mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-19 04:13:41 +00:00
Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md
Replaced Windows Defender with Microsoft Defender Antivirus and added a GP section for Cloud Clipboard
This commit is contained in:
Tom Layson
@ -27,13 +27,13 @@ ms.date: 5/21/2021
|
||||
|
||||
This article describes the network connections that Windows 10 components make to Microsoft and the Windows Settings, Group Policies and registry settings available to IT Professionals to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a number of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience.
|
||||
|
||||
Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887) package that will allow your organization to quickly configure the settings covered in this document to restrict connections from Windows 10 to Microsoft. The Windows Restricted Traffic Limited Baseline is based on [Group Policy Administrative Template](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) functionality and the package you download contains further instructions on how to deploy to devices in your organization. Since some of the settings can reduce the functionality and security configuration of your device, **before deploying Windows Restricted Traffic Limited Functionality Baseline** make sure you **choose the right settings configuration for your environment** and **ensure that Windows and Windows Defender are fully up to date**. Failure to do so may result in errors or unexpected behavior. You should not extract this package to the windows\system32 folder because it will not apply correctly.
|
||||
Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887) package that will allow your organization to quickly configure the settings covered in this document to restrict connections from Windows 10 to Microsoft. The Windows Restricted Traffic Limited Baseline is based on [Group Policy Administrative Template](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) functionality and the package you download contains further instructions on how to deploy to devices in your organization. Since some of the settings can reduce the functionality and security configuration of your device, **before deploying Windows Restricted Traffic Limited Functionality Baseline** make sure you **choose the right settings configuration for your environment** and **ensure that Windows and Microsoft Defender Antivirus are fully up to date**. Failure to do so may result in errors or unexpected behavior. You should not extract this package to the windows\system32 folder because it will not apply correctly.
|
||||
|
||||
> [!IMPORTANT]
|
||||
> - The downloadable Windows 10, version 1903 scripts/settings can be used on Windows 10, version 1909 devices.
|
||||
> - The Allowed Traffic endpoints are listed here: [Allowed Traffic](#bkmk-allowedtraffic)
|
||||
> - CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign.
|
||||
> - For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device. Examples of settings that can lead to a less secure device configuration include: Windows Update, Automatic Root Certificates Update, and Windows Defender. Accordingly, we do not recommend disabling any of these features.
|
||||
> - For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device. Examples of settings that can lead to a less secure device configuration include: Windows Update, Automatic Root Certificates Update, and Microsoft Defender Antivirus. Accordingly, we do not recommend disabling any of these features.
|
||||
> - It is recommended that you restart a device after making configuration changes to it.
|
||||
> - The **Get Help** and **Give us Feedback** links no longer work after the Windows Restricted Traffic Limited Functionality Baseline is applied.
|
||||
|
||||
@ -48,7 +48,7 @@ We are always striving to improve our documentation and welcome your feedback. Y
