From df47d6f9754f36d3730c40589116aec4241d5d73 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Mon, 12 Aug 2019 10:02:56 -0700 Subject: [PATCH 01/46] Update manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md --- ...erating-system-components-to-microsoft-services-using-MDM.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md index e2fa73f5c7..638772beb5 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md @@ -22,7 +22,7 @@ You can use Microsoft InTune with MDM CSPs and custom [OMA URIs](https://docs.mi To ensure CSPs take priority over Group Policies in case of conflicts, use the [ControlPolicyConflict](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy. -You can configure diagnostic data at the Security/Basic level, turn off Windows Defender diagnostic data and MSRT reporting, and turn off all other connections to Microsoft network endpoints as described in this article to help prevent Windows from sending any data to Microsoft. There are many reasons why these communications are enabled by default, such as updating malware definitions and maintain current certificate revocation lists, which is why we strongly recommend against this. This data helps us deliver a secure, reliable, and more delightful personalized experience. +You can configure diagnostic data at the Security/Basic level, turn off Windows Defender diagnostic data and MSRT (Malicious Software Removal Tool) reporting, and turn off all other connections to Microsoft network endpoints as described in this article to help prevent Windows from sending any data to Microsoft. There are many reasons why these communications are enabled by default, such as updating malware definitions and maintain current certificate revocation lists, which is why we strongly recommend against this. This data helps us deliver a secure, reliable, and more delightful personalized experience. Note, there is some traffic which is required (i.e. "whitelisted") for the operation of Windows and the Microsoft InTune based management. This traffic includes CRL and OCSP network traffic which will show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of them, but there are many others, such as DigiCert, Thawte, Google, Symantec, and VeriSign. Additional whitelisted traffic specifically for MDM managed devices includes Windows Notification Service related traffic as well as some specific Microsoft InTune and Windows Update related traffic. From 166d25674cb96d7bfe43bfa7bfd941dfd6da589e Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Mon, 12 Aug 2019 10:04:36 -0700 Subject: [PATCH 02/46] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...ndows-operating-system-components-to-microsoft-services.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index a7aec9de77..5d7cd54345 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -31,7 +31,7 @@ Learn about the network connections that Windows components make to Microsoft in If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider. You can configure diagnostic data at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment from the list in this article. -You can configure diagnostic data at the Security/Basic level, turn off Windows Defender diagnostic data and MSRT reporting, and turn off all other connections to Microsoft network endpoints as described in this article to help prevent Windows from sending any data to Microsoft. There are many reasons why these communications are enabled by default, such as updating malware definitions and maintain current certificate revocation lists, which is why we strongly recommend against this. This data helps us deliver a secure, reliable, and more delightful personalized experience. +You can configure diagnostic data at the Security/Basic level, turn off Windows Defender diagnostic data and MSRT (Malicious Software Removal Tool) reporting, and turn off all other connections to Microsoft network endpoints as described in this article to help prevent Windows from sending any data to Microsoft. There are many reasons why these communications are enabled by default, such as updating malware definitions and maintain current certificate revocation lists, which is why we strongly recommend against this. This data helps us deliver a secure, reliable, and more delightful personalized experience. To help make it easier to deploy settings to restrict connections from Windows 10 to Microsoft, you can apply the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887), but **before application please ensure that Windows and Windows Defender are fully up to date**. Failure to do so may result in errors. This baseline was created in the same way as the [Windows security baselines](/windows/device-security/windows-security-baselines) that are often used to efficiently configure Windows to a known secure state. Running the Windows Restricted Traffic Limited Functionality Baseline on devices in your organization will allow you to quickly configure all of the settings covered in this document. However, some of the settings reduce the functionality and security configuration of your device and are therefore not recommended. Make sure you've chosen the right settings configuration for your environment before applying. @@ -47,7 +47,7 @@ We are always striving to improve our documentation and welcome your feedback. Y ## Management options for each setting -The following sections list the components that make network connections to Microsoft services by default. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure diagnostic data at the Security level, turn off Windows Defender diagnostic data and MSRT reporting, and turn off all of these connections. +The following sections list the components that make network connections to Microsoft services by default. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure diagnostic data at the Security level, turn off Windows Defender diagnostic data and MSRT (Malicious Software Removal Tool) reporting, and turn off all of these connections. ### Settings for Windows 10 Enterprise edition From 7eeee193d51027b5f354046e764584f3388f3b81 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Tue, 20 Aug 2019 18:08:57 -0700 Subject: [PATCH 03/46] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...windows-operating-system-components-to-microsoft-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 5d7cd54345..b614a71c09 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -1584,7 +1584,7 @@ You can disconnect from the Microsoft Antimalware Protection Service. >[!IMPORTANT] >**Required Steps BEFORE setting the Windows Defender Group Policy or RegKey on Windows 10 version 1903** >1. Ensure Windows and Windows Defender are fully up to date. ->2. Search the Start menu for "Tamper Protection" by clicking on the search icon next to the Windows Start button. Then scroll down to >the Tamper Protection toggle and turn it **Off**. This will allow you to modify the Registry key and allow the Group Policy to make >the setting. Alternatively, you can go to **Windows Security Settings -> Virus & threat protection, click on Manage Settings** link >and then scroll down to the Tamper Protection toggle to set it to **Off**. +>2. Search the Start menu for "Tamper Protection" by clicking on the search icon next to the Windows Start button. Then scroll down to the Tamper Protection toggle and turn it **Off**. This will allow you to modify the Registry key and allow the Group Policy to make the setting. Alternatively, you can go to **Windows Security Settings -> Virus & threat protection, click on Manage Settings** link and then scroll down to the Tamper Protection toggle to set it to **Off**. - **Enable** the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **MAPS** > **Join Microsoft MAPS** and then select **Disabled** from the drop-down box named **Join Microsoft MAPS** From 53a6fb228576034f2aa5efc0c26eac92e5e88b63 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Wed, 21 Aug 2019 16:54:49 -0700 Subject: [PATCH 04/46] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...system-components-to-microsoft-services.md | 22 +++++++++++++------ 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index b614a71c09..bc2559f780 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -25,15 +25,17 @@ ms.date: 05/16/2019 - Windows Server 2016 - Windows Server 2019 -If you're looking for content on what each diagnostic data level means and how to configure it in your organization, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). - -Learn about the network connections that Windows components make to Microsoft in addition to the privacy settings that affect the data which is shared with either Microsoft or apps and how they can be managed by an IT Pro. +Learn about the network connections that Windows components make to Microsoft in addition to the privacy settings that affect the data which is shared with either Microsoft or apps and how they can be managed by an IT Pro using UI, Group Policies and Registry settings. If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider. You can configure diagnostic data at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment from the list in this article. -You can configure diagnostic data at the Security/Basic level, turn off Windows Defender diagnostic data and MSRT (Malicious Software Removal Tool) reporting, and turn off all other connections to Microsoft network endpoints as described in this article to help prevent Windows from sending any data to Microsoft. There are many reasons why these communications are enabled by default, such as updating malware definitions and maintain current certificate revocation lists, which is why we strongly recommend against this. This data helps us deliver a secure, reliable, and more delightful personalized experience. +Note: CRL and OCSP network traffic is currently whitelisted and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of them, but there are many others, such as DigiCert, Thawte, Google, Symantec, and VeriSign. -To help make it easier to deploy settings to restrict connections from Windows 10 to Microsoft, you can apply the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887), but **before application please ensure that Windows and Windows Defender are fully up to date**. Failure to do so may result in errors. This baseline was created in the same way as the [Windows security baselines](/windows/device-security/windows-security-baselines) that are often used to efficiently configure Windows to a known secure state. +Note: For security reasons you must very carefully decide which settings to configure as many of them will result in an insecure device. Examples of settings that we strongly recommend against and will result in an potentially insecure device configuration are: disabling Windows Update, disabling Automatic Root Certificates Update, and disabling Windows Defender. It is not recommended to disable any of these features. + +You can configure diagnostic data at the Security/Basic level, turn off Windows Defender diagnostic data and MSRT (Malicious Software Removal Tool) reporting, and turn off all other connections to Microsoft network endpoints as described in this article to help prevent Windows from sending any data to Microsoft. However, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists, which is why we *strongly* recommend against this. This data helps us deliver a secure, reliable, and more delightful personalized experience. + +To help make it easier to deploy settings to restrict connections from Windows 10 to Microsoft, you can apply the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887) when running as an Admin user, but **before application please ensure that Windows and Windows Defender are fully up to date**. Failure to do so may result in errors. This baseline was created in the same way as the [Windows security baselines](/windows/device-security/windows-security-baselines) that are often used to efficiently configure Windows to a known secure state. Running the Windows Restricted Traffic Limited Functionality Baseline on devices in your organization will allow you to quickly configure all of the settings covered in this document. However, some of the settings reduce the functionality and security configuration of your device and are therefore not recommended. Make sure you've chosen the right settings configuration for your environment before applying. You should not extract this package to the windows\\system32 folder because it will not apply correctly. @@ -1260,7 +1262,7 @@ To turn off **Let your apps use your trusted devices (hardware you've already co ### 18.16 Feedback & diagnostics -In the **Feedback & Diagnostics** area, you can choose how often you're asked for feedback and how much diagnostic and usage information is sent to Microsoft. +In the **Feedback & Diagnostics** area, you can choose how often you're asked for feedback and how much diagnostic and usage information is sent to Microsoft. If you're looking for content on what each diagnostic data level means and how to configure it in your organization, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). To change how frequently **Windows should ask for my feedback**: @@ -1623,7 +1625,7 @@ You can stop downloading **Definition Updates**: - **Remove** the **DefinitionUpdateFileSharesSources** reg value if it exists under **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Signature Updates** -You can turn off **Malicious Software Reporting Tool diagnostic data**: +You can turn off **Malicious Software Reporting Tool (MSRT) diagnostic data**: - Set the REG_DWORD value **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\MRT\\DontReportInfectionInformation** to **1**. @@ -1882,6 +1884,12 @@ For China releases of Windows 10 there is one additional Regkey to be set to pre - Add a REG_DWORD value named **HapDownloadEnabled** to **HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LexiconUpdate\\loc_0804** and set the value to 0. +|**Allowed traffic endpoints** | +| --- | +|activation-v2.sls.microsoft.com/*| +|crl.microsoft.com/pki/crl/*| +|ocsp.digicert.com/*| +|www.microsoft.com/pkiops/*| To learn more, see [Device update management](https://msdn.microsoft.com/library/windows/hardware/dn957432.aspx) and [Configure Automatic Updates by using Group Policy](https://technet.microsoft.com/library/cc720539.aspx). From 55d0bf850edb3c5973042c2466ccf3bec8273ea6 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Wed, 21 Aug 2019 17:05:56 -0700 Subject: [PATCH 05/46] Update manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md --- ...ponents-to-microsoft-services-using-MDM.md | 21 ++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md index 638772beb5..ab00e59a78 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.localizationpriority: medium author: medgarmedgar ms.author: v-medgar -ms.date: 7/9/2019 +ms.date: 8/21/2019 --- # Manage connections from Windows operating system components to Microsoft services using Microsoft Intune MDM Server @@ -18,7 +18,17 @@ ms.date: 7/9/2019 - Windows 10 Enterprise 1903 version and newer -You can use Microsoft InTune with MDM CSPs and custom [OMA URIs](https://docs.microsoft.com/intune/custom-settings-windows-10) to minimize connections from Windows to Microsoft services, or to configure particular privacy settings. You can configure diagnostic data at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment from the list in this article. +Learn about the network connections that Windows components make to Microsoft in addition to the privacy