| Windows Sandbox may fail to start with error code “0x80070002” Windows Sandbox may fail to start with \"ERROR_FILE_NOT_FOUND (0x80070002)\" on devices in which the operating system language is changed during the update process when installing Windows 10, version 1903.
Affected platforms: - Client: Windows 10, version 1903
Next steps: We are working on a resolution and estimates a solution will be available in late August.
Back to top | OS Build 18362.116
May 20, 2019
KB4505057 | Investigating
| Last updated:
August 20, 2019
10:50 AM PT
Opened:
May 24, 2019
04:20 PM PT |
+ | Windows Sandbox may fail to start with error code “0x80070002” Windows Sandbox may fail to start with \"ERROR_FILE_NOT_FOUND (0x80070002)\" on devices in which the operating system language is changed during the update process when installing Windows 10, version 1903.
Affected platforms: - Client: Windows 10, version 1903
Next steps: We are working on a resolution and estimates a solution will be available in late August.
Back to top | OS Build 18362.116
May 20, 2019
KB4505057 | Investigating
| Last updated:
August 20, 2019
11:06 AM PT
Opened:
May 24, 2019
04:20 PM PT |
| Intermittent loss of Wi-Fi connectivity Some older computers may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver. An updated Wi-Fi driver should be available from your device manufacturer (OEM).
To safeguard your upgrade experience, we have applied a hold on devices with this Qualcomm driver from being offered Windows 10, version 1903, until the updated driver is installed.
Affected platforms: - Client: Windows 10, version 1903
Workaround: Before updating to Windows 10, version 1903, you will need to download and install an updated Wi-Fi driver from your device manufacturer (OEM). Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until a new driver has been installed and the Windows 10, version 1903 feature update has been automatically offered to you.
Back to top | OS Build 18362.116
May 21, 2019
KB4505057 | Mitigated External
| Last updated:
August 01, 2019
08:44 PM PT
Opened:
May 21, 2019
07:13 AM PT |
| Gamma ramps, color profiles, and night light settings do not apply in some cases Microsoft has identified some scenarios where gamma ramps, color profiles and night light settings may stop working.
Microsoft has identified some scenarios in which these features may have issues or stop working, for example: - Connecting to (or disconnecting from) an external monitor, dock, or projector
- Rotating the screen
- Updating display drivers or making other display mode changes
- Closing full screen applications
- Applying custom color profiles
- Running applications that rely on custom gamma ramps
Affected platforms: - Client: Windows 10, version 1903
Workaround: If you find that your night light has stopped working, try turning the night light off and on, or restarting your computer. For other color setting issues, restart your computer to correct the issue.
Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.
Next steps: We are working on a resolution and will provide an update in an upcoming release.
Back to top | OS Build 18362.116
May 21, 2019
KB4505057 | Mitigated
| Last updated:
August 01, 2019
06:27 PM PT
Opened:
May 21, 2019
07:28 AM PT |
| Display brightness may not respond to adjustments Microsoft and Intel have identified a driver compatibility issue on devices configured with certain Intel display drivers. After updating to Windows 10, version 1903, brightness settings may sometime appear as if changes applied took effect, yet the actual display brightness doesn't change.
To safeguard your update experience, we have applied a compatibility hold on devices with certain Intel drivers from being offered Windows 10, version 1903, until this issue is resolved.
Affected platforms: - Client: Windows 10, version 1903
Resolution: This issue was resolved in KB4505903 and the safeguard hold has been removed. Please ensure you have applied the resolving update before attempting to update to the Windows 10 May 2019 Update (version 1903). Please note, it can take up to 48 hours for the safeguard to be removed.
