@@ -40,6 +41,9 @@ ms.date: 05/14/2018
+ +**InternetExplorer/AllowEnhancedSuggestionsInAddressBar** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
 |
+  6 |
+ 6 |
+ 6 |
+ 6 |
+ + | + |
+ + + +This policy setting allows Internet Explorer to provide enhanced suggestions as the user types in the Address bar. To provide enhanced suggestions, the user's keystrokes are sent to Microsoft through Microsoft services. + +If you enable this policy setting, users receive enhanced suggestions while typing in the Address bar. In addition, users cannot change the Suggestions setting on the Settings charm. + +If you disable this policy setting, users do not receive enhanced suggestions while typing in the Address bar. In addition, users cannot change the Suggestions setting on the Settings charm. + +If you do not configure this policy setting, users can change the Suggestions setting on the Settings charm. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow Microsoft services to provide enhanced suggestions as the user types in the Address bar* +- GP name: *AllowServicePoweredQSA* +- GP path: *Windows Components/Internet Explorer* +- GP ADMX file name: *inetres.admx* + + + +Supported values: +- 0 - Disabled +- 1 - Enabled (Default) + + + + + + + + + +
+ **InternetExplorer/AllowEnterpriseModeFromToolsMenu** @@ -2713,6 +2811,81 @@ ADMX Info:
+ +**InternetExplorer/DisableActiveXVersionListAutoDownload** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 6 |
+ 6 |
+ 6 |
+ 6 |
+ + | + |
+ + + +This setting determines whether IE automatically downloads updated versions of Microsoft’s VersionList.XML. IE uses this file to determine whether an ActiveX control should be stopped from loading. + +> [!Caution] +> If you enable this setting, IE stops downloading updated versions of VersionList.XML. Turning off this automatic download breaks the [out-of-date ActiveX control blocking feature](https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking) by not letting the version list update with newly outdated controls, potentially compromising the security of your computer. + +If you disable or do not configure this setting, IE continues to download updated versions of VersionList.XML. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off automatic download of the ActiveX VersionList* +- GP name: *VersionListAutomaticDownloadDisable* +- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management* +- GP ADMX file name: *inetres.admx* + + + +Supported values: +- 0 - Enabled +- 1 - Disabled (Default) + + + + + + + + + +
+ **InternetExplorer/DisableAdobeFlash** @@ -2904,6 +3077,80 @@ ADMX Info:
+ +**InternetExplorer/DisableCompatView** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 6 |
+ 6 |
+ 6 |
+ 6 |
+ + | + |
+ + + +This policy setting controls the Compatibility View feature, which allows users to fix website display problems that they may encounter while browsing. + +If you enable this policy setting, the user cannot use the Compatibility View button or manage the Compatibility View sites list. + +If you disable or do not configure this policy setting, the user can use the Compatibility View button and manage the Compatibility View sites list. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Compatibility View* +- GP name: *CompatView_DisableList* +- GP path: *Windows Components/Internet Explorer/Compatibility View* +- GP ADMX file name: *inetres.admx* + + + +Supported values: +- 0 - Disabled (Default) +- 1 - Enabled + + + + + + + + + +
+ **InternetExplorer/DisableConfiguringHistory** @@ -3290,6 +3537,80 @@ ADMX Info:
+ +**InternetExplorer/DisableFeedsBackgroundSync** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 6 |
+ 6 |
+ 6 |
+ 6 |
+ + | + |
+ + + +This policy setting allows you to choose whether or not to have background synchronization for feeds and Web Slices. + +If you enable this policy setting, the ability to synchronize feeds and Web Slices in the background is turned off. + +If you disable or do not configure this policy setting, the user can synchronize feeds and Web Slices in the background. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off background synchronization for feeds and Web Slices* +- GP name: *Disable_Background_Syncing* +- GP path: *Windows Components/RSS Feeds* +- GP ADMX file name: *inetres.admx* + + + +Supported values: +- 0 - Enabled (Default) +- 1 - Disabled + + + + + + + + + +
+ **InternetExplorer/DisableFirstRunWizard** @@ -3424,6 +3745,82 @@ ADMX Info:
+ +**InternetExplorer/DisableGeolocation** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 6 |
+ 6 |
+ 6 |
+ 6 |
+ + | + |
+ + + +This policy setting allows you to disable browser geolocation support. This prevents websites from requesting location data about the user. + +If you enable this policy setting, browser geolocation support is turned off. + +If you disable this policy setting, browser geolocation support is turned on. + +If you do not configure this policy setting, browser geolocation support can be turned on or off in Internet Options on the Privacy tab. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off browser geolocation* +- GP name: *GeolocationDisable* +- GP path: *Windows Components/Internet Explorer* +- GP ADMX file name: *inetres.admx* + + + +Supported values: +- 0 - Disabled (Default) +- 1 - Enabled + + + + + + + + + +
+ **InternetExplorer/DisableHomePageChange** @@ -4001,6 +4398,82 @@ ADMX Info:
+ +**InternetExplorer/DisableWebAddressAutoComplete** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 6 |
+ 6 |
+ 6 |
+ 6 |
+ + | + |
+ + + +This AutoComplete feature suggests possible matches when users are entering Web addresses in the browser address bar. + +If you enable this policy setting, users are not suggested matches when entering Web addresses. The user cannot change the auto-complete for web-address setting. + +If you disable this policy setting, users are suggested matches when entering Web addresses. The user cannot change the auto-complete for web-address setting. + +If you do not configure this policy setting, users can choose to turn the auto-complete setting for web-addresses on or off. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off the auto-complete feature for web addresses* +- GP name: *RestrictWebAddressSuggest* +- GP path: *Windows Components/Internet Explorer* +- GP ADMX file name: *inetres.admx* + + + +Supported values: +- yes - Disabled (Default) +- no - Enabled + + + + + + + + + +
+ **InternetExplorer/DoNotAllowActiveXControlsInProtectedMode** @@ -12568,6 +13041,83 @@ ADMX Info:
+ +**InternetExplorer/NewTabDefaultPage** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 6 |
+ 6 |
+ 6 |
+ 6 |
+ + | + |
+ + + +This policy setting allows you to specify what is displayed when the user opens a new tab. + +If you enable this policy setting, you can choose which page to display when the user opens a new tab: blank page (about:blank), the first home page, the new tab page or the new tab page with my news feed. + +If you disable or do not configure this policy setting, users can select their preference for this behavior. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify default behavior for a new tab* +- GP name: *NewTabAction* +- GP path: *Windows Components/Internet Explorer* +- GP ADMX file name: *inetres.admx* + + + + +Supported values: +- 0 - NewTab_AboutBlank (about:blank) +- 1 - NewTab_Homepage (Home page) +- 2 - NewTab_AboutTabs (New tab page) +- 3 - NewTab_AboutNewsFeed (New tab page with my news feed) (Default) + + + + + + + + + +
+ **InternetExplorer/NotificationBarInternetExplorerProcesses** @@ -16878,14 +17428,53 @@ ADMX Info: + + + + +## InternetExplorer policies supported by Windows Holographic + +- [InternetExplorer/DisableActiveXVersionListAutoDownload](#internetexplorer-disableactivexversionlistautodownload) +- [InternetExplorer/DisableCompatView](#internetexplorer-disablecompatview) +- [InternetExplorer/DisableGeolocation](#internetexplorer-disablegeolocation) + + + +## InternetExplorer policies supported by Windows Holographic for Business + +- [InternetExplorer/DisableActiveXVersionListAutoDownload](#internetexplorer-disableactivexversionlistautodownload) +- [InternetExplorer/DisableCompatView](#internetexplorer-disablecompatview) +- [InternetExplorer/DisableGeolocation](#internetexplorer-disablegeolocation) + + + +## InternetExplorer policies supported by IoT Core + +- [InternetExplorer/DisableActiveXVersionListAutoDownload](#internetexplorer-disableactivexversionlistautodownload) +- [InternetExplorer/DisableCompatView](#internetexplorer-disablecompatview) +- [InternetExplorer/DisableGeolocation](#internetexplorer-disablegeolocation) + + + +## InternetExplorer policies supported by IoT Enterprise + +- [InternetExplorer/AllowEnhancedSuggestionsInAddressBar](#internetexplorer-allowenhancedsuggestionsinaddressbar) +- [InternetExplorer/DisableActiveXVersionListAutoDownload](#internetexplorer-disableactivexversionlistautodownload) +- [InternetExplorer/DisableCompatView](#internetexplorer-disablecompatview) +- [InternetExplorer/DisableFeedsBackgroundSync](#internetexplorer-disablefeedsbackgroundsync) +- [InternetExplorer/DisableGeolocation](#internetexplorer-disablegeolocation) +- [InternetExplorer/DisableWebAddressAutoComplete](#internetexplorer-disablewebaddressautocomplete) +- [InternetExplorer/NewTabDefaultPage](#internetexplorer-newtabdefaultpage) + + +