settings that affect the data which is shared with either Microsoft or apps and how they can be managed by an IT Pro using MDM/CSP and custom OMA URIs policies. + +If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider. You can configure diagnostic data at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment from the list in this article. + +Note: CRL and OCSP network traffic is currently whitelisted and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of them, but there are many others, such as DigiCert, Thawte, Google, Symantec, and VeriSign. + +Note: For security reasons you must very carefully decide which settings to configure as many of them will result in an insecure device. Examples of settings that we strongly recommend against and will result in an potentially insecure device configuration are: disabling Windows Update, disabling Automatic Root Certificates Update, and disabling Windows Defender. It is not recommended to disable any of these features. + +You can configure diagnostic data at the Security/Basic level, turn off Windows Defender diagnostic data and MSRT (Malicious Software Removal Tool) reporting, and turn off all other connections to Microsoft network endpoints as described in this article to help prevent Windows from sending any data to Microsoft. However, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists, which is why we *strongly* recommend against this. This data helps us deliver a secure, reliable, and more delightful personalized experience. + +You can use Microsoft Intune with MDM CSPs and custom [OMA URIs](https://docs.microsoft.com/intune/custom-settings-windows-10) to minimize connections from Windows to Microsoft services, or to configure particular privacy settings. You can configure diagnostic data at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment from the list in this article. To ensure CSPs take priority over Group Policies in case of conflicts, use the [ControlPolicyConflict](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy. @@ -26,12 +36,13 @@ You can configure diagnostic data at the Security/Basic level, turn off Windows Note, there is some traffic which is required (i.e. "whitelisted") for the operation of Windows and the Microsoft InTune based management. This traffic includes CRL and OCSP network traffic which will show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of them, but there are many others, such as DigiCert, Thawte, Google, Symantec, and VeriSign. Additional whitelisted traffic specifically for MDM managed devices includes Windows Notification Service related traffic as well as some specific Microsoft InTune and Windows Update related traffic. -For more information on Microsoft InTune please see [Transform IT service delivery for your modern workplace](https://www.microsoft.com/en-us/enterprise-mobility-security/microsoft-intune?rtc=1) and [Microsoft Intune documentation](https://docs.microsoft.com/intune/). +For more information on Microsoft Intune please see [Transform IT service delivery for your modern workplace](https://www.microsoft.com/en-us/enterprise-mobility-security/microsoft-intune?rtc=1) and [Microsoft Intune documentation](https://docs.microsoft.com/intune/). For detailed information about managing network connections to Microsoft services using Registries, Group Policies, or UI see [Manage connections from Windows operating system components to Microsoft services](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services). +Note that the Get Help and Give us Feedback links in Windows may no longer work after applying some or all of the MDM/CSP settings. However, we are always striving to improve our documentation and welcome your feedback. You can provide feedback by sending email to telmhelp@microsoft.com. -The endpoints for the MDM “whitelisted” traffic are in the [Whitelisted Traffic](#bkmk-mdm-whitelist). +The endpoints for the MDM Allowed Traffic are in the [Allowed Traffic](#bkmk-mdm-allowedtraffic). ### Settings for Windows 10 Enterprise edition 1903 and newer @@ -150,7 +161,7 @@ For Windows 10, the following MDM policies are available in the [Policy CSP](htt 1. Windows Update Service URL - [Update/UpdateServiceUrl](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#update-updateserviceurl). Allows the device to check for updates from a WSUS server instead of Microsoft Update. **Set to String** with the Value: 1. **\\$CmdID$\\\chr\text/plain\\ \./Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl\\http://abcd-srv:8530\\** -### Allowed traffic ("Whitelisted traffic") for Microsoft InTune / MDM configurations +### Allowed traffic for Microsoft Intune / MDM configurations |**Allowed traffic endpoints** | | --- | From 49d29186173e145ba2a4ce85454badc82222cdd6 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Wed, 21 Aug 2019 17:06:26 -0700 Subject: [PATCH 06/46] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...windows-operating-system-components-to-microsoft-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index bc2559f780..72969b2ae6 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -14,7 +14,7 @@ ms.author: dansimp manager: dansimp ms.collection: M365-security-compliance ms.topic: article -ms.date: 05/16/2019 +ms.date: 08/21/2019 --- # Manage connections from Windows operating system components to Microsoft services From a0e6ccdc75b4e2cfecfa26f7c24acb3b30f43146 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Wed, 21 Aug 2019 17:08:44 -0700 Subject: [PATCH 07/46] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...indows-operating-system-components-to-microsoft-services.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 72969b2ae6..d601a9e3c9 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -33,9 +33,10 @@ Note: CRL and OCSP network traffic is currently whitelisted and will still show Note: For security reasons you must very carefully decide which settings to configure as many of them will result in an insecure device. Examples of settings that we strongly recommend against and will result in an potentially insecure device configuration are: disabling Windows Update, disabling Automatic Root Certificates Update, and disabling Windows Defender. It is not recommended to disable any of these features. -You can configure diagnostic data at the Security/Basic level, turn off Windows Defender diagnostic data and MSRT (Malicious Software Removal Tool) reporting, and turn off all other connections to Microsoft network endpoints as described in this article to help prevent Windows from sending any data to Microsoft. However, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists, which is why we *strongly* recommend against this. This data helps us deliver a secure, reliable, and more delightful personalized experience. +You can configure diagnostic data at the Security/Basic level, turn off Windows Defender diagnostic data and MSRT (Malicious Software Removal Tool) reporting, and turn off all other connections to Microsoft network endpoints as described in this article to help prevent Windows from sending any data to Microsoft. However, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists, which is why we **strongly** recommend against this. This data helps us deliver a secure, reliable, and more delightful personalized experience. To help make it easier to deploy settings to restrict connections from Windows 10 to Microsoft, you can apply the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887) when running as an Admin user, but **before application please ensure that Windows and Windows Defender are fully up to date**. Failure to do so may result in errors. This baseline was created in the same way as the [Windows security baselines](/windows/device-security/windows-security-baselines) that are often used to efficiently configure Windows to a known secure state. + Running the Windows Restricted Traffic Limited Functionality Baseline on devices in your organization will allow you to quickly configure all of the settings covered in this document. However, some of the settings reduce the functionality and security configuration of your device and are therefore not recommended. Make sure you've chosen the right settings configuration for your environment before applying. You should not extract this package to the windows\\system32 folder because it will not apply correctly. From 3a80747199f26f3b9b8a8d11cd74f5e1993788f8 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Wed, 21 Aug 2019 17:15:59 -0700 Subject: [PATCH 08/46] Update manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md --- ...ystem-components-to-microsoft-services-using-MDM.md | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md index ab00e59a78..78760c1120 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md @@ -24,7 +24,7 @@ If you want to minimize connections from Windows to Microsoft services, or confi Note: CRL and OCSP network traffic is currently whitelisted and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of them, but there are many others, such as DigiCert, Thawte, Google, Symantec, and VeriSign. -Note: For security reasons you must very carefully decide which settings to configure as many of them will result in an insecure device. Examples of settings that we strongly recommend against and will result in an potentially insecure device configuration are: disabling Windows Update, disabling Automatic Root Certificates Update, and disabling Windows Defender. It is not recommended to disable any of these features. +Note: For security reasons you must very carefully decide which settings to configure as many of them will result in an insecure device. Examples of settings that we strongly recommend against and will result in an potentially insecure device configuration are: disabling Windows Update and disabling Windows Defender. It is not recommended to disable either of these features. You can configure diagnostic data at the Security/Basic level, turn off Windows Defender diagnostic data and MSRT (Malicious Software Removal Tool) reporting, and turn off all other connections to Microsoft network endpoints as described in this article to help prevent Windows from sending any data to Microsoft. However, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists, which is why we *strongly* recommend against this. This data helps us deliver a secure, reliable, and more delightful personalized experience. @@ -32,17 +32,15 @@ You can use Microsoft Intune with MDM CSPs and custom [OMA URIs](https://docs.mi To ensure CSPs take priority over Group Policies in case of conflicts, use the [ControlPolicyConflict](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy. -You can configure diagnostic data at the Security/Basic level, turn off Windows Defender diagnostic data and MSRT (Malicious Software Removal Tool) reporting, and turn off all other connections to Microsoft network endpoints as described in this article to help prevent Windows from sending any data to Microsoft. There are many reasons why these communications are enabled by default, such as updating malware definitions and maintain current certificate revocation lists, which is why we strongly recommend against this. This data helps us deliver a secure, reliable, and more delightful personalized experience. - -Note, there is some traffic which is required (i.e. "whitelisted") for the operation of Windows and the Microsoft InTune based management. This traffic includes CRL and OCSP network traffic which will show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of them, but there are many others, such as DigiCert, Thawte, Google, Symantec, and VeriSign. Additional whitelisted traffic specifically for MDM managed devices includes Windows Notification Service related traffic as well as some specific Microsoft InTune and Windows Update related traffic. +There is some traffic which is required (i.e. "Allowed Traffic") for the operation of Windows and Microsoft Intune based management. This traffic includes CRL and OCSP network traffic which will show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of them, but there are many others, such as DigiCert, Thawte, Google, Symantec, and VeriSign. Additional "Allowed Traffic" specifically for MDM managed devices includes Windows Notification Service related traffic as well as some specific Microsoft Intune and Windows Update related traffic. For more information on Microsoft Intune please see [Transform IT service delivery for your modern workplace](https://www.microsoft.com/en-us/enterprise-mobility-security/microsoft-intune?rtc=1) and [Microsoft Intune documentation](https://docs.microsoft.com/intune/). For detailed information about managing network connections to Microsoft services using Registries, Group Policies, or UI see [Manage connections from Windows operating system components to Microsoft services](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services). -Note that the Get Help and Give us Feedback links in Windows may no longer work after applying some or all of the MDM/CSP settings. However, we are always striving to improve our documentation and welcome your feedback. You can provide feedback by sending email to telmhelp@microsoft.com. +Note that the **Get Help** and **Give us Feedback** links in Windows may no longer work after applying some or all of the MDM/CSP settings. However, we are always striving to improve our documentation and welcome your feedback. You can provide feedback by sending email to **telmhelp@microsoft.com**. -The endpoints for the MDM Allowed Traffic are in the [Allowed Traffic](#bkmk-mdm-allowedtraffic). +The "Allowed Traffic" endpoints for an MDM configuration are here: [Allowed Traffic](#bkmk-mdm-allowedtraffic). ### Settings for Windows 10 Enterprise edition 1903 and newer From 1d6f823b33fd78059ee94029dcbe23c04b080bd2 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Wed, 21 Aug 2019 17:19:06 -0700 Subject: [PATCH 09/46] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...ws-operating-system-components-to-microsoft-services.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index d601a9e3c9..8f669c13c1 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -48,6 +48,11 @@ To use Microsoft InTune cloud based device management for restricting traffic pl We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com. +We are always striving to improve our documentation and welcome your feedback. You can provide feedback by sending email to **telmhelp@microsoft.com**. + +The "Allowed Traffic" endpoints for are listed here: [Allowed Traffic](#bkmk-allowedtraffic). + + ## Management options for each setting The following sections list the components that make network connections to Microsoft services by default. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure diagnostic data at the Security level, turn off Windows Defender diagnostic data and MSRT (Malicious Software Removal Tool) reporting, and turn off all of these connections. @@ -1884,7 +1889,7 @@ For China releases of Windows 10 there is one additional Regkey to be set to pre - Add a REG_DWORD value named **HapDownloadEnabled** to **HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LexiconUpdate\\loc_0804** and set the value to 0. - +### |**Allowed traffic endpoints** | | --- | |activation-v2.sls.microsoft.com/*| From c454c4c54ab3f639a8ace433708a52a3c675125e Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Wed, 21 Aug 2019 17:22:21 -0700 Subject: [PATCH 10/46] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...dows-operating-system-components-to-microsoft-services.