diff --git a/windows/manage/configure-telemetry-in-your-organization.md b/windows/manage/configure-telemetry-in-your-organization.md index 401c40d256..419bc3113d 100644 --- a/windows/manage/configure-telemetry-in-your-organization.md +++ b/windows/manage/configure-telemetry-in-your-organization.md @@ -1,6 +1,7 @@ --- description: Use this article to make informed decisions about how you can configure telemetry in your organization. -title: Configure telemetry in your organization +title: Configure telemetry in your organization (Windows 10) +keywords: privacy --- # Configure telemetry in your organization @@ -14,7 +15,7 @@ title: Configure telemetry in your organization Use this article to make informed decisions about how you can configure telemetry in your organization. Telemetry is a term that means different things to different people and organizations. For the purpose of this article, we discuss telemetry as system data that is uploaded by the Connected User Experience and Telemetry component. The telemetry data is used to keep Windows devices secure, and to help Microsoft improve the quality of Windows and Microsoft services. **Note**   -This article does not apply to System Center Configuration Manager, System Center Endpoint Protection, or System Center Data Protection Manager because those components use a different telemetry service than Windows and Windows Server +This article does not apply to System Center Configuration Manager, System Center Endpoint Protection, or System Center Data Protection Manager because those components use a different telemetry service than Windows and Windows Server. It describes the types of telemetry we gather and the ways you can manage its telemetry. This article also lists some examples of how telemetry can provide you with valuable insights into your enterprise deployments, and how Microsoft uses the data to quickly identify and address issues affecting its customers. 
@@ -22,7 +23,7 @@ We understand that the privacy and security of our customers’ information is i ## Overview -In previous versions of Windows and Windows Server, Microsoft used telemetry to check for updated or new Windows Defender signatures, check whether Windows Update installations were successful, gather reliability information through the Reliability Analysis Component (RAC) on Windows Server, and gather reliability information through the Windows Customer Experience Improvement Program (CEIP) on Windows. In Windows 10 and Windows Server 2016 Technical Preview, you can control telemetry streams by using **Settings** > **Privacy**, Group Policy, or MDM. +In previous versions of Windows and Windows Server, Microsoft used telemetry to check for updated or new Windows Defender signatures, check whether Windows Update installations were successful, gather reliability information through the Reliability Analysis Component (RAC) on Windows Server, and gather reliability information through the Windows Customer Experience Improvement Program (CEIP) on Windows. In Windows 10 and Windows Server 2016 Technical Preview, you can control telemetry streams by using Settings > Privacy, Group Policy, or MDM. Microsoft is committed to improving customer experiences in a mobile-first and cloud-first world, and it all starts with our customers. Telemetry is one critical way Microsoft is using data to improve our products and services. Telemetry gives every enterprise customer a voice that helps us shape future versions of Windows, Windows Server and System Center, allowing us to respond quickly to your feedback and providing new features and improved quality to our customers. 
@@ -34,11 +35,11 @@ For Windows 10, we invite IT pros to join the Windows Insider Program to give u ### Data collection -Data gathered by the Connected User Experience and Telemetry component complies with Microsoft’s [security and privacy policies](https://privacy.microsoft.com/privacystatement/), as well as international laws and regulations. The principle of least privilege guides access to telemetry data. Only Microsoft personnel who can demonstrate a valid business need can access the telemetry data. +Data gathered by the Connected User Experience and Telemetry component complies with Microsoft’s [security and privacy policies](https://privacy.microsoft.com/privacystatement), as well as international laws and regulations. The principle of least privilege guides access to telemetry data. Only Microsoft personnel who can demonstrate a valid business need can access the telemetry data. ### Data transfer -All telemetry data is encrypted using SSL and uses certificate pinning during transfer from the device to the Microsoft Data Management Service. With Windows 10,data is uploaded on a schedule that is sensitive to event priority, battery use, and network cost. Real-time events, such as Windows Defender Advanced Threat Protection,are always sent immediately. Normal events are not uploaded on metered networks, unless you are on a metered server connection. On a free network, normal events can be uploaded every 4 hours if on battery, or every 15 minutes if on A/C power. Diagnostic and crash data are only uploaded on A/C power and free networks. +All telemetry data is encrypted using SSL and uses certificate pinning during transfer from the device to the Microsoft Data Management Service. With Windows 10, data is uploaded on a schedule that is sensitive to event priority, battery use, and network cost. Real-time events, such as Windows Defender Advanced Threat Protection, are always sent immediately. 
Normal events are not uploaded on metered networks, unless you are on a metered server connection. On a free network, normal events can be uploaded every 4 hours if on battery, or every 15 minutes if on A/C power. Diagnostic and crash data are only uploaded on A/C power and free networks. ### Endpoints @@ -58,9 +59,7 @@ Data gathered from telemetry is used by Microsoft teams primarily to improve our ### Retention -Microsoft only gathers the information we need, and it is only stored for as long as it is needed to provide a service or for analysis. Most of the data is deleted within 30 days. - -Windows Error Reporting and Online Crash Analysis data is kept for 60 days. +Microsoft believes in and practices information minimization. We strive to gather only the info we need, and store it for as long as it’s needed to provide a service or for analysis. Much of the info about how Windows and apps are functioning is deleted within 30 days. Other info may be retained longer, such as error reporting data or Store purchase history. Info is typically gathered at a fractional sampling rate, which can be as low as 1% of clients reporting data. ## How is the data gathered? 
@@ -119,7 +118,7 @@ The data gathered at this level includes: - **Windows Defender/Endpoint Protection**. Windows Defender and System Center Endpoint Protection requires some information to function, including: anti-malware signatures, diagnostic information, User Account Control settings, Unified Extensible Firmware Interface (UEFI) settings, and IP address. **Note**   - This reporting can be turned off and no information is included if a customer is using third party antimalware software, or if Windows Defender is turned off. For more info, see [Windows Defender](manage-privacy-for-windows-10-in-your-company.md#windows-defender). + This reporting can be turned off and no information is included if a customer is using third party antimalware software, or if Windows Defender is turned off. For more info, see [Windows Defender](disconnect-your-organization-from-microsoft.md#windows-defender). Microsoft recommends that Windows Update, Windows Defender, and MSRT remain enabled unless the enterprise uses alternative solutions such as Windows Server Update Services, System Center Configuration Manager, or a third party antimalware solution. Windows Update, Windows Defender, and MSRT provide core Windows functionality such as driver and OS updates, including security updates. 
@@ -214,8 +213,6 @@ We do not recommend that you turn off telemetry in your organization as valuable **Important**   These telemetry levels only apply to Windows, Windows Server, and System Center components and apps that use the Connected User Experience and Telemetry component. Non-Windows components, such as Microsoft Office or other 3rd-party apps, may communicate with their cloud services outside of these telemetry levels. You should work with your app vendors to understand their telemetry policy, and how you can to opt in or opt out. For more information on how Microsoft Office uses telemetry, see [Overview of Office Telemetry](http://technet.microsoft.com/library/jj863580.aspx). -  - You can turn on or turn off System Center telemetry gathering. The default is on and the data gathered at this level represents what is gathered by default when System Center telemetry is turned on. However, setting the operating system telemetry level to **Basic** will turn off System Center telemetry, even if the System Center telemetry switch is turned on. The lowest telemetry setting level supported through management policies is **Security**. The lowest telemetry setting supported through the Settings UI is **Basic**. The default telemetry setting for Windows Server 2016 Technical Preview is **Enhanced.** 
@@ -299,6 +296,6 @@ Telemetry plays an important role in quickly identifying and fixing critical rel Telemetry provides a view of which features and services customers use most. For example, the telemetry data provides us with a heat map of the most commonly deployed Windows Server roles, most used Windows features, and which ones are used the least. This helps us make informed decisions on where we should invest our engineering resources to build a leaner operating system. For System Center, understanding the customer environment for management and monitoring will help drive the support compatibilities matrix, such as host and guest OS. This can help you use existing hardware to meet your business needs and reduce your total cost of ownership, as well as reducing downtime associated with security updates. -### Build features that address our customers’ needs +### Build features that address our customers’ needs Telemetry also helps us better understand how customers deploy components, use features, and use services to achieve their business goals. Getting insights from that information helps us prioritize our engineering investments in areas that can directly affect our customers’ experiences and workloads. Some examples include customer usage of containers, storage, and networking configurations associated with Windows Server roles like Clustering and Web. Another example could be to find out when is CPU hyper-threading turned off and the resulting impact. We use the insights to drive improvements and intelligence into some of our management and monitoring solutions, to help customers diagnose quality issues, and save money by making fewer help calls to Microsoft. \ No newline at end of file diff --git a/windows/manage/disconnect-your-organization-from-microsoft.md b/windows/manage/disconnect-your-organization-from-microsoft.md index e7e12620ef..f4ceaf4890 100644 --- a/windows/manage/disconnect-your-organization-from-microsoft.md 
+++ b/windows/manage/disconnect-your-organization-from-microsoft.md 
@@ -1,28 +1,26 @@ --- -title: Disconnect from Microsoft and configure privacy settings in your organization -description: If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider.If you’re looking for content on what each telemetry level means and how to configure it in your organization, see Configure telemetry in your organization. +title: Disconnect your organization from Microsoft (Windows 10) +description: If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider. ms.assetid: ACCEB0DD-BC6F-41B1-B359-140B242183D9 -keywords: privacy +keywords: privacy, disconnect from Microsoft ms.prod: W10 ms.mktglfcycl: manage ms.sitesec: library author: brianlic-msft --- -# Disconnect from Microsoft and configure privacy settings in your organization +# Disconnect your organization from Microsoft **Applies to** - Windows 10 -Learn about the telemetry that Microsoft gathers, the network connections that Windows components make to Microsoft, and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro. +If you’re looking for content on what each telemetry level means and how to configure it in your organization, see [Configure telemetry in your organization](configure-telemetry-in-your-organization.md). + +Learn about the network connections that Windows components make to Microsoft and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro. If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider. 
You can configure telemetry at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment from the list in this article. -**Note**  Telemetry is a term that means different things to different people and organizations. For the purpose of this article, we discuss telemetry as system data that is uploaded by the Connected User Experience and Telemetry component. The telemetry data is used to keep Windows devices secure, and to help Microsoft improve the quality of Windows and Microsoft services. We discuss separately the network connections that Windows features and components make directly to Microsoft Services. It is used to provide a service to the user as part of Windows. - -  - Some of the network connections discussed in this article can be managed in Windows 10 Mobile, Windows 10 Mobile Enterprise, and the July release of Windows 10. However, you must use Windows 10 Enterprise, version 1511 or Windows 10 Education, version 1511 to manage them all. In Windows 10 Enterprise, version 1511 or Windows 10 Education, version 1511, you can configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all other connections to Microsoft services as described in this article to prevent Windows from sending any data to Microsoft. We strongly recommend against this, as this data helps us deliver a secure, reliable, and more delightful personalized experience. @@ -133,10 +131,6 @@ Here's what's covered in this article: - [23. Windows Update](#bkmk-wu) -- [Manage your telemetry settings](#bkmk-utc) - -- [How telemetry works](#bkmk-moreutc) - ## What's new in Windows 10, version 1511 
@@ -255,46 +249,14 @@ Use either Group Policy or MDM policies to manage settings for Cortana. For more Find the Cortana Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Search**. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
PolicyDescription

Allow Cortana

Choose whether to let Cortana install and run on the device.

-

Default: Enabled

Allow search and Cortana to use location

Choose whether Cortana and Search can provide location-aware search results.

-

Default: Enabled

Do not allow web search

Choose whether to search the web from Windows Desktop Search.

-

Default: Disabled

Don't search the web or display web results in Search

Choose whether to search the web from Cortana.

-

Default: Disabled

Set what information is shared in Search

Control what information is shared with Bing in Search.

-  +| Policy | Description | +-------------------------------------------------------|---------------------------------------------------------------------------------------| +| Allow Cortana | Choose whether to let Cortana install and run on the device. | +| Allow search and Cortana to use location | Choose whether Cortana and Search can provide location-aware search results. | +| Do not allow web search | Choose whether to search the web from Windows Desktop Search.
Default: Disabled| +| Don't search the web or display web results in Search| Choose whether to search the web from Cortana. | +| Set what information is shared in Search | Control what information is shared with Bing in Search. | When you enable the **Don't search the web or display web results in Search** Group Policy, you can control the behavior of whether Cortana searches the web to display web results. However, this policy only covers whether or not web search is performed. There could still be a small amount of network traffic to Bing.com to evaluate if certain Cortana components are up-to-date or not. In order to turn off that network activity completely, you can create a Windows Firewall rule to prevent outbound traffic. @@ -325,38 +287,14 @@ When you enable the **Don't search the web or display web results in Search** Gr **Note**   If your organization tests network traffic, you should not use Fiddler to test Windows Firewall settings. You should use a network traffic analyzer, such as WireShark or Message Analyzer. -  - ### 1.2 Cortana MDM policies The following Cortana MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). - ---- - - - - - - - - - - - - - - - - -
PolicyDescription

Experience/AllowCortana

Choose whether to let Cortana install and run on the device.

-

Default: Allowed

Search/AllowSearchToUseLocation

Choose whether Cortana and Search can provide location-aware search results.

-

Default: Allowed

- -  +| Policy | Description | +-------------------------------------------------------|-----------------------------------------------------------------------------------------------------| +| Experience/AllowCortana | Choose whether to let Cortana install and run on the device. | +| Search/AllowSearchToUseLocation | Choose whether Cortana and Search can provide location-aware search results.
Default: Allowed| ### 1.3 Cortana Windows Provisioning @@ -385,8 +323,6 @@ To turn off font streaming, create a REG\_DWORD registry setting called **Disabl **Note**   This may change in future versions of Windows. -  - ### 5. Insider Preview builds To turn off Insider Preview builds if you're running a released version of Windows 10. If you're running a preview version of Windows 10, you must roll back to a released version before you can turn off Insider Preview builds. @@ -425,49 +361,13 @@ Use Group Policy to manage settings for Internet Explorer. Find the Internet Explorer Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer**. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
PolicyDescription

Turn on Suggested Sites

Choose whether an employee can configure Suggested Sites.

-

Default: Enabled

-

You can also turn this off in the UI by clearing the Internet Options > Advanced > Enable Suggested Sites check box.

Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar

Choose whether an employee can configure enhanced suggestions, which are presented to the employee as they type in the address bar.

-

Default: Enabled

Turn off the auto-complete feature for web addresses

Choose whether auto-complete suggests possible matches when employees are typing web address in the address bar.

-

Default: Disabled

-

You can also turn this off in the UI by clearing the Internet Options > Advanced > Use inline AutoComplete in the Internet Explorer Address Bar and Open Dialog check box.

Disable Periodic Check for Internet Explorer software updates

Choose whether Internet Explorer periodically checks for a new version.

-

Default: Enabled

Turn off browser geolocation

Choose whether websites can request location data from Internet Explorer.

-

Default: Disabled

- -  +| Policy | Description | +-------------------------------------------------------|-----------------------------------------------------------------------------------------------------| +| Turn on Suggested Sites| Choose whether an employee can configure Suggested Sites.
Default: Enabled
You can also turn this off in the UI by clearing the **Internet Options** > **Advanced** > **Enable Suggested Sites** check box.| +| Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | Choose whether an employee can configure enhanced suggestions, which are presented to the employee as they type in the address bar.
Default: Enabled| +| Turn off the auto-complete feature for web addresses | Choose whether auto-complete suggests possible matches when employees are typing web address in the address bar.
Default: Disabled
You can also turn this off in the UI by clearing the Internet Options > **Advanced** > **Use inline AutoComplete in the Internet Explorer Address Bar and Open Dialog** check box.| +| Disable Periodic Check for Internet Explorer software updates| Choose whether Internet Explorer periodically checks for a new version.
Default: Enabled | +| Turn off browser geolocation | Choose whether websites can request location data from Internet Explorer.
Default: Disabled| ### 6.2 ActiveX control blocking @@ -504,105 +404,27 @@ Find the Microsoft Edge Group Policy objects under **Computer Configuration** &g **Note**   The Microsoft Edge Group Policy names were changed in Windows 10, version 1511. The table below reflects those changes. -  - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
PolicyDescription

Turn off autofill

Choose whether employees can use autofill on websites.

-

Default: Enabled

Allow employees to send Do Not Track headers

Choose whether employees can send Do Not Track headers.

-

Default: Disabled

Turn off password manager

Choose whether employees can save passwords locally on their devices.

-

Default: Enabled

Turn off address bar search suggestions

Choose whether the address bar shows search suggestions.

-

Default: Enabled

Turn off the SmartScreen Filter

Choose whether SmartScreen is turned on or off.

-

Default: Enabled

Open a new tab with an empty tab

Choose whether a new tab page appears.

-

Default: Enabled

Configure corporate Home pages

Choose the corporate Home page for domain-joined devices.

-

Set this to about:blank

- -  +| Policy | Description | +-------------------------------------------------------|-----------------------------------------------------------------------------------------------------| +| Turn off autofill | Choose whether employees can use autofill on websites.
Default: Enabled | +| Allow employees to send Do Not Track headers | Choose whether employees can send Do Not Track headers.
Default: Disabled | +| Turn off password manager | Choose whether employees can save passwords locally on their devices.
Default: Enabled | +| Turn off address bar search suggestions | Choose whether the address bar shows search suggestions.
Default: Enabled | +| Turn off the SmartScreen Filter | Choose whether SmartScreen is turned on or off.
Default: Enabled | +| Open a new tab with an empty tab | Choose whether a new tab page appears.
Default: Enabled | +| Configure corporate Home pages | Choose the corporate Home page for domain-joined devices.
Set this to **about:blank** | ### 8.2 Microsoft Edge MDM policies The following Microsoft Edge MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
PolicyDescription

Browser/AllowAutoFill

Choose whether employees can use autofill on websites.

-

Default: Allowed

Browser/AllowDoNotTrack

Choose whether employees can send Do Not Track headers.

-

Default: Not allowed

Browser/AllowPasswordManager

Choose whether employees can save passwords locally on their devices.

-

Default: Allowed

Browser/AllowSearchSuggestionsinAddressBar

Choose whether the address bar shows search suggestions.

-

Default: Allowed

Browser/AllowSmartScreen

Choose whether SmartScreen is turned on or off.

-

Default: Allowed

- -  +| Policy | Description | +-------------------------------------------------------|-----------------------------------------------------------------------------------------------------| +| Browser/AllowAutoFill | Choose whether employees can use autofill on websites.
Default: Allowed | +| Browser/AllowDoNotTrack | Choose whether employees can send Do Not Track headers.
Default: Not allowed | +| Browser/AllowPasswordManager | Choose whether employees can save passwords locally on their devices.
Default: Allowed | +| Browser/AllowSearchSuggestionsinAddressBar | Choose whether the address bar shows search suggestions..
Default: Allowed | +| Browser/AllowSmartScreen | Choose whether SmartScreen is turned on or off.
Default: Allowed | ### 8.3 Microsoft Edge Windows Provisioning @@ -830,7 +652,7 @@ To turn off **Turn on SmartScreen Filter to check web content (URLs) that Window To turn off **Send Microsoft info about how I write to help us improve typing and writing in the future**: **Note**   -If the telemetry level is set to either [Basic](#bkmk-utc-basic) or [Security](#bkmk-utc-security), this is turned off automatically. +If the telemetry level is set to either **Basic** or **Security**, this is turned off automatically.   @@ -877,8 +699,6 @@ To turn off **Location for this device**: **Note**   You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](http://msdn.microsoft.com/library/dn905224.aspx). -   - -or- - Create a provisioning package, using **Runtime settings** > **Policies** > **System** > **AllowLocation**, where @@ -929,10 +749,8 @@ To turn off **Let apps use my camera**: **Note**   You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](http://msdn.microsoft.com/library/dn905224.aspx). - -   - - -or- + + -or- - Create a provisioning package with use Windows ICD, using **Runtime settings** > **Policies** > **Camera** > **AllowCamera**, where: @@ -952,7 +770,7 @@ To turn off **Let apps use my microphone**: - Turn off the feature in the UI. - -or- + -or- - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the microphone** 
@@ -975,15 +793,15 @@ To turn off the functionality: - Click the **Stop getting to know me** button, and then click **Turn off**. - -or- + -or- - Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Regional and Language Options** > **Handwriting personalization** > **Turn off automatic learning** - -or- + -or- - Create a REG\_DWORD registry setting called **AcceptedPrivacyPolicy** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Personalization\\Settings**, with a value of 0 (zero). - -and- + -and- Create a REG\_DWORD registry setting called **HarvestContacts** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\InputPersonalization\\TrainedDataStore**, with a value of 0 (zero). @@ -995,7 +813,7 @@ To turn off **Let apps access my name, picture, and other account info**: - Turn off the feature in the UI. - -or- + -or- - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access account information** @@ -1013,7 +831,7 @@ To turn off **Choose apps that can access contacts**: - Turn off the feature in the UI for each app. - -or- + -or- - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access contacts** @@ -1027,7 +845,7 @@ To turn off **Let apps access my calendar**: - Turn off the feature in the UI. - -or- + -or- - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the calendar** @@ -1045,7 +863,7 @@ To turn off **Let apps access my call history**: - Turn off the feature in the UI. - -or- + -or- - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access call history** 
@@ -1059,7 +877,7 @@ To turn off **Let apps access and send email**: - Turn off the feature in the UI. - -or- + -or- - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access email** @@ -1132,11 +950,11 @@ Feedback frequency only applies to user-generated feedback, not diagnostic and u - To change from **Automatically (Recommended)**, use the drop-down list in the UI. - -or- + -or- - Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Do not show feedback notifications** - -or- + -or- - Create the registry keys (REG\_DWORD type): 
@@ -1158,40 +976,40 @@ Feedback frequency only applies to user-generated feedback, not diagnostic and u To change the level of diagnostic and usage data sent when you **Send your device data to Microsoft**: -- To change from [Enhanced](#bkmk-utc-enhanced), use the drop-down list in the UI. The other levels are **Basic** and **Full**. For more info about these levels, see [How telemetry works](#bkmk-moreutc). +- To change from **Enhanced**, use the drop-down list in the UI. The other levels are **Basic** and **Full**. **Note**   - You can't use the UI to change the telemetry level to [Security](#bkmk-utc-security). + You can't use the UI to change the telemetry level to **Security**.   - -or- + -or- - Apply the Group Policy: **Computer Configuration\\Administrative Templates\\Windows Components\\Data Collection And Preview Builds\\Allow Telemetry** - -or- + -or- - Apply the System/AllowTelemetry MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: - - **0**. Maps to the [Security](#bkmk-utc-security) level. + - **0**. Maps to the **Security** level. - - **1**. Maps to the [Basic](#bkmk-utc-basic) level. + - **1**. Maps to the **Basic** level. - - **2**. Maps to the [Enhanced](#bkmk-utc-enhanced) level. + - **2**. Maps to the **Enhanced** level. - - **3**. Maps to the [Full](#bkmk-utc-full) level. + - **3**. Maps to the **Full** level. - -or- + -or- - Create a provisioning package, using **Runtime settings** > **Policies** > **System** > **AllowTelemetry**, where: - - **0**. Maps to the [Security](#bkmk-utc-security) level. + - **0**. Maps to the **Security** level. - - **1**. Maps to the [Basic](#bkmk-utc-basic) level. + - **1**. Maps to the **Basic** level. - - **2**. Maps to the [Enhanced](#bkmk-utc-enhanced) level. + - **2**. Maps to the **Enhanced** level. - - **3**. Maps to the [Full](#bkmk-utc-full) level. + - **3**. Maps to the **Full** level. ### 13.15 Background apps 
@@ -1263,7 +1081,7 @@ To turn off **Connect to suggested open hotspots** and **Connect to networks sha -or- -- Use the Unattended settings to set the value of WiFiSenseAllowed to 0 (zero). For more info, see the Unattended Windows Setup reference doc, [WiFiSenseAllowed.](http://go.microsoft.com/fwlink/p/?LinkId=620910) +- Use the Unattended settings to set the value of WiFiSenseAllowed to 0 (zero). For more info, see the Unattended Windows Setup reference doc, [WiFiSenseAllowed](http://go.microsoft.com/fwlink/p/?LinkId=620910). When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings screen, but they’re non-functional and they can’t be controlled by the employee. 
@@ -1360,7 +1178,7 @@ You can turn off the ability to launch apps from the Windows Store that were pre ### 22. Windows Update Delivery Optimization -Windows Update Delivery Optimization lets you get Windows updates and Windows Store apps from sources in addition to Microsoft, which not only helps when you have a limited or unreliable Internet connection, but can also help you reduce the amount of bandwidth needed to keep all of your organization’s PCs up-to-date. If you have Delivery Optimization turned on, PCs on your network may send and receive updates and apps to other PCs on your local network, if you choose, or to PCs on the Internet. +Windows Update Delivery Optimization lets you get Windows updates and Windows Store apps from sources in addition to Microsoft, which not only helps when you have a limited or unreliable Internet connection, but can also help you reduce the amount of bandwidth needed to keep all of your organization's PCs up-to-date. If you have Delivery Optimization turned on, PCs on your network may send and receive updates and apps to other PCs on your local network, if you choose, or to PCs on the Internet. By default, PCs running Windows 10 Enterprise and Windows 10 Education will only use Delivery Optimization to get and receive updates for PCs and apps on your local network. @@ -1376,115 +1194,26 @@ You can set up Delivery Optimization from the **Settings** UI. You can find the Delivery Optimization Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Delivery Optimization**. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
PolicyDescription

Download Mode

Lets you choose where Delivery Optimization gets or sends updates and apps, including

-
    -
  • None. Turns off Delivery Optimization.

  • -
  • Group. Gets or sends updates and apps to PCs on the same local network domain.

  • -
  • Internet. Gets or sends updates and apps to PCs on the Internet.

  • -
  • LAN. Gets or sends updates and apps to PCs on the same NAT only.

  • -

Group ID

Lets you provide a Group ID that limits which PCs can share apps and updates.

-
-Note   -

This ID must be a GUID.

-
-
-  -

Max Cache Age

Lets you specify the maximum time (in seconds) that a file is held in the Delivery Optimization cache.

-

The default value is 259200 seconds (3 days).

Max Cache Size

Lets you specify the maximum cache size as a percentage of disk size.

-

The default value is 20, which represents 20% of the disk.

Max Upload Bandwidth

Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity.

-

The default value is 0, which means unlimited possible bandwidth.

- -  +| Policy | Description | +----------------------------|-----------------------------------------------------------------------------------------------------| +| Download Mode | Lets you choose where Delivery Optimization gets or sends updates and apps, including | +| Group ID | Lets you provide a Group ID that limits which PCs can share apps and updates.
** Note** This ID must be a GUID.| +| Max Cache Age | Lets you specify the maximum time (in seconds) that a file is held in the Delivery Optimization cache.
The default value is 259200 seconds (3 days).| +| Max Cache Size | Lets you specify the maximum cache size as a percentage of disk size.
The default value is 20, which represents 20% of the disk.| +| Max Upload Bandwidth | Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity.
The default value is 0, which means unlimited possible bandwidth.| ### 22.3 Delivery Optimization MDM policies The following Delivery Optimization MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
PolicyDescription

DeliveryOptimization/DODownloadMode

Lets you configure where Delivery Optimization gets or sends updates and apps, including:

-
    -
  • 0. Turns off Delivery Optimization.

  • -
  • 1. Gets or sends updates and apps to PCs on the same NAT only.

  • -
  • 2. Gets or sends updates and apps to PCs on the same local network domain.

  • -
  • 3. Gets or sends updates and apps to PCs on the Internet.

  • -

DeliveryOptimization/DOGroupID

Lets you provide a Group ID that limits which PCs can share apps and updates.

-
-Note   -

This ID must be a GUID.

-
-
-  -

DeliveryOptimization/DOMaxCacheAge

Lets you specify the maximum time (in seconds) that a file is held in the Delivery Optimization cache.

-

The default value is 259200 seconds (3 days).

DeliveryOptimization/DOMaxCacheSize

Lets you specify the maximum cache size as a percentage of disk size.

-

The default value is 20, which represents 20% of the disk.

DeliveryOptimization/DOMaxUploadBandwidth

Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity.

-

The default value is 0, which means unlimited possible bandwidth.

+| Policy | Description | +----------------------------|-----------------------------------------------------------------------------------------------------| +| DeliveryOptimization/DODownloadMode | Lets you choose where Delivery Optimization gets or sends updates and apps, including | +| DeliveryOptimization/DOGroupID | Lets you provide a Group ID that limits which PCs can share apps and updates.
** Note** This ID must be a GUID.| +| DeliveryOptimization/DOMaxCacheAge | Lets you specify the maximum time (in seconds) that a file is held in the Delivery Optimization cache.
The default value is 259200 seconds (3 days).| +| DeliveryOptimization/DOMaxCacheSize | Lets you specify the maximum cache size as a percentage of disk size.
The default value is 20, which represents 20% of the disk.| +| DeliveryOptimization/DOMaxUploadBandwidth | Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity.
The default value is 0, which means unlimited possible bandwidth.| -  ### 22.4 Delivery Optimization Windows Provisioning @@ -1541,15 +1270,15 @@ You can manage your telemetry settings using the management tools you're already You can set your organization's devices to use 1 of 4 telemetry levels: -- [Security](#bkmk-utc-security) (only available on Windows 10 Enterprise, Windows 10 Education, and Windows 10 IoT Core (IoT Core) editions) +- **Security** (only available on Windows 10 Enterprise, Windows 10 Education, and Windows 10 IoT Core (IoT Core) editions) -- [Basic](#bkmk-utc-basic) +- **Basic** -- [Enhanced](#bkmk-utc-enhanced) +- **Enhanced** -- [Full](#bkmk-utc-full) +- **Full** -For more info about these telemetry levels, see [Telemetry levels](#bkmk-telemetrylevels). In Windows 10 Enterprise, Windows 10 Education, and IoT Core, the default telemetry level is [Enhanced](#bkmk-utc-enhanced). +In Windows 10 Enterprise, Windows 10 Education, and IoT Core, the default telemetry level is **Enhanced**. **Important**   These telemetry levels only apply to Windows components and apps that use the Connected User Experience and Telemetry component. Non-Windows components, such as Microsoft Office or other 3rd-party apps, may communicate with their cloud services outside of these telemetry levels. App publishers must let people know about how they use their telemetry, ways to opt in or opt out, and they must separately document their privacy policies. 
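Review bot: in the table conversion (`@@ -1376`), both new Download Mode rows stop at "including" and the list that followed is gone. The Group Policy table loses None / Group / Internet / LAN. The MDM table loses the numeric mapping for DeliveryOptimization/DODownloadMode (0 turns it off, 1 same NAT only, 2 same local network domain, 3 PCs on the Internet). That mapping is the value an admin actually enters, and it decides whether devices exchange update content with PCs outside the organization. Restore the options inside the cell (for example separated by `<br>`), and end the sentence with the colon the removed MDM text had. Two smaller points in the same rows: `** Note**` has a space after the opening asterisks, so it will not render as bold, and the separator row has no leading `|` unlike the header row above it.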
@@ -1570,13 +1299,13 @@ Use a Group Policy object to set your organization’s telemetry level. Use the [Policy Configuration Service Provider (CSP)](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) to apply the System/AllowTelemetry MDM policy, using one of these telemetry values: -- **0**. Maps to the [Security](#bkmk-utc-security) level. +- **0**. Maps to the **Security** level. -- **1**. Maps to the [Basic](#bkmk-utc-basic) level. +- **1**. Maps to the **Basic** level. -- **2**. Maps to the [Enhanced](#bkmk-utc-enhanced) level. +- **2**. Maps to the **Enhanced** level. -- **3**. Maps to the [Full](#bkmk-utc-full) level. +- **3**. Maps to the **Full** level. ### Use Windows Provisioning to set the telemetry level @@ -1594,13 +1323,13 @@ After you create the provisioning package, you can email it to your employees, p 4. Go to **Runtime settings** > **Policies** > **System** > **AllowTelemetry** to configure the policies. You can set it to one of the following: - - **Disabled \[Enterprise SKU Only\]**. Maps to the [Security](#bkmk-utc-security) level. + - **Disabled \[Enterprise SKU Only\]**. Maps to the **Security** level. - - **Basic**. Maps to the [Basic](#bkmk-utc-basic) level. + - **Basic**. Maps to the **Basic** level. - - **Full**. Maps to the [Enhanced](#bkmk-utc-enhanced) level + - **Full**. Maps to the **Enhanced** level - - **Diagnostic**. Maps to the [Full](#bkmk-utc-full) level. + - **Diagnostic**. Maps to the **Full** level. 5. After you've added all of your settings to the provisioning package, click **Export** > **Provisioning package**. 
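Review bot: in the provisioning list (`@@ -1594`), "**Full**. Maps to the **Enhanced** level" and "**Diagnostic**. Maps to the **Full** level." now read as a contradiction. Both sides are plain bold text once the links are removed, so nothing marks the left-hand name as a tool option and the right-hand name as a telemetry level. Add one sentence before the list saying the option labels in the provisioning tool differ from the telemetry level names, so that an admin who selects Full knows the device ends up at Enhanced. The Full line is also the only one of the four without a terminal period.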
@@ -1626,13 +1355,13 @@ If a management policy already exists (from Group Policy, MDM, or Windows Provis 4. Double-click **AllowTelemetry** and set the value to one of the following levels, and the click **OK**. - - **0**. This setting maps to the [Security](#bkmk-utc-security) level. + - **0**. This setting maps to the **Security** level. - - **1**. This setting maps to the [Basic](#bkmk-utc-basic) level. + - **1**. This setting maps to the **Basic** level. - - **2**. This setting maps to the [Enhanced](#bkmk-utc-enhanced) level + - **2**. This setting maps to the **Enhanced** level - - **3**. This setting maps to the [Full](#bkmk-utc-full) level. + - **3**. This setting maps to the **Full** level. 5. Click **File** > **Export**, and then save the file as a .reg file, such as **C:\\AllowTelemetry.reg**. You can run this file from a script on each device in your organization. 
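Review bot: the `+` line for value **2** ("This setting maps to the **Enhanced** level") is still missing the terminal period that the lines for 0, 1 and 3 have; fix it while the line is being rewritten. The context line for step 4 also reads "and the click **OK**" where "then" is meant, which is worth folding into this change.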
@@ -1649,161 +1378,4 @@ There are a few more settings that you can turn off that may send telemetry info - Turn off Linguistic Data Collection in **Settings** > **Privacy**. At telemetry levels Enhanced and Full, Microsoft uses Linguistic Data Collection info to improve language model features such as autocomplete, spellcheck, suggestions, input pattern recognition, and dictionary. For more info, see the **Get to know me** setting in the [Speech, inking, & typing](#bkmk-priv-speech) section of this article and the **Send Microsoft info about how I write to help us improve typing and writing in the future** setting in the [General](#bkmk-priv-general) section of this article. **Note**   - Microsoft doesn't intentionally gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user's device. If we determine that sensitive information has been inadvertently received, we delete the information. - -   - -## How telemetry works - - -Windows uses telemetry information to analyze and fix software problems. It also helps Microsoft improve its software and provide updates that enhance the security and reliability of devices within your organization. - -### Telemetry levels - -This section explains the different telemetry levels in Windows 10. These levels are available on all desktop and mobile editions of Windows 10, with the exception of the Security level which is limited to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and IoT Core. - -- **Security**. Information that's required to help keep Windows secure, including info about theConnected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender. 
This level is available only on Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and IoT Core. - -- **Basic**. Basic device info, including: quality-related info, app compat, and info from the Security level. - -- **Enhanced** Additional insights, including: how Windows and Windows apps are used, how they perform, advanced reliability info, and info from both the Basic and the Security levels. - -- **Full**. All info necessary to identify and help to fix problems, plus info from the Security, Basic, and Enhanced levels. - -As a diagram: - -![](images/priv-telemetry-levels.png) - -### Security level - -The Security level gathers only telemetry info that's required to keep Windows devices secure. This level is only available on Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and IoT Core editions. - -**Note**   -If your organization relies on Windows Update for updates, you shouldn't use the Security level. Because no Windows Update information is gathered at this level, Microsoft can't tell whether an update successfully installed. - -You can continue to use Windows Server Update Services and System Center Configuration Manager while using the Security level. - -  - -Security level info includes: - -- **Connected User Experience and Telemetry component settings**. If data has been gathered and is queued to be sent, the Connected User Experience and Telemetry component downloads its settings file from Microsoft’s servers. The data collected by the client for this request includes OS information, device id (used to identify what specific device is requesting settings) and device class (for example, whether the device is server or desktop). - -- **Malicious Software Removal Tool (MSRT)** The MSRT infection report contains information, including device info and IP address. - - **Note**   - You can turn off the MSRT infection report. No MSRT information is included if MSRT is not used. 
If Windows Update is turned off, MSRT will not be offered to users. - -   - -- **Windows Defender**. Windows Defender requires some information to function, including: anti-malware signatures, diagnostic information, User Account Control settings, Unified Extensible Firmware Interface (UEFI) settings, and IP address. To configure this, see [Windows Defender](#bkmk-defender). - - **Note**   - This reporting can be turned off and no information is included if a customer is using third party antimalware software, or if Windows Defender is turned off. - - Microsoft recommends that Windows Update, Windows Defender, and MSRT remain enabled unless the enterprise uses alternative solutions such as Windows Server Update Services, System Center Configuration Manager, or a third party antimalware solution. Windows Update, Windows Defender, and MSRT provide core Windows functionality such as driver and OS updates, including security updates; moreover, Window Defender requires updated anti-malware signatures in order to provide security functionality. - -   - -No user content, such as user files or communications, is gathered at the Security telemetry level, and we take steps to avoid gathering any information that directly identifies a company or user, such as name, email address, or account ID. However, in rare circumstances, MSRT information may unintentionally contain personal information. For instance, some malware may create entries in a computer's registry that include information such as a username, causing it to be gathered. MSRT reporting is optional and can be turned off at any time. - -To set the telemetry level to Security, use a management policy (Group Policy or MDM) or by manually changing the setting in the registry. For more info, see the [Manage your telemetry settings](#bkmk-utc) section of this article. - -### Basic level - -The Basic level gathers a limited set of info that’s critical for understanding the device and its configuration. 
This level also includes the Security level info. This level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. - -Basic level info includes: - -- **Basic device info**. Helps provide an understanding about the various types of devices in the Windows 10 ecosystem, including: - - - Device attributes, such as camera resolution and display type - - - Internet Explorer version - - - Battery attributes, such as capacity and type - - - Networking attributes, such as mobile operator network and IMEI number - - - Processor and memory attributes, such as number of cores, speed, and firmware - - - Operating system attributes, such as Windows edition and IsVirtualDevice - - - Storage attributes, such as number of drives and memory size - -- **Connected User Experience and Telemetry component quality metrics**. Helps provide an understanding about how the Connected User Experience and Telemetry component is functioning, including uploaded events, dropped events, and the last upload time. - -- **Quality-related information**. Helps Microsoft develop a basic understanding of how a device and its operating system are performing. Some examples are the amount of time a connected standby device was able to fullsleep, the number of crashes or hangs, and application state change details, such as how much processor time and memory were used, and the total uptime for an app. - -- **App compat info**. Helps provide understanding about which apps are installed on a device and to help identify potential compatibility problems. - - - **General app info and app info for Internet Explorer add-ons**. Includes a list of apps and Internet Explorer add-ons that are installed on a device and whether these apps will work after an upgrade. 
This app info includes the app name, publisher, version, and basic details about which files have been blocked from usage. - - - **System info**. Helps provide understanding about whether a device meets the minimum requirements to upgrade to the next version of the operating system. System information includes the amount of memory, as well as info about the processor and BIOS. - - - **Accessory device info**. Includes a list of accessory devices, such as printers or external storage devices, that are connected to Windows PCs and whether these devices will function after upgrading to a new version of the operating system. - - - **Driver info**. Includes specific driver usage that’s meant to help figure out whether apps and devices will function after upgrading to a new version of the operating system. This info can help to determine blocking issues and then help Microsoft and our partners apply fixes and improvements. - -- **Store**. Provides info about how the Windows Store performs, including app downloads, installations, and updates. It also includes Windows Store launches, page views, suspend and resumes, and obtaining licenses. - -### Enhanced level - -The Enhanced level gathers info about how Windows and apps are used and how they perform. This level also includes info from both the Basic and Security levels. This level helps to improve experiences by analyzing user interaction with the operating system and apps. Info from this level can be abstracted into patterns and trends that can help Microsoft determine future improvements. - -Enhanced level info includes: - -- **Operating system events**. Helps to gain insights into different areas of the operating system, including networking, Hyper-V, Cortana, and other components. - -- **Operating system app events**. A set of events resulting from Microsoft apps that were downloaded from the Store or pre-installed with Windows, including Photos, Mail, and Microsoft Edge. - -- **Device-specific events**. 
Contains info about events that are specific to certain devices, such as Surface Hub and Microsoft HoloLens. For example, Microsoft HoloLens sends Holographic Processing Unit (HPU)-related events. - -If the Connected User Experience and Telemetry component detects a problem that requires gathering more detailed instrumentation, then the Connected User Experience and Telemetry component will only gather info about the events associated with the specific issue, for no more than 2 weeks. Also, if the operating system or an app crashes or hangs, Microsoft will gather the memory contents of the faulting process only at the time of the crash or hang. - -### Full level - -The Full level gathers info necessary to identify and to help fix problems, following the approval process described below. This level also includes info from the Basic, Enhanced, and Security levels. - -Additionally, at this level, devices opted in to the Windows Insider Program will send events that can show Microsoft how pre-release binaries and features are performing. All devices in the Windows Insider Program are automatically set to this level. - -If a device experiences problems that are difficult to identify or repeat using Microsoft's internal testing, additional info becomes necessary. This info can include any user content that might have triggered the problem and is gathered from a small sample of devices that have both opted into the Full telemetry level and have exhibited the problem. - -However, before more info is gathered, Microsoft's privacy governance team, including privacy and other subject matter experts, must approve the diagnostics request made by a Microsoft engineer. If the request is approved, Microsoft engineers can use the following capabilities to get the information: - -- Ability to run a limited, pre-approved list of Microsoft certified diagnostic tools, such as msinfo32.exe, powercfg.exe, and dxdiag.exe. - -- Ability to get registry keys. 
- -- Ability to gather user content, such as documents, if they might have been the trigger for the issue. - -### How is telemetry information handled by Microsoft? - -### Collection - -Information gathered by the Connected User Experience and Telemetry component complies with Microsoft's security and privacy policies, as well as international laws and regulations. Only those who can demonstrate a valid business need can access the telemetry info. - -### Data Transfer - -All telemetry info is encrypted during transfer from the device to the Microsoft Data Management Service. Data is uploaded on a schedule that is sensitive to event priority, battery use, and network cost. Real-time events, such as gaming achievements, are always sent immediately. Normal events are not uploaded on metered networks. On a free network, normal events can be uploaded every 4 hours if on battery, or every 15 minutes if on A/C power. Diagnostic and crash data are only uploaded on A/C power and free networks. - -### Microsoft Data Management Service - -The Microsoft Data Management Service routes information to internal cloud storage, where it's compiled into business reports for analysis and research. Sensitive info is stored in a separate data store that's locked down to a small subset of Microsoft employees in the Windows Devices Group. The privacy governance team permits access only to people with a valid business justification. The Connected User Experiences and Telemetry component connects to the Microsoft Data Management service at v10.vortex-win.data.microsoft.com. The Connected User Experience and Telemetry component connects to settings-win.data.microsoft.com to collect its settings. - -### Usage - -Information is used by teams within Microsoft to provide, improve, and personalize experiences, and for security, health, quality, and performance analysis. - -An example of personalization is to create individually tailored in-product messages. 
- -Microsoft doesn't share organization-specific customer information with third parties, except at the customer's direction or for the limited purposes described in the privacy statement. However, we do share business reports with partners that include aggregated, anonymous telemetry information. Decisions to share info are made by an internal team that includes privacy, legal, and data management professionals. - -### Retention - -Microsoft believes in and practices information minimization, so we only gather the info we need, and we only store it for as long as it's needed to provide a service or for analysis. Much of the info about how Windows and apps are functioning is deleted within 30 days. Other info may be retained longer, particularly if there is a regulatory requirement to do so. Info is typically gathered at a fractional sampling rate, which for some client services, can be as low as 1%. - - - - - + Microsoft doesn't intentionally gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user's device. If we determine that sensitive information has been inadvertently received, we delete the information. \ No newline at end of file diff --git a/windows/manage/lock-down-windows-10.md b/windows/manage/lock-down-windows-10.md index ffe9e7c732..72dbc00ec1 100644 --- a/windows/manage/lock-down-windows-10.md +++ b/windows/manage/lock-down-windows-10.md @@ -43,23 +43,27 @@ Enterprises often need to manage how people use corporate devices. Windows 10 p

Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps. The result is similar to [a kiosk device](set-up-a-device-for-anyone-to-use.md), but with multiple apps available. For example, you might set up a library computer so that users can search the catalog and browse the Internet, but can't run any other apps or change computer settings.

-

[Configure telemetry and other settings in your organization](disconnect-your-organization-from-microsoft.md)

-

Learn about the telemetry that Microsoft gathers, the network connections that Windows components make to Microsoft, and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro.

+

[Configure telemetry in your organization](configure-telemetry-in-your-organization.md)

+

Use this article to make informed decisions about how you can configure telemetry in your organization.

+

[Disconnect your organization from Microsoft](disconnect-your-organization-from-microsoft.md)

+

Learn about the network connections that Windows components make to Microsoft and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro.

+ +

[Configure access to Windows Store](stop-employees-from-using-the-windows-store.md)

IT Pros can configure access to Windows Store for client computers in their organization. For some organizations, business policies require blocking access to Windows Store.

- +

[Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md)

Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places. It can connect you to open Wi-Fi hotspots it knows about through crowdsourcing, or to Wi-Fi networks your contacts have shared with you by using Wi-Fi Sense.

The initial settings for Wi-Fi Sense are determined by the options you chose when you first set up your PC with Windows 10.

- +

[Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md)

Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device.

- +

[Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md)

There are two methods for resetting a Windows 10 Mobile device: factory reset and "wipe and persist" reset.
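Review bot: the `@@ -1649` hunk earlier in this patch, which deletes "How telemetry works", also removes the only mention in that file of the two hostnames the Connected User Experience and Telemetry component connects to, v10.vortex-win.data.microsoft.com and settings-win.data.microsoft.com, together with the upload schedule and retention text. If that material now lives in configure-telemetry-in-your-organization.md, leave a one-line pointer where the section was, since a reader using that file to restrict traffic needs those names. The surviving links to #bkmk-priv-speech and #bkmk-priv-general in the Linguistic Data Collection bullet should be re-checked after the move. The hunk also leaves the file ending with "\ No newline at end of file"; add the trailing newline.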