-Footnote: +Footnotes: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. - - - +- 5 - Added in Windows 10, version 1809. +- 6 - Added in Windows 10, version 1903. \ No newline at end of file From ba046cc060498140ddec69490a6c8a2020520465 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Thu, 9 May 2019 11:57:29 -0700 Subject: [PATCH 024/156] Create windows-endpoints-1903-non-enterprise-editions.md --- ...-endpoints-1903-non-enterprise-editions.md | 271 ++++++++++++++++++ 1 file changed, 271 insertions(+) create mode 100644 windows/privacy/windows-endpoints-1903-non-enterprise-editions.md diff --git a/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md new file mode 100644 index 0000000000..44fadd939e --- /dev/null +++ b/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md @@ -0,0 +1,271 @@ +--- +title: Windows 10, version 1809, connection endpoints for non-Enterprise editions +description: Explains what Windows 10 endpoints are used in non-Enterprise editions. +keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016 +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.localizationpriority: high +audience: ITPro +author: danihalfin +ms.author: daniha +manager: dansimp +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 6/26/2018 +--- +# Windows 10, version 1809, connection endpoints for non-Enterprise editions + + **Applies to** + +- Windows 10 Home, version 1809 +- Windows 10 Professional, version 1809 +- Windows 10 Education, version 1809 + +In addition to the endpoints listed for [Windows 10 Enterprise](manage-windows-1809-endpoints.md), the following endpoints are available on other editions of Windows 10, version 1809. + +We used the following methodology to derive these network endpoints: + +1. Set up the latest version of Windows 10 on a test virtual machine using the default settings. +2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device). +3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. +4. Compile reports on traffic going to public IP addresses. +5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. +6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here. + +> [!NOTE] +> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. + +## Windows 10 Family + +| **Destination** | **Protocol** | **Description** | +| --- | --- | --- | +|\*.aria.microsoft.com*|HTTPS|Microsoft Office Telemetry +|\*.b.akamai*.net|HTTPS|Used to check for updates to Maps that have been downloaded for offline use +|\*.c-msedge.net|HTTP|Microsoft Office +|\*.dl.delivery.mp.microsoft.com*|HTTP|Enables connections to Windows Update +|\*.download.windowsupdate.com*|HTTP|Used to download operating system patches and updates +|\*.g.akamai*.net|HTTPS|Used to check for updates to Maps that have been downloaded for offline use +|\*.login.msa.*.net|HTTPS|Microsoft Account related +|\*.msn.com*|TLSv1.2/HTTPS|Windows Spotlight +|\*.skype.com|HTTP/HTTPS|Skype +|\*.smartscreen.microsoft.com*|HTTPS|Windows Defender Smartscreen +|\*.telecommand.telemetry.microsoft.com*|HTTPS|Used by Windows Error Reporting +|*cdn.onenote.net*|HTTP|OneNote +|*displaycatalog.*mp.microsoft.com*|HTTPS|Used to communicate with Microsoft Store +|*emdl.ws.microsoft.com*|HTTP|Windows Update +|*geo-prod.do.dsp.mp.microsoft.com*|TLSv1.2/HTTPS|Enables connections to Windows Update +|*hwcdn.net*|HTTP|Highwinds Content Delivery Network / Windows updates +|*img-prod-cms-rt-microsoft-com*|HTTPS|Microsoft Store or Inbox MSN Apps image download +|*licensing.*mp.microsoft.com*|HTTPS|Licensing +|*maps.windows.com*|HTTPS|Related to Maps application +|*msedge.net*|HTTPS|Used by Microsoft OfficeHub to get the metadata of Microsoft Office apps +|*nexusrules.officeapps.live.com*|HTTPS|Microsoft Office Telemetry +|*photos.microsoft.com*|HTTPS|Photos App +|*prod.do.dsp.mp.microsoft.com*|TLSv1.2/HTTPS|Used for Windows Update downloads of apps and OS updates +|*purchase.md.mp.microsoft.com.akadns.net|HTTPS|Used to communicate with Microsoft Store +|*settings.data.microsoft.com.akadns.net|HTTPS|Used for Windows apps to dynamically update their configuration +|*wac.phicdn.net*|HTTP|Windows Update +|*windowsupdate.com*|HTTP|Windows Update +|*wns.*windows.com*|TLSv1.2/HTTPS|Used for the Windows Push Notification Services (WNS) +|*wpc.v0cdn.net*|HTTP|Windows Telemetry +|arc.msn.com|HTTPS|Spotlight +|auth.gfx.ms*|HTTPS|MSA related +|cdn.onenote.net|HTTPS|OneNote Live Tile +|dmd.metaservices.microsoft.com*|HTTP|Device Authentication +|e-0009.e-msedge.net|HTTPS|Microsoft Office +|e10198.b.akamaiedge.net|HTTPS|Maps application +|evoke-windowsservices-tas.msedge*|HTTPS|Photos app +|fe2.update.microsoft.com*|TLSv1.2/HTTPS|Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store +|fe3.*.mp.microsoft.com.*|TLSv1.2/HTTPS|Windows Update, Microsoft Update, and Microsoft Store services +|g.live.com*|HTTPS|OneDrive +|go.microsoft.com|HTTP|Windows Defender +|iriscoremetadataprod.blob.core.windows.net|HTTPS|Windows Telemetry +|login.live.com|HTTPS|Device Authentication +|msagfx.live.com|HTTP|OneDrive +|ocsp.digicert.com*|HTTP|CRL and OCSP checks to the issuing certificate authorities +|officeclient.microsoft.com|HTTPS|Microsoft Office +|oneclient.sfx.ms*|HTTPS|Used by OneDrive for Business to download and verify app updates +|onecollector.cloudapp.aria.akadns.net|HTTPS|Microsoft Office +|ow1.res.office365.com|HTTP|Microsoft Office +|pti.store.microsoft.com|HTTPS|Microsoft Store +|purchase.mp.microsoft.com*|HTTPS|Used to communicate with Microsoft Store +|query.prod.cms.rt.microsoft.com*|HTTPS|Used to retrieve Windows Spotlight metadata +|ris.api.iris.microsoft.com*|TLSv1.2/HTTPS|Used to retrieve Windows Spotlight metadata +|ris-prod-atm.trafficmanager.net|HTTPS|Azure traffic manager +|s-0001.s-msedge.net|HTTPS|Microsoft Office +|self.events.data.microsoft.com|HTTPS|Microsoft Office +|settings.data.microsoft.com*|HTTPS|Used for Windows apps to dynamically update their configuration +|settings-win.data.microsoft.com*|HTTPS|Used for Windows apps to dynamically update their configuration +|share.microsoft.com|HTTPS|Microsoft Store +|skypeecs-prod-usw-0.cloudapp.net|HTTPS|Microsoft Store +|sls.update.microsoft.com*|TLSv1.2/HTTPS|Enables connections to Windows Update +|slscr.update.microsoft.com*|HTTPS|Enables connections to Windows Update +|store*.dsx.mp.microsoft.com*|HTTPS|Used to communicate with Microsoft Store +|storecatalogrevocation.storequality.microsoft.com|HTTPS|Microsoft Store +|storecatalogrevocation.storequality.microsoft.com*|HTTPS|Used to revoke licenses for malicious apps on the Microsoft Store +|store-images.*microsoft.com*|HTTP|Used to get images that are used for Microsoft Store suggestions +|storesdk.dsx.mp.microsoft.com|HTTP|Microsoft Store +|tile-service.weather.microsoft.com*|HTTP|Used to download updates to the Weather app Live Tile +|time.windows.com|HTTP|Microsoft Windows Time related +|tsfe.trafficshaping.dsp.mp.microsoft.com*|TLSv1.2/HTTPS|Used for content regulation +|v10.events.data.microsoft.com|HTTPS|Diagnostic Data +|watson.telemetry.microsoft.com|HTTPS|Diagnostic Data +|wdcp.microsoft.*|TLSv1.2, HTTPS|Used for Windows Defender when Cloud-based Protection is enabled +|wd-prod-cp-us-west-1-fe.westus.cloudapp.azure.com|HTTPS|Windows Defender +|wusofficehome.msocdn.com|HTTPS|Microsoft Office +|www.bing.com*|HTTP|Used for updates for Cortana, apps, and Live Tiles +|www.msftconnecttest.com|HTTP|Network Connection (NCSI) +|www.office.com|HTTPS|Microsoft Office + + +## Windows 10 Pro + +| **Destination** | **Protocol** | **Description** | +| --- | --- | --- | +|\*.cloudapp.azure.com|HTTPS|Azure +|\*.delivery.dsp.mp.microsoft.com.nsatc.net|HTTPS|Windows Update, Microsoft Update, and Microsoft Store services +|\*.displaycatalog.md.mp.microsoft.com.akadns.net|HTTPS|Microsoft Store +|\*.dl.delivery.mp.microsoft.com*|HTTP|Enables connections to Windows Update +|\*.e-msedge.net|HTTPS|Used by OfficeHub to get the metadata of Office apps +|\*.g.akamaiedge.net|HTTPS|Used to check for updates to maps that have been downloaded for offline use +|\*.s-msedge.net|HTTPS|Used by OfficeHub to get the metadata of Office apps +|\*.windowsupdate.com*|HTTP|Enables connections to Windows Update +|\*.wns.notify.windows.com.akadns.net|HTTPS|Used for the Windows Push Notification Services (WNS) +|\*dsp.mp.microsoft.com.nsatc.net|HTTPS|Enables connections to Windows Update +|\*c-msedge.net|HTTP|Office +|a1158.g.akamai.net|HTTP|Maps application +|arc.msn.com*|HTTP / HTTPS|Used to retrieve Windows Spotlight metadata +|blob.mwh01prdstr06a.store.core.windows.net|HTTPS|Microsoft Store +|browser.pipe.aria.microsoft.com|HTTPS|Microsoft Office +|bubblewitch3mobile.king.com|HTTPS|Bubble Witch application +|candycrush.king.com|HTTPS|Candy Crush application +|cdn.onenote.net|HTTP|Microsoft OneNote +|cds.p9u4n2q3.hwcdn.net|HTTP|Highwinds Content Delivery Network traffic for Windows updates +|client.wns.windows.com|HTTPS|Winddows Notification System +|co4.telecommand.telemetry.microsoft.com.akadns.net|HTTPS|Windows Error Reporting +|config.edge.skype.com|HTTPS|Microsoft Skype +|cs11.wpc.v0cdn.net|HTTP|Windows Telemetry +|cs9.wac.phicdn.net|HTTP|Windows Update +|cy2.licensing.md.mp.microsoft.com.akadns.net|HTTPS|Used to communicate with Microsoft Store +|cy2.purchase.md.mp.microsoft.com.akadns.net|HTTPS|Used to communicate with Microsoft Store +|cy2.settings.data.microsoft.com.akadns.net|HTTPS|Used to communicate with Microsoft Store +|dmd.metaservices.microsoft.com.akadns.net|HTTP|Device Authentication +|e-0009.e-msedge.net|HTTPS|Microsoft Office +|e10198.b.akamaiedge.net|HTTPS|Maps application +|fe3.update.microsoft.com|HTTPS|Windows Update +|g.live.com|HTTPS|Microsoft OneDrive +|g.msn.com.nsatc.net|HTTPS|Used to retrieve Windows Spotlight