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 8f669c13c1..e3e434d433 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -14,7 +14,7 @@ ms.author: dansimp manager: dansimp ms.collection: M365-security-compliance ms.topic: article -ms.date: 08/21/2019 +ms.date: 8/21/2019 --- # Manage connections from Windows operating system components to Microsoft services @@ -1889,7 +1889,8 @@ For China releases of Windows 10 there is one additional Regkey to be set to pre - Add a REG_DWORD value named **HapDownloadEnabled** to **HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LexiconUpdate\\loc_0804** and set the value to 0. -### +### Allowed traffic list for Windows Restricted Traffic Limited Functionality Baseline + |**Allowed traffic endpoints** | | --- | |activation-v2.sls.microsoft.com/*| From 3c057242e8e9cae8935459cae52f2049db97a938 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Wed, 21 Aug 2019 17:23:17 -0700 Subject: [PATCH 11/46] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...windows-operating-system-components-to-microsoft-services.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index e3e434d433..33e406f622 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -1889,6 +1889,8 @@ For China releases of Windows 10 there is one additional Regkey to be set to pre - Add a REG_DWORD value named **HapDownloadEnabled** to **HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LexiconUpdate\\loc_0804** and set the value to 0. + + ### Allowed traffic list for Windows Restricted Traffic Limited Functionality Baseline |**Allowed traffic endpoints** | From 9aa05d0ba0cd277fea6afffe52c6703bba9d3ee8 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Wed, 21 Aug 2019 17:24:19 -0700 Subject: [PATCH 12/46] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...windows-operating-system-components-to-microsoft-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 33e406f622..816758c823 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -1889,7 +1889,7 @@ For China releases of Windows 10 there is one additional Regkey to be set to pre - Add a REG_DWORD value named **HapDownloadEnabled** to **HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LexiconUpdate\\loc_0804** and set the value to 0. - + ### Allowed traffic list for Windows Restricted Traffic Limited Functionality Baseline From 50eb4774f17ae5a3ff4515dc89c32584c546be1b Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Wed, 21 Aug 2019 17:28:24 -0700 Subject: [PATCH 13/46] Update manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md --- ...erating-system-components-to-microsoft-services-using-MDM.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md index 78760c1120..8f83bc7aae 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md @@ -26,7 +26,7 @@ Note: CRL and OCSP network traffic is currently whitelisted and will still show Note: For security reasons you must very carefully decide which settings to configure as many of them will result in an insecure device. Examples of settings that we strongly recommend against and will result in an potentially insecure device configuration are: disabling Windows Update and disabling Windows Defender. It is not recommended to disable either of these features. -You can configure diagnostic data at the Security/Basic level, turn off Windows Defender diagnostic data and MSRT (Malicious Software Removal Tool) reporting, and turn off all other connections to Microsoft network endpoints as described in this article to help prevent Windows from sending any data to Microsoft. However, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists, which is why we *strongly* recommend against this. This data helps us deliver a secure, reliable, and more delightful personalized experience. +You can configure diagnostic data at the Security/Basic level, turn off Windows Defender diagnostic data and MSRT (Malicious Software Removal Tool) reporting, and turn off all other connections to Microsoft network endpoints as described in this article to help prevent Windows from sending any data to Microsoft. However, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists, which is why we **strongly** recommend against this. This data helps us deliver a secure, reliable, and more delightful personalized experience. You can use Microsoft Intune with MDM CSPs and custom [OMA URIs](https://docs.microsoft.com/intune/custom-settings-windows-10) to minimize connections from Windows to Microsoft services, or to configure particular privacy settings. You can configure diagnostic data at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment from the list in this article. From c346781647aaf9bc3fd2bd8ae8547d1a2e1951fd Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Wed, 21 Aug 2019 17:32:04 -0700 Subject: [PATCH 14/46] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...windows-operating-system-components-to-microsoft-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 816758c823..b670c14b58 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -50,7 +50,7 @@ We are always striving to improve our documentation and welcome your feedback. Y We are always striving to improve our documentation and welcome your feedback. You can provide feedback by sending email to **telmhelp@microsoft.com**. -The "Allowed Traffic" endpoints for are listed here: [Allowed Traffic](#bkmk-allowedtraffic). +The "Allowed Traffic" endpoints for are listed here: [Allowed Traffic](#bkmk-allowedtraffic) ## Management options for each setting From ee9f0b89622e42fab6636bc99a04a30c3acb66c0 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Wed, 21 Aug 2019 17:32:19 -0700 Subject: [PATCH 15/46] Update manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md --- ...erating-system-components-to-microsoft-services-using-MDM.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md index 8f83bc7aae..3a61737fac 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md @@ -40,7 +40,7 @@ For detailed information about managing network connections to Microsoft service Note that the **Get Help** and **Give us Feedback** links in Windows may no longer work after applying some or all of the MDM/CSP settings. However, we are always striving to improve our documentation and welcome your feedback. You can provide feedback by sending email to **telmhelp@microsoft.com**. -The "Allowed Traffic" endpoints for an MDM configuration are here: [Allowed Traffic](#bkmk-mdm-allowedtraffic). +The "Allowed Traffic" endpoints for an MDM configuration are here: [Allowed Traffic](#bkmk-mdm-allowedtraffic) ### Settings for Windows 10 Enterprise edition 1903 and newer From 70864ef2ef23f5694ee5c2cc629b9f30081a1e7f Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Wed, 21 Aug 2019 17:57:26 -0700 Subject: [PATCH 16/46] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...windows-operating-system-components-to-microsoft-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index b670c14b58..9049a2c9ec 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -33,7 +33,7 @@ Note: CRL and OCSP network traffic is currently whitelisted and will still show Note: For security reasons you must very carefully decide which settings to configure as many of them will result in an insecure device. Examples of settings that we strongly recommend against and will result in an potentially insecure device configuration are: disabling Windows Update, disabling Automatic Root Certificates Update, and disabling Windows Defender. It is not recommended to disable any of these features. -You can configure diagnostic data at the Security/Basic level, turn off Windows Defender diagnostic data and MSRT (Malicious Software Removal Tool) reporting, and turn off all other connections to Microsoft network endpoints as described in this article to help prevent Windows from sending any data to Microsoft. However, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists, which is why we **strongly** recommend against this. This data helps us deliver a secure, reliable, and more delightful personalized experience. +You can configure diagnostic data at the Security/Basic level, turn off Windows Defender diagnostic data and MSRT (Malicious Software Removal Tool) reporting, and turn off all other connections to Microsoft network endpoints as described in this article to help prevent Windows from sending any data to Microsoft. However, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists, which is why we **strongly** recommend against this. This data helps us deliver a secure, reliable, and more delightful personalized experience. Additionally, if you turn off WU and root certificate updates a wide range of web sites will produce certificate errors because they use certificates that chain to un-trusted roots. To help make it easier to deploy settings to restrict connections from Windows 10 to Microsoft, you can apply the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887) when running as an Admin user, but **before application please ensure that Windows and Windows Defender are fully up to date**. Failure to do so may result in errors. This baseline was created in the same way as the [Windows security baselines](/windows/device-security/windows-security-baselines) that are often used to efficiently configure Windows to a known secure state. From 616b6a6a8800746ec684433756906140cdc582cc Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Wed, 21 Aug 2019 17:58:44 -0700 Subject: [PATCH 17/46] Update manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md --- ...erating-system-components-to-microsoft-services-using-MDM.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md index 3a61737fac..0454326ebb 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md @@ -26,7 +26,7 @@ Note: CRL and OCSP network traffic is currently whitelisted and will still show Note: For security reasons you must very carefully decide which settings to configure as many of them will result in an insecure device. Examples of settings that we strongly recommend against and will result in an potentially insecure device configuration are: disabling Windows Update and disabling Windows Defender. It is not recommended to disable either of these features. -You can configure diagnostic data at the Security/Basic level, turn off Windows Defender diagnostic data and MSRT (Malicious Software Removal Tool) reporting, and turn off all other connections to Microsoft network endpoints as described in this article to help prevent Windows from sending any data to Microsoft. However, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists, which is why we **strongly** recommend against this. This data helps us deliver a secure, reliable, and more delightful personalized experience. +You can configure diagnostic data at the Security/Basic level, turn off Windows Defender diagnostic data and MSRT (Malicious Software Removal Tool) reporting, and turn off all other connections to Microsoft network endpoints as described in this article to help prevent Windows from sending any data to Microsoft. However, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists, which is why we **strongly** recommend against this. This data helps Microsoft deliver a secure, reliable, and more delightful personalized experience. Additionally, if you turn off Windows Update a wide range of web sites will produce certificate errors because they use certificates that will chain to un-trusted roots. You can use Microsoft Intune with MDM CSPs and custom [OMA URIs](https://docs.microsoft.com/intune/custom-settings-windows-10) to minimize connections from Windows to Microsoft services, or to configure particular privacy settings. You can configure diagnostic data at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment from the list in this article. From b4f9415e7b3c691c3aaabcdb1885bba0e31c6e12 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Wed, 21 Aug 2019 18:00:17 -0700 Subject: [PATCH 18/46] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...windows-operating-system-components-to-microsoft-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 9049a2c9ec..31ad3b2218 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -33,7 +33,7 @@ Note: CRL and OCSP network traffic is currently whitelisted and will still show Note: For security reasons you must very carefully decide which settings to configure as many of them will result in an insecure device. Examples of settings that we strongly recommend against and will result in an potentially insecure device configuration are: disabling Windows Update, disabling Automatic Root Certificates Update, and disabling Windows Defender. It is not recommended to disable any of these features. -You can configure diagnostic data at the Security/Basic level, turn off Windows Defender diagnostic data and MSRT (Malicious Software Removal Tool) reporting, and turn off all other connections to Microsoft network endpoints as described in this article to help prevent Windows from sending any data to Microsoft. However, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists, which is why we **strongly** recommend against this. This data helps us deliver a secure, reliable, and more delightful personalized experience. Additionally, if you turn off WU and root certificate updates a wide range of web sites will produce certificate errors because they use certificates that chain to un-trusted roots. +You can configure diagnostic data at the Security/Basic level, turn off Windows Defender diagnostic data and MSRT (Malicious Software Removal Tool) reporting, and turn off all other connections to Microsoft network endpoints as described in this article to help prevent Windows from sending any data to Microsoft. However, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists, which is why we **strongly** recommend against this. This data helps us deliver a secure, reliable, and more delightful personalized experience. Additionally, if you turn off Windows Update and root certificate updates a wide range of web sites will produce certificate errors because they use certificates that will chain to un-trusted roots. To help make it easier to deploy settings to restrict connections from Windows 10 to Microsoft, you can apply the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887) when running as an Admin user, but **before application please ensure that Windows and Windows Defender are fully up to date**. Failure to do so may result in errors. This baseline was created in the same way as the [Windows security baselines](/windows/device-security/windows-security-baselines) that are often used to efficiently configure Windows to a known secure state. From 0a88334b99d36bb40053a29d6364623ccf1a81b6 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Wed, 21 Aug 2019 20:07:17 -0700 Subject: [PATCH 19/46] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...windows-operating-system-components-to-microsoft-services.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 31ad3b2218..6a6a779e36 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -46,8 +46,6 @@ Note that **Get Help** and **Give us Feedback** links no longer work after the W To use Microsoft InTune cloud based device management for restricting traffic please refer to the [Manage connections from Windows operating system components to Microsoft services using MDM](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm). -We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com. - We are always striving to improve our documentation and welcome your feedback. You can provide feedback by sending email to **telmhelp@microsoft.com**. The "Allowed Traffic" endpoints for are listed here: [Allowed Traffic](#bkmk-allowedtraffic) From 87757f6a5be4febf6000119077a356657b093468 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Wed, 21 Aug 2019 20:20:44 -0700 Subject: [PATCH 20/46] Update manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md --- ...erating-system-components-to-microsoft-services-using-MDM.