|
||||
|
||||
## Management options for each setting
|
||||
|
||||
The following sections list the components that make network connections to Microsoft services by default. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure diagnostic data at the Security level, turn off Windows Defender diagnostic data and MSRT reporting, and turn off all of these connections
|
||||
The following sections list the components that make network connections to Microsoft services by default. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure diagnostic data at the Security level, turn off Microsoft Defender Antivirus diagnostic data and MSRT reporting, and turn off all of these connections
|
||||
|
||||
### Settings for Windows 10 Enterprise edition
|
||||
|
||||
@ -103,7 +103,7 @@ The following table lists management options for each setting, beginning with Wi
|
||||
| [21. Sync your settings](#bkmk-syncsettings) |  |  |  |
|
||||
| [22. Teredo](#bkmk-teredo) | |  |  |
|
||||
| [23. Wi-Fi Sense](#bkmk-wifisense) |  |  |  |
|
||||
| [24. Windows Defender](#bkmk-defender) | |  |  |
|
||||
| [24. Microsoft Defender Antivirus](#bkmk-defender) | |  |  |
|
||||
| [25. Windows Spotlight](#bkmk-spotlight) |  |  |  |
|
||||
| [26. Microsoft Store](#bkmk-windowsstore) | |  |  |
|
||||
| [27. Apps for websites](#bkmk-apps-for-websites) | |  |  |
|
||||
@ -131,7 +131,7 @@ See the following table for a summary of the management settings for Windows Ser
|
||||
| [18. Settings > Privacy](#bkmk-settingssection) | | | |
|
||||
| [19. Software Protection Platform](#bkmk-spp) | |  |  |
|
||||
| [22. Teredo](#bkmk-teredo) | |  |  |
|
||||
| [24. Windows Defender](#bkmk-defender) | |  |  |
|
||||
| [24. Microsoft Defender Antivirus](#bkmk-defender) | |  |  |
|
||||
| [26. Microsoft Store](#bkmk-windowsstore) | |  |  |
|
||||
| [27. Apps for websites](#bkmk-apps-for-websites) | |  |  |
|
||||
| [29. Windows Update](#bkmk-wu) | |  |  |
|
||||
@ -148,7 +148,7 @@ See the following table for a summary of the management settings for Windows Ser
|
||||
| [14. Network Connection Status Indicator](#bkmk-ncsi) |  |  |
|
||||
| [19. Software Protection Platform](#bkmk-spp) |  |  |
|
||||
| [22. Teredo](#bkmk-teredo) |  |  |
|
||||
| [24. Windows Defender](#bkmk-defender) |  |  |
|
||||
| [24. Microsoft Defender Antivirus](#bkmk-defender) |  |  |
|
||||
| [29. Windows Update](#bkmk-wu) |  |  |
|
||||
|
||||
### Settings for Windows Server 2016 Nano Server
|
||||
@ -213,7 +213,7 @@ See the following table for a summary of the management settings for Windows Ser
|
||||
| [21. Sync your settings](#bkmk-syncsettings) |  |  |  |
|
||||
| [22. Teredo](#bkmk-teredo) | |  |  |
|
||||
| [23. Wi-Fi Sense](#bkmk-wifisense) |  |  |  |
|
||||
| [24. Windows Defender](#bkmk-defender) | |  |  |
|
||||
| [24. Microsoft Defender Antivirus](#bkmk-defender) | |  |  |
|
||||
| [25. Windows Spotlight](#bkmk-spotlight) |  |  |  |
|
||||
| [26. Microsoft Store](#bkmk-windowsstore) | |  |  |
|
||||
| [27. Apps for websites](#bkmk-apps-for-websites) | |  | |
|
||||
@ -291,7 +291,7 @@ You can also apply the Group Policies using the following registry keys:
|
||||
> [!IMPORTANT]
|
||||
> Using the Group Policy editor these steps are required for all supported versions of Windows 10, however they are not required for devices running Windows 10, version 1607 or Windows Server 2016.
|
||||
|
||||
1. Expand **Computer Configuration** > **Windows Settings** > **Security Settings** > **Windows Defender Firewall with Advanced Security** > **Windows Defender Firewall with Advanced Security - <LDAP name>**, and then click **Outbound Rules**.
|
||||
1. Expand **Computer Configuration** > **Windows Settings** > **Security Settings** > **Microsoft Defender Antivirus Firewall with Advanced Security** > **Microsoft Defender Antivirus Firewall with Advanced Security - <LDAP name>**, and then click **Outbound Rules**.