metadata +|geo-prod.do.dsp.mp.microsoft.com|HTTPS|Windows Update +|go.microsoft.com|HTTP|Windows Defender +|iecvlist.microsoft.com|HTTPS|Microsoft Edge +|img-prod-cms-rt-microsoft-com.akamaized.net|HTTP / HTTPS|Microsoft Store +|ipv4.login.msa.akadns6.net|HTTPS|Used for Microsoft accounts to sign in +|licensing.mp.microsoft.com|HTTP|Licensing +|location-inference-westus.cloudapp.net|HTTPS|Used for location data +|login.live.com|HTTP|Device Authentication +|maps.windows.com|HTTP|Maps application +|modern.watson.data.microsoft.com.akadns.net|HTTPS|Used by Windows Error Reporting +|msagfx.live.com|HTTP|OneDrive +|nav.smartscreen.microsoft.com|HTTPS|Windows Defender +|ocsp.digicert.com*|HTTP|CRL and OCSP checks to the issuing certificate authorities +|oneclient.sfx.ms|HTTP|OneDrive +|pti.store.microsoft.com|HTTPS|Microsoft Store +|ris.api.iris.microsoft.com.akadns.net|HTTPS|Used to retrieve Windows Spotlight metadata +|ris-prod-atm.trafficmanager.net|HTTPS|Azure +|s2s.config.skype.com|HTTP|Microsoft Skype +|settings-win.data.microsoft.com|HTTPS|Application settings +|share.microsoft.com|HTTPS|Microsoft Store +|skypeecs-prod-usw-0.cloudapp.net|HTTPS|Microsoft Skype +|slscr.update.microsoft.com|HTTPS|Windows Update +|storecatalogrevocation.storequality.microsoft.com|HTTPS|Microsoft Store +|store-images.microsoft.com|HTTPS|Microsoft Store +|tile-service.weather.microsoft.com/*|HTTP|Used to download updates to the Weather app Live Tile +|time.windows.com|HTTP|Windows time +|tsfe.trafficshaping.dsp.mp.microsoft.com|HTTPS|Used for content regulation +|v10.events.data.microsoft.com*|HTTPS|Microsoft Office +|vip5.afdorigin-prod-am02.afdogw.com|HTTPS|Used to serve office 365 experimentation traffic +|watson.telemetry.microsoft.com|HTTPS|Telemetry +|wdcp.microsoft.com|HTTPS|Windows Defender +|wusofficehome.msocdn.com|HTTPS|Microsoft Office +|www.bing.com|HTTPS|Cortana and Search +|www.microsoft.com|HTTP|Diagnostic +|www.msftconnecttest.com|HTTP|Network connection +|www.office.com|HTTPS|Microsoft Office + + + +## Windows 10 Education + +| **Destination** | **Protocol** | **Description** | +| --- | --- | --- | +|\*.b.akamaiedge.net|HTTPS|Used to check for updates to maps that have been downloaded for offline use +|\*.c-msedge.net|HTTP|Used by OfficeHub to get the metadata of Office apps +|\*.dl.delivery.mp.microsoft.com*|HTTP|Windows Update +|\*.e-msedge.net|HTTPS|Used by OfficeHub to get the metadata of Office apps +|\*.g.akamaiedge.net|HTTPS|Used to check for updates to Maps that have been downloaded for offline use +|\*.licensing.md.mp.microsoft.com.akadns.net|HTTPS|Microsoft Store +|\*.settings.data.microsoft.com.akadns.net|HTTPS|Microsoft Store +|\*.skype.com*|HTTPS|Used to retrieve Skype configuration values +|\*.smartscreen*.microsoft.com|HTTPS|Windows Defender +|\*.s-msedge.net|HTTPS|Used by OfficeHub to get the metadata of Office apps +|\*.telecommand.telemetry.microsoft.com*|HTTPS|Used by Windows Error Reporting +|\*.wac.phicdn.net|HTTP|Windows Update +|\*.windowsupdate.com*|HTTP|Windows Update +|\*.wns.windows.com|HTTPS|Windows Notifications Service +|\*.wpc.*.net|HTTP|Diagnostic Data +|\*displaycatalog.md.mp.microsoft.com.akadns.net|HTTPS|Microsoft Store +|\*dsp.mp.microsoft.com|HTTPS|Windows Update +|a1158.g.akamai.net|HTTP|Maps +|a122.dscg3.akamai.net|HTTP|Maps +|a767.dscg3.akamai.net|HTTP|Maps +|au.download.windowsupdate.com*|HTTP|Windows Update +|bing.com/*|HTTPS|Used for updates for Cortana, apps, and Live Tiles +|blob.dz5prdstr01a.store.core.windows.net|HTTPS|Microsoft Store +|browser.pipe.aria.microsoft.com|HTTP|Used by OfficeHub to get the metadata of Office apps +|cdn.onenote.net/livetile/*|HTTPS|Used for OneNote Live Tile +|cds.p9u4n2q3.hwcdn.net|HTTP|Used by the Highwinds Content Delivery Network to perform Windows updates +|client-office365-tas.msedge.net/*|HTTPS|Office 365 porta and Office Online +|ctldl.windowsupdate.com*|HTTP|Used to download certificates that are publicly known to be fraudulent +|displaycatalog.mp.microsoft.com/*|HTTPS|Microsoft Store +|dmd.metaservices.microsoft.com*|HTTP|Device Authentication +|download.windowsupdate.com*|HTTPS|Windows Update +|emdl.ws.microsoft.com/*|HTTP|Used to download apps from the Microsoft Store +|evoke-windowsservices-tas.msedge.net|HTTPS|Photo app +|fe2.update.microsoft.com*|HTTPS|Windows Update, Microsoft Update, Microsoft Store services +|fe3.delivery.dsp.mp.microsoft.com.nsatc.net|HTTPS|Windows Update, Microsoft Update, Microsoft Store services +|fe3.delivery.mp.microsoft.com*|HTTPS|Windows Update, Microsoft Update, Microsoft Store services +|g.live.com*|HTTPS|Used by OneDrive for Business to download and verify app updates +|g.msn.com.nsatc.net|HTTPS|Used to retrieve Windows Spotlight metadata +|go.microsoft.com|HTTP|Windows Defender +|iecvlist.microsoft.com|HTTPS|Microsoft Edge browser +|ipv4.login.msa.akadns6.net|HTTPS|Used for Microsoft accounts to sign in +|licensing.mp.microsoft.com*|HTTPS|Used for online activation and some app licensing +|login.live.com|HTTPS|Device Authentication +|maps.windows.com/windows-app-web-link|HTTPS|Maps application +|modern.watson.data.microsoft.com.akadns.net|HTTPS|Used by Windows Error Reporting +|msagfx.live.com|HTTPS|OneDrive +|ocos-office365-s2s.msedge.net/*|HTTPS|Used to connect to the Office 365 portal's shared infrastructure +|ocsp.digicert.com*|HTTP|CRL and OCSP checks to the issuing certificate authorities +|oneclient.sfx.ms/*|HTTPS|Used by OneDrive for Business to download and verify app updates +|onecollector.cloudapp.aria.akadns.net|HTTPS|Microsoft Office +|pti.store.microsoft.com|HTTPS|Microsoft Store +|settings-win.data.microsoft.com/settings/*|HTTPS|Used as a way for apps to dynamically update their configuration +|share.microsoft.com|HTTPS|Microsoft Store +|skypeecs-prod-usw-0.cloudapp.net|HTTPS|Skype +|sls.update.microsoft.com*|HTTPS|Windows Update +|storecatalogrevocation.storequality.microsoft.com*|HTTPS|Used to revoke licenses for malicious apps on the Microsoft Store +|tile-service.weather.microsoft.com*|HTTP|Used to download updates to the Weather app Live Tile +|tsfe.trafficshaping.dsp.mp.microsoft.com|HTTPS|Windows Update +|v10.events.data.microsoft.com*|HTTPS|Diagnostic Data +|vip5.afdorigin-prod-ch02.afdogw.com|HTTPS|Used to serve Office 365 experimentation traffic +|watson.telemetry.microsoft.com*|HTTPS|Used by Windows Error Reporting +|wdcp.microsoft.com|HTTPS|Windows Defender +|wd-prod-cp-us-east-1-fe.eastus.cloudapp.azure.com|HTTPS|Azure +|wusofficehome.msocdn.com|HTTPS|Microsoft Office +|www.bing.com|HTTPS|Cortana and Search +|www.microsoft.com|HTTP|Diagnostic Data +|www.microsoft.com/pkiops/certs/*|HTTP|CRL and OCSP checks to the issuing certificate authorities +|www.msftconnecttest.com|HTTP|Network Connection +|www.office.com|HTTPS|Microsoft Office + From e936adc1bb432d397f45c9e3aac764d712c1240e Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Thu, 9 May 2019 12:35:53 -0700 Subject: [PATCH 025/156] Update windows-endpoints-1903-non-enterprise-editions.md --- ...-endpoints-1903-non-enterprise-editions.md | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md index 44fadd939e..2c3885c711 100644 --- a/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md @@ -1,5 +1,5 @@ --- -title: Windows 10, version 1809, connection endpoints for non-Enterprise editions +title: Windows 10, version 1903, connection endpoints for non-Enterprise editions description: Explains what Windows 10 endpoints are used in non-Enterprise editions. keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016 ms.prod: w10 @@ -7,22 +7,22 @@ ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: high audience: ITPro -author: danihalfin -ms.author: daniha -manager: dansimp +author: mikeedgar +ms.author: v-medgar +manager: sanashar ms.collection: M365-security-compliance ms.topic: article -ms.date: 6/26/2018 +ms.date: 5/9/2019 --- -# Windows 10, version 1809, connection endpoints for non-Enterprise editions +# Windows 10, version 1903, connection endpoints for non-Enterprise editions **Applies to** -- Windows 10 Home, version 1809 -- Windows 10 Professional, version 1809 -- Windows 10 Education, version 1809 +- Windows 10 Home, version 1903 +- Windows 10 Professional, version 1903 +- Windows 10 Education, version 1903 -In addition to the endpoints listed for [Windows 10 Enterprise](manage-windows-1809-endpoints.md), the following endpoints are available on other editions of Windows 10, version 1809. +In addition to the endpoints listed for [Windows 10 Enterprise](manage-windows-1903-endpoints.md), the following endpoints are available on other editions of Windows 10, version 1903. We used the following methodology to derive these network endpoints: From 455b7236ea01925b0814ebb968321986a6e2f357 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Thu, 9 May 2019 16:57:41 -0700 Subject: [PATCH 026/156] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...ating-system-components-to-microsoft-services.md | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 72bb0cefbe..1cd88e5243 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -39,9 +39,6 @@ However, some of the settings reduce the functionality and security configuratio Make sure you've chosen the right settings configuration for your environment before applying. You should not extract this package to the windows\\system32 folder because it will not apply correctly. ->[!IMPORTANT] -> As part of the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887), MDM functionallity is disabled. If you manage devices through MDM, make sure [cloud