Back to top | OS Build 18362.116
May 21, 2019
KB4505057 | Resolved
KB4505903 | Resolved:
July 26, 2019
02:00 PM PT
Opened:
May 21, 2019
07:56 AM PT |
diff --git a/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml b/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml
index 15f5bd4ccc..a57a74739b 100644
--- a/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml
+++ b/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml
@@ -60,10 +60,10 @@ sections:
- type: markdown
text: "This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
+ Windows updates that are SHA-2 signed may not be offered for Symantec and Norton AV
Windows updates that are SHA-2 signed are not available with Symantec or Norton antivirus program installed
See details > | August 13, 2019
KB4512506 | Mitigated External
| August 23, 2019
04:25 PM PT |
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"
See details > | June 11, 2019
KB4503292 | Resolved
KB4512514 | August 17, 2019
02:00 PM PT |
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.
See details > | August 13, 2019
KB4512506 | Resolved
KB4517297 | August 16, 2019
02:00 PM PT |
IA64 and x64 devices may fail to start after installing updates
After installing updates released on or after August 13, 2019, IA64 and x64 devices using EFI Boot may fail to start.
See details > | August 13, 2019
KB4512506 | Mitigated
| August 17, 2019
12:59 PM PT |
- Windows updates that are SHA-2 signed may not be offered for Symantec and Norton AV
Windows udates that are SHA-2 signed are not available with Symantec or Norton antivirus program installed
See details > | August 13, 2019
KB4512506 | Investigating
| August 16, 2019
04:28 PM PT |
System may be unresponsive after restart with certain McAfee antivirus products
Devices with McAfee Endpoint Security Threat Prevention 10.x, Host Intrusion Prevention 8.0, or VirusScan Enterprise 8.8 may be slow or unresponsive at startup.
See details > | April 09, 2019
KB4493472 | Resolved External
| August 13, 2019
06:59 PM PT |
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.
See details > | June 11, 2019
KB4503292 | Resolved External
| August 09, 2019
07:03 PM PT |
@@ -81,9 +81,9 @@ sections:
- type: markdown
text: "
| Details | Originating update | Status | History |
+ | Windows updates that are SHA-2 signed may not be offered for Symantec and Norton AV Symantec identified the potential for a negative interaction that may occur after Windows Updates code signed with SHA-2 only certificates are installed on devices with Symantec or Norton antivirus programs installed. The software may not correctly identify files included in the update as code signed by Microsoft, putting the device at risk for a delayed or incomplete update.
Affected platforms: - Client: Windows 7 SP1
- Server: Windows Server 2008 R2 SP1
Mitigation: To mitigate this issue, Symantec and Norton released updates to their anti-virus software. Symantec Endpoint Protection protected devices can safely apply this update and future updates. See the Symantec support article for additional detail. Norton Security and Norton 360 products will automatically install a product update or users may manually run LiveUpdate and reboot until there are no further updates available.
Next Steps: The safeguard hold on affected devices will be removed in the coming week to allow customers time to apply the resolving anti-virus updates.
Back to top | August 13, 2019
KB4512506 | Mitigated External
| Last updated:
August 23, 2019
04:25 PM PT
Opened:
August 13, 2019
10:05 AM PT |
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with errorAfter installing KB4512506, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4517297. The ‘optional’ update is now available on Microsoft Update Catalog and Windows Server Update Services (WSUS).
Back to top | August 13, 2019
KB4512506 | Resolved
KB4517297 | Resolved:
August 16, 2019
02:00 PM PT
Opened:
August 14, 2019
03:34 PM PT |
| IA64 and x64 devices may fail to start after installing updates IA64 devices (in any configuration) and x64 devices using EFI boot that were provisioned after the July 9th updates and/or skipped the recommended update (KB3133977), may fail to start with the following error: \"File: \\Windows\\system32\\winload.efi Status: 0xc0000428 Info: Windows cannot verify the digital signature for this file.\"
Affected platforms: - Client: Windows 7 SP1
- Server: Windows Server 2008 R2 SP1
Take Action: To resolve this issue please follow the steps outlined in the SHA-2 support FAQ article for error code 0xc0000428.
Back to top | August 13, 2019
KB4512506 | Mitigated
| Last updated:
August 17, 2019
12:59 PM PT
Opened:
August 13, 2019
08:34 AM PT |
- | Windows updates that are SHA-2 signed may not be offered for Symantec and Norton AV Symantec has identified an issue that occurs when a device is running any Symantec or Norton antivirus program and installs updates for Windows that are signed with SHA-2 certificates only. The Windows updates are blocked or deleted by the antivirus program during installation, which may then cause Windows to stop working or fail to start.