|
||||
|
||||
2. Right-click **Outbound Rules**, and then click **New Rule**. The **New Outbound Rule Wizard** starts.
|
||||
|
||||
@ -423,7 +423,7 @@ To turn off Insider Preview builds for Windows 10:
|
||||
| Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | Choose whether an employee can configure enhanced suggestions, which are presented to the employee as they type in the Address Bar. <br /> **Set Value to: Disabled**|
|
||||
| Turn off the auto-complete feature for web addresses | Choose whether auto-complete suggests possible matches when employees are typing web address in the Address Bar. <br /> **Set Value to: Enabled** </br> You can also turn this off in the UI by clearing the <strong>Internet Options</strong> > **Advanced** > **Use inline AutoComplete in the Internet Explorer Address Bar and Open Dialog** check box.|
|
||||
| Turn off browser geolocation | Choose whether websites can request location data from Internet Explorer. <br /> **Set Value to: Enabled**|
|
||||
| Prevent managing Windows Defender SmartScreen | Choose whether employees can manage the Windows Defender SmartScreen in Internet Explorer. <br /> **Set Value to: Enabled** and then set **Select Windows Defender SmartScreen mode** to **Off**.|
|
||||
| Prevent managing Microsoft Defender Antivirus SmartScreen | Choose whether employees can manage the Microsoft Defender Antivirus SmartScreen in Internet Explorer. <br /> **Set Value to: Enabled** and then set **Select Microsoft Defender Antivirus SmartScreen mode** to **Off**.|
|
||||
|
||||
|
||||
| Registry Key | Registry path |
|
||||
@ -432,7 +432,7 @@ To turn off Insider Preview builds for Windows 10:
|
||||
| Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer<br />REG_DWORD: AllowServicePoweredQSA <br />**Set Value to: 0**|
|
||||
| Turn off the auto-complete feature for web addresses |HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\CurrentVersion\\Explorer\\AutoComplete<br/>REG_SZ: AutoSuggest <br />Set Value to: **no** |
|
||||
| Turn off browser geolocation | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Geolocation<br/>REG_DWORD: PolicyDisableGeolocation <br />**Set Value to: 1** |
|
||||
| Prevent managing Windows Defender SmartScreen | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\PhishingFilter<br/>REG_DWORD: EnabledV9 <br />**Set Value to: 0** |
|
||||
| Prevent managing Microsoft Defender Antivirus SmartScreen | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\PhishingFilter<br/>REG_DWORD: EnabledV9 <br />**Set Value to: 0** |
|
||||
|
||||
There are more Group Policy objects that are used by Internet Explorer:
|
||||
|
||||
@ -567,7 +567,7 @@ Find the Microsoft Edge Group Policy objects under **Computer Configuration** &g
|
||||
| Configure Do Not Track | Choose whether employees can send Do Not Track headers.<br /> **Set to Enabled** |
|
||||
| Configure Password Manager | Choose whether employees can save passwords locally on their devices. <br /> **Set to Disabled** |
|
||||
| Configure search suggestions in Address Bar | Choose whether the Address Bar shows search suggestions. <br /> **Set to Disabled** |
|
||||
| Configure Windows Defender SmartScreen (Windows 10, version 1703) | Choose whether Windows Defender SmartScreen is turned on or off. <br /> **Set to Disabled** |
|
||||
| Configure Microsoft Defender Antivirus SmartScreen (Windows 10, version 1703) | Choose whether Microsoft Defender Antivirus SmartScreen is turned on or off. <br /> **Set to Disabled** |
|
||||
| Allow web content on New Tab page | Choose whether a new tab page appears. <br /> **Set to Disabled** |
|
||||
| Configure Start pages | Choose the Start page for domain-joined devices. <br /> **Enabled** and **Set this to <<about:blank>>** |
|
||||
| Prevent the First Run webpage from opening on Microsoft Edge | Choose whether employees see the First Run webpage. <br /> **Set to: Enable** |
|
||||
@ -583,7 +583,7 @@ Alternatively, you can configure the following Registry keys as described:
|
||||
| Configure Do Not Track | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main<br/>REG_DWORD name: DoNotTrack<br/> REG_DWORD: **1** |
|
||||
| Configure Password Manager | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main<br/>REG_SZ name: FormSuggest Passwords<br /> REG_SZ: **No** |
|
||||
| Configure search suggestions in Address Bar | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\SearchScopes<br/>REG_DWORD name: ShowSearchSuggestionsGlobal <br />Value: **0**|
|
||||
| Configure Windows Defender SmartScreen (Windows 10, version 1703) | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\PhishingFilter<br/>REG_DWORD name: EnabledV9 <br/>Value: **0** |
|
||||
| Configure Microsoft Defender Antivirus SmartScreen (Windows 10, version 1703) | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\PhishingFilter<br/>REG_DWORD name: EnabledV9 <br/>Value: **0** |
|
||||
| Allow web content on New Tab page | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\ServiceUI<br/>REG_DWORD name: AllowWebContentOnNewTabPage <br/>Value: **0** |
|
||||
| Configure corporate Home pages | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Internet Settings<br/>REG_SZ name: ProvisionedHomePages <br/>Value: **<<about:blank>>**|
|
||||
| Prevent the First Run webpage from opening on Microsoft Edge | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main <br>REG_DWORD name: PreventFirstRunPage <br/>Value: **1**|
|
||||
@ -594,13 +594,13 @@ For a complete list of the Microsoft Edge policies, see [Available policies for
|
||||
|
||||
### <a href="" id="bkmk-edgegp"></a>13.2 Microsoft Edge Enterprise
|
||||
|
||||
For a complete list of the Microsoft Edge policies, see [Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](/microsoft-edge/deploy/available-policies).
