively, you can create a new REG_SZ registry setting named **LockScreenImage** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization**
|
||||
> with a value of **C:\\windows\\web\\screen\\lockscreen.jpg** and create a new REG_DWORD registry setting named **LockScreenOverlaysDisabled** in
|
||||
> **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization** with a value of **1 (one)**.
|
||||
>
|
||||
> The Group Policy for the **LockScreenOverlaysDisabled** regkey is **Force a specific default lock screen and logon image** that is under **Control Panel** **Personalization**.
|
||||
> The Group Policy for the **LockScreenOverlaysDisabled** registry key is **Force a specific default lock screen and logon image** that is under **Control Panel** **Personalization**.
|
||||
|
||||
|
||||
\-AND-
|
||||
|
||||
|
||||
- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not show Windows tips** to **Enabled**
|
||||
- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not show Windows tips** to **Enabled**
|
||||
|
||||
-or-
|
||||
|
||||
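Review bot: The lock screen policy is named three different ways inside this hunk: "Force a specific default lock screen image and logon image" (bullet), "Force a specific default lock screen image" (NOTE), and "Force a specific default lock screen and logon image" (last NOTE line). Use the exact policy name everywhere. The last NOTE line also reads "under **Control Panel** **Personalization**" with no ">" between the two nodes, and the separator `\-AND-` is escaped and upper-case where the rest of the block uses "-or-".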
@ -1766,10 +1763,9 @@ If you're running Windows 10, version 1607 or later, you need to:
|
||||
|
||||
-or-
|
||||
|
||||
- Create a new REG_DWORD registry setting named **DisableWindowsConsumerFeatures** in **HKEY_LOCAL_MACHINE\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent** with a **value of 1 (one)**
|
||||
|
||||
|
||||
This policy setting controls whether the lock screen appears for users. The Do not display the lock screen Group Policy should be set to Enable to prevent the lock screen from being displayed. The Group Computer Configuration\Administrative templates\Control Panel\Personalization!Do not display the lock screen.
|
||||
- Create a new REG_DWORD registry setting named **DisableWindowsConsumerFeatures** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent** with a **value of 1 (one)**
|
||||
|
||||
This policy setting controls whether the lock screen appears for users. The Do not display the lock screen Group Policy should be set to Enable to prevent the lock screen from being displayed. The Group Computer Configuration\Administrative templates\Control Panel\Personalization!Do not display the lock screen.
|
||||
|
||||
If you enable this policy setting, users that are not required to press CTRL + ALT + DEL before signing in will see their selected tile after locking their PC.
|
||||
|
||||
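Review bot: The paragraph after the **DisableWindowsConsumerFeatures** bullet ends with a fragment: "The Group Computer Configuration\Administrative templates\Control Panel\Personalization!Do not display the lock screen." It is carried over unchanged apart from whitespace. Rewrite it as a full sentence, for example "The Group Policy is **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Do not display the lock screen**.", which also matches the path style used elsewhere in the file.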
@ -1846,7 +1842,7 @@ For a comprehensive list of Delivery Optimization Policies, see [Delivery Optimi
|
||||
|
||||
-or-
|
||||
|
||||
- Create a new REG_DWORD registry setting named **DODownloadMode** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeliveryOptimization** to a value of **99 (Ninety-nine)**.
|
||||
- Create a new REG_DWORD registry setting named **DODownloadMode** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeliveryOptimization** to a value of **99 (Ninety-nine)**.
|
||||
|
||||
|
||||
For more info about Delivery Optimization in general, see [Windows Update Delivery Optimization: FAQ](https://go.microsoft.com/fwlink/p/?LinkId=730684).
|
||||
@ -1866,23 +1862,23 @@ You can turn off Windows Update by setting the following registry entries:
|
||||
|
||||
-and-
|
||||
|
||||
- Add a REG_SZ value named **WUServer** to **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and ensure it is blank with a space character **" "**.
|
||||
- Add a REG_SZ value named **WUServer** to **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and ensure it is blank with a space character **" "**.
|
||||
|
||||
-and-
|
||||
|
||||
- Add a REG_SZ value named **WUStatusServer** to **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and ensure it is blank with a space character **" "**.
|
||||
- Add a REG_SZ value named **WUStatusServer** to **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and ensure it is blank with a space character **" "**.
|
||||
|
||||
-and-
|
||||
|
||||
- Add a REG_SZ value named **UpdateServiceUrlAlternate** to **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and ensure it is blank with a space character **" "**.
|
||||
- Add a REG_SZ value named **UpdateServiceUrlAlternate** to **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and ensure it is blank with a space character **" "**.
|
||||
|
||||
-and-
|
||||
|
||||
- Add a REG_DWORD value named **UseWUServer** to **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\WindowsUpdate\\AU** and set the value to 1.
|
||||
- Add a REG_DWORD value named **UseWUServer** to **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\WindowsUpdate\\AU** and set the **value to 1 (one)**.
|
||||
|
||||
-OR-
|
||||
|
||||
- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Do not connect to any Windows Update Internet locations** to **Enabled**
|
||||
- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Do not connect to any Windows Update Internet locations** to **Enabled**
|
||||
|
||||
-and-
|
||||
|
||||
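Review bot: in the reworded UseWUServer bullet the bold span wraps the words "value to" as well as the value (set the **value to 1 (one)**), while the neighbouring bullets bold only the value, as in **99 (Ninety-nine)** and **0 (zero)**; move the opening ** to just before the 1. The same bullet's path also has a single backslash in Windows\WindowsUpdate where every other segment is written with \\, and that inconsistency is carried over unchanged into the new version of the line.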
@ -1890,11 +1886,11 @@ You can turn off Windows Update by setting the following registry entries:
|
||||
|
||||
-and-
|
||||
|
||||
- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Specify intranet Microsoft update service location** to **Enabled** and ensure all Option settings (Intranet Update Service, Intranet Statistics Server, Alternate Download Server) are set to **" "**
|
||||
- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Specify intranet Microsoft update service location** to **Enabled** and ensure all Option settings (Intranet Update Service, Intranet Statistics Server, Alternate Download Server) are set to **" "**
|
||||
|
||||
-and-
|
||||
|
||||
- Set the Group Policy **User Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Remove access to use all Windows Update features** to **Enabled** and then set **Computer Configurations** to **0 (zero)**.
|
||||
- Set the Group Policy **User Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Remove access to use all Windows Update features** to **Enabled** and then set **Computer Configurations** to **0 (zero)**.
|
||||
|
||||
|
||||
You can turn off automatic updates by doing the following. This is not recommended.
|
||||
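Review bot: the "Specify intranet Microsoft update service location" bullet ends at **" "** with no closing period, unlike the "Remove access to use all Windows Update features" bullet that follows it, and a bolded quoted space is easy to misread as an empty string. Suggest spelling it out as "are set to a single space character (**" "**)." so it matches the "blank with a space character" wording used by the registry bullets in the previous hunk.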
@ -1904,18 +1900,17 @@ You can turn off automatic updates by doing the following. This is not recommend
|
||||
|
||||
For China releases of Windows 10 there is one additional Regkey to be set to prevent traffic:
|
||||
|
||||
- Add a REG_DWORD value named **HapDownloadEnabled** to **HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LexiconUpdate\\loc_0804** and set the value to 0.
|
||||
- Add a REG_DWORD value named **HapDownloadEnabled** to **HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LexiconUpdate\\loc_0804** and set the **value to 0 (zero)**.
|
||||
|
||||
|
||||
|
||||
### <a href="" id="bkmk-allowedtraffic"></a> Allowed traffic list for Windows Restricted Traffic Limited Functionality Baseline
|
||||
|
||||
|Allowed traffic endpoints|
|
||||
| --- |
|
||||
|Allowed traffic endpoints|
|
||||
| --- |
|
||||
|activation-v2.sls.microsoft.com/*|
|
||||
|crl.microsoft.com/pki/crl/*|
|
||||
|ocsp.digicert.com/*|
|
||||
|www.microsoft.com/pkiops/*|
|
||||
|
||||
|
||||
To learn more, see [Device update management](/windows/client-management/mdm/device-update-management) and [Configure Automatic Updates by using Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc720539(v=ws.10)).
|
||||
To learn more, see [Device update management](/windows/client-management/mdm/device-update-management) and [Configure Automatic Updates by using Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc720539(v=ws.10)).
|
||||
|
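Review bot: the reworded HapDownloadEnabled bullet bolds "value to" together with the value (set the **value to 0 (zero)**); bold only **0 (zero)** so it matches how values are marked elsewhere on the page. The sentence introducing it calls the setting a "Regkey" while the bullet itself adds a REG_DWORD value, so "registry value" would be the consistent term. The "To learn more" links about update management also now sit after the allowed traffic table rather than next to the Windows Update settings they refer to; consider moving them above the table heading.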
@ -101,4 +101,8 @@ Besides being vulnerable at the firmware level, CPUs could be manufactured with
|
||||
|
||||
At Microsoft, we actively monitor the security landscape to identify new threat trends and develop solutions to mitigate classes of threats. We instrument durable protections that are effective against a wide range of threats. Through AntiMalware Scan Interface (AMSI), behavior monitoring, memory scanning, and boot sector protection, Microsoft Defender for Endpoint](https://www.microsoft.com/windowsforbusiness?ocid=docs-fileless) can inspect fileless threats even with heavy obfuscation. Machine learning technologies in the cloud allow us to scale these protections against new and emerging threats.
|
||||
|
||||
To learn more, read: [Out of sight but not invisible: Defeating fileless malware with behavior monitoring, AMSI, and next-gen AV](https://cloudblogs.microsoft.com/microsoftsecure/2018/09/27/out-of-sight-but-not-invisible-defeating-fileless-malware-with-behavior-monitoring-amsi-and-next-gen-av/)
|
||||
To learn more, read: [Out of sight but not invisible: Defeating fileless malware with behavior monitoring, AMSI, and next-gen AV](https://cloudblogs.microsoft.com/microsoftsecure/2018/09/27/out-of-sight-but-not-invisible-defeating-fileless-malware-with-behavior-monitoring-amsi-and-next-gen-av/)
|
||||
|
||||
## Additional resources and information
|
||||
|
||||
Learn how to [deploy threat protection capabilities across Microsoft 365 E5](/microsoft-365/solutions/deploy-threat-protection).
|
||||
|
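Review bot: the context paragraph just above the new "Additional resources and information" heading has a broken link: "Microsoft Defender for Endpoint](https://www.microsoft.com/windowsforbusiness?ocid=docs-fileless)" is missing its opening bracket, so the URL will render as literal text. Since this hunk touches the end of that section anyway, add the [ before "Microsoft Defender for Endpoint" in the same commit.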
@ -40,6 +40,11 @@ There are many types of malware, including:
|
||||
- [Unwanted software](unwanted-software.md)
|
||||
- [Worms](worms-malware.md)
|
||||
|
||||
Keep up with the latest malware news and research. Check out our [Microsoft security blogs](https://www.microsoft.com/security/blog/product/windows/) and follow us on [Twitter](https://twitter.com/wdsecurity) for the latest news, discoveries, and protections.
|
||||
## Additional resources and information
|
||||
|
||||
- Keep up with the latest malware news and research. Check out our [Microsoft security blogs](https://www.microsoft.com/security/blog/product/windows/) and follow us on [Twitter](https://twitter.com/wdsecurity) for the latest news, discoveries, and protections.
|
||||
|
||||
- Learn more about [Windows security](../../index.yml).
|
||||
|
||||
- Learn how to [deploy threat protection capabilities across Microsoft 365 E5](/microsoft-365/solutions/deploy-threat-protection).
|
||||
|
||||
Learn more about [Windows security](../../index.yml).
|
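Review bot: the first bullet under the new "Additional resources and information" heading repeats itself: it opens with "Keep up with the latest malware news and research" and closes with "for the latest news, discoveries, and protections". Dropping the trailing clause, or the opening sentence, keeps both links and reads cleaner. The three bullets are also separated by blank lines, which some renderers turn into a loose list with extra spacing; the malware-type list earlier in the file is tight.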