notifications are enabled](#bkmk-priv-notifications). - Applying the Windows Restricted Traffic Limited Functionality Baseline is the same as applying each setting covered in this article. It is recommended that you restart a device after making configuration changes to it. Note that **Get Help** and **Give us Feedback** links no longer work after the Windows Restricted Traffic Limited Functionality Baseline is applied. @@ -56,8 +53,6 @@ The following sections list the components that make network connections to Micr The following table lists management options for each setting, beginning with Windows 10 Enterprise version 1607. ->[!NOTE] ->For some settings, MDM policies only partly cover capabilities available through Group Policy. See each setting’s section for more details. | Setting | UI | Group Policy | Registry | | - | :-: | :-: | :-: | @@ -268,7 +263,7 @@ On Windows Server 2016 Nano Server: ### 2. Cortana and Search -Use either Group Policy or MDM policies to manage settings for Cortana. For more info, see [Cortana, Search, and privacy: FAQ](https://go.microsoft.com/fwlink/p/?LinkId=730683). +Use Group Policies to manage settings for Cortana. For more info, see [Cortana, Search, and privacy: FAQ](https://go.microsoft.com/fwlink/p/?LinkId=730683). ### 2.1 Cortana and Search Group Policies @@ -558,7 +553,7 @@ To disable the Microsoft Account Sign-In Assistant: ### 13. Microsoft Edge -Use either Group Policy or MDM policies to manage settings for Microsoft Edge. For more info, see [Microsoft Edge and privacy: FAQ](https://go.microsoft.com/fwlink/p/?LinkId=730682). +Use Group Policies to manage settings for Microsoft Edge. For more info, see [Microsoft Edge and privacy: FAQ](https://go.microsoft.com/fwlink/p/?LinkId=730682). ### 13.1 Microsoft Edge Group Policies @@ -1643,7 +1638,7 @@ To disable Windows Defender Smartscreen: ### 25. Windows Spotlight -Windows Spotlight provides features such as different background images and text on the lock screen, suggested apps, Microsoft account notifications, and Windows tips. You can control it by using the user interface, MDM policy, or through Group Policy. +Windows Spotlight provides features such as different background images and text on the lock screen, suggested apps, Microsoft account notifications, and Windows tips. You can control it by using the user interface or Group Policy. If you're running Windows 10, version 1607 or later, you need to: @@ -1765,7 +1760,7 @@ Windows Update Delivery Optimization lets you get Windows updates and Microsoft By default, PCs running Windows 10 Enterprise and Windows 10 Education will only use Delivery Optimization to get and receive updates for PCs and apps on your local network. -Use the UI, Group Policy, MDM policies, or Windows Provisioning to set up Delivery Optimization. +Use the UI, Group Policy, or Registry Keys to set up Delivery Optimization. In Windows 10 version 1607 and above you can stop network traffic related to Windows Update Delivery Optimization by setting **Download Mode** to **Bypass** (100), as described below. From 3c8fc7a4ed6263938d394c3edb28ce1e49d77d37 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Thu, 9 May 2019 19:08:30 -0700 Subject: [PATCH 027/156] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...ows-operating-system-components-to-microsoft-services.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 1cd88e5243..e86b33a16f 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -96,7 +96,7 @@ The following table lists management options for each setting, beginning with Wi | [18.20 App Diagnostics](#bkmk-priv-diag) |  |  |  | | [18.21 Inking & Typing](#bkmk-priv-ink) |  | |  | | [19. Software Protection Platform](#bkmk-spp) | |  |  | -| [20. Storage Health](#bkmk-storage-health) | |  | | | +| [20. Storage Health](#bkmk-storage-health) | |  |  | | | [21. Sync your settings](#bkmk-syncsettings) |  |  |  | | [22. Teredo](#bkmk-teredo) | |  | |  | | [23. Wi-Fi Sense](#bkmk-wifisense) |  |  | | @@ -129,7 +129,7 @@ See the following table for a summary of the management settings for Windows Ser | [18. Settings > Privacy](#bkmk-settingssection) | | | | | [18.1 General](#bkmk-general) |  |  |  | | [19. Software Protection Platform](#bkmk-spp) | |  |  | -| [20. Teredo](#bkmk-teredo) | |  |  | +| [22. Teredo](#bkmk-teredo) | |  |  | | [24. Windows Defender](#bkmk-defender) | |  |  | | [26. Microsoft Store](#bkmk-windowsstore) | |  |  | | [26.1 Apps for websites](#bkmk-apps-for-websites) | |  | | @@ -1488,7 +1488,7 @@ For Windows 10: -or- -- Create a REG_DWORD registry setting named **AllowDiskHealthModelUpdates** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\StorageHealth** with a value of 0. +- Create a REG_DWORD registry setting named **AllowDiskHealthModelUpdates** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\StorageHealth** with a **value of 0**. ### 21. Sync your settings From bb3fc68af11c27d207e9b245ab56a43affc54c69 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Thu, 9 May 2019 19:15:11 -0700 Subject: [PATCH 028/156] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...perating-system-components-to-microsoft-services.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index e86b33a16f..5964599ef4 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -96,9 +96,9 @@ The following table lists management options for each setting, beginning with Wi | [18.20 App Diagnostics](#bkmk-priv-diag) |  |  |  | | [18.21 Inking & Typing](#bkmk-priv-ink) |  | |  | | [19. Software Protection Platform](#bkmk-spp) | |  |  | -| [20. Storage Health](#bkmk-storage-health) | |  |  | | +| [20. Storage Health](#bkmk-storage-health) | |  |  | | [21. Sync your settings](#bkmk-syncsettings) |  |  |  | -| [22. Teredo](#bkmk-teredo) | |  | |  | +| [22. Teredo](#bkmk-teredo) | |  |  | | [23. Wi-Fi Sense](#bkmk-wifisense) |  |  | | | [24. Windows Defender](#bkmk-defender) | |  |  | | [24.1 Windows Defender Smartscreen](#bkmk-defender-smartscreen) | |  |  | @@ -146,7 +146,7 @@ See the following table for a summary of the management settings for Windows Ser | [6. Font streaming](#font-streaming) |  |  | | [14. Network Connection Status Indicator](#bkmk-ncsi) |  | | | [19. Software Protection Platform](#bkmk-spp) |  | -| [22. Teredo](#bkmk-teredo) |  | | +| [22. Teredo](#bkmk-teredo) |  |  | | [24. Windows Defender](#bkmk-defender) |  |  | | [28. Windows Update](#bkmk-wu) |  |  | @@ -158,7 +158,7 @@ See the following table for a summary of the management settings for Windows Ser | - | :-: | | [1. Automatic Root Certificates Update](#automatic-root-certificates-update) |  | | [3. Date & Time](#bkmk-datetime) |  | -| [22. Teredo](#bkmk-teredo) | | +| [22. Teredo](#bkmk-teredo) |  | | [28. Windows Update](#bkmk-wu) |  | ### Settings for Windows Server 2019 @@ -206,7 +206,7 @@ See the following table for a summary of the management settings for Windows Ser | [18.20 App Diagnostics](#bkmk-priv-diag) |  |  |  | | [18.21 Inking & Typing](#bkmk-priv-ink) | | |  | | [19. Software Protection Platform](#bkmk-spp) | |  |  | -| [20. Storage Health](#bkmk-storage-health) | |  | | +| [20. Storage Health](#bkmk-storage-health) | |  |  | | [21. Sync your settings](#bkmk-syncsettings) |  |  |  | | [22. Teredo](#bkmk-teredo) | |  |  | | [23. Wi-Fi Sense](#bkmk-wifisense) |  |  |  | From 1000661358f37cf87af06bcba38828acb560e92c Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Thu, 9 May 2019 19:19:05 -0700 Subject: [PATCH 029/156] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...windows-operating-system-components-to-microsoft-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 5964599ef4..ef98f3c09d 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -99,7 +99,7 @@ The following table lists management options for each setting, beginning with Wi | [20. Storage Health](#bkmk-storage-health) | |  |  | | [21. Sync your settings](#bkmk-syncsettings) |  |  |  | | [22. Teredo](#bkmk-teredo) | |  |  | -| [23. Wi-Fi Sense](#bkmk-wifisense) |  |  | | +| [23. Wi-Fi Sense](#bkmk-wifisense) |  |  |  | | [24. Windows Defender](#bkmk-defender) | |  |  | | [24.1 Windows Defender Smartscreen](#bkmk-defender-smartscreen) | |  |  | | [25. Windows Spotlight](#bkmk-spotlight) |  |  |  | From 5d4ef5882af406a1993bf5d8aa1175265df89e02 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Thu, 9 May 2019 19:22:58 -0700 Subject: [PATCH 030/156] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...ows-operating-system-components-to-microsoft-services.