|
||||
For a complete list of the Microsoft Edge policies, see [Microsoft Edge and privacy: FAQ](https://docs.microsoft.com/en-us/microsoft-edge/deploy/available-policies).
|
||||
|
||||
> [!Important]
|
||||
> - The following settings are applicable to Microsoft Edge version 77 or later.
|
||||
> - For details on supported Operating Systems, see [Microsoft Edge supported Operating Systems](/deployedge/microsoft-edge-supported-operating-systems).
|
||||
> - These policies require the Microsoft Edge administrative templates to be applied. For more information on administrative templates for Microsoft Edge, see [Configure Microsoft Edge policy settings on Windows](/deployedge/configure-microsoft-edge).
|
||||
> - Devices must be domain joined for some of the policies to take effect.
|
||||
> - The following settings are applicable to Microsoft Edge version 77 or later.
|
||||
> - For details on supported Operating Systems see Microsoft Edge supported Operating Systems
|
||||
> - These policies require the Microsoft Edge administrative templates to be applied. For more information on administrative templates for Microsoft Edge see Configure Microsoft Edge policy settings on Windows
|
||||
> - Devices must be domain joined for some of the policies to take effect.
|
||||
|
||||
| Policy | Group Policy Path | Registry Path |
|
||||
|----------------------------------|--------------------|---------------------------------------------|
|
||||
@ -913,7 +913,7 @@ To turn off **Let apps use my advertising ID for experiences across apps (turnin
|
||||
|
||||
- Create a REG_DWORD registry setting named **DisabledByGroupPolicy** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\AdvertisingInfo** with a value of 1 (one).
|
||||
|
||||
To turn off **Turn on Windows Defender SmartScreen to check web content (URLs) that Microsoft Store apps use**:
|
||||
To turn off **Turn on Microsoft Defender Antivirus SmartScreen to check web content (URLs) that Microsoft Store apps use**:
|
||||
|
||||
- Turn off the feature in the UI.
|
||||
|
||||
@ -1616,13 +1616,13 @@ To turn off **Connect to suggested open hotspots** and **Connect to networks sha
|
||||
|
||||
When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings screen, but they’re non-functional and they can’t be controlled by the employee.
|
||||
|
||||
### <a href="" id="bkmk-defender"></a>24. Windows Defender
|
||||
### <a href="" id="bkmk-defender"></a>24. Microsoft Defender Antivirus
|
||||
|
||||
You can disconnect from the Microsoft Antimalware Protection Service.
|
||||
|
||||
> [!IMPORTANT]
|
||||
> **Required Steps BEFORE setting the Windows Defender Group Policy or RegKey on Windows 10 version 1903**
|
||||
> 1. Ensure Windows and Windows Defender are fully up to date.
