From 98e7b875d9a8381cacac98271dc0ebac04a92ee9 Mon Sep 17 00:00:00 2001
From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com>
Date: Thu, 19 Mar 2020 13:35:01 -0700
Subject: [PATCH 01/27] Update manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md

some updates for completeness, and removing the 1903 / 1909 verbiage since that is more applicable to the non-MDM "main" article
---
 ...ating-system-components-to-microsoft-services-using-MDM.md | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
index ce948dbf85..be706097ca 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
@@ -23,9 +23,7 @@ ms.date: 9/10/2019 This article describes the network connections that Windows 10 components make to Microsoft and the Mobile Device Management/Configuration Service Provider (MDM/CSP) and custom Open Mobile Alliance Uniform Resource Identifier ([OMA URI](https://docs.microsoft.com/intune/custom-settings-windows-10)) policies available to IT Professionals using Microsoft Intune to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a number of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience. -Note: The 1903 settings in the Windows Restricted Traffic Limited Functionality Baseline package are applicable to 1909 Windows Enterprise devices. - -Note: If a user executes the "Reset this PC" command (Settings -> Update & Security -> Recovery) with the "Keep my files" option the Windows Restricted Traffic Limited Functionality Baseline settings will need to be re-applied to in order re-restrict the device. Also, egress traffic may occur during the period leading up to the re-applications of the Restricted Traffic Limited Functionality Baseline settings. 
+Note: If a user executes the "Reset this PC" command (Settings -> Update & Security -> Recovery) with the "Keep my files" option (or the "Remove Everything" option) the Windows Restricted Traffic Limited Functionality Baseline settings will need to be re-applied to in order re-restrict the device's egress traffic. Also, egress traffic may occur during the period prior to the re-application of the Restricted Traffic Limited Functionality Baseline settings. The device will remain enrolled to Microsoft Intune after either reset option is selected. However, the client must be re-sync the Microsoft InTune settings down to the device. This can be done by the user logging out and then re-logging back into the device. >[!IMPORTANT] >- The Allowed Traffic endpoints for an MDM configuration are here: [Allowed Traffic](#bkmk-mdm-allowedtraffic) From 92001c89b625a1f449d3cf8e1ce807f4ed8b0fe1 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Thu, 19 Mar 2020 13:41:28 -0700 Subject: [PATCH 02/27] Update manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md typo fix --- ...erating-system-components-to-microsoft-services-using-MDM.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md index be706097ca..b27adb237b 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md 
@@ -23,7 +23,7 @@ ms.date: 9/10/2019 This article describes the network connections that Windows 10 components make to Microsoft and the Mobile Device Management/Configuration Service Provider (MDM/CSP) and custom Open Mobile Alliance Uniform Resource Identifier ([OMA URI](https://docs.microsoft.com/intune/custom-settings-windows-10)) policies available to IT Professionals using Microsoft Intune to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a number of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience. -Note: If a user executes the "Reset this PC" command (Settings -> Update & Security -> Recovery) with the "Keep my files" option (or the "Remove Everything" option) the Windows Restricted Traffic Limited Functionality Baseline settings will need to be re-applied to in order re-restrict the device's egress traffic. Also, egress traffic may occur during the period prior to the re-application of the Restricted Traffic Limited Functionality Baseline settings. The device will remain enrolled to Microsoft Intune after either reset option is selected. However, the client must be re-sync the Microsoft InTune settings down to the device. This can be done by the user logging out and then re-logging back into the device. 
+Note: If a user executes the "Reset this PC" command (Settings -> Update & Security -> Recovery) with the "Keep my files" option (or the "Remove Everything" option) the Windows Restricted Traffic Limited Functionality Baseline settings will need to be re-applied in order re-restrict the device's egress traffic. Also, egress traffic may occur during the period prior to the re-application of the Restricted Traffic Limited Functionality Baseline settings. The device will remain enrolled to Microsoft Intune after either reset option is selected. However, the client must be re-sync the Microsoft InTune settings down to the device. This can be done by the user logging out and then re-logging back into the device. >[!IMPORTANT] >- The Allowed Traffic endpoints for an MDM configuration are here: [Allowed Traffic](#bkmk-mdm-allowedtraffic) From 79d3d4078739247e621b741fdde56690c47f33cc Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Thu, 19 Mar 2020 13:42:25 -0700 Subject: [PATCH 03/27] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md added 2 "Notes" for 1909 and PBR impact --- ...ndows-operating-system-components-to-microsoft-services.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index e1626b44e7..4a8eaed2e5 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
@@ -29,6 +29,10 @@ This article describes the network connections that Windows 10 components make t Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887) package that will allow your organization to quickly configure the settings covered in this document to restrict connections from Windows 10 to Microsoft. The Windows Restricted Traffic Limited Baseline is based on [Group Policy Administrative Template](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) functionality and the package you download contains further instructions on how to deploy to devices in your organization. Since some of the settings can reduce the functionality and security configuration of your device, **before deploying Windows Restricted Traffic Limited Functionality Baseline** make sure you **choose the right settings configuration for your environment** and **ensure that Windows and Windows Defender are fully up to date**. Failure to do so may result in errors or unexpected behavior. You should not extract this package to the windows\system32 folder because it will not apply correctly. +Note: Regarding the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887), the 1903 settings (folder) are applicable to 1909 Windows Enterprise devices. There were no additional settings required for the 1909 release. + +Note: If a user executes the "Reset this PC" command (Settings -> Update & Security -> Recovery) with the "Keep my files" option (or the "Remove Everything" option) the Windows Restricted Traffic Limited Functionality Baseline settings will need to be re-applied in order re-restrict the device. Also, egress traffic may occur prior to the re-application of the Restricted Traffic Limited Functionality Baseline settings. 
+ >[!IMPORTANT] > - The Allowed Traffic endpoints are listed here: [Allowed Traffic](#bkmk-allowedtraffic) > - CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign. From 82ea04db13f2ec7f2e3290e5bc1a704c25c7c7f4 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Thu, 19 Mar 2020 14:14:47 -0700 Subject: [PATCH 04/27] Update manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md getting different messages so removing the PBR note for now --- ...erating-system-components-to-microsoft-services-using-MDM.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md index b27adb237b..291b0a7d56 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md 
@@ -23,8 +23,6 @@ ms.date: 9/10/2019 This article describes the network connections that Windows 10 components make to Microsoft and the Mobile Device Management/Configuration Service Provider (MDM/CSP) and custom Open Mobile Alliance Uniform Resource Identifier ([OMA URI](https://docs.microsoft.com/intune/custom-settings-windows-10)) policies available to IT Professionals using Microsoft Intune to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a number of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience. -Note: If a user executes the "Reset this PC" command (Settings -> Update & Security -> Recovery) with the "Keep my files" option (or the "Remove Everything" option) the Windows Restricted Traffic Limited Functionality Baseline settings will need to be re-applied in order re-restrict the device's egress traffic. Also, egress traffic may occur during the period prior to the re-application of the Restricted Traffic Limited Functionality Baseline settings. The device will remain enrolled to Microsoft Intune after either reset option is selected. However, the client must be re-sync the Microsoft InTune settings down to the device. This can be done by the user logging out and then re-logging back into the device. 
- >[!IMPORTANT] >- The Allowed Traffic endpoints for an MDM configuration are here: [Allowed Traffic](#bkmk-mdm-allowedtraffic) > - CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign. From 578b767a2b6d75665c30d13f623a12f74529d530 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Thu, 19 Mar 2020 14:28:47 -0700 Subject: [PATCH 05/27] Update manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md Ok, got new info, the Note is re-instated with clarity between "Remove Everything" reset and "Keep my files" resets. --- ...erating-system-components-to-microsoft-services-using-MDM.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md index 291b0a7d56..fbb1a9a595 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md 
@@ -23,6 +23,8 @@ ms.date: 9/10/2019 This article describes the network connections that Windows 10 components make to Microsoft and the Mobile Device Management/Configuration Service Provider (MDM/CSP) and custom Open Mobile Alliance Uniform Resource Identifier ([OMA URI](https://docs.microsoft.com/intune/custom-settings-windows-10)) policies available to IT Professionals using Microsoft Intune to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a number of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience. +Note: If a user executes the "Reset this PC" command (Settings -> Update & Security -> Recovery) with the "Remove Everything" option the Windows Restricted Traffic Limited Functionality settings will need to be re-applied in order re-restrict the device's egress traffic. To do this the client must be re-enrolled to the Microsoft Intune service. Egress traffic may occur during the period prior to the re-application of the Restricted Traffic Limited Functionality settings. If the user executes a "Reset this PC" with the "Keep my files" option the Restricted Traffic Limited Functionality settings are retained on the device, and therefore the client will remain in a Restricted Traffic configuration during and after the "Keep my files" reset, and no re-enrollment is required. 
+ >[!IMPORTANT] >- The Allowed Traffic endpoints for an MDM configuration are here: [Allowed Traffic](#bkmk-mdm-allowedtraffic) > - CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign. From 21cef95fddd0380e7f8b5f60d16573c57693743c Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 19 Mar 2020 14:29:50 -0700 Subject: [PATCH 06/27] Corrected "Smartscreen" to "SmartScreen" --- ...ating-system-components-to-microsoft-services-using-MDM.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md index fbb1a9a595..7d1d0e9dbe 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md 
@@ -141,8 +141,8 @@ For Windows 10, the following MDM policies are available in the [Policy CSP](htt 1. [Defender/AllowCloudProtection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-allowcloudprotection). Disconnect from the Microsoft Antimalware Protection Service. **Set to 0 (zero)** 1. [Defender/SubmitSamplesConsent](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-submitsamplesconsent). Stop sending file samples back to Microsoft. **Set to 2 (two)** 1. [Defender/EnableSmartScreenInShell](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings#mdm-settings). Turns off SmartScreen in Windows for app and file execution. **Set to 0 (zero)** - 1. Windows Defender Smartscreen - [Browser/AllowSmartScreen](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen). Disable Windows Defender Smartscreen. **Set to 0 (zero)** - 1. Windows Defender Smartscreen EnableAppInstallControl - [SmartScreen/EnableAppInstallControl](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-smartscreen#smartscreen-enableappinstallcontrol). Controls whether users are allowed to install apps from places other than the Microsoft Store. **Set to 0 (zero)** + 1. Windows Defender SmartScreen - [Browser/AllowSmartScreen](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen). Disable Windows Defender SmartScreen. **Set to 0 (zero)** + 1. Windows Defender SmartScreen EnableAppInstallControl - [SmartScreen/EnableAppInstallControl](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-smartscreen#smartscreen-enableappinstallcontrol). Controls whether users are allowed to install apps from places other than the Microsoft Store. **Set to 0 (zero)** 1. 
Windows Defender Potentially Unwanted Applications(PUA) Protection - [Defender/PUAProtection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-puaprotection). Specifies the level of detection for potentially unwanted applications (PUAs). **Set to 1 (one)** 1. [Defender/SignatureUpdateFallbackOrder](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm). Allows you to define the order in which different definition update sources should be contacted. The OMA-URI for this is: **./Vendor/MSFT/Policy/Config/Defender/SignatureUpdateFallbackOrder**, Data type: **String**, Value: **FileShares** 1. **Windows Spotlight** - [Experience/AllowWindowsSpotlight](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowwindowsspotlight). Disable Windows Spotlight. **Set to 0 (zero)** From 2c94e76a2718cc7f7449752476d352180b35ed27 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Thu, 19 Mar 2020 14:30:34 -0700 Subject: [PATCH 07/27] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md slight re-wording done --- ...windows-operating-system-components-to-microsoft-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 4a8eaed2e5..5d1dd37e36 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
@@ -31,7 +31,7 @@ Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline] Note: Regarding the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887), the 1903 settings (folder) are applicable to 1909 Windows Enterprise devices. There were no additional settings required for the 1909 release. -Note: If a user executes the "Reset this PC" command (Settings -> Update & Security -> Recovery) with the "Keep my files" option (or the "Remove Everything" option) the Windows Restricted Traffic Limited Functionality Baseline settings will need to be re-applied in order re-restrict the device. Also, egress traffic may occur prior to the re-application of the Restricted Traffic Limited Functionality Baseline settings. +Note: If a user executes the "Reset this PC" command (Settings -> Update & Security -> Recovery) with the "Keep my files" option (or the "Remove Everything" option) the Windows Restricted Traffic Limited Functionality Baseline settings will need to be re-applied in order re-restrict the device. Egress traffic may occur prior to the re-application of the Restricted Traffic Limited Functionality Baseline settings. >[!IMPORTANT] > - The Allowed Traffic endpoints are listed here: [Allowed Traffic](#bkmk-allowedtraffic) From 2d1db59e749bf3226e81c667dce0089865be4b96 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Fri, 20 Mar 2020 16:34:45 -0700 Subject: [PATCH 08/27] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...windows-operating-system-components-to-microsoft-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 5d1dd37e36..4cfdf2e6c7 100644 
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -29,7 +29,7 @@ This article describes the network connections that Windows 10 components make t Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887) package that will allow your organization to quickly configure the settings covered in this document to restrict connections from Windows 10 to Microsoft. The Windows Restricted Traffic Limited Baseline is based on [Group Policy Administrative Template](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) functionality and the package you download contains further instructions on how to deploy to devices in your organization. Since some of the settings can reduce the functionality and security configuration of your device, **before deploying Windows Restricted Traffic Limited Functionality Baseline** make sure you **choose the right settings configuration for your environment** and **ensure that Windows and Windows Defender are fully up to date**. Failure to do so may result in errors or unexpected behavior. You should not extract this package to the windows\system32 folder because it will not apply correctly. -Note: Regarding the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887), the 1903 settings (folder) are applicable to 1909 Windows Enterprise devices. There were no additional settings required for the 1909 release. +Note: Regarding the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887), the 1903 settings (folder) are applicable to 1909 Windows Enterprise devices. There were no additional settings required for the 1909 release. 
Note: If a user executes the "Reset this PC" command (Settings -> Update & Security -> Recovery) with the "Keep my files" option (or the "Remove Everything" option) the Windows Restricted Traffic Limited Functionality Baseline settings will need to be re-applied in order re-restrict the device. Egress traffic may occur prior to the re-application of the Restricted Traffic Limited Functionality Baseline settings. From 6700fff3bea2b6590fe6e2df37e05a676bff338b Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Mon, 23 Mar 2020 14:44:36 -0700 Subject: [PATCH 09/27] Update manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md --- ...ting-system-components-to-microsoft-services-using-MDM.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md index 7d1d0e9dbe..211a9ee187 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md 
@@ -23,8 +23,6 @@ ms.date: 9/10/2019 This article describes the network connections that Windows 10 components make to Microsoft and the Mobile Device Management/Configuration Service Provider (MDM/CSP) and custom Open Mobile Alliance Uniform Resource Identifier ([OMA URI](https://docs.microsoft.com/intune/custom-settings-windows-10)) policies available to IT Professionals using Microsoft Intune to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a number of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience. -Note: If a user executes the "Reset this PC" command (Settings -> Update & Security -> Recovery) with the "Remove Everything" option the Windows Restricted Traffic Limited Functionality settings will need to be re-applied in order re-restrict the device's egress traffic. To do this the client must be re-enrolled to the Microsoft Intune service. Egress traffic may occur during the period prior to the re-application of the Restricted Traffic Limited Functionality settings. If the user executes a "Reset this PC" with the "Keep my files" option the Restricted Traffic Limited Functionality settings are retained on the device, and therefore the client will remain in a Restricted Traffic configuration during and after the "Keep my files" reset, and no re-enrollment is required. 
- >[!IMPORTANT] >- The Allowed Traffic endpoints for an MDM configuration are here: [Allowed Traffic](#bkmk-mdm-allowedtraffic) > - CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign. 
@@ -33,6 +31,9 @@ Note: If a user executes the "Reset this PC" command (Settings -> Update & Secur >- To ensure CSPs take priority over Group Policies in case of conflicts, use the [ControlPolicyConflict](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy. >- The **Get Help** and **Give us Feedback** links in Windows may no longer work after applying some or all of the MDM/CSP settings. +[!Warning] +If a user executes the "Reset this PC" command (Settings -> Update & Security -> Recovery) with the "Remove Everything" option the Windows Restricted Traffic Limited Functionality settings will need to be re-applied in order re-restrict the device's egress traffic. To do this the client must be re-enrolled to the Microsoft Intune service. Egress traffic may occur during the period prior to the re-application of the Restricted Traffic Limited Functionality settings. If the user executes a "Reset this PC" with the "Keep my files" option the Restricted Traffic Limited Functionality settings are retained on the device, and therefore the client will remain in a Restricted Traffic configuration during and after the "Keep my files" reset, and no re-enrollment is required. + For more information on Microsoft Intune please see [Transform IT service delivery for your modern workplace](https://www.microsoft.com/en-us/enterprise-mobility-security/microsoft-intune?rtc=1) and [Microsoft Intune documentation](https://docs.microsoft.com/intune/). For detailed information about managing network connections to Microsoft services using Windows Settings, Group Policies and Registry settings see [Manage connections from Windows 10 operating system components to Microsoft services](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services). From 8d82992dc367c0809df0a325375595852d3092d6 Mon Sep 17 00:00:00 2001 
From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com>
Date: Mon, 23 Mar 2020 14:45:16 -0700
Subject: [PATCH 10/27] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md

---
 ...perating-system-components-to-microsoft-services.md | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index 4cfdf2e6c7..acecb638a3 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -29,10 +29,6 @@ This article describes the network connections that Windows 10 components make t Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887) package that will allow your organization to quickly configure the settings covered in this document to restrict connections from Windows 10 to Microsoft. The Windows Restricted Traffic Limited Baseline is based on [Group Policy Administrative Template](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) functionality and the package you download contains further instructions on how to deploy to devices in your organization. Since some of the settings can reduce the functionality and security configuration of your device, **before deploying Windows Restricted Traffic Limited Functionality Baseline** make sure you **choose the right settings configuration for your environment** and **ensure that Windows and Windows Defender are fully up to date**. Failure to do so may result in errors or unexpected behavior. You should not extract this package to the windows\system32 folder because it will not apply correctly. -Note: Regarding the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887), the 1903 settings (folder) are applicable to 1909 Windows Enterprise devices. There were no additional settings required for the 1909 release. - -Note: If a user executes the "Reset this PC" command (Settings -> Update & Security -> Recovery) with the "Keep my files" option (or the "Remove Everything" option) the Windows Restricted Traffic Limited Functionality Baseline settings will need to be re-applied in order re-restrict the device. Egress traffic may occur prior to the re-application of the Restricted Traffic Limited Functionality Baseline settings. 
- >[!IMPORTANT] > - The Allowed Traffic endpoints are listed here: [Allowed Traffic](#bkmk-allowedtraffic) > - CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign. @@ -40,6 +36,12 @@ Note: If a user executes the "Reset this PC" command (Settings -> Update & Secur > - It is recommended that you restart a device after making configuration changes to it. > - The **Get Help** and **Give us Feedback** links no longer work after the Windows Restricted Traffic Limited Functionality Baseline is applied. +[!Note] +>Regarding the Windows Restricted Traffic Limited Functionality Baseline, the 1903 settings (folder) are applicable to 1909 Windows >Enterprise devices. There were no additional settings required for the 1909 release. + +[!Warning] +>If a user executes the "Reset this PC" command (Settings -> Update & Security -> Recovery) with the "Keep my files" option (or the >"Remove Everything" option) the Windows Restricted Traffic Limited Functionality Baseline settings will need to be re-applied in order >re-restrict the device. Egress traffic may occur prior to the re-application of the Restricted Traffic Limited Functionality Baseline >settings. + To use Microsoft Intune cloud based device management for restricting traffic please refer to the [Manage connections from Windows 10 operating system components to Microsoft services using Microsoft Intune MDM Server](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm) We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting **telmhelp**@**microsoft.com**. 
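Review bot: In the `@@ -40,6 +36,12 @@` hunk of PATCH 10/27, the `[!Note]` and `[!Warning]` markers are added without a leading `>` while their body lines have one, so neither will render as an alert block; compare the `>[!IMPORTANT]` block kept in the same file. The bodies also contain stray `>` characters mid-sentence ("Windows >Enterprise devices", "the >"Remove Everything" option", "in order >re-restrict", "Baseline >settings"), which look like leftovers from re-wrapping the quoted lines and will show up in the rendered text. Suggest `> [!NOTE]` and `> [!WARNING]` on their own quoted lines, one `>` at the start of each body line only, and "in order to re-restrict the device".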
From 6ef7b69491cc1623e13c835d9261fcd3a84499a8 Mon Sep 17 00:00:00 2001 From: Kurt Sarens <56369685+kurtsarens@users.noreply.github.com> Date: Wed, 25 Mar 2020 15:24:18 -0700 Subject: [PATCH 11/27] Update manage-updates-baselines-windows-defender-antivirus.md updated the version table with March data --- .../manage-updates-baselines-windows-defender-antivirus.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md index 5184c72aca..d444eaedc1 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md @@ -50,6 +50,7 @@ Only the main version is listed in the following table as reference information: Month | Platform/Client | Engine ---|---|--- +Mar-2020 | 4.18.2003.x| 1.1.16900.x Feb-2020 | - | 1.1.16800.x Jan-2020 | 4.18.2001.x | 1.1.16700.x Dec-2019 | - | - | From 7c9649cca34194a2c06343247a1c8ccef17e2bbf Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Wed, 25 Mar 2020 16:18:12 -0700 Subject: [PATCH 12/27] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...windows-operating-system-components-to-microsoft-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index acecb638a3..60cb2e767e 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -11,7 +11,7 @@ ms.localizationpriority: high audience: ITPro author: medgarmedgar ms.author: v-medgar -manager: sanashar +manager: robsize ms.collection: M365-security-compliance ms.topic: article ms.date: 9/17/2019 From 994b300c912b6f6208a637a342c0b38f381a7cb6 Mon Sep 17 00:00:00 2001 From: Teresa-Motiv Date: Wed, 25 Mar 2020 16:18:37 -0700 Subject: [PATCH 13/27] Changes from editor --- devices/hololens/hololens-updates.md | 64 ++++++++++++++-------------- 1 file changed, 33 insertions(+), 31 deletions(-) diff --git a/devices/hololens/hololens-updates.md b/devices/hololens/hololens-updates.md index 664bdfa289..dd416b800f 100644 --- a/devices/hololens/hololens-updates.md +++ b/devices/hololens/hololens-updates.md 
@@ -22,25 +22,25 @@ appliesto: # Manage HoloLens updates -HoloLens uses Windows Update, just like other Windows 10 devices. When an update is available, it will be automatically downloaded and installed the next time your device is plugged in and connected to the internet. This article describes how to manage updates in an enterprise or other managed environment. For information about managing updates to individual HoloLens devices, see [Update HoloLens](hololens-update-hololens.md). +HoloLens uses Windows Update in the same manner as other Windows 10 devices. When an update is available, it is automatically downloaded and installed the next time that your device is plugged in and connected to the internet. This article describes how to manage updates in an enterprise or other managed environment. For information about managing updates to individual HoloLens devices, see [Update HoloLens](hololens-update-hololens.md). ## Manage updates automatically Windows Holographic for Business can use [Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb) to manage updates. All HoloLens 2 devices can use Windows Holographic for Business. Make sure that they use Windows Holographic for Business build 10.0.18362.1042 or a later build. If you have HoloLens (1st gen) devices, you have to [upgrade them to Windows Holographic for Business](hololens1-upgrade-enterprise.md) to manage their updates. -Windows Update for Business connects HoloLens devices directly to the Windows Update service. By using Windows Update for Business, you can control multiple aspects of the update process: which devices get which updates at what time. For example, you can roll out updates to a subset of devices for testing, then roll out updates to the remaining devices at a later date. Or you can define different update schedules for different types of updates. 
+Windows Update for Business connects HoloLens devices directly to the Windows Update service. By using Windows Update for Business, you can control multiple aspects of the update process—that is, which devices get which updates at what time. For example, you can roll out updates to a subset of devices for testing, then roll out updates to the remaining devices at a later date. Or, you can define different update schedules for different types of updates. > [!NOTE] -> For HoloLens devices, You can automatically manage feature updates (released twice a year) and quality updates (released monthly or as needed, including critical security updates). For more information about update types, see [Types of updates managed by Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb). +> For HoloLens devices, you can automatically manage feature updates (released twice a year) and quality updates (released monthly or as required, including critical security updates). For more information about update types, see [Types of updates managed by Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb). You can configure Windows Update for Business settings for HoloLens by using policies in a Mobile Device Management (MDM) solution such as Microsoft Intune. -For a detailed discussion of how to use Intune to configure Windows Update for Business, see [Manage Windows 10 software updates in Intune](https://docs.microsoft.com/intune/protect/windows-update-for-business-configure). +For a detailed discussion about how to use Intune to configure Windows Update for Business, see [Manage Windows 10 software updates in Intune](https://docs.microsoft.com/intune/protect/windows-update-for-business-configure). > [!IMPORTANT] > Intune provides two policy types for managing updates: *Windows 10 update ring* and *Windows 10 feature updates*. 
The Windows 10 feature update policy type is in public preview at this time and is not supported for HoloLens. > -> You can use Windows 10 update ring policies with HoloLens 2. +> You can use Windows 10 update ring policies to manage HoloLens 2 updates. ### Configure update policies for HoloLens 2 or HoloLens (1st gen) @@ -55,15 +55,15 @@ The [Policy configuration service provider (CSP)](https://docs.microsoft.com/win #### Configure automatic checks for updates -You can use the Update/AllowAutoUpdate policy to manage automatic update behavior, such as scanning, downloading, and installing updates. +You can use the **Update/AllowAutoUpdate** policy to manage automatic update behavior, such as scanning, downloading, and installing updates. This policy supports the following values: - **0** - Notify the user when there is an update that is ready to download that applies to the device. -- **1** - Automatically install the update and then notify the user to schedule a device restart. -- **2** - Automatically install the update, and then restart the device. *This is the recommended value*, and is the default value for this policy. +- **1** - Automatically install the update, and then notify the user to schedule a device restart. +- **2** - Automatically install the update, and then restart the device. This is the recommended value, and it is the default value for this policy. -- **3** - Automatically install the update, and restart at a specified time. Specify the installation day and time. If no day and time are specified, the default is daily at 3 AM. +- **3** - Automatically install the update, and then restart at a specified time. Specify the installation day and time. If no day and time are specified, the default is daily at 3 A.M. - **4** - Automatically install the update, and then restart the device. This option also sets the Settings page to read-only. 
@@ -79,11 +79,11 @@ For more details about the available settings for this policy, see [Update/Allow To configure how and when updates are applied, use the following policies: - [Update/ScheduledInstallDay](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstallday). - - Values: **0** – **7** (0 = every day, 1 = Sunday, 7 = Saturday) + - Values: **0**–**7** (0 = every day, 1 = Sunday, 7 = Saturday) - Default value: **0** (every day) - [Update/ScheduledInstallTime](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstalltime). - - Values: 0 – 23 (0 = 12AM, 23 = 11PM) - - Default value: 3pm + - Values: 0–23 (0 = midnight, 23 = 11 P.M.) + - Default value: 3 P.M. #### For devices that run Windows 10, version 1607 only 
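Review bot: The `Update/ScheduledInstallTime` default in this hunk is now "3 P.M.", but the value scale on the line above it is 0–23 with 0 = midnight, and the AllowAutoUpdate hunk earlier in the same patch says "the default is daily at 3 A.M."; the two statements of the default disagree, and the reformat from "3pm" carries the discrepancy forward. Confirm the default against the linked policy CSP reference and state it as the numeric value as well as the clock time. Minor: the `Values:` range is bold under ScheduledInstallDay (`**0**–**7**`) but plain under ScheduledInstallTime (`0–23`).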
@@ -95,13 +95,13 @@ You can use the following update policies to configure devices to get updates fr ### Plan and configure update rollouts for HoloLens 2 -HoloLens 2 supports more update automation features that HoloLens (1st gen), especially if you use Microsoft Intune to manage Windows Update for Business policy. These features make it easier for you to plan and implement update rollouts across your organization. +HoloLens 2 supports more update automation features than HoloLens (1st gen). this is especially true if you use Microsoft Intune to manage Windows Update for Business policy. These features make it easier for you to plan and implement update rollouts across your organization. #### Plan the update strategy Windows Updates for Business supports deferral policies. After Microsoft releases an update, you can use a deferral policy to define how long to wait before installing that update on devices. By associating subsets of your devices (referred to as *update rings*) with different deferral policies, you can coordinate an update rollout strategy for your organization. -For example, consider an organization that has 1,000 devices and has to update them in five ways. The organization can create five update rings, as shown in the following table: +For example, consider an organization that has 1,000 devices and has to update them in five ways. The organization can create five update rings, as shown in the following table. |Group |Number of devices |Deferral (days) | | ---| :---: | :---: | @@ -111,7 +111,7 @@ For example, consider an organization that has 1,000 devices and has to update t |Grp 4 (main 2) |300 |150 | |Grp 5 (main 3) |395 |180 | -Here's how the rollout progresses over time to the entire organization: +Here's how the rollout progresses over time to the entire organization. ![Timeline for deploying updates](./images/hololens-updates-timeline.png) 
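Review bot: In the `@@ -95,13 +95,13 @@` hunk, the rewritten sentence now breaks as "than HoloLens (1st gen). this is especially true if you use Microsoft Intune", with a lowercase "this" after the period; capitalize it, or rejoin the two halves with a comma as in the removed line.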
@@ -132,18 +132,18 @@ You can configure different deferrals for feature updates and quality updates. T For a more detailed version of this example, see [Create and assign update rings](https://docs.microsoft.com/mem/intune/protect/windows-update-for-business-configure#create-and-assign-update-rings). -1. Sign in to the [Microsoft Endpoint Manager Admin Center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to your Intune profiles. +1. Sign in to the [Microsoft Endpoint Manager Admin Center](https://go.microsoft.com/fwlink/?linkid=2109431), and navigate to your Intune profiles. 1. Select **Software Updates** > **Windows 10 update rings** > **Create**. -1. Under **Basics**, specify a name, a description (optional) and then select **Next**. -1. Under **Update ring settings**, for **Servicing channel**, select **Semi-Annual Channel**, and then change **Feature update deferral period** to **120**. When finished, select **Next**. -1. Under **Assignments**, select **+ Select groups to include** and then assign the update ring to one or more groups. Use **+ Select groups to exclude** to fine-tune the assignments. When finished, select **Next**. +1. Under **Basics**, specify a name and a description (optional), and then select **Next**. +1. Under **Update ring settings**, for **Servicing channel**, select **Semi-Annual Channel**, and then change **Feature update deferral period** to **120**. Then, select **Next**. +1. Under **Assignments**, select **+ Select groups to include**, and then assign the update ring to one or more groups. Use **+ Select groups to exclude** to fine-tune the assignments. Then, select **Next**. 1. Under **Review + create**, review the settings. When you're ready to save the update ring configuration, select **Create**. The list of update rings now includes the new Windows 10 update ring. 
**Example 2: Pause an update ring** -If you discover a problem while deploying a feature or quality update, you can pause the update for 35 days (starting from a specified date). This pause prevents other devices from installing the update until you mitigate the issue. If you pause a feature update, quality updates are still offered to devices to ensure they stay secure. After the specified time period has passed, the pause automatically expires. At that point, the update process resumes. +If you encounter a problem when you deploy a feature or quality update, you can pause the update for 35 days (starting from a specified date). This pause prevents other devices from installing the update until you resolve or mitigate the issue. If you pause a feature update, quality updates are still offered to devices to make sure that they stay secure. After the specified time has passed, the pause automatically expires. At that point, the update process resumes. To pause an update ring in Intune, follow these steps: 
@@ -155,16 +155,16 @@ When an update type is paused, the Overview pane for that ring displays how many While the update ring is paused, you can select either of the following options: - To extend the pause period for an update type for 35 days, select **Extend**. -- To restore updates for that ring to active operation, select **Resume**. You can pause the update ring again if needed. +- To restore updates for that ring to active operation, select **Resume**. You can pause the update ring again if it is necessary. > [!NOTE] > The **Uninstall** operation for update rings is not supported for HoloLens 2 devices. ## Manually check for updates -While HoloLens periodically checks for system updates so you don't have to, there may be circumstances in which you want to manually check. +Although HoloLens periodically checks for system updates so that you don't have to, there may be circumstances in which you want to manually check. -To manually check for updates, go to **Settings** > **Update & Security** > **Check for updates**. If the Settings app says your device is up to date, you have all the updates that are currently available. +To manually check for updates, go to **Settings** > **Update & Security** > **Check for updates**. If the Settings app indicates that your device is up to date, you have all the updates that are currently available. ## Manually revert an update 
@@ -175,17 +175,18 @@ In some cases, you might want to go back to a previous version of the HoloLens s You can roll back updates and return to a previous version of HoloLens 2 by using the Advanced Recovery Companion to reset your HoloLens to the earlier version. > [!NOTE] -> Going back to an earlier version deletes your personal files and settings. +> Reverting to an earlier version deletes your personal files and settings. To go back to a previous version of HoloLens 2, follow these steps: 1. Make sure that you don't have any phones or Windows devices plugged in to your computer. 1. On your computer, download the [Advanced Recovery Companion](https://www.microsoft.com/p/advanced-recovery-companion/9p74z35sfrs8?activetab=pivot:overviewtab) from the Microsoft Store. 1. Download the [most recent HoloLens 2 release](https://aka.ms/hololens2download). -1. When you have finished these downloads, open **File explorer** > **Downloads**. Right-click the zipped folder that you just downloaded, and select **Extract all** > **Extract** to unzip it. -1. Use a USB-A to USB-C cable to connect your HoloLens device to your computer. Even if you've been using other cables to connect your HoloLens, this type of cable works best. +1. When you have finished these downloads, open **File explorer** > **Downloads**, right-click the compressed (zipped) folder that you just downloaded, and then select **Extract all** > **Extract** to expand the file. +1. Use a USB-A to USB-C cable to connect your HoloLens device to your computer. Even if you've been using other cables to connect your HoloLens, this kind of cable works best. 1. The Advanced Recovery Companion automatically detects your HoloLens device. Select the **Microsoft HoloLens** tile. -1. On the next screen, select **Manual package selection** and then open the folder that you previously unzipped. Select the installation file (the file that has a .ffu extension). +1. 
On the next screen, select **Manual package selection**, and then open the folder that you previously expanded. +1. Select the installation file (the file that has an .ffu extension). 1. Select **Install software**, and then follow the instructions. ### Go back to a previous version (HoloLens (1st gen)) 
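Review bot: Step 4 of this hunk is rewritten but still says `open **File explorer**`; since the line is being touched anyway, use the UI name **File Explorer**. The same wording is repeated in the HoloLens (1st gen) procedure in the `@@ -193,17 +194,18 @@` hunk and needs the same change.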
@@ -193,17 +194,18 @@ To go back to a previous version of HoloLens 2, follow these steps: You can roll back updates and return to a previous version of HoloLens (1st gen) by using the Windows Device Recovery Tool to reset your HoloLens to the earlier version. > [!NOTE] -> Going back to an earlier version deletes your personal files and settings. +> Reverting to an earlier version deletes your personal files and settings. To go back to a previous version of HoloLens (1st gen), follow these steps: 1. Make sure that you don't have any phones or Windows devices plugged in to your computer. 1. On your computer, download the [Windows Device Recovery Tool (WDRT)](https://support.microsoft.com/help/12379). 1. Download the [HoloLens Anniversary Update recovery package](https://aka.ms/hololensrecovery). -1. When the downloads finish, open **File explorer** > **Downloads**. Right-click the zipped folder that you just downloaded, and select **Extract all** > **Extract** to unzip it. -1. Use the micro-USB cable that came with your HoloLens device to connect your HoloLens device to your computer. Even if you've been using other cables to connect your HoloLens device, this one works best. +1. After the downloads finish, open **File explorer** > **Downloads**, right-click the compressed (zipped) folder that you just downloaded, and then select **Extract all** > **Extract** to expand the file. +1. Use the micro-USB cable that was provided together with your HoloLens device to connect your HoloLens device to your computer. Even if you've been using other cables to connect your HoloLens device, this one works best. 1. The WDRT automatically detects your HoloLens device. Select the **Microsoft HoloLens** tile. -1. On the next screen, select **Manual package selection** and then open the folder that you previously unzipped. Select the installation file (the file that has a .ffu extension). +1. 
On the next screen, select **Manual package selection**, and then open the folder that you previously expanded. +1. Select the installation file (the file that has an .ffu extension). 1. Select **Install software**, and then follow the instructions. > [!NOTE] From fcad58f7413c9fd4223d32aaa9ddffb94ed04fba Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Wed, 25 Mar 2020 16:19:02 -0700 Subject: [PATCH 14/27] Update manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md --- ...ating-system-components-to-microsoft-services-using-MDM.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md index 211a9ee187..2739fe9552 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md @@ -10,8 +10,8 @@ ms.localizationpriority: high audience: ITPro author: medgarmedgar ms.author: v-medgar -manager: sanashar -ms.date: 9/10/2019 +manager: robsize +ms.date: 3/25/2020 --- # Manage connections from Windows 10 operating system components to Microsoft services using Microsoft Intune MDM Server From 76f243fcbadeb173189d45bf76a4025e590077e3 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Wed, 25 Mar 2020 16:19:48 -0700 Subject: [PATCH 15/27] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...windows-operating-system-components-to-microsoft-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 60cb2e767e..bc2a4781fa 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -14,7 +14,7 @@ ms.author: v-medgar manager: robsize ms.collection: M365-security-compliance ms.topic: article -ms.date: 9/17/2019 +ms.date: 3/25/2020 --- # Manage connections from Windows 10 operating system components to Microsoft services From 3327943541c3066c48b803f6b3461886db4cf28c Mon Sep 17 00:00:00 2001 From: Teresa-Motiv Date: Wed, 25 Mar 2020 16:49:56 -0700 Subject: [PATCH 16/27] Link fixes --- devices/hololens/hololens-updates.md | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/devices/hololens/hololens-updates.md b/devices/hololens/hololens-updates.md index dd416b800f..2b4e28a971 100644 --- a/devices/hololens/hololens-updates.md +++ b/devices/hololens/hololens-updates.md 
@@ -31,7 +31,7 @@ Windows Holographic for Business can use [Windows Update for Business](https://d Windows Update for Business connects HoloLens devices directly to the Windows Update service. By using Windows Update for Business, you can control multiple aspects of the update process—that is, which devices get which updates at what time. For example, you can roll out updates to a subset of devices for testing, then roll out updates to the remaining devices at a later date. Or, you can define different update schedules for different types of updates. > [!NOTE] -> For HoloLens devices, you can automatically manage feature updates (released twice a year) and quality updates (released monthly or as required, including critical security updates). For more information about update types, see [Types of updates managed by Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb). +> For HoloLens devices, you can automatically manage feature updates (released twice a year) and quality updates (released monthly or as required, including critical security updates). For more information about update types, see [Types of updates managed by Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb#types-of-updates-managed-by-windows-update-for-business). You can configure Windows Update for Business settings for HoloLens by using policies in a Mobile Device Management (MDM) solution such as Microsoft Intune. 
@@ -49,9 +49,7 @@ This section describes the policies that you can use to manage updates for eithe The [Policy configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update) defines the policies that configure Windows Update for Business. > [!NOTE] -> For details about specific policies that are supported by specific editions of HoloLens, see the following articles: -> - [Policies supported by HoloLens devices](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#policies-supported-by-hololens-devices) -> - [Policies supported by Windows Holographic for Business](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#a-href-idhololenspoliciesapolicies-supported-by-windows-holographic-for-business) +> For details about specific policies that are supported by specific editions of HoloLens, see [Policies supported by HoloLens devices](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#policies-supported-by-hololens-devices). #### Configure automatic checks for updates @@ -105,8 +103,8 @@ For example, consider an organization that has 1,000 devices and has to update t |Group |Number of devices |Deferral (days) | | ---| :---: | :---: | -|Grp 1 (IT Staff) |5 |0 | -|Grp 2 (Early Adopters) |50 |60 | +|Grp 1 (IT staff) |5 |0 | +|Grp 2 (early adopters) |50 |60 | |Grp 3 (main 1) |250 |120 | |Grp 4 (main 2) |300 |150 | |Grp 5 (main 3) |395 |180 | From ac1e5e471553637555e42ae26a1f92b1c6e7f93c Mon Sep 17 00:00:00 2001 From: Raz Luvaton Date: Thu, 26 Mar 2020 13:08:24 +0200 Subject: [PATCH 17/27] Remove apostrophes that cause bug Fix #6326 --- .../identity-protection/credential-guard/dg-readiness-tool.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
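Review bot: In the `@@ -49,9 +49,7 @@` hunk of PATCH 16/27 ("Link fixes"), the "Policies supported by Windows Holographic for Business" link is dropped rather than fixed. Its old anchor (`#a-href-idhololenspoliciesapolicies-supported-by-windows-holographic-for-business`) does look malformed, but the note now points readers only to "Policies supported by HoloLens devices"; please confirm that section covers the Windows Holographic for Business policy list, or restore the second link with a corrected anchor.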
diff --git a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md b/windows/security/identity-protection/credential-guard/dg-readiness-tool.md index e40d27f3d0..080943b1b0 100644 --- a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md +++ b/windows/security/identity-protection/credential-guard/dg-readiness-tool.md @@ -151,8 +151,8 @@ function CheckExemption($_ModName) } -function CheckFailedDriver($_ModName, $CIStats)'' -{'' +function CheckFailedDriver($_ModName, $CIStats) +{ Log "Module: " $_ModName.Trim() if(CheckExemption($_ModName.Trim()) - eq 1) { From 42e66e9b60070ca0debbef248f210fcb159a9f85 Mon Sep 17 00:00:00 2001 From: Raz Luvaton Date: Thu, 26 Mar 2020 13:41:54 +0200 Subject: [PATCH 18/27] Update version output update version to be 3.7.1 --- .../identity-protection/credential-guard/dg-readiness-tool.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md b/windows/security/identity-protection/credential-guard/dg-readiness-tool.md index 080943b1b0..6c12907b28 100644 --- a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md +++ b/windows/security/identity-protection/credential-guard/dg-readiness-tool.md @@ -959,7 +959,7 @@ function PrintToolVersion LogAndConsole "" LogAndConsole "###########################################################################" LogAndConsole "" - LogAndConsole "Readiness Tool Version 3.7 Release. `nTool to check if your device is capable to run Device Guard and Credential Guard." + LogAndConsole "Readiness Tool Version 3.7.1 Release. `nTool to check if your device is capable to run Device Guard and Credential Guard." LogAndConsole "" LogAndConsole "###########################################################################" LogAndConsole "" From 5df3f09c65ce4bdef372d22f98ab5e3abd42763f Mon Sep 17 00:00:00 2001 
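Review bot: In PATCH 17/27, the context line right under the fixed function header still reads `if(CheckExemption($_ModName.Trim()) - eq 1)`, with a space inside the comparison operator. This commit is removing characters that break the script in `CheckFailedDriver`, so check whether the published script has `- eq` or `-eq` on that line and correct it in the same change if it is the former. Since people copy this readiness script from the page and run it elevated, it would help to confirm that the whole block parses after the edit.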
From: Michael Tressler Date: Thu, 26 Mar 2020 10:59:22 -0400 Subject: [PATCH 19/27] Duplicate entry in Group Policy table Remove All Programs list from the Start menu is listed twice. Line 43 and Line 63. I propose removing line 43 as line 63 is more accurate. Simple "enabling" the setting isn't enough. You need to enable and choose an action: collapse/collapse and disable/remove and disable. --- windows/configuration/kiosk-policies.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/configuration/kiosk-policies.md b/windows/configuration/kiosk-policies.md index a523b64e83..0f99ece694 100644 --- a/windows/configuration/kiosk-policies.md +++ b/windows/configuration/kiosk-policies.md @@ -40,7 +40,6 @@ Remove access to the context menus for the task bar | Enabled Clear history of recently opened documents on exit | Enabled Prevent users from customizing their Start Screen | Enabled Prevent users from uninstalling applications from Start | Enabled -Remove All Programs list from the Start menu | Enabled Remove Run menu from Start Menu | Enabled Disable showing balloon notifications as toast | Enabled Do not allow pinning items in Jump Lists | Enabled From 15e70f91f53d9826fc3d5d5fe7573f12c86e2166 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 26 Mar 2020 08:16:21 -0700 Subject: [PATCH 20/27] Update manage-protection-updates-windows-defender-antivirus.md --- .../manage-protection-updates-windows-defender-antivirus.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md index be5477b03f..a487d96a32 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md 
+++ b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md @@ -11,7 +11,6 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 01/09/2020 ms.reviewer: manager: dansimp ms.custom: nextgen @@ -40,7 +39,7 @@ This article describes how to specify from where updates should be downloaded (t ## Fallback order -Typically, you configure endpoints to individually download updates from a primary source followed by other sources in order of priority, based on your network configuration. Updates are obtained from sources in the order you specify. If a source is not available, the next source in the list is used. +Typically, you configure endpoints to individually download updates from a primary source followed by other sources in order of priority, based on your network configuration. Updates are obtained from sources in the order you specify. If a source is not available, the next source in the list is used immediately. When updates are published, some logic is applied to minimize the size of the update. In most cases, only the differences between the latest update and the update that is currently installed (this is referred to as the delta) on the device is downloaded and applied. However, the size of the delta depends on two main factors: - The age of the last update on the device; and From 94d5b6359e63e2c419bd5f0ddf33476d8192b991 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Thu, 26 Mar 2020 20:56:13 +0500 Subject: [PATCH 21/27] Few Changes The user has identified a few changes in the document that has been added where applicable. Problem:https://github.com/MicrosoftDocs/windows-itpro-docs/issues/6276 --- .../microsoft-defender-atp/linux-install-with-ansible.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md index b344a91976..373d409cfd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md @@ -79,7 +79,7 @@ Download the onboarding package from Microsoft Defender Security Center: ## Create Ansible YAML files -Create subtask or role files that contribute to an actual task. First create the `copy_onboarding_pkg.yml` file under the `/etc/ansible/roles` directory: +Create subtask or role files that contribute to an actual task. First create the `download_copy_blob.yml` file under the `/etc/ansible/roles` directory: - Copy the onboarding package to all client machines: @@ -158,7 +158,7 @@ Create subtask or role files that contribute to an actual task. First create the - name: Add Microsoft APT key apt_key: keyserver: https://packages.microsoft.com/ - id: BC528686B50D79E339D3721CEB3E94ADBE1229C + id: BC528686B50D79E339D3721CEB3E94ADBE1229CF when: ansible_os_family == "Debian" - name: Add Microsoft yum repository for MDATP From fece2c14d68e6621d65941b2c7a103e558b7bd03 Mon Sep 17 00:00:00 2001 From: Evan Miller Date: Thu, 26 Mar 2020 09:24:19 -0700 Subject: [PATCH 22/27] Removing a line fromt Rel notes @yannisle @scooley @Teresa-Motiv --- devices/hololens/hololens-release-notes.md | 1 - 1 file changed, 1 deletion(-) diff --git a/devices/hololens/hololens-release-notes.md b/devices/hololens/hololens-release-notes.md index 5dcb69f25f..fa096e1117 100644 --- a/devices/hololens/hololens-release-notes.md +++ b/devices/hololens/hololens-release-notes.md 
@@ -31,7 +31,6 @@ appliesto: - Improve hologram stability in mixed reality capture when the HolographicDepthReprojectionMethod AutoPlanar algorithm is used. - Ensures the coordinate system attached to a depth MF sample is consistent with public documentation. - Developers productivity improvement by enabling customers to paste large amount of text through device portal. -- Enables an app to query the depth camera pose and compute the location of each depth pixel in the world. ### February Update - build 18362.1053 From 662002206f4495e28e84d3fd6456e8961883727e Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Thu, 26 Mar 2020 09:49:32 -0700 Subject: [PATCH 23/27] Update manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md --- ...erating-system-components-to-microsoft-services-using-MDM.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md index 2739fe9552..85b905236b 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md 
@@ -32,7 +32,7 @@ This article describes the network connections that Windows 10 components make t >- The **Get Help** and **Give us Feedback** links in Windows may no longer work after applying some or all of the MDM/CSP settings. [!Warning] -If a user executes the "Reset this PC" command (Settings -> Update & Security -> Recovery) with the "Remove Everything" option the Windows Restricted Traffic Limited Functionality settings will need to be re-applied in order re-restrict the device's egress traffic. To do this the client must be re-enrolled to the Microsoft Intune service. Egress traffic may occur during the period prior to the re-application of the Restricted Traffic Limited Functionality settings. If the user executes a "Reset this PC" with the "Keep my files" option the Restricted Traffic Limited Functionality settings are retained on the device, and therefore the client will remain in a Restricted Traffic configuration during and after the "Keep my files" reset, and no re-enrollment is required. +>If a user executes the "Reset this PC" command (Settings -> Update & Security -> Recovery) with the "Remove Everything" option the >Windows Restricted Traffic Limited Functionality settings will need to be re-applied in order re-restrict the device's egress traffic. >To do this the client must be re-enrolled to the Microsoft Intune service. Egress traffic may occur during the period prior to the re->application of the Restricted Traffic Limited Functionality settings. If the user executes a "Reset this PC" with the "Keep my files" >option the Restricted Traffic Limited Functionality settings are retained on the device, and therefore the client will remain in a >Restricted Traffic configuration during and after the "Keep my files" reset, and no re-enrollment is required. 
For more information on Microsoft Intune please see [Transform IT service delivery for your modern workplace](https://www.microsoft.com/en-us/enterprise-mobility-security/microsoft-intune?rtc=1) and [Microsoft Intune documentation](https://docs.microsoft.com/intune/). From 21c874e3a0c5dd782c6f4786fbb6d886cde24e1a Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Thu, 26 Mar 2020 09:58:58 -0700 Subject: [PATCH 24/27] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...ndows-operating-system-components-to-microsoft-services.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index bc2a4781fa..c8eca50e3c 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
@@ -36,10 +36,10 @@ Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline] > - It is recommended that you restart a device after making configuration changes to it. > - The **Get Help** and **Give us Feedback** links no longer work after the Windows Restricted Traffic Limited Functionality Baseline is applied. -[!Note] +>[!Note] >Regarding the Windows Restricted Traffic Limited Functionality Baseline, the 1903 settings (folder) are applicable to 1909 Windows >Enterprise devices. There were no additional settings required for the 1909 release. -[!Warning] +>[!Warning] >If a user executes the "Reset this PC" command (Settings -> Update & Security -> Recovery) with the "Keep my files" option (or the >"Remove Everything" option) the Windows Restricted Traffic Limited Functionality Baseline settings will need to be re-applied in order >re-restrict the device. Egress traffic may occur prior to the re-application of the Restricted Traffic Limited Functionality Baseline >settings. To use Microsoft Intune cloud based device management for restricting traffic please refer to the [Manage connections from Windows 10 operating system components to Microsoft services using Microsoft Intune MDM Server](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm) From 902b4252e8c3dbfe57966d2a5d4f284c9c0eb8a8 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Thu, 26 Mar 2020 09:59:32 -0700 Subject: [PATCH 25/27] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...ndows-operating-system-components-to-microsoft-services.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index c8eca50e3c..bc2a4781fa 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -36,10 +36,10 @@ Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline] > - It is recommended that you restart a device after making configuration changes to it. > - The **Get Help** and **Give us Feedback** links no longer work after the Windows Restricted Traffic Limited Functionality Baseline is applied. ->[!Note] +[!Note] >Regarding the Windows Restricted Traffic Limited Functionality Baseline, the 1903 settings (folder) are applicable to 1909 Windows >Enterprise devices. There were no additional settings required for the 1909 release. ->[!Warning] +[!Warning] >If a user executes the "Reset this PC" command (Settings -> Update & Security -> Recovery) with the "Keep my files" option (or the >"Remove Everything" option) the Windows Restricted Traffic Limited Functionality Baseline settings will need to be re-applied in order >re-restrict the device. Egress traffic may occur prior to the re-application of the Restricted Traffic Limited Functionality Baseline >settings. To use Microsoft Intune cloud based device management for restricting traffic please refer to the [Manage connections from Windows 10 operating system components to Microsoft services using Microsoft Intune MDM Server](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm) From e26cb75ec5fcc5615860d3be338c0db9b57a2761 Mon Sep 17 00:00:00 2001 
From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Thu, 26 Mar 2020 10:00:23 -0700 Subject: [PATCH 26/27] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...ndows-operating-system-components-to-microsoft-services.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index bc2a4781fa..c8eca50e3c 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
@@ -36,10 +36,10 @@ Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline] > - It is recommended that you restart a device after making configuration changes to it. > - The **Get Help** and **Give us Feedback** links no longer work after the Windows Restricted Traffic Limited Functionality Baseline is applied. -[!Note] +>[!Note] >Regarding the Windows Restricted Traffic Limited Functionality Baseline, the 1903 settings (folder) are applicable to 1909 Windows >Enterprise devices. There were no additional settings required for the 1909 release. -[!Warning] +>[!Warning] >If a user executes the "Reset this PC" command (Settings -> Update & Security -> Recovery) with the "Keep my files" option (or the >"Remove Everything" option) the Windows Restricted Traffic Limited Functionality Baseline settings will need to be re-applied in order >re-restrict the device. Egress traffic may occur prior to the re-application of the Restricted Traffic Limited Functionality Baseline >settings. To use Microsoft Intune cloud based device management for restricting traffic please refer to the [Manage connections from Windows 10 operating system components to Microsoft services using Microsoft Intune MDM Server](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm) From 53bed0399f4b30e50e94d575d601f5990bce9952 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Thu, 26 Mar 2020 10:05:32 -0700 Subject: [PATCH 27/27] Update manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md --- ...erating-system-components-to-microsoft-services-using-MDM.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md index 85b905236b..d15ec0f74b 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md 
@@ -31,7 +31,7 @@ This article describes the network connections that Windows 10 components make t >- To ensure CSPs take priority over Group Policies in case of conflicts, use the [ControlPolicyConflict](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy. >- The **Get Help** and **Give us Feedback** links in Windows may no longer work after applying some or all of the MDM/CSP settings. -[!Warning] +>[!Warning] >If a user executes the "Reset this PC" command (Settings -> Update & Security -> Recovery) with the "Remove Everything" option the >Windows Restricted Traffic Limited Functionality settings will need to be re-applied in order re-restrict the device's egress traffic. >To do this the client must be re-enrolled to the Microsoft Intune service. Egress traffic may occur during the period prior to the re->application of the Restricted Traffic Limited Functionality settings. If the user executes a "Reset this PC" with the "Keep my files" >option the Restricted Traffic Limited Functionality settings are retained on the device, and therefore the client will remain in a >Restricted Traffic configuration during and after the "Keep my files" reset, and no re-enrollment is required. For more information on Microsoft Intune please see [Transform IT service delivery for your modern workplace](https://www.microsoft.com/en-us/enterprise-mobility-security/microsoft-intune?rtc=1) and [Microsoft Intune documentation](https://docs.microsoft.com/intune/).
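Review bot: in the `CheckFailedDriver` hunk of dg-readiness-tool.md (@@ -151,8 +151,8 @@, the patch just before PATCH 18/27), the unchanged line directly below the repaired braces, `if(CheckExemption($_ModName.Trim()) - eq 1)`, does not perform a comparison. PowerShell treats the tokens that follow a command name as arguments to that command, so everything after `CheckExemption(...)` is handed to the function and the `if` only tests the truthiness of whatever the function returns; with the space shown in `- eq` it is not the `-eq` operator in any case. Since this change is already cleaning up the syntax of this function, wrap the call and compare its result: `if ((CheckExemption $_ModName.Trim()) -eq 1)`.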
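Review bot: in PATCH 18/27 (@@ -959,7 +959,7 @@, `PrintToolVersion`), the commit message does not say what the bump from 3.7 to 3.7.1 covers, and the only other change to this file visible in the series is the removal of the stray `''` after the `CheckFailedDriver` signature. Please state in the commit body which fix the new version number stands for, so that someone comparing tool output from two machines can tell what differs. While this line is being edited, "capable to run" should read "capable of running".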
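Review bot: in PATCH 20/27, second hunk (@@ -40,7 +39,7 @@, "Fallback order"), the added word "immediately" is a behavioural claim that the text does not back up: the sentence still says only "If a source is not available", without saying how unavailability is determined or whether any retry or timeout applies before the next source is tried. Either state the condition that triggers the fallback or drop the adverb. The commit has no body, so the removal of `ms.date: 01/09/2020` in the first hunk is also unexplained. In the following context sentence, "the differences ... is downloaded and applied" should be "are downloaded and applied".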
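Review bot: in PATCH 21/27, first hunk (@@ -79,7 +79,7 @@), the file is renamed to `download_copy_blob.yml`, but the bullet right below it still describes the step as "Copy the onboarding package to all client machines", which is what the old name `copy_onboarding_pkg.yml` said. Please confirm that every later reference to this file in the article (task includes, playbook examples) uses the new name, and adjust the bullet if the file now also downloads the package, as the new name suggests.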
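Review bot: in PATCH 21/27, second hunk (@@ -158,7 +158,7 @@), the `Add Microsoft APT key` task keeps `keyserver: https://packages.microsoft.com/`, which is a web URL and not a key server. The `apt_key` module's `keyserver` option is meant for retrieving the key named by `id` from a key server, and the module has a separate `url` option for a key file served over HTTPS, so please confirm the task works as written or switch it to `url:` with the key file location. The corrected `id` is good: the old value had 39 hex digits and the new one is a full 40-digit fingerprint, which is the form that actually pins the key. A sentence telling readers to check that fingerprint against the one Microsoft publishes would make the pinning meaningful.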
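Review bot: in PATCH 23/27 (@@ -32,7 +32,7 @@), the added line carries `>` markers in the middle of the sentence (`option the >Windows Restricted`, `traffic. >To do this`, `"Keep my files" >option`), and one of them splits a word: `re->application`. The diffstat shows a single inserted line, so these are literal characters inside one paragraph, not blockquote prefixes at the start of separate lines, and they will render as stray `>` signs. Keep only the leading `>` or break the text into real lines that each start with `>`. The `[!Warning]` marker above it is still unquoted in this patch; PATCH 27/27 adds the `>` there but leaves the inline markers in place. Also, "in order re-restrict" is missing "to".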
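Review bot: PATCH 24/27, 25/27 and 26/27 apply, revert and re-apply the same two-line change to `[!Note]` and `[!Warning]` in manage-connections-from-windows-operating-system-components-to-microsoft-services.md; the blob ids go bc2a4781fa to c8eca50e3c, back to bc2a4781fa, and again to c8eca50e3c. Please squash these into one commit with a message that says the alert markers need the `>` prefix to render. The unchanged body lines of both alerts have the same mid-sentence `>` problem as the MDM article (`1909 Windows >Enterprise devices`, `(or the >"Remove Everything" option)`, `in order >re-restrict`), and that should be fixed in the same commit.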