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index ef98f3c09d..af7aace6a4 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -104,7 +104,7 @@ The following table lists management options for each setting, beginning with Wi | [24.1 Windows Defender Smartscreen](#bkmk-defender-smartscreen) | |  |  | | [25. Windows Spotlight](#bkmk-spotlight) |  |  |  | | [26. Microsoft Store](#bkmk-windowsstore) | |  |  | -| [26.1 Apps for websites](#bkmk-apps-for-websites) | |  | | +| [26.1 Apps for websites](#bkmk-apps-for-websites) | |  |  | | [27. Windows Update Delivery Optimization](#bkmk-updates) |  |  |  | | [28. Windows Update](#bkmk-wu) |  |  | | @@ -132,7 +132,7 @@ See the following table for a summary of the management settings for Windows Ser | [22. Teredo](#bkmk-teredo) | |  |  | | [24. Windows Defender](#bkmk-defender) | |  |  | | [26. Microsoft Store](#bkmk-windowsstore) | |  |  | -| [26.1 Apps for websites](#bkmk-apps-for-websites) | |  | | +| [26.1 Apps for websites](#bkmk-apps-for-websites) | |  |  | | [28. Windows Update](#bkmk-wu) | |  |  | ### Settings for Windows Server 2016 Server Core @@ -214,7 +214,7 @@ See the following table for a summary of the management settings for Windows Ser | [24.1 Windows Defender Smartscreen](#bkmk-defender-smartscreen) | |  |  | | [25. Windows Spotlight](#bkmk-spotlight) |  |  |  | | [26. Microsoft Store](#bkmk-windowsstore) | |  |  | -| [26.1 Apps for websites](#bkmk-apps-for-websites) | | | +| [26.1 Apps for websites](#bkmk-apps-for-websites) | |  | | | [27. Windows Update Delivery Optimization](#bkmk-updates) |  |  |  | | [28. Windows Update](#bkmk-wu) | |  |  | From b6bc7577d870a0007cf4dd4117f29f3f27f4316d Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Thu, 9 May 2019 19:25:53 -0700 Subject: [PATCH 031/156] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...windows-operating-system-components-to-microsoft-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index af7aace6a4..94c2c9f4dd 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -106,7 +106,7 @@ The following table lists management options for each setting, beginning with Wi | [26. Microsoft Store](#bkmk-windowsstore) | |  |  | | [26.1 Apps for websites](#bkmk-apps-for-websites) | |  |  | | [27. Windows Update Delivery Optimization](#bkmk-updates) |  |  |  | -| [28. Windows Update](#bkmk-wu) |  |  | | +| [28. Windows Update](#bkmk-wu) | |  |  | ### Settings for Windows Server 2016 with Desktop Experience From 4b445fe8cf340293684880184d40d5fb096a738e Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Thu, 9 May 2019 19:36:36 -0700 Subject: [PATCH 032/156] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...windows-operating-system-components-to-microsoft-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 94c2c9f4dd..91ea2a2d0a 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -125,7 +125,7 @@ See the following table for a summary of the management settings for Windows Ser | [10. Live Tiles](#live-tiles) | |  |  | | [12. Microsoft Account](#bkmk-microsoft-account) | |  |  | | [14. Network Connection Status Indicator](#bkmk-ncsi) | |  |  | -| [16. OneDrive](#bkmk-onedrive) | |  | | +| [16. OneDrive](#bkmk-onedrive) | |  |  | | [18. Settings > Privacy](#bkmk-settingssection) | | | | | [18.1 General](#bkmk-general) |  |  |  | | [19. Software Protection Platform](#bkmk-spp) | |  |  | From 2e7a4cf02e2b44f53b2e9bbdbbe64642ad437c6d Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Thu, 9 May 2019 19:38:28 -0700 Subject: [PATCH 033/156] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...ndows-operating-system-components-to-microsoft-services.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 91ea2a2d0a..4f37cf4f5a 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -144,8 +144,8 @@ See the following table for a summary of the management settings for Windows Ser | [1. Automatic Root Certificates Update](#automatic-root-certificates-update) |  |  | | [3. Date & Time](#bkmk-datetime) |  |  | | [6. Font streaming](#font-streaming) |  |  | -| [14. Network Connection Status Indicator](#bkmk-ncsi) |  | | -| [19. Software Protection Platform](#bkmk-spp) |  | +| [14. Network Connection Status Indicator](#bkmk-ncsi) |  |  | +| [19. Software Protection Platform](#bkmk-spp) |  |  | | [22. Teredo](#bkmk-teredo) |  |  | | [24. Windows Defender](#bkmk-defender) |  |  | | [28. Windows Update](#bkmk-wu) |  |  | From cbac0ad6f2f8e9a057a565e7239504376228330c Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Thu, 9 May 2019 19:40:59 -0700 Subject: [PATCH 034/156] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...windows-operating-system-components-to-microsoft-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 4f37cf4f5a..01593aa1b1 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -200,7 +200,7 @@ See the following table for a summary of the management settings for Windows Ser | [18.14 Radios](#bkmk-priv-radios) |  |  |  | | [18.15 Other devices](#bkmk-priv-other-devices) |  |  |  | | [18.16 Feedback & diagnostics](#bkmk-priv-feedback) |  |  |  | -| [18.17 Background apps](#bkmk-priv-background) |  |  | | +| [18.17 Background apps](#bkmk-priv-background) |  |  |  | | [18.18 Motion](#bkmk-priv-motion) |  |  |  | | [18.19 Tasks](#bkmk-priv-tasks) |  |  |  | | [18.20 App Diagnostics](#bkmk-priv-diag) |  |  |  | From 36d3fb430d2bd55ce4cc1c1c15cf37b35fd07822 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Thu, 9 May 2019 19:42:23 -0700 Subject: [PATCH 035/156] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...windows-operating-system-components-to-microsoft-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 01593aa1b1..5a69fa7d6e 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -204,7 +204,7 @@ See the following table for a summary of the management settings for Windows Ser | [18.18 Motion](#bkmk-priv-motion) |  |  |  | | [18.19 Tasks](#bkmk-priv-tasks) |  |  |  | | [18.20 App Diagnostics](#bkmk-priv-diag) |  |  |  | -| [18.21 Inking & Typing](#bkmk-priv-ink) | | |  | +| [18.21 Inking & Typing](#bkmk-priv-ink) |  | |  | | [19. Software Protection Platform](#bkmk-spp) | |  |  | | [20. Storage Health](#bkmk-storage-health) | |  |  | | [21. Sync your settings](#bkmk-syncsettings) |  |  |  | From cdecc3168902b9c4de822b9696641cd71f8873e7 Mon Sep 17 00:00:00 2001 From: Justin Hall
Default: Allowed +| 3. Date & Time | [Settings/AllowDateTime](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-settings#settings-allowdatetime)| Allows the user to change date and time settings.
**0** Not allowed.
1 (default) Allowed. +| 4. Device metadata retrieval | [DeviceInstallation/PreventDeviceMetadataFromNetwork](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventdevicemetadatafromnetwork) | Choose whether to prevent Windows from retrieving device metadata from the Internet +| 5. Find My Device | [Experience/AllowFindMyDevice](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-allowfindmydevice)| This policy turns on Find My Device.
Set to **0** to disable.
+| 6. Font streaming | [System/AllowFontProviders](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-system#system-allowfontproviders) | Set to 0 to disable font streaming
Set to 1 to enable font streaming +| 7. Insider Preview builds | [System/AllowBuildPreview](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-system#system-allowbuildpreview) | **0**: users cannot make their devices available for downloading and installing preview software
**1**: users can make their devices available for downloading and installing preview software
**2**: (default) not configured; users can make their devices available for download and installing preview software +| 8. Internet Explorer | The following Microsoft Internet Explorer MDM policies are available in the [Internet Explorer CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-internetexplorer) | +| | [InternetExplorer/AllowSuggestedSites](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-internetexplorer#internetexplorer-allowsuggestedsites) | Recommends websites based on the user’s browsing activity. +| | [InternetExplorer/PreventManagingSmartScreenFilter]( https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-internetexplorer#internetexplorer-preventmanagingsmartscreenfilter) | Prevents the user from managing SmartScreen Filter, which warns the user if the website being visited is known for fraudulent attempts to gather personal information through "phishing," or is known to host malware. +| | [InternetExplorer/DisableFlipAheadFeature]( https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-internetexplorer#internetexplorer-disableflipaheadfeature) | Determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of a website. +| | [InternetExplorer/DisableHomePageChange]( https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-internetexplorer#internetexplorer-disablehomepagechange) | Determines whether users can change the default Home Page or not. +| | [InternetExplorer/DisableFirstRunWizard]( https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-internetexplorer#internetexplorer-disablefirstrunwizard) | Prevents Internet Explorer from running the First Run wizard the first time a user starts the browser after installing Internet Explorer or Windows. +| 9. Live Tiles | [Notifications/DisallowTileNotification](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-notifications)| This policy setting turns off tile notifications. If you enable this policy setting applications and system features will not be able to update their tiles and tile badges in the Start screen. Set value to **1** to disable Tile Notifications. +| 10. Mail synchronization | [Accounts/AllowMicrosoftAccountConnection](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-accounts#accounts-allowmicrosoftaccountconnection) | **0**: not allowed
**1**: allowed
Does not apply to Microsoft Accounts that have already been configured on the device. +| 11. Microsoft Account | [Accounts/AllowMicrosoftAccountSignInAssistant](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-accounts#accounts-allowmicrosoftaccountsigninassistant) | Disable the Microsoft Account Sign-In Assistant.
**0**: turned off
**1**: turned on +| 12. Microsoft Edge | | The following Microsoft Edge MDM policies are available in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). For a complete list of the Microsoft Edge policies, see [Available policies for Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/available-policies). +| | [Browser/AllowAutoFill](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowautofill) | Choose whether employees can use autofill on websites.