Affected platforms: - Client: Windows 7 SP1
- Server: Windows Server 2008 R2 SP1
Next steps: To safeguard your update experience, Microsoft and Symantec have partnered to place a safeguard hold on devices with an affected version of Symantec Antivirus or Norton Antivirus installed to prevent them from receiving this type of Windows update until a solution is available. We recommend that you do not manually install affected updates until a solution is available. Please reach out to Symantec or Norton support for further guidance.
Back to top | August 13, 2019
KB4512506 | Investigating
| Last updated:
August 16, 2019
04:28 PM PT
Opened:
August 13, 2019
10:05 AM PT |
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devicesYou may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 ( KB4503292) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Back to top | June 11, 2019
KB4503292 | Resolved External
| Last updated:
August 09, 2019
07:03 PM PT
Opened:
August 09, 2019
04:25 PM PT |
"
diff --git a/windows/release-information/windows-message-center.yml b/windows/release-information/windows-message-center.yml
index 6cacd95c0a..0ff0106922 100644
--- a/windows/release-information/windows-message-center.yml
+++ b/windows/release-information/windows-message-center.yml
@@ -49,11 +49,13 @@ sections:
- type: markdown
text: "
| Message | Date |
- Resolved: Delays starting Internet Explorer 11
On August 16, 2019 at 7:16 AM a server required for downloading the Internet Explorer 11 (IE11) startup page, went down. As a result of the server outage, IE 11 became unresponsive for some customers who had not yet installed the August 2019 security updates. Customers who had the August 2019 security update installed were not affected. In order to ensure your devices remain in a serviced and secure state, we recommend you install the latest monthly update.
This issue was resolved on the server side at 1:00 pm PST. | August 16, 2019
04:00 PM PT |
+
+ Take action: SHA-2 code signing support guidance for Windows 7 SP1 and Windows Server 2008 RS2 SP1
Windows 7 SP1 and Windows Server 2008 R2 SP1 update signatures are now SHA-2 based signatures and requires that SHA-2 support to be installed. For important customer guidance on installation and troubleshooting tips, please read the knowledge base article 2019 SHA-2 Code Signing Support requirement for Windows and WSUS. | August 23, 2019
03:35 PM PT |
+ Take action: Windows 10, version 1703 (the Windows 10 Creators Update) reaches end of life on October 9, 2019
The Enterprise and Education editions of Windows 10, version 1703 (the Windows 10 Creators Update) will reach end of life on October 9, 2019. The Home, Pro, Pro for Workstations, and IoT Core editions reached end of service on October 8, 2018.
There is no extended support available for any edition of Windows 10, version 1703. Therefore, it will no longer be supported after October 9, 2019 and will not receive monthly security and quality updates containing protections from the latest security threats.
To continue receiving security and quality updates, Microsoft recommends that you update your devices to the latest version of Windows 10. For more information on end of service dates and currently supported versions of Windows 10, see the Windows lifecycle fact sheet. | August 23, 2019
02:17 PM PT |
+ Resolved: Delays starting Internet Explorer 11
On August 16, 2019 at 7:16 AM a server required for downloading the Internet Explorer 11 (IE11) startup page, went down. As a result of the server outage, IE 11 became unresponsive for some customers who had not yet installed the August 2019 security updates. Customers who had the August 2019 security update installed were not affected. In order to ensure your devices remain in a serviced and secure state, we recommend you install the latest monthly update.
