From 264f06d9834e80b58f7bf01229b7ff32475cbd36 Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Wed, 16 May 2018 01:01:56 +0000 Subject: [PATCH] Merged PR 8254: Some formatting and content fixes --- windows/privacy/gdpr-it-guidance.md | 2 +- windows/privacy/manage-windows-endpoints.md | 6 +- ...ws-personal-data-services-configuration.md | 397 ++++++++++-------- 3 files changed, 219 insertions(+), 186 deletions(-) diff --git a/windows/privacy/gdpr-it-guidance.md b/windows/privacy/gdpr-it-guidance.md index 06a4930af2..a87e41b1a2 100644 --- a/windows/privacy/gdpr-it-guidance.md +++ b/windows/privacy/gdpr-it-guidance.md @@ -178,7 +178,7 @@ If an IT organization has not disabled this policy, users within the organizatio Windows 10, version 1803, and later can provide users with a notification during their logon. If the IT organization has not disabled the Group Policy **Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds\Configure telemetry opt-in change notifications** or the MDM policy **ConfigureTelemetryOptInChangeNotification**, Windows diagnostic data notifications can appear at logon so that the users of a device are aware of the data collection. -This notification can also be shown when the diagnostic level for the device was changed. For instance, if the telemetry level on the device is set to “Basic” and the IT organization changes it to “Full”, users will be notified on their next logon. +This notification can also be shown when the diagnostic level for the device was changed. For instance, if the diagnostic level on the device is set to “Basic” and the IT organization changes it to “Full”, users will be notified on their next logon. ### Diagnostic Data Viewer (DDV) diff --git a/windows/privacy/manage-windows-endpoints.md b/windows/privacy/manage-windows-endpoints.md index 692310a8a3..d0be3c4145 100644 --- a/windows/privacy/manage-windows-endpoints.md +++ b/windows/privacy/manage-windows-endpoints.md 
@@ -24,13 +24,13 @@ Some Windows components, app, and related services transfer data to Microsoft ne - Connecting to the cloud to store and access backups. - Using your location to show a weather forecast. -This article lists different endpoints that are available on a clean installation of Windows 10 Enterprise, version 1709 and later. +This article lists different endpoints that are available on a clean installation of Windows 10, version 1709 and later. Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). Where applicable, each endpoint covered in this topic includes a link to specific details about how to control traffic to it. We used the following methodology to derive these network endpoints: -1. Set up the latest version of Windows 10 Enterprise test virtual machine using the default settings. +1. Set up the latest version of Windows 10 on a test virtual machine using the default settings. 2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device). 3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. 4. Compile reports on traffic going to public IP addresses. @@ -39,6 +39,8 @@ We used the following methodology to derive these network endpoints: > [!NOTE] > Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. +## Windows 10 Enterprise connection endpoints + ## Apps The following endpoint is used to download updates to the Weather app Live Tile. 
diff --git a/windows/privacy/windows-personal-data-services-configuration.md b/windows/privacy/windows-personal-data-services-configuration.md index ab9988ab42..4b824f3b1d 100644 --- a/windows/privacy/windows-personal-data-services-configuration.md +++ b/windows/privacy/windows-personal-data-services-configuration.md 
@@ -43,44 +43,49 @@ This setting determines the amount of Windows diagnostic data sent to Microsoft. #### Group Policy -| | | -|:-|:-| -| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds | -| **Policy Name** | Allow Telemetry | -| **Default setting** | 2 - Enhanced | -| **Recommended** | 2 - Enhanced | +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds | +>| **Policy Name** | Allow Telemetry | +>| **Default setting** | 2 - Enhanced | +>| **Recommended** | 2 - Enhanced | -| | | -|:-|:-| -| **Group Policy** | User Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds | -| **Policy Name** | Allow Telemetry | -| **Default setting** | 2 - Enhanced | -| **Recommended** | 2 - Enhanced | +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **Group Policy** | User Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds | +>| **Policy Name** | Allow Telemetry | +>| **Default setting** | 2 - Enhanced | +>| **Recommended** | 2 - Enhanced | #### Registry -| | | -|:-|:-| -| **Registry key** | HKLM\Software\Policies\Microsoft\Windows\DataCollection | -| **Value** | AllowTelemetry | -| **Type** | REG_DWORD | -| **Setting** | "00000002" | +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **Registry key** | HKLM\Software\Policies\Microsoft\Windows\DataCollection | +>| **Value** | AllowTelemetry | +>| **Type** | REG_DWORD | +>| **Setting** | "00000002" | -| | | -|:-|:-| -| **Registry key** | HKCU\Software\Policies\Microsoft\Windows\DataCollection | -| **Value** | AllowTelemetry | -| **Type** | REG_DWORD | -| **Setting** | "00000002" | +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **Registry key** | HKCU\Software\Policies\Microsoft\Windows\DataCollection | +>| **Value** | AllowTelemetry | +>| **Type** | 
REG_DWORD | +>| **Setting** | "00000002" | #### MDM -| | | -|:-|:-| -| **MDM CSP** | System | -| **Policy** | AllowTelemetry (scope: device and user) | -| **Default setting** | 2 – Enhanced | -| **Recommended** | 2 – Allowed | +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **MDM CSP** | System | +>| **Policy** | AllowTelemetry (scope: device and user) | +>| **Default setting** | 2 – Enhanced | +>| **Recommended** | 2 – Allowed | ### Diagnostic opt-in change notifications 
@@ -88,30 +93,33 @@ This setting determines whether a device shows notifications about Windows diagn #### Group Policy -| | | -|:-|:-| -| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds | -| **Policy Name** | Configure telemetry opt-in change notifications | -| **Default setting** | Enabled | -| **Recommended** | Enabled | +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds | +>| **Policy Name** | Configure telemetry opt-in change notifications | +>| **Default setting** | Enabled | +>| **Recommended** | Enabled | #### Registry -| | | -|:-|:-| -| **Registry key** | HKLM\Software\Policies\Microsoft\Windows\DataCollection | -| **Value** | DisableTelemetryOptInChangeNotification | -| **Type** | REG_DWORD | -| **Setting** | "00000001" | +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **Registry key** | HKLM\Software\Policies\Microsoft\Windows\DataCollection | +>| **Value** | DisableTelemetryOptInChangeNotification | +>| **Type** | REG_DWORD | +>| **Setting** | "00000001" | #### MDM -| | | -|:-|:-| -| **MDM CSP** | System | -| **Policy** | ConfigureTelemetryOptInChangeNotification | -| **Default setting** | 0 – Enabled | -| **Recommended** | 0 – Enabled | +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **MDM CSP** | System | +>| **Policy** | ConfigureTelemetryOptInChangeNotification | +>| **Default setting** | 0 – Enabled | +>| **Recommended** | 0 – Enabled | ### Configure telemetry opt-in setting user interface 
@@ -119,30 +127,33 @@ This setting determines whether people can change their own Windows diagnostic d #### Group Policy -| | | -|:-|:-| -| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds | -| **Policy Name** | Configure telemetry opt-in setting user interface | -| **Default setting** | Enabled | -| **Recommended** | Enabled | +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds | +>| **Policy Name** | Configure telemetry opt-in setting user interface | +>| **Default setting** | Enabled | +>| **Recommended** | Enabled | #### Registry -| | | -|:-|:-| -| **Registry key** | HKLM\Software\Policies\Microsoft\Windows\DataCollection | -| **Value** | DisableTelemetryOptInSettingsUx | -| **Type** | REG_DWORD | -| **Setting** | "00000001" | +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **Registry key** | HKLM\Software\Policies\Microsoft\Windows\DataCollection | +>| **Value** | DisableTelemetryOptInSettingsUx | +>| **Type** | REG_DWORD | +>| **Setting** | "00000001" | #### MDM -| | | -|:-|:-| -| **MDM CSP** | System | -| **Policy** | ConfigureTelemetryOptInSettingsUx | -| **Default setting** | 0 – Enabled | -| **Recommended** | 0 – Enabled | +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **MDM CSP** | System | +>| **Policy** | ConfigureTelemetryOptInSettingsUx | +>| **Default setting** | 0 – Enabled | +>| **Recommended** | 0 – Enabled | ## Policies affecting personal data protection managed by the Enterprise IT 
@@ -158,66 +169,73 @@ The following settings determine whether fixed and removable drives are protecte #### Group Policy -| | | -|:-|:-| -| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Bitlocker Drive Encryption\Fixed Data Drives | -| **Policy Name** | Deny write access to fixed drives not protected by BitLocker | -| **Default setting** | Not configured | -| **Recommended** | Enabled | +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Bitlocker Drive Encryption\Fixed Data Drives | +>| **Policy Name** | Deny write access to fixed drives not protected by BitLocker | +>| **Default setting** | Not configured | +>| **Recommended** | Enabled | #### Registry -| | | -|:-|:-| -| **Registry key** | HKLM\System\CurrentControlSet\Policies\Microsoft\FVE | -| **Value** | FDVDenyWriteAccess | -| **Type** | REG_DWORD | -| **Setting** | "00000001" | +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **Registry key** | HKLM\System\CurrentControlSet\Policies\Microsoft\FVE | +>| **Value** | FDVDenyWriteAccess | +>| **Type** | REG_DWORD | +>| **Setting** | "00000001" | #### MDM -| | | -|:-|:-| -| **MDM CSP** | BitLocker | -| **Policy** | RemovableDrivesRequireEncryption | -| **Default setting** | Disabled | -| **Recommended** | Enabled (see [instructions](/windows/client-management/mdm/bitlocker-csp#fixeddrivesrequireencryption)) | +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **MDM CSP** | BitLocker | +>| **Policy** | RemovableDrivesRequireEncryption | +>| **Default setting** | Disabled | +>| **Recommended** | Enabled (see [instructions](/windows/client-management/mdm/bitlocker-csp#fixeddrivesrequireencryption)) | #### Removable Data Drives #### Group Policy -| | | -|:-|:-| -| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Bitlocker Drive Encryption\Removable Data Drives | -| **Policy Name** | Deny write 
access to removable drives not protected by BitLocker | -| **Default setting** | Not configured | -| **Recommended** | Enabled | +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Bitlocker Drive Encryption\Removable Data Drives | +>| **Policy Name** | Deny write access to removable drives not protected by BitLocker | +>| **Default setting** | Not configured | +>| **Recommended** | Enabled | #### Registry -| | | -|:-|:-| -| **Registry key** | HKLM\System\CurrentControlSet\Policies\Microsoft\FVE | -| **Value** | RDVDenyWriteAccess | -| **Type** | REG_DWORD | -| **Setting** | "00000001" | +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **Registry key** | HKLM\System\CurrentControlSet\Policies\Microsoft\FVE | +>| **Value** | RDVDenyWriteAccess | +>| **Type** | REG_DWORD | +>| **Setting** | "00000001" | -| | | -|:-|:-| -| **Registry key** | HKLM\Software\Policies\Microsoft\FVE | -| **Value** | RDVDenyCrossOrg | -| **Type** | REG_DWORD | -| **Setting** | "00000000" | +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **Registry key** | HKLM\Software\Policies\Microsoft\FVE | +>| **Value** | RDVDenyCrossOrg | +>| **Type** | REG_DWORD | +>| **Setting** | "00000000" | #### MDM -| | | -|:-|:-| -| **MDM CSP** | BitLocker | -| **Policy** | RemovableDrivesRequireEncryption | -| **Default setting** | Disabled | -| **Recommended** | Enabled (see [instructions](/windows/client-management/mdm/bitlocker-csp#removabledrivesrequireencryption)) | +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **MDM CSP** | BitLocker | +>| **Policy** | RemovableDrivesRequireEncryption | +>| **Default setting** | Disabled | +>| **Recommended** | Enabled (see [instructions](/windows/client-management/mdm/bitlocker-csp#removabledrivesrequireencryption)) | ### Privacy – AdvertisingID 
@@ -225,30 +243,33 @@ This setting determines if the advertising ID, which preventing apps from using #### Group Policy -| | | -|:-|:-| -| **Group Policy** | Computer Configuration\Administrative Templates\System\User Profiles | -| **Policy Name** | Turn off the advertising ID | -| **Default setting** | Not configured | -| **Recommended** | Enabled | +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **Group Policy** | Computer Configuration\Administrative Templates\System\User Profiles | +>| **Policy Name** | Turn off the advertising ID | +>| **Default setting** | Not configured | +>| **Recommended** | Enabled | #### Registry -| | | -|:-|:-| -| **Registry key** | HKLM\Software\Policies\Microsoft\Windows\AdvertisingInfo | -| **Value** | DisabledByGroupPolicy | -| **Type** | REG_DWORD | -| **Setting** | "00000001" | +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **Registry key** | HKLM\Software\Policies\Microsoft\Windows\AdvertisingInfo | +>| **Value** | DisabledByGroupPolicy | +>| **Type** | REG_DWORD | +>| **Setting** | "00000001" | #### MDM -| | | -|:-|:-| -| **MDM CSP** | Privacy | -| **Policy** | DisableAdvertisingId | -| **Default setting** | 65535 (default) - Not configured | -| **Recommended** | 1 – Enabled | +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **MDM CSP** | Privacy | +>| **Policy** | DisableAdvertisingId | +>| **Default setting** | 65535 (default) - Not configured | +>| **Recommended** | 1 – Enabled | ### Edge 
@@ -259,44 +280,49 @@ These settings whether employees send “Do Not Track” from the Microsoft Edge #### Group Policy -| | | -|:-|:-| -| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Microsoft Edge | -| **Policy Name** | Configure Do Not Track | -| **Default setting** | Disabled | -| **Recommended** | Disabled | +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Microsoft Edge | +>| **Policy Name** | Configure Do Not Track | +>| **Default setting** | Disabled | +>| **Recommended** | Disabled | -| | | -|:-|:-| -| **Group Policy** | User Configuration\Administrative Templates\Windows Components\Microsoft Edge | -| **Policy Name** | Configure Do Not Track | -| **Default setting** | Disabled | -| **Recommended** | Disabled | +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **Group Policy** | User Configuration\Administrative Templates\Windows Components\Microsoft Edge | +>| **Policy Name** | Configure Do Not Track | +>| **Default setting** | Disabled | +>| **Recommended** | Disabled | #### Registry -| | | -|:-|:-| -| **Registry key** | HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main | -| **Value** | DoNotTrack | -| **Type** | REG_DWORD | -| **Setting** | "00000000" | +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **Registry key** | HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main | +>| **Value** | DoNotTrack | +>| **Type** | REG_DWORD | +>| **Setting** | "00000000" | -| | | -|:-|:-| -| **Registry key** | HKCU\Software\Policies\Microsoft\MicrosoftEdge\Main | -| **Value** | DoNotTrack | -| **Type** | REG_DWORD | -| **Setting** | "00000000" | +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **Registry key** | HKCU\Software\Policies\Microsoft\MicrosoftEdge\Main | +>| **Value** | DoNotTrack | +>| **Type** | REG_DWORD | +>| **Setting** | "00000000" | #### MDM -| | | -|:-|:-| -| **MDM CSP** | Browser | -| **Policy** | 
AllowDoNotTrack (scope: device + user) | -| **Default setting** | 0 (default) – Not allowed | -| **Recommended** | 0 – Not allowed | +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **MDM CSP** | Browser | +>| **Policy** | AllowDoNotTrack (scope: device + user) | +>| **Default setting** | 0 (default) – Not allowed | +>| **Recommended** | 0 – Not allowed | ### Internet Explorer 
@@ -304,41 +330,46 @@ These settings whether employees send “Do Not Track” header from the Microso #### Group Policy -| | | -|:-|:-| -| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | -| **Policy Name** | Always send Do Not Track header | -| **Default setting** | Disabled | -| **Recommended** | Disabled | +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | +>| **Policy Name** | Always send Do Not Track header | +>| **Default setting** | Disabled | +>| **Recommended** | Disabled | -||| -|:-|:-| -| **Group Policy** | User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | -| **Policy Name** | Always send Do Not Track header | -| **Default setting** | Disabled | -| **Recommended** | Disabled | +> [!div class="mx-tableFixed"] +>||| +>|:-|:-| +>| **Group Policy** | User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | +>| **Policy Name** | Always send Do Not Track header | +>| **Default setting** | Disabled | +>| **Recommended** | Disabled | #### Registry -||| -|:-|:-| -| **Registry key** | HKLM\Software\Policies\Microsoft\Internet Explorer\Main | -| **Value** | DoNotTrack | -| **Type** | REG_DWORD | -| **Setting** | "00000000" | +> [!div class="mx-tableFixed"] +>||| +>|:-|:-| +>| **Registry key** | HKLM\Software\Policies\Microsoft\Internet Explorer\Main | +>| **Value** | DoNotTrack | +>| **Type** | REG_DWORD | +>| **Setting** | "00000000" | -||| -|:-|:-| -| **Registry key** | HKCU\Software\Policies\Microsoft\Internet Explorer\Main | -| **Value** | DoNotTrack | -| **Type** | REG_DWORD | -| **Setting** | "00000000" | +> [!div class="mx-tableFixed"] +>||| +>|:-|:-| +>| **Registry key** | 
HKCU\Software\Policies\Microsoft\Internet Explorer\Main | +>| **Value** | DoNotTrack | +>| **Type** | REG_DWORD | +>| **Setting** | "00000000" | #### MDM -||| -|:-|:-| -| **MDM CSP** | N/A | +> [!div class="mx-tableFixed"] +>||| +>|:-|:-| +>| **MDM CSP** | N/A | ## Additional resources
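
Review bot: in windows/privacy/manage-windows-endpoints.md, hunk @@ -39,6 +39,8, the added heading `## Windows 10 Enterprise connection endpoints` is followed directly by `## Apps` at the same level, so the new section has no body and the category headings are its siblings rather than its children. Either demote `## Apps` and the headings after it to `###`, or drop the new heading. The heading also brings back "Enterprise", which the preceding hunk (@@ -24,13 +24,13) removes from the intro sentence and from step 1 of the methodology; pick one scope and use it in both places.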
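
Review bot: in windows/privacy/windows-personal-data-services-configuration.md, hunk @@ -43,44 +43,49, the MDM table is re-wrapped with inconsistent labels for the same AllowTelemetry value: `Default setting` reads "2 – Enhanced" and `Recommended` reads "2 – Allowed". The Group Policy tables in the same hunk call it "2 - Enhanced". Since these rows are being rewritten anyway, use one label for value 2 and one dash style across the hunk.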
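
Review bot: in windows-personal-data-services-configuration.md, hunk @@ -88,30 +93,33, the three tables read as contradictory states: Group Policy recommends "Enabled", the registry table sets `DisableTelemetryOptInChangeNotification` to "00000001", and the MDM table recommends "0 – Enabled". A reader cannot tell from these rows whether the recommended outcome is notifications shown or suppressed. Add to each table what the listed value does. The next hunk (@@ -119,30 +127,33) has the same pattern with `DisableTelemetryOptInSettingsUx`.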
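
Review bot: in windows-personal-data-services-configuration.md, hunk @@ -158,66 +169,73, the MDM table that follows the fixed-drive policy ("Deny write access to fixed drives not protected by BitLocker") names the policy `RemovableDrivesRequireEncryption` while its link targets `bitlocker-csp#fixeddrivesrequireencryption`. The removable-drive MDM table later in the hunk uses the same policy name with the `#removabledrivesrequireencryption` anchor, so the first occurrence looks like a copy-paste leftover; confirm the intended policy name and correct it here rather than carrying it through the reformat. Also worth confirming in the same pass: the two DenyWriteAccess values are listed under `HKLM\System\CurrentControlSet\Policies\Microsoft\FVE` while `RDVDenyCrossOrg` is under `HKLM\Software\Policies\Microsoft\FVE`.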
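
Review bot: in windows-personal-data-services-configuration.md, hunk @@ -304,41 +330,46, the re-wrapped tables keep the `>|||` header row while every other table in this patch uses `>| | |`; normalise them since this is a formatting pass. The context shown in the hunk headers at @@ -259 and @@ -304 ("These settings whether employees send ...") is missing its verb, and the one at @@ -225 ("the advertising ID, which preventing apps from using") is also ungrammatical; a PR titled "formatting and content fixes" should pick those up.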