Default: Allowed +| | [Browser/AllowDoNotTrack](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowdonottrack) | Choose whether employees can send Do Not Track headers.
Default: Not allowed +| | [Browser/AllowMicrosoftCompatbilityList](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowmicrosoftcompatibilitylist) | Specify the Microsoft compatibility list in Microsoft Edge.
Default: Enabled +| | [Browser/AllowPasswordManager](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowpasswordmanager) | Choose whether employees can save passwords locally on their devices.
Default: Allowed +| | [Browser/AllowSearchSuggestionsinAddressBar](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsearchsuggestionsinaddressbar) | Choose whether the Address Bar shows search suggestions..
Default: Allowed +| | [Browser/AllowSmartScreen](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen) | Choose whether SmartScreen is turned on or off.
Default: Allowed +| | [Browser/FirstRunURL](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-firstrunurl) | Choose the home page for Microsoft Edge on Windows Mobile 10.
Default: blank +| 13. Network Connection Status Indicator | [Connectivity/DisallowNetworkConnectivityActiveTests](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-connectivity#connectivity-disallownetworkconnectivityactivetests) | **1**: turn off NCSI
Note:: After you apply this policy you must restart the device for the policy setting to take effect. +| 14. Offline maps | [AllowOfflineMapsDownloadOverMeteredConnection](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-maps)|Allows the download and update of map data over metered connections.
**0** Disabled. Force disable auto-update over metered connection.
+| | [EnableOfflineMapsAutoUpdate](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-maps#maps-enableofflinemapsautoupdate)|Disables the automatic download and update of map data.
**0** Disabled. Force off auto-update.
+| 15. OneDrive | [DisableOneDriveFileSync](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-system#system-disableonedrivefilesync)| Allows IT Admins to prevent apps and features from working with files on OneDrive.
**1** True (sync disabled).
+| 16. Preinstalled apps | N/A | N/A +| 17. Privacy settings | | Except for the Feedback & Diagnostics page, these settings must be configured for every user account that signs into the PC. +| 17.1 General | [TextInput/AllowLinguisticDataCollection](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-textinput#textinput-allowlinguisticdatacollection) | Turn off **Send Microsoft info about how I write to help us improve typing and writing in the future**.
**0**: not allowed
**1**: allowed (default) +| 17.2 Location | [System/AllowLocation](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-system#system-allowlocation) | Turn off **Location for this device**.
**0**: turned off and the employee can't turn it back on
**1**: turned on but lets the employee choose whether to use it (default)
**2**: turned on and the employee can't turn it off
Note:: You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](https://msdn.microsoft.com/library/dn905224.aspx). +| 17.3 Camera | [Camera/AllowCamera](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-camera#camera-allowcamera) | Turn off **Let apps use my camera**.
**0**: apps can't use the camera
**1** apps can use the camera
Note:: You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](https://msdn.microsoft.com/library/dn905224.aspx). +| 17.4 Microphone | [Privacy/LetAppsAccessMicrophone](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmicrophone) | Turn off **Let apps use my microphone**.
**0**: user in control
**1**: force allow
**2**: force deny +| 17.5 Notifications | [Notifications/DisallowCloudNotification](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-notifications#notifications-disallowcloudnotification) | Turn off notifications network usage.
**DO NOT TURN OFF WNS Notifications if you want manage your device(s) using Microsoft InTune** +| | [Privacy/LetAppsAccessNotifications](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessnotifications) | Turn off **Let apps access my notifications**.
**0**: user in control
**1**: force allow
**2**: force deny +| | [Settings/Notifications & actions/AllowOnlineTips]( https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-settings#settings-allowonlinetips) | Disable **AllowOnlineTips** to prevent traffic +| 17.6 Speech, Inking, & Typing | [Speech/AllowSpeechModelUpdate](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-speech#speech-allowspeechmodelupdate) | Turn off updates to the speech recognition and speech synthesis models.
**0**: not allowed (default)
**1**: allowed +| | [TextInput/AllowLinguisticDataCollection](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-textinput#textinput-allowlinguisticdatacollection)|This policy setting controls the ability to send inking and typing data to Microsoft to improve the language recognition and suggestion capabilities of apps and services running on Windows.
**0**: disallow
**1**: choice deferred to user's preference +| 17.7 Account info | [Privacy/LetAppsAccessAccountInfo](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessaccountinfo) | Turn off **Let apps access my name picture and other account info in the UI**.
**0**: user in control
**1**: force allow
**2**: force deny +| 17.8 Contacts | [Privacy/LetAppsAccessContacts](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesscontacts) | Turn off **Choose apps that can access contacts** in the UI.
**0**: user in control
**1**: force allow
**2**: force deny +| 17.9 Calendar | [Privacy/LetAppsAccessCalendar](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesscalendar) | Turn off **Let apps access my calendar** in the UI.
**0**: user in control
**1**: force allow
**2**: force deny +| 17.10 Call history | [Privacy/LetAppsAccessCallHistory](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesscallhistory) | Turn off **Let apps access my call history** in the UI.
**0**: user in control
**1**: force allow
**2**: force deny +| 17.11 Email | [Privacy/LetAppsAccessEmail](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessemail) | Turn off **Let apps access and send email** in the UI.
**0**: user in control
**1**: force allow
**2**: force deny +| 17.12 Messaging | [Privacy/LetAppsAccessMessaging](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmessaging) | Turn off **Let apps read or send messages (text or MMS)** in the UI.
**0**: user in control
**1**: force allow
**2**: force deny +| 17.13 Phone calls | [Privacy/LetAppsAccessPhone](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessphone) |
**0**: user in control
**1**: force allow
**2**: force deny +| 17.14 Radios | [Privacy/LetAppsAccessRadios](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessradios) | Turn off **Let apps control radios** in the UI.
**0**: user in control
**1**: force allow
**2**: force deny +| 17.15 Other devices | [Privacy/LetAppsSyncWithDevices](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappssyncwithdevices) | Turn off **Let apps automatically share and sync info** with wireless devices that don't explicitly pair with your PC, tablet, or phone** in the UI.
**0**: user in control
**1**: force allow
**2**: force deny +| | [Privacy/LetAppsAccessTrustedDevices](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesstrusteddevices) | Turn off **Let your apps use your trusted devices** (hardware you've already connected, or comes with your PC, tablet, or phone) in the UI.
**0**: user in control
**1**: force allow
**2**: force deny +| 17.16 Feedback & diagnostics | [System/AllowTelemetry](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) | Change the level of diagnostic and usage data sent when you **Send your device data to Microsoft**.
**0**: maps to the **Security** level
**1**: maps to the **Basic** level
**2**: maps to the **Enhanced** level
**3**: maps to the **Full** level +| 17.17 Background apps | [Privacy/LetAppsRunInBackground](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsruninbackground) | Turn off **Let apps run in the background** in the UI.
**0**: user in control
**1**: force allow
**2**: force deny
Note: Some apps, including Cortana and Search, might not function as expected if you set **Let apps run in the background** to **Force Deny**. +| 17.18 Motion | [Privacy/LetAppsAccessMotion](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmotion) | Turn off **Let Windows and your apps use your motion data and collect motion history** in the UI.
**0**: user in control
**1**: force allow
**2**: force deny +| 17.19 Tasks | [Privacy/LetAppsAccessTasks](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesstasks) | Turn off the ability to choose which apps have access to tasks.
**0**: user in control
**1**: force allow
**2**: force deny +| 17.20 App Diagnostics | [Privacy/LetAppsGetDiagnosticInfo](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsgetdiagnosticinfo) | Turn off the ability to choose which apps have access to diagnostic information.
**0**: user in control
**1**: force allow
**2**: force deny +| 18. Software Protection Platform | [Licensing/DisallowKMSClientOnlineAVSValidation](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-licensing#licensing-disallowkmsclientonlineavsvalidation) | Opt out of sending KMS client activation data to Microsoft automatically.
**0**: disabled (default)
**1**: enabled +| 19. Storage Health | [Storage/AllowDiskHealthModelUpdates](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-storage#storage-allowdiskhealthmodelupdates) | Allows disk health model updates.
**0** - Do not allow
+| 20. Sync your settings | [Experience/AllowSyncMySettings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-allowsyncmysettings) | Control whether your settings are synchronized.
**0**: not allowed
**1**: allowed +| 21. Teredo | No MDM needed or required|No MDM needed or required +| 22. Wi-Fi Sense | No MDM needed or required|No MDM needed or required +| 23. Windows Defender | [Defender/AllowCloudProtection](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-allowcloudprotection) | Disconnect from the Microsoft Antimalware Protection Service.
**0** Not allowed.
**1** (default) Allowed. +| | [Defender/SubmitSamplesConsent](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-submitsamplesconsent) | Stop sending file samples back to Microsoft.
**0**: always prompt
**1**: send safe samples automatically (default)
**2**: never send
**3**: send all samples automatically +| 23.1 Windows Defender Smartscreen | [Browser/AllowSmartScreen](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen) | Disable Windows Defender Smartscreen.
**0**: turned off
**1**: turned on +| 23.2 Windows Defender Smartscreen EnableAppInstallControl | [SmartScreen/EnableAppInstallControl](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-smartscreen#smartscreen-enableappinstallcontrol) | Controls whether users are allowed to install apps from places other than the Microsoft Store
**0**: Turns off traffic
**1**: Allows traffic +| 24. Windows Media Player | N/A | N/A +| 25. Windows Spotlight | [Experience/AllowWindowsSpotlight](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-allowwindowsspotlight) | Disable Windows Spotlight.
**0**: disabled +| 26. Microsoft Store | [ApplicationManagement/DisableStoreOriginatedApps](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-disablestoreoriginatedapps)| Boolean value that disables the launch of all apps from Microsoft Store that came pre-installed or were downloaded.
**0** (default) Enable launch of apps.
**1** Disable launch of apps. +| | [ApplicationManagement/AllowAppStoreAutoUpdate](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-allowappstoreautoupdate)| Specifies whether automatic update of apps from Microsoft Store are allowed.