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md index 0454326ebb..16505fd2e7 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md @@ -38,7 +38,7 @@ For more information on Microsoft Intune please see [Transform IT service delive For detailed information about managing network connections to Microsoft services using Registries, Group Policies, or UI see [Manage connections from Windows operating system components to Microsoft services](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services). -Note that the **Get Help** and **Give us Feedback** links in Windows may no longer work after applying some or all of the MDM/CSP settings. However, we are always striving to improve our documentation and welcome your feedback. You can provide feedback by sending email to **telmhelp@microsoft.com**. +Note that the **Get Help** and **Give us Feedback** links in Windows may no longer work after applying some or all of the MDM/CSP settings. However, we are always striving to improve our documentation and welcome your feedback. You can provide feedback by sending email to telmhelp@microsoft.com. The "Allowed Traffic" endpoints for an MDM configuration are here: [Allowed Traffic](#bkmk-mdm-allowedtraffic) From 07e567f44d531389601e8b13ec859c207e3f4ee7 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Wed, 21 Aug 2019 20:21:14 -0700 Subject: [PATCH 21/46] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...windows-operating-system-components-to-microsoft-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 6a6a779e36..361191b1d1 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -46,7 +46,7 @@ Note that **Get Help** and **Give us Feedback** links no longer work after the W To use Microsoft InTune cloud based device management for restricting traffic please refer to the [Manage connections from Windows operating system components to Microsoft services using MDM](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm). -We are always striving to improve our documentation and welcome your feedback. You can provide feedback by sending email to **telmhelp@microsoft.com**. +We are always striving to improve our documentation and welcome your feedback. You can provide feedback by sending email to telmhelp@microsoft.com. The "Allowed Traffic" endpoints for are listed here: [Allowed Traffic](#bkmk-allowedtraffic) From fce1bad3d3fbc7d55389947953d14408922af0f7 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Fri, 23 Aug 2019 20:04:08 -0700 Subject: [PATCH 22/46] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...system-components-to-microsoft-services.md | 23 +++++++------------ 1 file changed, 8 insertions(+), 15 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 361191b1d1..2756e0e71a 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -25,35 +25,28 @@ ms.date: 8/21/2019 - Windows Server 2016 - Windows Server 2019 -Learn about the network connections that Windows components make to Microsoft in addition to the privacy settings that affect the data which is shared with either Microsoft or apps and how they can be managed by an IT Pro using UI, Group Policies and Registry settings. +This article describes the network connections that Windows 10 components make to Microsoft and the Windows Settings, Group Policies and Registry settings available to IT Professionals to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, there are a range of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. -If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider. You can configure diagnostic data at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment from the list in this article. +Note: CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic is currently allowed traffic and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign. -Note: CRL and OCSP network traffic is currently whitelisted and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of them, but there are many others, such as DigiCert, Thawte, Google, Symantec, and VeriSign. +Note: For security reasons, it is important to take care in deciding which settings to configure as many of them will result in a less secure device. Examples of settings that can lead to a less secure device configuration are: disabling Windows Update, disabling Automatic Root Certificates Update, and disabling Windows Defender. We do not recommended disabling any of these features. -Note: For security reasons you must very carefully decide which settings to configure as many of them will result in an insecure device. Examples of settings that we strongly recommend against and will result in an potentially insecure device configuration are: disabling Windows Update, disabling Automatic Root Certificates Update, and disabling Windows Defender. It is not recommended to disable any of these features. +You can configure diagnostic data to the Security/Basic level, turn off Windows Defender diagnostic data and MSRT reporting, and turn off all other connections to Microsoft network endpoints as described in this article to reduce the amount of data sent from Windows 10 to Microsoft. There are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists, which is why we **strongly** recommend against disabling these settings. This data helps us deliver a secure, reliable, and more delightful personalized experience. -You can configure diagnostic data at the Security/Basic level, turn off Windows Defender diagnostic data and MSRT (Malicious Software Removal Tool) reporting, and turn off all other connections to Microsoft network endpoints as described in this article to help prevent Windows from sending any data to Microsoft. However, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists, which is why we **strongly** recommend against this. This data helps us deliver a secure, reliable, and more delightful personalized experience. Additionally, if you turn off Windows Update and root certificate updates a wide range of web sites will produce certificate errors because they use certificates that will chain to un-trusted roots. +To deploy the complete list of settings below to restrict connections from Windows 10 to Microsoft, you can apply the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887) when running as an Admin user, but **before application please ensure that Windows and Windows Defender are fully up to date**. Failure to do so may result in errors. Running the Windows Restricted Traffic Limited Functionality Baseline on devices in your organization will allow you to quickly configure all of the settings covered in this document. However, some of the settings reduce the functionality and security configuration of your device and are therefore not recommended. Make sure you've chosen the right settings configuration for your environment before applying. You should not extract this package to the windows\system32 folder because it will not apply correctly. -To help make it easier to deploy settings to restrict connections from Windows 10 to Microsoft, you can apply the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887) when running as an Admin user, but **before application please ensure that Windows and Windows Defender are fully up to date**. Failure to do so may result in errors. This baseline was created in the same way as the [Windows security baselines](/windows/device-security/windows-security-baselines) that are often used to efficiently configure Windows to a known secure state. - -Running the Windows Restricted Traffic Limited Functionality Baseline on devices in your organization will allow you to quickly configure all of the settings covered in this document. However, some of the settings reduce the functionality and security configuration of your device and are therefore not recommended. Make sure you've chosen the right settings configuration for your environment before applying. -You should not extract this package to the windows\\system32 folder because it will not apply correctly. - -Applying the Windows Restricted Traffic Limited Functionality Baseline is the same as applying each setting covered in this article. -It is recommended that you restart a device after making configuration changes to it. -Note that **Get Help** and **Give us Feedback** links no longer work after the Windows Restricted Traffic Limited Functionality Baseline is applied. +Applying the Windows Restricted Traffic Limited Functionality Baseline is the same as applying each setting covered in this article. It is recommended that you restart a device after making configuration changes to it. Note that **Get Help** and **Give us Feedback** links no longer work after the Windows Restricted Traffic Limited Functionality Baseline is applied. To use Microsoft InTune cloud based device management for restricting traffic please refer to the [Manage connections from Windows operating system components to Microsoft services using MDM](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm). -We are always striving to improve our documentation and welcome your feedback. You can provide feedback by sending email to telmhelp@microsoft.com. +We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com. The "Allowed Traffic" endpoints for are listed here: [Allowed Traffic](#bkmk-allowedtraffic) ## Management options for each setting -The following sections list the components that make network connections to Microsoft services by default. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure diagnostic data at the Security level, turn off Windows Defender diagnostic data and MSRT (Malicious Software Removal Tool) reporting, and turn off all of these connections. +The following sections list the components that make network connections to Microsoft services by default. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure diagnostic data at the Security level, turn off Windows Defender diagnostic data and MSRT reporting, and turn off all of these connections. ### Settings for Windows 10 Enterprise edition From d4b3f0f086bd6b675e66e45fc07377269bd211f8 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Fri, 23 Aug 2019 23:24:59 -0700 Subject: [PATCH 23/46] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...system-components-to-microsoft-services.md | 29 +++++++++---------- 1 file changed, 14 insertions(+), 15 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 2756e0e71a..b2182c333b 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -1,5 +1,5 @@ --- -title: Manage connections from Windows operating system components to Microsoft services (Windows 10) +title: Manage connections from Windows 10 operating system components to Microsoft services description: If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider. ms.assetid: ACCEB0DD-BC6F-41B1-B359-140B242183D9 ms.reviewer: @@ -14,7 +14,7 @@ ms.author: dansimp manager: dansimp ms.collection: M365-security-compliance ms.topic: article -ms.date: 8/21/2019 +ms.date: 8/23/2019 --- # Manage connections from Windows operating system components to Microsoft services @@ -25,23 +25,22 @@ ms.date: 8/21/2019 - Windows Server 2016 - Windows Server 2019 -This article describes the network connections that Windows 10 components make to Microsoft and the Windows Settings, Group Policies and Registry settings available to IT Professionals to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, there are a range of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. +This article describes the egress network connections that Windows 10 components make to Microsoft services, and it also provides the Windows settings, Group Policies and Registry settings available to IT Professionals to help manage those connections. If you would like to minimize the connections made from Windows 10 to Microsoft services, or custom configure certain Windows components to prevent egress network connections, there are several settings described in this article which you need to consider for your specific needs. For example, using the instructions in this article you could configure diagnostic data to the lowest level and individually evaluate each of the other connections Windows 10 makes to Microsoft services. -Note: CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic is currently allowed traffic and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign. +Note: CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) egress traffic is currently allowed traffic and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities and there are others such as DigiCert, Google, Symantec, Thawte, and VeriSign. -Note: For security reasons, it is important to take care in deciding which settings to configure as many of them will result in a less secure device. Examples of settings that can lead to a less secure device configuration are: disabling Windows Update, disabling Automatic Root Certificates Update, and disabling Windows Defender. We do not recommended disabling any of these features. +For security reasons, it is important to carefully decide which settings to configure since several important settings will result in a less secure device. Examples of these settings are: Windows Update, Automatic Root Certificates Update, and Windows Defender. We do not recommended disabling any of these features as they help Microsoft deliver a secure, reliable, and more delightful personalized experience. -You can configure diagnostic data to the Security/Basic level, turn off Windows Defender diagnostic data and MSRT reporting, and turn off all other connections to Microsoft network endpoints as described in this article to reduce the amount of data sent from Windows 10 to Microsoft. There are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists, which is why we **strongly** recommend against disabling these settings. This data helps us deliver a secure, reliable, and more delightful personalized experience. +However, if you still wish to quickly configure all of the settings covered in this article you can do so by running the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887) script on devices in your organization. This is an automated script to help IT Professionals apply all the settings easily and accurately. **Before running the script ensure that Windows 10 and Windows Defender are fully up to date**. Failure to do so may result in errors or unexpected behavior. Here are a few important deployment notes in the event you decide to run the Windows Restricted Traffic Limited Functionality Baseline script: +• You should not extract this package to the windows\system32 folder because it will not apply correctly +• It is recommended that you restart the device after making configuration changes to it. +• **Get Help** and **Give us Feedback** links no longer work after the Windows Restricted Traffic Limited Functionality Baseline has been applied. -To deploy the complete list of settings below to restrict connections from Windows 10 to Microsoft, you can apply the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887) when running as an Admin user, but **before application please ensure that Windows and Windows Defender are fully up to date**. Failure to do so may result in errors. Running the Windows Restricted Traffic