This issue was resolved on the server side at 1:00 pm PST. | August 16, 2019
04:00 PM PT |
August 2019 security update now available for Windows 10, version 1903 and all supported versions of Windows
The August 2019 security update release, referred to as our “B” release, is now available for Windows 10, version 1903 and all supported versions of Windows. A “B” release is the primary, regular update event for each month and is the only regular release that contains security fixes. As a result, we recommend that you install these updates promptly. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. To be informed about the latest updates and releases, follow us on Twitter @WindowsUpdate. | August 13, 2019
10:00 AM PT |
Advisory: Bluetooth encryption key size vulnerability disclosed (CVE-2019-9506)
On August 13, 2019, Microsoft released security updates to address a Bluetooth key length encryption vulnerability. To exploit this vulnerability, an attacker would need specialized hardware and would be limited by the signal range of the Bluetooth devices in use. For more information about this industry-wide issue, see CVE-2019-9506 | Bluetooth Encryption Key Size Vulnerability in the Microsoft Security Update Guide and important guidance for IT pros in KB4514157. (Note: we are documenting this vulnerability together with guidance for IT admins as part of a coordinated industry disclosure effort.) | August 13, 2019
10:00 AM PT |
Advisory: Windows Advanced Local Procedure Call Elevation of Privilege vulnerability disclosed (CVE-2019-1162)
On August 13, 2019, Google Project Zero (GPZ) disclosed an Elevation of Privilege (EoP) vulnerability in how Windows handles calls to Advanced Local Procedure Call (ALPC) that affects Windows operating systems, versions 8.1 and higher. An attacker must already have code execution on the target system to leverage these vulnerabilities. Microsoft released security updates on August 13, 2019 that partially address this issue. Other items disclosed by GPZ require more time to address and we are working to release a resolution in mid-September. For more information, see CVE-2019-1162 | Windows ALPC Elevation of Privilege Vulnerability | August 13, 2019
10:00 AM PT |
- Take action: Install required updates for Windows 7 SP1 and Windows Server 2008 RS2 SP1 for SHA-2 code sign support
As of August 13, 2019, Windows 7 SP1 and Windows Server 2008 R2 SP1 updates signatures only support SHA-2 code signing. As outlined in 2019 SHA-2 Code Signing Support requirement for Windows and WSUS, we are requiring that SHA-2 code signing support be installed. If you have Windows Update enabled and have applied the security updates released in March 2019 ( KB4490628) and August 2019 ( KB4474419), you are protected automatically; no further configuration is necessary. If you have not installed the March 2019 updates, you will need to do so in order to continue to receive updates on devices running Windows 7 SP1 and Windows Server 2008 R2 SP1. | August 13, 2019
10:00 AM PT |
Take action: Windows 10, version 1803 (the April 2018 Update) reaches end of service on November 12, 2019
Windows 10, version 1803 (the April 2018 Update) will reach end of service on November 12, 2019 for Home and Pro editions. We will begin updating devices running Windows 10, version 1803 to Windows 10, version 1903 (the May 2019 Update) starting July 16, 2019 to help ensure that these devices remain in a serviced and secure state. For more information, see the Windows 10, version 1903 section of the Windows release health dashboard. | August 13, 2019
10:00 AM PT |
Advisory: Windows Kernel Information Disclosure Vulnerability (CVE-2019-1125)
On July 9, 2019, Microsoft released a security update for a Windows kernel information disclosure vulnerability (CVE-2019-1125). Customers who have Windows Update enabled and have applied the security updates released on July 9, 2019 are protected automatically; no further configuration is necessary. For more information, see CVE-2019-1125 | Windows Kernel Information Disclosure Vulnerability in the Microsoft Security Update Guide. (Note: we are documenting this mitigation publicly today, instead of back in July, as part of a coordinated industry disclosure effort.) | August 06, 2019
10:00 AM PT |
Resolved August 1, 2019 16:00 PT: Microsoft Store users may encounter blank screens when clicking on certain buttons
Some customers running the version of the Microsoft Store app released on July 29, 2019 encountered a blank screen when selecting “Switch out of S mode,” “Get Genuine,” or some “Upgrade to [version]” OS upgrade options. This issue has now been resolved and a new version of the Microsoft Store app has been released. Users who encountered this issue will need to update the Microsoft Store app on their device. If you are still encountering an issue, please see Fix problems with apps from Microsoft Store. | August 01, 2019
02:00 PM PT |
@@ -78,8 +80,8 @@ Given the potential impact to customers and their businesses, we have also relea
Reminder: Windows 10 update servicing cadence
This month we received questions about the cadence of updates we released in April and May 2019. Here's a quick recap of our releases and servicing cadence:
- April 9, 2019 was the regular Update Tuesday release for all versions of Windows.