**1** (default) Allowed.
**0** Not allowed. +| 26.1 Apps for websites | [ApplicationDefaults/EnableAppUriHandlers](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-applicationdefaults#applicationdefaults-enableappurihandlers) | This policy setting determines whether Windows supports web-to-app linking with app URI handlers.
**0**: disabled
**1** enabled +| 27. Windows Update Delivery Optimization | | The following Delivery Optimization MDM policies are available in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). +| | [DeliveryOptimization/DODownloadMode](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deliveryoptimization#deliveryoptimization-dodownloadmode) | Lets you choose where Delivery Optimization gets or sends updates and apps.
**0**: turns off Delivery Optimization
**1**: gets or sends updates and apps to PCs on the same NAT only
**2**: gets or sends updates and apps to PCs on the same local network domain
**3**: gets or sends updates and apps to PCs on the Internet
**99**: simple download mode with no peering
**100**: use BITS instead of Windows Update Delivery Optimization +| | [DeliveryOptimization/DOGroupID](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deliveryoptimization#deliveryoptimization-dogroupid) | Lets you provide a Group ID that limits which PCs can share apps and updates.
Note: This ID must be a GUID. +| | [DeliveryOptimization/DOMaxCacheAge](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deliveryoptimization#deliveryoptimization-domaxcacheage) | Lets you specify the maximum time (in seconds) that a file is held in the Delivery Optimization cache.
The default value is 259200 seconds (3 days). +| | [DeliveryOptimization/DOMaxCacheSize](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deliveryoptimization#deliveryoptimization-domaxcachesize) | Lets you specify the maximum cache size as a percentage of disk size.
The default value is 20| which represents 20% of the disk. +| | [DeliveryOptimization/DOMaxUploadBandwidth](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deliveryoptimization#deliveryoptimization-domaxuploadbandwidth) | Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity.
The default value is 0, which means unlimited possible bandwidth. +| | [DeliveryOptimization/DODownloadMode](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deliveryoptimization#deliveryoptimization-dodownloadmode)| Specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps and App updates. Set to **100** - Bypass mode. Do not use Delivery Optimization and use BITS instead. Added in Windows 10, version 1607. +| 28. Windows Update | [Update/AllowAutoUpdate](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#update-allowautoupdate) | Control automatic updates.
**0**: notify the user before downloading the update
**1**: auto install the update and then notify the user to schedule a device restart
**2**: auto install and restart (default)
**3**: auto install and restart at a specified time
**4**: auto install and restart without end-user control
**5**: turn off automatic updates + + + + + From dc813d358459496add78badc5af9efe55f11f663 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Wed, 15 May 2019 12:01:15 -0700 Subject: [PATCH 040/156] Update configure-connections-to-microsoft-services-with-mdm.md --- .../configure-connections-to-microsoft-services-with-mdm.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/configure-connections-to-microsoft-services-with-mdm.md b/windows/privacy/configure-connections-to-microsoft-services-with-mdm.md index 881ce64336..58a96778b5 100644 --- a/windows/privacy/configure-connections-to-microsoft-services-with-mdm.md +++ b/windows/privacy/configure-connections-to-microsoft-services-with-mdm.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium -author: mikeedgar +author: medgarmedgar ms.author: v-medgar ms.date: 3/1/2019 --- From 1bb0e75a6a7e985ce9dce893afcb4b122b4d453b Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Wed, 15 May 2019 12:10:54 -0700 Subject: [PATCH 041/156] Update TOC.md --- windows/privacy/TOC.md | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/windows/privacy/TOC.md b/windows/privacy/TOC.md index b687b5bc1b..2b3934e585 100644 --- a/windows/privacy/TOC.md +++ b/windows/privacy/TOC.md @@ -17,12 +17,13 @@ ### [Windows 10, version 1709 and newer diagnostic data for the Full level](windows-diagnostic-data.md) ### [Windows 10, version 1703 diagnostic data for the Full level](windows-diagnostic-data-1703.md) ## Manage Windows 10 connection endpoints -### [Connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md) -### [Connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md) -### [Connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md) ### [Connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md) -### [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md) -### [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md) -### [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md) +### [Connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md) +### [Connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md) +### [Connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md) ### [Windows 10, version 1903, connection endpoints for non-Enterprise editions](windows-endpoints-1903-non-enterprise-editions.md) +### [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md) +### [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md) +### [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md) ## [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) +## [Manage connections from Windows operating system components to Microsoft services using MDM/CSPs](configure-connections-to-microsoft-services-with-mdm.md) From 6cfd3cb0ee56fda652fac85ef7d25c3298078fce Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Wed, 15 May 2019 12:53:41 -0700 Subject: [PATCH 042/156] Rename configure-connections-to-microsoft-services-with-mdm.md to manage-connections-from-windows-operating-system-components-to-microsoft-services-with-MDM.md --- ...operating-system-components-to-microsoft-services-with-MDM.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename windows/privacy/{configure-connections-to-microsoft-services-with-mdm.md => manage-connections-from-windows-operating-system-components-to-microsoft-services-with-MDM.md} (100%) diff --git a/windows/privacy/configure-connections-to-microsoft-services-with-mdm.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-with-MDM.md similarity index 100% rename from windows/privacy/configure-connections-to-microsoft-services-with-mdm.md rename to windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-with-MDM.md From 0bb2b2f0691e2ada84e3b6953216187311c49cde Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Wed, 15 May 2019 12:54:05 -0700 Subject: [PATCH 043/156] Update TOC.md --- windows/privacy/TOC.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/TOC.md b/windows/privacy/TOC.md index 2b3934e585..f1214e7bec 100644 --- a/windows/privacy/TOC.md +++ b/windows/privacy/TOC.md @@ -26,4 +26,4 @@ ### [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md) ### [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md) ## [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) -## [Manage connections from Windows operating system components to Microsoft services using MDM/CSPs](configure-connections-to-microsoft-services-with-mdm.md) +## [Manage connections from Windows operating system components to Microsoft services using MDM](configure-connections-to-microsoft-services-with-mdm.md) From 6d68ad0c7bde63730d6969a632c45281e56ee4a3 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Wed, 15 May 2019 12:55:08 -0700 Subject: [PATCH 044/156] Rename manage-connections-from-windows-operating-system-components-to-microsoft-services-with-MDM.md to manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md --- ...perating-system-components-to-microsoft-services-using-MDM.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename windows/privacy/{manage-connections-from-windows-operating-system-components-to-microsoft-services-with-MDM.md => manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md} (100%) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-with-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md similarity index 100% rename from windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-with-MDM.md rename to windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md From 44a8cedab9ee2824824250a667140cdd36f07909 Mon Sep 17 00:00:00 2001 From: Justin Hall
**0**: notify the user before downloading the update
**1**: auto install the update and then notify the user to schedule a device restart
**2**: auto install and restart (default)
**3**: auto install and restart at a specified time
**4**: auto install and restart without end-user control
**5**: turn off automatic updates - +### Allowed (aka "Whitelisted") traffic for Microsoft InTune / MDM configurations +| Endpoint of Allowed traffic | +| --- | +|ctldl.windowsupdate.com| +|cdn.onenote.net| +|r.manage.microsoft.com| +|tile-service.weather.microsoft.com| +|settings-win.data.microsoft.com| +|client.wns.windows.com| +|dm3p.wns.windows.com| +|crl.microsoft.com/pki/crl/*| +|www.microsoft.com/pkiops/crl/*| +|activation-v2.sls.microsoft.com/*| +|ocsp.digicert.com/*| From de27d90092f80321a0c9a7b3570cecabd5650c63 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Thu, 16 May 2019 13:44:27 -0700 Subject: [PATCH 060/156] Update manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md --- ...rating-system-components-to-microsoft-services-using-MDM.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md index 381e5fef6e..47198dac47 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md @@ -117,7 +117,8 @@ For Windows 10, the following MDM policies are available in the [Policy CSP](htt | 28. Windows Update | [Update/AllowAutoUpdate](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#update-allowautoupdate) | Control automatic updates.
**0**: notify the user before downloading the update
**1**: auto install the update and then notify the user to schedule a device restart
**2**: auto install and restart (default)
**3**: auto install and restart at a specified time
**4**: auto install and restart without end-user control
**5**: turn off automatic updates ### Allowed (aka "Whitelisted") traffic for Microsoft InTune / MDM configurations -| Endpoint of Allowed traffic | + +|**Allowed traffic endpoints** | | --- | |ctldl.windowsupdate.com| |cdn.onenote.net| From c8b453df2fd9b0083ee15ddbac0fe1017c0608fe Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Thu, 16 May 2019 13:45:21 -0700 Subject: [PATCH 061/156] Update manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md --- ...ating-system-components-to-microsoft-services-using-MDM.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md index 47198dac47..5b371ce302 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md @@ -117,7 +117,7 @@ For Windows 10, the following MDM policies are available in the [Policy CSP](htt | 28. Windows Update | [Update/AllowAutoUpdate](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#update-allowautoupdate) | Control automatic updates.