|
||||
> **Required Steps BEFORE setting the Microsoft Defender Antivirus Group Policy or RegKey on Windows 10 version 1903**
|
||||
> 1. Ensure Windows and Microsoft Defender Antivirus are fully up to date.
|
||||
> 2. Search the Start menu for "Tamper Protection" by clicking on the search icon next to the Windows Start button. Then scroll down to the Tamper Protection toggle and turn it **Off**. This will allow you to modify the Registry key and allow the Group Policy to make the setting. Alternatively, you can go to **Windows Security Settings -> Virus & threat protection, click on Manage Settings** link and then scroll down to the Tamper Protection toggle to set it to **Off**.
|
||||
|
||||
- **Enable** the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **MAPS** > **Join Microsoft MAPS** and then select **Disabled** from the drop-down box named **Join Microsoft MAPS**
|
||||
@ -1687,21 +1687,21 @@ You can turn off **Enhanced Notifications** as follows:
|
||||
- Create a new REG_DWORD registry setting named **DisableEnhancedNotifications** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\Reporting** and enter the decimal value **1**.
|
||||
|
||||
|
||||
### <a href="" id="bkmk-defender-smartscreen"></a>24.1 Windows Defender SmartScreen
|
||||
### <a href="" id="bkmk-defender-smartscreen"></a>24.1 Microsoft Defender Antivirus SmartScreen
|
||||
|
||||
To disable Windows Defender SmartScreen:
|
||||
To disable Microsoft Defender Antivirus SmartScreen:
|
||||
|
||||
In Group Policy, configure:
|
||||
|
||||
- **Computer Configuration > Administrative Templates > Windows Components > Windows Defender SmartScreen > Explorer > Configure Windows Defender SmartScreen** to be **Disabled**
|
||||
- **Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus SmartScreen > Explorer > Configure Microsoft Defender Antivirus SmartScreen** to be **Disabled**
|
||||
|
||||
-and-
|
||||
|
||||
- **Computer Configuration > Administrative Templates > Windows Components > File Explorer > Configure Windows Defender SmartScreen** : **Disable**
|
||||
- **Computer Configuration > Administrative Templates > Windows Components > File Explorer > Configure Microsoft Defender Antivirus SmartScreen** : **Disable**
|
||||
|
||||
-and-
|
||||
|
||||
- **Computer Configuration > Administrative Templates > Windows Components > Windows Defender SmartScreen > Explorer > Configure app install control** : **Enable**, and select **Turn off app recommendations**
|
||||
- **Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus SmartScreen > Explorer > Configure app install control** : **Enable**, and select **Turn off app recommendations**
|
||||
|
||||
-OR-
|
||||
|
||||
@ -1930,6 +1930,22 @@ For China releases of Windows 10 there is one additional Regkey to be set to pre
|
||||
|
||||
- Add a REG_DWORD value named **HapDownloadEnabled** to **HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LexiconUpdate\\loc_0804** and set the **value to 0 (zero)**.
|
||||
|
||||
### <a href="" id="bkmk-clcp"></a>30. Cloud Clipboard
|
||||
|
||||
Specifies whether clipboard items roam across devices. When this is allowed, an item copied to the clipboard is uploaded to the cloud so that other devices can access. Also, when this is allowed, a new clipboard item on the cloud is downloaded to a device so that user can paste on the device.
|
||||
|
||||
Most restricted value is 0.
|
||||
|
||||
ADMX Info:
|
||||
|
||||
- GP English name: Allow Clipboard synchronization across devices<br>
|
||||
- GP name: AllowCrossDeviceClipboard<br>
|
||||
- GP path: System/OS Policies<br>
|
||||
- GP ADMX file name: OSPolicy.admx<br>
|
||||
|
||||
The following list shows the supported values:<br>
|
||||
0 – Not allowed. 1 (default) – Allowed.<br>
|
||||
|
||||
|
||||
### <a href="" id="bkmk-allowedtraffic"></a> Allowed traffic list for Windows Restricted Traffic Limited Functionality Baseline
|
||||
|
||||
|
||||
Reference in New Issue
Block a user