Limited Functionality Baseline on devices in your organization will allow you to quickly configure all of the settings covered in this document. However, some of the settings reduce the functionality and security configuration of your device and are therefore not recommended. Make sure you've chosen the right settings configuration for your environment before applying. You should not extract this package to the windows\system32 folder because it will not apply correctly. +To use Microsoft Intune cloud based device management for restricting traffic please refer to the [Manage connections from Windows operating system components to Microsoft services using MDM](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm). -Applying the Windows Restricted Traffic Limited Functionality Baseline is the same as applying each setting covered in this article. It is recommended that you restart a device after making configuration changes to it. Note that **Get Help** and **Give us Feedback** links no longer work after the Windows Restricted Traffic Limited Functionality Baseline is applied. +We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting **telmhelp@microsoft.com**. -To use Microsoft InTune cloud based device management for restricting traffic please refer to the [Manage connections from Windows operating system components to Microsoft services using MDM](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm). - -We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com. - -The "Allowed Traffic" endpoints for are listed here: [Allowed Traffic](#bkmk-allowedtraffic) +The "Allowed Traffic" endpoints are listed at the bottom of this article. To jump to that section click: [Allowed Traffic](#bkmk-allowedtraffic) ## Management options for each setting @@ -259,7 +258,7 @@ On Windows Server 2016 Nano Server: - Create the registry path **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\AuthRoot** and then add a REG_DWORD registry setting, named **DisableRootAutoUpdate**, with a value of 1. >[!NOTE] ->CRL and OCSP network traffic is currently whitelisted and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of them, but there are many others, such as DigiCert, Thawte, Google, Symantec, and VeriSign. +>CRL and OCSP network traffic is currently Allowed Traffic and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of them, but there are many others, such as DigiCert, Thawte, Google, Symantec, and VeriSign. ### 2. Cortana and Search @@ -389,7 +388,7 @@ Windows Insider Preview builds only apply to Windows 10 and are not available fo > [!NOTE] -> If you upgrade a device that is configured to minimize connections from Windows to Microsoft services (that is, a device configured for zero exhaust) to a Windows Insider Preview build, the Feedback & Diagnostic setting will automatically be set to **Full**. Although the diagnostic data level may initially appear as **Basic**, a few hours after the UI is refreshed or the machine is rebooted, the setting will become **Full**. +> If you upgrade a device that is configured to minimize connections from Windows to Microsoft services (that is, a device configured for Restricted Traffic) to a Windows Insider Preview build, the Feedback & Diagnostic setting will automatically be set to **Full**. Although the diagnostic data level may initially appear as **Basic**, a few hours after the UI is refreshed or the machine is rebooted, the setting will become **Full**. To turn off Insider Preview builds for a released version of Windows 10: From e58e97c7026a96dad3882bf8feff0863a5a70f65 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Fri, 23 Aug 2019 23:26:19 -0700 Subject: [PATCH 24/46] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...ws-operating-system-components-to-microsoft-services.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index b2182c333b..3c359f2303 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -32,9 +32,10 @@ Note: CRL (Certificate Revocation List) and OCSP (Online Certificate Status Prot For security reasons, it is important to carefully decide which settings to configure since several important settings will result in a less secure device. Examples of these settings are: Windows Update, Automatic Root Certificates Update, and Windows Defender. We do not recommended disabling any of these features as they help Microsoft deliver a secure, reliable, and more delightful personalized experience. However, if you still wish to quickly configure all of the settings covered in this article you can do so by running the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887) script on devices in your organization. This is an automated script to help IT Professionals apply all the settings easily and accurately. **Before running the script ensure that Windows 10 and Windows Defender are fully up to date**. Failure to do so may result in errors or unexpected behavior. Here are a few important deployment notes in the event you decide to run the Windows Restricted Traffic Limited Functionality Baseline script: -• You should not extract this package to the windows\system32 folder because it will not apply correctly -• It is recommended that you restart the device after making configuration changes to it. -• **Get Help** and **Give us Feedback** links no longer work after the Windows Restricted Traffic Limited Functionality Baseline has been applied. + +- You should not extract this package to the windows\system32 folder because it will not apply correctly +- It is recommended that you restart the device after making configuration changes to it. +- **Get Help** and **Give us Feedback** links no longer work after the Windows Restricted Traffic Limited Functionality Baseline has been applied. To use Microsoft Intune cloud based device management for restricting traffic please refer to the [Manage connections from Windows operating system components to Microsoft services using MDM](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm). From ae05231c212f5bebac8fa81f24a695f92be0ed7c Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Fri, 23 Aug 2019 23:28:05 -0700 Subject: [PATCH 25/46] Update manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md --- ...ating-system-components-to-microsoft-services-using-MDM.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md index 16505fd2e7..3a7eed115d 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.localizationpriority: medium author: medgarmedgar ms.author: v-medgar -ms.date: 8/21/2019 +ms.date: 8/23/2019 --- # Manage connections from Windows operating system components to Microsoft services using Microsoft Intune MDM Server @@ -22,7 +22,7 @@ Learn about the network connections that Windows components make to Microsoft in If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider. You can configure diagnostic data at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment from the list in this article. -Note: CRL and OCSP network traffic is currently whitelisted and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of them, but there are many others, such as DigiCert, Thawte, Google, Symantec, and VeriSign. +Note: CRL and OCSP network traffic is currently Allowed Traffic and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of them, but there are many others, such as DigiCert, Thawte, Google, Symantec, and VeriSign. Note: For security reasons you must very carefully decide which settings to configure as many of them will result in an insecure device. Examples of settings that we strongly recommend against and will result in an potentially insecure device configuration are: disabling Windows Update and disabling Windows Defender. It is not recommended to disable either of these features. From e9e744962ad75f1d2e3298356b896a6a67a7afdf Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Fri, 23 Aug 2019 23:33:54 -0700 Subject: [PATCH 26/46] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...windows-operating-system-components-to-microsoft-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 3c359f2303..6e22b2c01d 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -27,7 +27,7 @@ ms.date: 8/23/2019 This article describes the egress network connections that Windows 10 components make to Microsoft services, and it also provides the Windows settings, Group Policies and Registry settings available to IT Professionals to help manage those connections. If you would like to minimize the connections made from Windows 10 to Microsoft services, or custom configure certain Windows components to prevent egress network connections, there are several settings described in this article which you need to consider for your specific needs. For example, using the instructions in this article you could configure diagnostic data to the lowest level and individually evaluate each of the other connections Windows 10 makes to Microsoft services. -Note: CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) egress traffic is currently allowed traffic and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities and there are others such as DigiCert, Google, Symantec, Thawte, and VeriSign. +Note: Even if all of the settings described in this article are applied CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) egress traffic will still exist since it is Allowed Traffic. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities and there are others such as DigiCert, Google, Symantec, Thawte, and VeriSign. For security reasons, it is important to carefully decide which settings to configure since several important settings will result in a less secure device. Examples of these settings are: Windows Update, Automatic Root Certificates Update, and Windows Defender. We do not recommended disabling any of these features as they help Microsoft deliver a secure, reliable, and more delightful personalized experience. From fc65d55d5eb465170e7766662bb2a3934e8c905a Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Sat, 24 Aug 2019 00:52:46 -0700 Subject: [PATCH 27/46] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...windows-operating-system-components-to-microsoft-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 6e22b2c01d..80bf7d294c 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -39,7 +39,7 @@ However, if you still wish to quickly configure all of the settings covered in t To use Microsoft Intune cloud based device management for restricting traffic please refer to the [Manage connections from Windows operating system components to Microsoft services using MDM](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm). -We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting **telmhelp@microsoft.com**. +We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting **telmhelp**@**microsoft.com**. The "Allowed Traffic" endpoints are listed at the bottom of this article. To jump to that section click: [Allowed Traffic](#bkmk-allowedtraffic) From e5f2ad87a92a599575e21846bf67a6098d78a10a Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Sat, 24 Aug 2019 01:59:30 -0700 Subject: [PATCH 28/46] Update manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md --- ...ponents-to-microsoft-services-using-MDM.md | 21 ++++++------------- 1 file changed, 6 insertions(+), 15 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md index 3a7eed115d..24488f94c9 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md @@ -12,36 +12,27 @@ ms.author: v-medgar ms.date: 8/23/2019 --- -# Manage connections from Windows operating system components to Microsoft services using Microsoft Intune MDM Server +# Manage connections from Windows 10 operating system components to Microsoft services using Microsoft Intune MDM Server **Applies to** - Windows 10 Enterprise 1903 version and newer -Learn about the network connections that Windows components make to Microsoft in addition to the privacy settings that affect the data which is shared with either Microsoft or apps and how they can be managed by an IT Pro using MDM/CSP and custom OMA URIs policies. +This article describes the egress network connections that Windows 10 components make to Microsoft services, and it also provides the Mobile Device Management/Configuration Service Provider (MDM/CSP) and custom Open Mobile Alliance Uniform Resource Identifier ([OMA URI](https://docs.microsoft.com/intune/custom-settings-windows-10)) policies available to IT Professionals to help manage those connections. If you would like to reduce the connections made from Windows 10 to Microsoft services, or custom configure certain Windows components to help reduce egress network connections, there are several settings described in this article which you need to consider for your specific needs. For example, using the instructions in this article you could configure diagnostic data to the lowest level and individually evaluate each of the other connections Windows 10 makes to Microsoft services. -If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider. You can configure diagnostic data at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment from the list in this article. +Note: Even if all of the settings described in this article are applied CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) egress traffic will still exist since it is “Allowed Traffic”. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities and there are others such as DigiCert, Google, Symantec, Thawte, and VeriSign. Additionally, there is some traffic which is specifically required for the Microsoft Intune based management of Windows 10 devices. This traffic includes Windows Notifications Service (WNS), Automatic Root Certificates Update (ARCU), and some Windows Update related traffic. The aforementioned traffic comprises the "Allowed Traffic" for Microsoft Intune MDM Server to manage Windows 10 devices. -Note: CRL and OCSP network traffic is currently Allowed Traffic and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of them, but there are many others, such as DigiCert, Thawte, Google, Symantec, and VeriSign. - -Note: For security reasons you must very carefully decide which settings to configure as many of them will result in an insecure device. Examples of settings that we strongly recommend against and will result in an potentially insecure device configuration are: disabling Windows Update and disabling Windows Defender. It is not recommended to disable either of these features. - -You can configure diagnostic data at the Security/Basic level, turn off Windows Defender diagnostic data and MSRT (Malicious Software Removal Tool) reporting, and turn off all other connections to Microsoft network endpoints as described in this article to help prevent Windows from sending any data to Microsoft. However, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists, which is why we **strongly** recommend against this. This data helps Microsoft deliver a secure, reliable, and more delightful personalized experience. Additionally, if you turn off Windows Update a wide range of web sites will produce certificate errors because they use certificates that will chain to un-trusted roots. - -You can use Microsoft Intune with MDM CSPs and custom [OMA URIs](https://docs.microsoft.com/intune/custom-settings-windows-10) to minimize connections from Windows to Microsoft services, or to configure particular privacy settings. You can configure diagnostic data at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment from the list in this article. +For security reasons, it is important to carefully decide which settings to configure since several important settings will result in a less secure device. In an MDM configuration examples of these settings are Windows Update and Windows Defender. We do not recommended disabling these features as they help Microsoft deliver a secure, reliable, and more delightful personalized experience. To ensure CSPs take priority over Group Policies in case of conflicts, use the [ControlPolicyConflict](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy. -There is some traffic which is required (i.e. "Allowed Traffic") for the operation of Windows and Microsoft Intune based management. This traffic includes CRL and OCSP network traffic which will show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of them, but there are many others, such as DigiCert, Thawte, Google, Symantec, and VeriSign. Additional "Allowed Traffic" specifically for MDM managed devices includes Windows Notification Service related traffic as well as some specific Microsoft Intune and Windows Update related traffic. - For more information on Microsoft Intune please see [Transform IT service delivery for your modern workplace](https://www.microsoft.com/en-us/enterprise-mobility-security/microsoft-intune?rtc=1) and [Microsoft Intune documentation](https://docs.microsoft.com/intune/). For detailed information about managing network connections to Microsoft services using Registries, Group Policies, or UI see [Manage connections from Windows operating system components to Microsoft services](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services). -Note that the **Get Help** and **Give us Feedback** links in Windows may no longer work after applying some or all of the MDM/CSP settings. However, we are always striving to improve our documentation and welcome your feedback. You can provide feedback by sending email to telmhelp@microsoft.com. - -The "Allowed Traffic" endpoints for an MDM configuration are here: [Allowed Traffic](#bkmk-mdm-allowedtraffic) +Note that the **Get Help** and **Give us Feedback** links in Windows may no longer work after applying some or all of the MDM/CSP settings. However, we are always striving to improve our documentation and welcome your feedback. You can provide feedback by sending email to **telmhelp**@**microsoft.com**. +The "Allowed Traffic" endpoints are listed at the bottom of this article. To jump to that section click: [Allowed Traffic](#bkmk-mdm-allowedtraffic) ### Settings for Windows 10 Enterprise edition 1903 and newer From a21367b5a30534fa3c89a878bdaba123b7617dae Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Sat, 24 Aug 2019 07:11:43 -0700 Subject: [PATCH 29/46] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...windows-operating-system-components-to-microsoft-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 80bf7d294c..13946a3935 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -17,7 +17,7 @@ ms.topic: article ms.date: 8/23/2019 --- -# Manage connections from Windows operating system components to Microsoft services +# Manage connections from Windows 10 operating system components to Microsoft services **Applies to** From 91ac3260421c7940b2cee0971e90c1eb88634915 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Sat, 24 Aug 2019 07:26:14 -0700 Subject: [PATCH 30/46] Update manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md --- ...erating-system-components-to-microsoft-services-using-MDM.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md index 24488f94c9..ff74b27252 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md @@ -22,7 +22,7 @@ This article describes the egress network connections that Windows 10 components Note: Even if all of the settings described in this article are applied CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) egress traffic will still exist since it is “Allowed Traffic”. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities and there are others such as DigiCert, Google, Symantec, Thawte, and VeriSign. Additionally, there is some traffic which is specifically required for the Microsoft Intune based management of Windows 10 devices. This traffic includes Windows Notifications Service (WNS), Automatic Root Certificates Update (ARCU), and some Windows Update related traffic. The aforementioned traffic comprises the "Allowed Traffic" for Microsoft Intune MDM Server to manage Windows 10 devices. -For security reasons, it is important to carefully decide which settings to configure since several important settings will result in a less secure device. In an MDM configuration examples of these settings are Windows Update and Windows Defender. We do not recommended disabling these features as they help Microsoft deliver a secure, reliable, and more delightful personalized experience. +For security reasons, it is important to carefully decide which settings to configure since several important settings will result in a less secure device. In a MDM configuration examples of these settings are Windows Update and Windows Defender. We do not recommended disabling these features as they help Microsoft deliver a secure, reliable, and more delightful personalized experience. To ensure CSPs take priority over Group Policies in case of conflicts, use the [ControlPolicyConflict](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy. From 97e9ebd860b6ee6d4feb3566a9932386ea5ffc6b Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Sat, 24 Aug 2019 13:08:22 -0700 Subject: [PATCH 31/46] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...system-components-to-microsoft-services.md | 26 +++++++++++-------- 1 file changed, 15 insertions(+), 11 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 13946a3935..044d9f5ae2 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -25,23 +25,27 @@ ms.date: 8/23/2019 - Windows Server 2016 - Windows Server 2019 -This article describes the egress network connections that Windows 10 components make to Microsoft services, and it also provides the Windows settings, Group Policies and Registry settings available to IT Professionals to help manage those connections. If you would like to minimize the connections made from Windows 10 to Microsoft services, or custom configure certain Windows components to prevent egress network connections, there are several settings described in this article which you need to consider for your specific needs. For example, using the instructions in this article you could configure diagnostic data to the lowest level and individually evaluate each of the other connections Windows 10 makes to Microsoft services. +This article describes the network connections that Windows 10 components make to Microsoft and the Windows settings, Group Policies and registry settings available to IT Professionals to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a number of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience. -Note: Even if all of the settings described in this article are applied CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) egress traffic will still exist since it is Allowed Traffic. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities and there are others such as DigiCert, Google, Symantec, Thawte, and VeriSign. +Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887) package that will allow your organization to quickly configure the settings covered in this document to restrict connections from Windows 10 to Microsoft. The Windows Restricted Traffic Limited Baseline is based on [Group Policy Administrative Template](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) functionality and the package you download contains further instructions on how to deploy to devices in your organization. Since some of the settings can reduce the functionality and security configuration of your device, **before deploying Windows Restricted Traffic Limited Functionality Baseline** make sure you **choose the right settings configuration for your environment** and **ensure that Windows and Windows Defender are fully up to date**. Failure to do so may result in errors or unexpected behavior. You should not extract this package to the windows\system32 folder because it will not apply correctly. -For security reasons, it is important to carefully decide which settings to configure since several important settings will result in a less secure device. Examples of these settings are: Windows Update, Automatic Root Certificates Update, and Windows Defender. We do not recommended disabling any of these features as they help Microsoft deliver a secure, reliable, and more delightful personalized experience. +Notes: +- The Allowed Traffic endpoints are listed here: Allowed Traffic. + -- CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign. +- For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device. Examples of settings that can lead to a less secure device configuration include: disabling Windows Update, disabling Automatic Root Certificates Update, and disabling Windows Defender. Accordingly, we do not recommend disabling any of these features. +- It is recommended that you restart a device after making configuration changes to it. +- The Get Help and Give us Feedback links no longer work after the Windows Restricted Traffic Limited Functionality Baseline is applied. -However, if you still wish to quickly configure all of the settings covered in this article you can do so by running the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887) script on devices in your organization. This is an automated script to help IT Professionals apply all the settings easily and accurately. **Before running the script ensure that Windows 10 and Windows Defender are fully up to date**. Failure to do so may result in errors or unexpected behavior. Here are a few important deployment notes in the event you decide to run the Windows Restricted Traffic Limited Functionality Baseline script: - -- You should not extract this package to the windows\system32 folder because it will not apply correctly -- It is recommended that you restart the device after making configuration changes to it. -- **Get Help** and **Give us Feedback** links no longer work after the Windows Restricted Traffic Limited Functionality Baseline has been applied. - -To use Microsoft Intune cloud based device management for restricting traffic please refer to the [Manage connections from Windows operating system components to Microsoft services using MDM](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm). +To use Microsoft InTune cloud based device management for restricting traffic please refer to the [Manage connections from Windows operating system components to Microsoft services using MDM](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm) We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting **telmhelp**@**microsoft.com**. -The "Allowed Traffic" endpoints are listed at the bottom of this article. To jump to that section click: [Allowed Traffic](#bkmk-allowedtraffic) +Management options for each setting + +The following sections list the components that make network connections to Microsoft services by default. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure diagnostic data at the Security level, turn off Windows Defender diagnostic data and MSRT reporting, and turn off all of these connections. +Settings for Windows 10 Enterprise edition + +The following table lists management options for each setting, beginning with Windows 10 Enterprise version 1607. ## Management options for each setting From e4a2ce9c73e2d121ce950a7da2a258ad48583362 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Sat, 24 Aug 2019 13:10:57 -0700 Subject: [PATCH 32/46] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...windows-operating-system-components-to-microsoft-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 044d9f5ae2..ef4a10105a 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -31,7 +31,7 @@ Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline] Notes: - The Allowed Traffic endpoints are listed here: Allowed Traffic. - -- CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign. + - CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign. - For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device. Examples of settings that can lead to a less secure device configuration include: disabling Windows Update, disabling Automatic Root Certificates Update, and disabling Windows Defender. Accordingly, we do not recommend disabling any of these features. - It is recommended that you restart a device after making configuration changes to it. - The Get Help and Give us Feedback links no longer work after the Windows Restricted Traffic Limited Functionality Baseline is applied. From 40fb5d959d1df702447664a837eddf365229d258 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Sat, 24 Aug 2019 13:13:25 -0700 Subject: [PATCH 33/46] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...windows-operating-system-components-to-microsoft-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index ef4a10105a..fbee2a8966 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -30,7 +30,7 @@ This article describes the network connections that Windows 10 components make t Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887) package that will allow your organization to quickly configure the settings covered in this document to restrict connections from Windows 10 to Microsoft. The Windows Restricted Traffic Limited Baseline is based on [Group Policy Administrative Template](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) functionality and the package you download contains further instructions on how to deploy to devices in your organization. Since some of the settings can reduce the functionality and security configuration of your device, **before deploying Windows Restricted Traffic Limited Functionality Baseline** make sure you **choose the right settings configuration for your environment** and **ensure that Windows and Windows Defender are fully up to date**. Failure to do so may result in errors or unexpected behavior. You should not extract this package to the windows\system32 folder because it will not apply correctly. Notes: -- The Allowed Traffic endpoints are listed here: Allowed Traffic. +- The Allowed Traffic endpoints are listed here: [Allowed Traffic](g#bkmk-allowedtraffic). - CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign. - For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device. Examples of settings that can lead to a less secure device configuration include: disabling Windows Update, disabling Automatic Root Certificates Update, and disabling Windows Defender. Accordingly, we do not recommend disabling any of these features. - It is recommended that you restart a device after making configuration changes to it. From 9274955165c033f33b1af6c92eefaf01d8980dfb Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Sat, 24 Aug 2019 13:13:54 -0700 Subject: [PATCH 34/46] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...windows-operating-system-components-to-microsoft-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index fbee2a8966..fe5c71d2cf 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -30,7 +30,7 @@ This article describes the network connections that Windows 10 components make t Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887) package that will allow your organization to quickly configure the settings covered in this document to restrict connections from Windows 10 to Microsoft. The Windows Restricted Traffic Limited Baseline is based on [Group Policy Administrative