**0**: notify the user before downloading the update
**1**: auto install the update and then notify the user to schedule a device restart
**2**: auto install and restart (default)
**3**: auto install and restart at a specified time
**4**: auto install and restart without end-user control
**5**: turn off automatic updates ### Allowed (aka "Whitelisted") traffic for Microsoft InTune / MDM configurations - + |**Allowed traffic endpoints** | | --- | |ctldl.windowsupdate.com| @@ -128,7 +128,7 @@ For Windows 10, the following MDM policies are available in the [Policy CSP](htt |client.wns.windows.com| |dm3p.wns.windows.com| |crl.microsoft.com/pki/crl/*| -|www.microsoft.com/pkiops/crl/*| +|*microsoft.com/pkiops/crl/*| |activation-v2.sls.microsoft.com/*| |ocsp.digicert.com/*| From 6518bebae843fc8b7d902d20dd57293d7204ef53 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Thu, 16 May 2019 13:46:38 -0700 Subject: [PATCH 062/156] Update manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md --- ...erating-system-components-to-microsoft-services-using-MDM.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md index 5b371ce302..917e71196f 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md @@ -128,7 +128,7 @@ For Windows 10, the following MDM policies are available in the [Policy CSP](htt |client.wns.windows.com| |dm3p.wns.windows.com| |crl.microsoft.com/pki/crl/*| -|*microsoft.com/pkiops/crl/*| +|*microsoft.com/pkiops/crl/**| |activation-v2.sls.microsoft.com/*| |ocsp.digicert.com/*| From efa711233502e9695cf9887f324005da1c7d823d Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Thu, 16 May 2019 13:47:34 -0700 Subject: [PATCH 063/156] Update manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md --- ...ating-system-components-to-microsoft-services-using-MDM.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md index 917e71196f..5f3cce836a 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md @@ -117,7 +117,9 @@ For Windows 10, the following MDM policies are available in the [Policy CSP](htt | 28. Windows Update | [Update/AllowAutoUpdate](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#update-allowautoupdate) | Control automatic updates.
**0**: notify the user before downloading the update
**1**: auto install the update and then notify the user to schedule a device restart
**2**: auto install and restart (default)
**3**: auto install and restart at a specified time
**4**: auto install and restart without end-user control
**5**: turn off automatic updates ### Allowed (aka "Whitelisted") traffic for Microsoft InTune / MDM configurations - + + + |**Allowed traffic endpoints** | | --- | |ctldl.windowsupdate.com| From a8272559d158d34bc12cf1844e969a53aa8df09d Mon Sep 17 00:00:00 2001 From: brbrahm <43386070+brbrahm@users.noreply.github.com> Date: Thu, 16 May 2019 13:47:58 -0700 Subject: [PATCH 064/156] Update deploy-multiple-windows-defender-application-control-policies.md --- ...s-defender-application-control-policies.md | 80 ++++++------------- 1 file changed, 26 insertions(+), 54 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md index 73d0e16c9b..4484f5fbe6 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md @@ -26,9 +26,10 @@ The restriction of only having a single code integrity policy active on a system - To validate policy changes before deploying in enforcement mode, users can now deploy an audit-mode base policy side-by-side with an existing enforcement-mode base policy 2. Multiple Base Policies - Users can enforce two or more base policies simultaneously in order to allow simpler policy targeting for policies with different scope/intent + - If two base policies exist on a device, an application has to be allowed by both to run 3. Supplemental Policies - Users can deploy one or more supplemental policies to expand a base policy - - If two base policies exist on a device, an application has to be allowed by both to run + - A supplemental policy expands a single base policy, and multiple supplemental policies can expand the same base policy - For supplemental policies, applications that are allowed by either the base policy or its supplemental policy/policies are allowed to run ## How do Base and Supplemental Policies Interact? @@ -38,68 +39,39 @@ The restriction of only having a single code integrity policy active on a system - Base + supplemental policy: union - Files that are allowed by the base policy or the supplemental policy are not blocked -## PowerShell parameters +## Creating Multiple Base or Supplemental Policies -New-CIPolicy -- MultiplePolicyFormat: allows for multiple policies +Note that multiple policies will not work on pre-1903 systems. +### Allow Multiple Policies + +In order to allow multiple policies to exist and take effect on a single system, policies must be created using the new Multiple Policy Format. The "MultiplePolicyFormat" switch in New-CIPolicy results in 1) random GUIDs being generated for the policy ID and 2) the policy type being specified as base. ```powershell -New-CIPolicy [-FilePath]
**0**: notify the user before downloading the update
**1**: auto install the update and then notify the user to schedule a device restart
**2**: auto install and restart (default)
**3**: auto install and restart at a specified time
**4**: auto install and restart without end-user control
**5**: turn off automatic updates -### Allowed (aka "Whitelisted") traffic for Microsoft InTune / MDM configurations +### Allowed (aka "Whitelisted") traffic for Microsoft InTune / MDM configurations |**Allowed traffic endpoints** | | --- | From 3f3a7ad286e895dc69c2832670c252335344e9af Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Fri, 17 May 2019 09:03:58 -0700 Subject: [PATCH 080/156] Update manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md --- ...erating-system-components-to-microsoft-services-using-MDM.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md index 6dc87da4de..6986ee5ce2 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md @@ -119,7 +119,7 @@ For Windows 10, the following MDM policies are available in the [Policy CSP](htt | | [DeliveryOptimization/DODownloadMode](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deliveryoptimization#deliveryoptimization-dodownloadmode)| Specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps and App updates. Set to **100** - Bypass mode. Do not use Delivery Optimization and use BITS instead. Added in Windows 10, version 1607. | 28. Windows Update | [Update/AllowAutoUpdate](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#update-allowautoupdate) | Control automatic updates.
**0**: notify the user before downloading the update
**1**: auto install the update and then notify the user to schedule a device restart
**2**: auto install and restart (default)
**3**: auto install and restart at a specified time
**4**: auto install and restart without end-user control
**5**: turn off automatic updates -### Allowed (aka "Whitelisted") traffic for Microsoft InTune / MDM configurations +### Allowed traffic (aka "Whitelisted") for Microsoft InTune / MDM configurations |**Allowed traffic endpoints** | | --- | From 96725bbcd2c005c202f75864c5b395600fa7bb93 Mon Sep 17 00:00:00 2001 From: jaimeo
**1** (default) Allowed.
**0** Not allowed. | 26.1 Apps for websites | [ApplicationDefaults/EnableAppUriHandlers](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-applicationdefaults#applicationdefaults-enableappurihandlers) | This policy setting determines whether Windows supports web-to-app linking with app URI handlers.
**0**: disabled
**1** enabled | 27. Windows Update Delivery Optimization | | The following Delivery Optimization MDM policies are available in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). -| | [DeliveryOptimization/DODownloadMode](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deliveryoptimization#deliveryoptimization-dodownloadmode) | Lets you choose where Delivery Optimization gets or sends updates and apps.
**0**: turns off Delivery Optimization
**1**: gets or sends updates and apps to PCs on the same NAT only
**2**: gets or sends updates and apps to PCs on the same local network domain
**3**: gets or sends updates and apps to PCs on the Internet
**99**: simple download mode with no peering
**100**: use BITS instead of Windows Update Delivery Optimization -| | [DeliveryOptimization/DOGroupID](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deliveryoptimization#deliveryoptimization-dogroupid) | Lets you provide a Group ID that limits which PCs can share apps and updates.
Note: This ID must be a GUID. -| | [DeliveryOptimization/DOMaxCacheAge](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deliveryoptimization#deliveryoptimization-domaxcacheage) | Lets you specify the maximum time (in seconds) that a file is held in the Delivery Optimization cache.
The default value is 259200 seconds (3 days). -| | [DeliveryOptimization/DOMaxCacheSize](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deliveryoptimization#deliveryoptimization-domaxcachesize) | Lets you specify the maximum cache size as a percentage of disk size.
The default value is 20| which represents 20% of the disk. +| | [DeliveryOptimization/DODownloadMode](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deliveryoptimization#deliveryoptimization-dodownloadmode)| Lets you choose where Delivery Optimization gets or sends updates and apps.
**0**: turns off Delivery Optimization
**1**: gets or sends updates and apps to PCs on the same NAT only
**2**: gets or sends updates and apps to PCs on the same local network domain
**3**: gets or sends updates and apps to PCs on the Internet
**99**: simple download mode with no peering
**100**: use BITS instead of Windows Update Delivery Optimization +| | [DeliveryOptimization/DOGroupID](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deliveryoptimization#deliveryoptimization-dogroupid)| Lets you provide a Group ID that limits which PCs can share apps and updates.
Note: This ID must be a GUID. +| | [DeliveryOptimization/DOMaxCacheAge](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deliveryoptimization#deliveryoptimization-domaxcacheage)| Lets you specify the maximum time (in seconds) that a file is held in the Delivery Optimization cache.
The default value is 259200 seconds (3 days). +| | [DeliveryOptimization/DOMaxCacheSize](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deliveryoptimization#deliveryoptimization-domaxcachesize) | Lets you specify the maximum cache size as a percentage of disk size.
The default value is 20 which represents 20% of the disk. | | [DeliveryOptimization/DOMaxUploadBandwidth](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deliveryoptimization#deliveryoptimization-domaxuploadbandwidth) | Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity.
The default value is 0, which means unlimited possible bandwidth. | | [DeliveryOptimization/DODownloadMode](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deliveryoptimization#deliveryoptimization-dodownloadmode)| Specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps and App updates. Set to **100** - Bypass mode. Do not use Delivery Optimization and use BITS instead. Added in Windows 10, version 1607. | 28. Windows Update | [Update/AllowAutoUpdate](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#update-allowautoupdate) | Control automatic updates.
**0**: notify the user before downloading the update
**1**: auto install the update and then notify the user to schedule a device restart
**2**: auto install and restart (default)
**3**: auto install and restart at a specified time
**4**: auto install and restart without end-user control
**5**: turn off automatic updates From 8ea9ed0bf3385a1a5da6d69634e13d9715edf282 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Fri, 17 May 2019 09:26:49 -0700 Subject: [PATCH 083/156] Update manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md --- ...rating-system-components-to-microsoft-services-using-MDM.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md index 0d87c0498f..1169395f22 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md @@ -30,7 +30,8 @@ For more information on Microsoft InTune please see [Transform IT service delive For detailed information about managing network connections to Microsoft services using Registries, Group Policies, or UI see [Manage connections from Windows operating system components to Microsoft services](https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services). -The endpoints for the “whitelisted” traffic are in the [Whitelisted Traffic](#bkmk-mdm-whitelist). + +The endpoints for the MDM “whitelisted” traffic are in the [Whitelisted Traffic](#bkmk-mdm-whitelist). ### Settings for Windows 10 Enterprise edition 1903 and newer From 0452abec2404cb666d908f4130d5010123785001 Mon Sep 17 00:00:00 2001 From: jaimeo