Template](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) functionality and the package you download contains further instructions on how to deploy to devices in your organization. Since some of the settings can reduce the functionality and security configuration of your device, **before deploying Windows Restricted Traffic Limited Functionality Baseline** make sure you **choose the right settings configuration for your environment** and **ensure that Windows and Windows Defender are fully up to date**. Failure to do so may result in errors or unexpected behavior. You should not extract this package to the windows\system32 folder because it will not apply correctly. Notes: -- The Allowed Traffic endpoints are listed here: [Allowed Traffic](g#bkmk-allowedtraffic). +- The Allowed Traffic endpoints are listed here: [Allowed Traffic](#bkmk-allowedtraffic). - CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign. - For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device. Examples of settings that can lead to a less secure device configuration include: disabling Windows Update, disabling Automatic Root Certificates Update, and disabling Windows Defender. Accordingly, we do not recommend disabling any of these features. - It is recommended that you restart a device after making configuration changes to it. From 0a084d561bf646b7d77802807c8e7f526ea7d136 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Sat, 24 Aug 2019 13:23:26 -0700 Subject: [PATCH 35/46] Update manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md --- ...mponents-to-microsoft-services-using-MDM.md | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md index ff74b27252..db0fafaefa 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md @@ -18,21 +18,23 @@ ms.date: 8/23/2019 - Windows 10 Enterprise 1903 version and newer -This article describes the egress network connections that Windows 10 components make to Microsoft services, and it also provides the Mobile Device Management/Configuration Service Provider (MDM/CSP) and custom Open Mobile Alliance Uniform Resource Identifier ([OMA URI](https://docs.microsoft.com/intune/custom-settings-windows-10)) policies available to IT Professionals to help manage those connections. If you would like to reduce the connections made from Windows 10 to Microsoft services, or custom configure certain Windows components to help reduce egress network connections, there are several settings described in this article which you need to consider for your specific needs. For example, using the instructions in this article you could configure diagnostic data to the lowest level and individually evaluate each of the other connections Windows 10 makes to Microsoft services. -Note: Even if all of the settings described in this article are applied CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) egress traffic will still exist since it is “Allowed Traffic”. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities and there are others such as DigiCert, Google, Symantec, Thawte, and VeriSign. Additionally, there is some traffic which is specifically required for the Microsoft Intune based management of Windows 10 devices. This traffic includes Windows Notifications Service (WNS), Automatic Root Certificates Update (ARCU), and some Windows Update related traffic. The aforementioned traffic comprises the "Allowed Traffic" for Microsoft Intune MDM Server to manage Windows 10 devices. +This article describes the network connections that Windows 10 components make to Microsoft and the Mobile Device Management/Configuration Service Provider (MDM/CSP) and custom Open Mobile Alliance Uniform Resource Identifier ([OMA URI](https://docs.microsoft.com/intune/custom-settings-windows-10)) policies available to IT Professionals using Microsoft InTune to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a range of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience. -For security reasons, it is important to carefully decide which settings to configure since several important settings will result in a less secure device. In a MDM configuration examples of these settings are Windows Update and Windows Defender. We do not recommended disabling these features as they help Microsoft deliver a secure, reliable, and more delightful personalized experience. - -To ensure CSPs take priority over Group Policies in case of conflicts, use the [ControlPolicyConflict](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy. +Notes: +- The Allowed Traffic endpoints for an MDM configuration are here: Allowed Traffic + - CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign. +- There is some traffic which is specifically required for the Microsoft Intune based management of Windows 10 devices. This traffic includes Windows Notifications Service (WNS), Automatic Root Certificates Update (ARCU), and some Windows Update related traffic. The aforementioned traffic comprises the Allowed Traffic for Microsoft Intune MDM Server to manage Windows 10 devices. +- For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device. Examples of settings that can lead to a less secure device configuration include: disabling Windows Update, disabling Automatic Root Certificates Update, and disabling Windows Defender. Accordingly, we do not recommend disabling any of these features. +- To ensure CSPs take priority over Group Policies in case of conflicts, use the [ControlPolicyConflict](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy. +- The **Get Help** and **Give us Feedback** links in Windows may no longer work after applying some or all of the MDM/CSP settings. For more information on Microsoft Intune please see [Transform IT service delivery for your modern workplace](https://www.microsoft.com/en-us/enterprise-mobility-security/microsoft-intune?rtc=1) and [Microsoft Intune documentation](https://docs.microsoft.com/intune/). -For detailed information about managing network connections to Microsoft services using Registries, Group Policies, or UI see [Manage connections from Windows operating system components to Microsoft services](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services). +For detailed information about managing network connections to Microsoft services using Windows Settings, Group Policies and Registry settings see [Manage connections from Windows operating system components to Microsoft services](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services). -Note that the **Get Help** and **Give us Feedback** links in Windows may no longer work after applying some or all of the MDM/CSP settings. However, we are always striving to improve our documentation and welcome your feedback. You can provide feedback by sending email to **telmhelp**@**microsoft.com**. +We are always striving to improve our documentation and welcome your feedback. You can provide feedback by sending email to **telmhelp**@**microsoft.com**. -The "Allowed Traffic" endpoints are listed at the bottom of this article. To jump to that section click: [Allowed Traffic](#bkmk-mdm-allowedtraffic) ### Settings for Windows 10 Enterprise edition 1903 and newer From 39d7719f50fd33578d2598ce64b8252441afe81c Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Sat, 24 Aug 2019 13:24:44 -0700 Subject: [PATCH 36/46] Update manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md --- ...erating-system-components-to-microsoft-services-using-MDM.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md index db0fafaefa..65b08b68f4 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md @@ -31,7 +31,7 @@ Notes: For more information on Microsoft Intune please see [Transform IT service delivery for your modern workplace](https://www.microsoft.com/en-us/enterprise-mobility-security/microsoft-intune?rtc=1) and [Microsoft Intune documentation](https://docs.microsoft.com/intune/). -For detailed information about managing network connections to Microsoft services using Windows Settings, Group Policies and Registry settings see [Manage connections from Windows operating system components to Microsoft services](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services). +For detailed information about managing network connections to Microsoft services using Windows Settings, Group Policies and Registry settings see [Manage connections from Windows 10 operating system components to Microsoft services](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services). We are always striving to improve our documentation and welcome your feedback. You can provide feedback by sending email to **telmhelp**@**microsoft.com**. From 7572ccf2bf06d57a6904b63294139dc9b7b4285b Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Sat, 24 Aug 2019 13:26:26 -0700 Subject: [PATCH 37/46] Update manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md --- ...erating-system-components-to-microsoft-services-using-MDM.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md index 65b08b68f4..91c6c9320f 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md @@ -22,7 +22,7 @@ ms.date: 8/23/2019 This article describes the network connections that Windows 10 components make to Microsoft and the Mobile Device Management/Configuration Service Provider (MDM/CSP) and custom Open Mobile Alliance Uniform Resource Identifier ([OMA URI](https://docs.microsoft.com/intune/custom-settings-windows-10)) policies available to IT Professionals using Microsoft InTune to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a range of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience. Notes: -- The Allowed Traffic endpoints for an MDM configuration are here: Allowed Traffic +- The Allowed Traffic endpoints for an MDM configuration are here: [Allowed Traffic](#bkmk-mdm-allowedtraffic) - CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign. - There is some traffic which is specifically required for the Microsoft Intune based management of Windows 10 devices. This traffic includes Windows Notifications Service (WNS), Automatic Root Certificates Update (ARCU), and some Windows Update related traffic. The aforementioned traffic comprises the Allowed Traffic for Microsoft Intune MDM Server to manage Windows 10 devices. - For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device. Examples of settings that can lead to a less secure device configuration include: disabling Windows Update, disabling Automatic Root Certificates Update, and disabling Windows Defender. Accordingly, we do not recommend disabling any of these features. From 7267e5adeb04122fd931d6852a3bcfb93ee87b81 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Sat, 24 Aug 2019 13:27:32 -0700 Subject: [PATCH 38/46] Update manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md --- ...erating-system-components-to-microsoft-services-using-MDM.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md index 91c6c9320f..ecf093ed88 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md @@ -19,7 +19,7 @@ ms.date: 8/23/2019 - Windows 10 Enterprise 1903 version and newer -This article describes the network connections that Windows 10 components make to Microsoft and the Mobile Device Management/Configuration Service Provider (MDM/CSP) and custom Open Mobile Alliance Uniform Resource Identifier ([OMA URI](https://docs.microsoft.com/intune/custom-settings-windows-10)) policies available to IT Professionals using Microsoft InTune to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a range of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience. +This article describes the network connections that Windows 10 components make to Microsoft and the Mobile Device Management/Configuration Service Provider (MDM/CSP) and custom Open Mobile Alliance Uniform Resource Identifier ([OMA URI](https://docs.microsoft.com/intune/custom-settings-windows-10)) policies available to IT Professionals using Microsoft Intune to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a range of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience. Notes: - The Allowed Traffic endpoints for an MDM configuration are here: [Allowed Traffic](#bkmk-mdm-allowedtraffic) From c8bb10ec4e1c74ac0b4385e75e961880b3b5e66a Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Sat, 24 Aug 2019 13:28:37 -0700 Subject: [PATCH 39/46] Update manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md --- ...erating-system-components-to-microsoft-services-using-MDM.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md index ecf093ed88..efef6e3119 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md @@ -24,7 +24,7 @@ This article describes the network connections that Windows 10 components make t Notes: - The Allowed Traffic endpoints for an MDM configuration are here: [Allowed Traffic](#bkmk-mdm-allowedtraffic) - CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign. -- There is some traffic which is specifically required for the Microsoft Intune based management of Windows 10 devices. This traffic includes Windows Notifications Service (WNS), Automatic Root Certificates Update (ARCU), and some Windows Update related traffic. The aforementioned traffic comprises the Allowed Traffic for Microsoft Intune MDM Server to manage Windows 10 devices. + - There is some traffic which is specifically required for the Microsoft Intune based management of Windows 10 devices. This traffic includes Windows Notifications Service (WNS), Automatic Root Certificates Update (ARCU), and some Windows Update related traffic. The aforementioned traffic comprises the Allowed Traffic for Microsoft Intune MDM Server to manage Windows 10 devices. - For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device. Examples of settings that can lead to a less secure device configuration include: disabling Windows Update, disabling Automatic Root Certificates Update, and disabling Windows Defender. Accordingly, we do not recommend disabling any of these features. - To ensure CSPs take priority over Group Policies in case of conflicts, use the [ControlPolicyConflict](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy. - The **Get Help** and **Give us Feedback** links in Windows may no longer work after applying some or all of the MDM/CSP settings. From 7db5a7083dcf4299e6536f7bc967f362d3883359 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Sat, 24 Aug 2019 13:38:29 -0700 Subject: [PATCH 40/46] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...windows-operating-system-components-to-microsoft-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index fe5c71d2cf..89334b2989 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -32,7 +32,7 @@ Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline] Notes: - The Allowed Traffic endpoints are listed here: [Allowed Traffic](#bkmk-allowedtraffic). - CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign. -- For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device. Examples of settings that can lead to a less secure device configuration include: disabling Windows Update, disabling Automatic Root Certificates Update, and disabling Windows Defender. Accordingly, we do not recommend disabling any of these features. +- For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device. Examples of settings that can lead to a less secure device configuration include: Windows Update, Automatic Root Certificates Update, and Windows Defender. Accordingly, we do not recommend disabling any of these features. - It is recommended that you restart a device after making configuration changes to it. - The Get Help and Give us Feedback links no longer work after the Windows Restricted Traffic Limited Functionality Baseline is applied. From 49d22b3ff6dab0501cc717c7fa4069944d923c5d Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Sat, 24 Aug 2019 19:08:19 -0700 Subject: [PATCH 41/46] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...system-components-to-microsoft-services.md | 26 +++++++------------ 1 file changed, 9 insertions(+), 17 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 89334b2989..4d5fc2e52e 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -25,32 +25,24 @@ ms.date: 8/23/2019 - Windows Server 2016 - Windows Server 2019 -This article describes the network connections that Windows 10 components make to Microsoft and the Windows settings, Group Policies and registry settings available to IT Professionals to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a number of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience. +This article describes the network connections that Windows 10 components make to Microsoft and the Windows Settings, Group Policies and registry settings available to IT Professionals to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a number of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience. Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887) package that will allow your organization to quickly configure the settings covered in this document to restrict connections from Windows 10 to Microsoft. The Windows Restricted Traffic Limited Baseline is based on [Group Policy Administrative Template](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) functionality and the package you download contains further instructions on how to deploy to devices in your organization. Since some of the settings can reduce the functionality and security configuration of your device, **before deploying Windows Restricted Traffic Limited Functionality Baseline** make sure you **choose the right settings configuration for your environment** and **ensure that Windows and Windows Defender are fully up to date**. Failure to do so may result in errors or unexpected behavior. You should not extract this package to the windows\system32 folder because it will not apply correctly. -Notes: -- The Allowed Traffic endpoints are listed here: [Allowed Traffic](#bkmk-allowedtraffic). - - CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign. -- For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device. Examples of settings that can lead to a less secure device configuration include: Windows Update, Automatic Root Certificates Update, and Windows Defender. Accordingly, we do not recommend disabling any of these features. -- It is recommended that you restart a device after making configuration changes to it. -- The Get Help and Give us Feedback links no longer work after the Windows Restricted Traffic Limited Functionality Baseline is applied. +>[!Notes] +> - The Allowed Traffic endpoints are listed here: [Allowed Traffic](#bkmk-allowedtraffic). +> - CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign. +> - For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device. Examples of settings that can lead to a less secure device configuration include: Windows Update, Automatic Root Certificates Update, and Windows Defender. Accordingly, we do not recommend disabling any of these features. +> - It is recommended that you restart a device after making configuration changes to it. +> - The Get Help and Give us Feedback links no longer work after the Windows Restricted Traffic Limited Functionality Baseline is applied. To use Microsoft InTune cloud based device management for restricting traffic please refer to the [Manage connections from Windows operating system components to Microsoft services using MDM](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm) We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting **telmhelp**@**microsoft.com**. -Management options for each setting +## Management options for each setting -The following sections list the components that make network connections to Microsoft services by default. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure diagnostic data at the Security level, turn off Windows Defender diagnostic data and MSRT reporting, and turn off all of these connections. -Settings for Windows 10 Enterprise edition - -The following table lists management options for each setting, beginning with Windows 10 Enterprise version 1607. - - -## Management options for each setting - -The following sections list the components that make network connections to Microsoft services by default. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure diagnostic data at the Security level, turn off Windows Defender diagnostic data and MSRT reporting, and turn off all of these connections. +The following sections list the components that make network connections to Microsoft services by default. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure diagnostic data at the Security level, turn off Windows Defender diagnostic data and MSRT reporting, and turn off all of these connections ### Settings for Windows 10 Enterprise edition From d2911f6d31bd0373210e719dba27590fbe91eee5 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Sat, 24 Aug 2019 19:16:10 -0700 Subject: [PATCH 42/46] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...ndows-operating-system-components-to-microsoft-services.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 4d5fc2e52e..c8f0d1813c 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -34,7 +34,7 @@ Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline] > - CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign. > - For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device. Examples of settings that can lead to a less secure device configuration include: Windows Update, Automatic Root Certificates Update, and Windows Defender. Accordingly, we do not recommend disabling any of these features. > - It is recommended that you restart a device after making configuration changes to it. -> - The Get Help and Give us Feedback links no longer work after the Windows Restricted Traffic Limited Functionality Baseline is applied. +> - The **Get Help** and **Give us Feedback** links no longer work after the Windows Restricted Traffic Limited Functionality Baseline is applied. To use Microsoft InTune cloud based device management for restricting traffic please refer to the [Manage connections from Windows operating system components to Microsoft services using MDM](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm) @@ -225,7 +225,7 @@ For more information, see [Automatic Root Certificates Update Configuration](htt Although not recommended, you can turn off Automatic Root Certificates Update, which also prevents updates to the disallowed certificate list and the pin rules list. > [!CAUTION] -> By not automatically downloading the root certificates, the device might have not been able to connect to some websites. +> By not automatically downloading the root certificates the device may not be able to connect to some websites. For Windows 10, Windows Server 2016 with Desktop Experience, and Windows Server 2016 Server Core: From bb1507e3154ad818fd9ef27ac8d0a0f89b616fc7 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Sat, 24 Aug 2019 19:17:51 -0700 Subject: [PATCH 43/46] Update manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md --- ...components-to-microsoft-services-using-MDM.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md index efef6e3119..53a6958b4d 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md @@ -19,15 +19,15 @@ ms.date: 8/23/2019 - Windows 10 Enterprise 1903 version and newer -This article describes the network connections that Windows 10 components make to Microsoft and the Mobile Device Management/Configuration Service Provider (MDM/CSP) and custom Open Mobile Alliance Uniform Resource Identifier ([OMA URI](https://docs.microsoft.com/intune/custom-settings-windows-10)) policies available to IT Professionals using Microsoft Intune to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a range of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience. +This article describes the network connections that Windows 10 components make to Microsoft and the Mobile Device Management/Configuration Service Provider (MDM/CSP) and custom Open Mobile Alliance Uniform Resource Identifier ([OMA URI](https://docs.microsoft.com/intune/custom-settings-windows-10)) policies available to IT Professionals using Microsoft Intune to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a number of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience. -Notes: -- The Allowed Traffic endpoints for an MDM configuration are here: [Allowed Traffic](#bkmk-mdm-allowedtraffic) - - CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign. - - There is some traffic which is specifically required for the Microsoft Intune based management of Windows 10 devices. This traffic includes Windows Notifications Service (WNS), Automatic Root Certificates Update (ARCU), and some Windows Update related traffic. The aforementioned traffic comprises the Allowed Traffic for Microsoft Intune MDM Server to manage Windows 10 devices. -- For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device. Examples of settings that can lead to a less secure device configuration include: disabling Windows Update, disabling Automatic Root Certificates Update, and disabling Windows Defender. Accordingly, we do not recommend disabling any of these features. -- To ensure CSPs take priority over Group Policies in case of conflicts, use the [ControlPolicyConflict](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy. -- The **Get Help** and **Give us Feedback** links in Windows may no longer work after applying some or all of the MDM/CSP settings. +>[!Notes] +>- The Allowed Traffic endpoints for an MDM configuration are here: [Allowed Traffic](#bkmk-mdm-allowedtraffic) +> - CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign. +> - There is some traffic which is specifically required for the Microsoft Intune based management of Windows 10 devices. This traffic includes Windows Notifications Service (WNS), Automatic Root Certificates Update (ARCU), and some Windows Update related traffic. The aforementioned traffic comprises the Allowed Traffic for Microsoft Intune MDM Server to manage Windows 10 devices. +>- For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device. Examples of settings that can lead to a less secure device configuration include: disabling Windows Update, disabling Automatic Root Certificates Update, and disabling Windows Defender. Accordingly, we do not recommend disabling any of these features. +>- To ensure CSPs take priority over Group Policies in case of conflicts, use the [ControlPolicyConflict](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy. +>- The **Get Help** and **Give us Feedback** links in Windows may no longer work after applying some or all of the MDM/CSP settings. For more information on Microsoft Intune please see [Transform IT service delivery for your modern workplace](https://www.microsoft.com/en-us/enterprise-mobility-security/microsoft-intune?rtc=1) and [Microsoft Intune documentation](https://docs.microsoft.com/intune/). From b7c0fcf3f21ddf09c62470ea9fe62bd83972feb7 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Sat, 24 Aug 2019 19:22:31 -0700 Subject: [PATCH 44/46] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...windows-operating-system-components-to-microsoft-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index c8f0d1813c..dc138711f7 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -29,7 +29,7 @@ This article describes the network connections that Windows 10 components make t Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887) package that will allow your organization to quickly configure the settings covered in this document to restrict connections from Windows 10 to Microsoft. The Windows Restricted Traffic Limited Baseline is based on [Group Policy Administrative Template](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) functionality and the package you download contains further instructions on how to deploy to devices in your organization. Since some of the settings can reduce the functionality and security configuration of your device, **before deploying Windows Restricted Traffic Limited Functionality Baseline** make sure you **choose the right settings configuration for your environment** and **ensure that Windows and Windows Defender are fully up to date**. Failure to do so may result in errors or unexpected behavior. You should not extract this package to the windows\system32 folder because it will not apply correctly. ->[!Notes] +>[!IMPORTANT] > - The Allowed Traffic endpoints are listed here: [Allowed Traffic](#bkmk-allowedtraffic). > - CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign. > - For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device. Examples of settings that can lead to a less secure device configuration include: Windows Update, Automatic Root Certificates Update, and Windows Defender. Accordingly, we do not recommend disabling any of these features. From 5926db8bbb593260c812f63ce977976a775a49d4 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Sat, 24 Aug 2019 19:22:54 -0700 Subject: [PATCH 45/46] Update manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md --- ...erating-system-components-to-microsoft-services-using-MDM.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md index 53a6958b4d..a646c6bbbd 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md @@ -21,7 +21,7 @@ ms.date: 8/23/2019 This article describes the network connections that Windows 10 components make to Microsoft and the Mobile Device Management/Configuration Service Provider (MDM/CSP) and custom Open Mobile Alliance Uniform Resource Identifier ([OMA URI](https://docs.microsoft.com/intune/custom-settings-windows-10)) policies available to IT Professionals using Microsoft Intune to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a number of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience. ->[!Notes] +>[!IMPORTANT] >- The Allowed Traffic endpoints for an MDM configuration are here: [Allowed Traffic](#bkmk-mdm-allowedtraffic) > - CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign. > - There is some traffic which is specifically required for the Microsoft Intune based management of Windows 10 devices. This traffic includes Windows Notifications Service (WNS), Automatic Root Certificates Update (ARCU), and some Windows Update related traffic. The aforementioned traffic comprises the Allowed Traffic for Microsoft Intune MDM Server to manage Windows 10 devices. From 2c926798989c40500368a66d3ce6f5eb1da3c268 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Sat, 24 Aug 2019 19:55:38 -0700 Subject: [PATCH 46/46] Update manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md --- ...erating-system-components-to-microsoft-services-using-MDM.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md index a646c6bbbd..d507296ac2 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md @@ -36,7 +36,7 @@ For detailed information about managing network connections to Microsoft service We are always striving to improve our documentation and welcome your feedback. You can provide feedback by sending email to **telmhelp**@**microsoft.com**. -### Settings for Windows 10 Enterprise edition 1903 and newer +## Settings for Windows 10 Enterprise edition 1903 and newer The following table lists management options for each setting.