-- May 1, 2019 was an \"optional,\" out of band non-security update (OOB) for Windows 10, version 1809. It was released to Microsoft Catalog and WSUS, providing a critical fix for our OEM partners.
-- May 3, 2019 was the \"optional\" Windows 10, version 1809 \"C\" release for April. This update contained important Japanese era packages for commercial customers to preview. It was released later than expected and mistakenly targeted as \"required\" (instead of \"optional\") for consumers, which pushed the update out to customers and required a reboot. Within 24 hours of receiving customer reports, we corrected the targeting logic and mitigated the issue.
+- May 1, 2019 was an \\\"optional,\\\" out of band non-security update (OOB) for Windows 10, version 1809. It was released to Microsoft Catalog and WSUS, providing a critical fix for our OEM partners.
+- May 3, 2019 was the \\\"optional\\\" Windows 10, version 1809 \\\"C\\\" release for April. This update contained important Japanese era packages for commercial customers to preview. It was released later than expected and mistakenly targeted as \\\"required\\\" (instead of \\\"optional\\\") for consumers, which pushed the update out to customers and required a reboot. Within 24 hours of receiving customer reports, we corrected the targeting logic and mitigated the issue.
For more information about the Windows 10 update servicing cadence, please see the Window IT Pro blog. | May 10, 2019
10:00 AM PT |
From fce1bad3d3fbc7d55389947953d14408922af0f7 Mon Sep 17 00:00:00 2001
From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com>
Date: Fri, 23 Aug 2019 20:04:08 -0700
Subject: [PATCH 34/61] Update
manage-connections-from-windows-operating-system-components-to-microsoft-services.md
---
...system-components-to-microsoft-services.md | 23 +++++++------------
1 file changed, 8 insertions(+), 15 deletions(-)
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index 361191b1d1..2756e0e71a 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -25,35 +25,28 @@ ms.date: 8/21/2019
- Windows Server 2016
- Windows Server 2019
-Learn about the network connections that Windows components make to Microsoft in addition to the privacy settings that affect the data which is shared with either Microsoft or apps and how they can be managed by an IT Pro using UI, Group Policies and Registry settings.
+This article describes the network connections that Windows 10 components make to Microsoft and the Windows Settings, Group Policies and Registry settings available to IT Professionals to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, there are a range of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article.
-If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider. You can configure diagnostic data at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment from the list in this article.
+Note: CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic is currently allowed traffic and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign.
-Note: CRL and OCSP network traffic is currently whitelisted and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of them, but there are many others, such as DigiCert, Thawte, Google, Symantec, and VeriSign.
+Note: For security reasons, it is important to take care in deciding which settings to configure as many of them will result in a less secure device. Examples of settings that can lead to a less secure device configuration are: disabling Windows Update, disabling Automatic Root Certificates Update, and disabling Windows Defender. We do not recommended disabling any of these features.
-Note: For security reasons you must very carefully decide which settings to configure as many of them will result in an insecure device. Examples of settings that we strongly recommend against and will result in an potentially insecure device configuration are: disabling Windows Update, disabling Automatic Root Certificates Update, and disabling Windows Defender. It is not recommended to disable any of these features.
+You can configure diagnostic data to the Security/Basic level, turn off Windows Defender diagnostic data and MSRT reporting, and turn off all other connections to Microsoft network endpoints as described in this article to reduce the amount of data sent from Windows 10 to Microsoft. There are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists, which is why we **strongly** recommend against disabling these settings. This data helps us deliver a secure, reliable, and more delightful personalized experience.
-You can configure diagnostic data at the Security/Basic level, turn off Windows Defender diagnostic data and MSRT (Malicious Software Removal Tool) reporting, and turn off all other connections to Microsoft network endpoints as described in this article to help prevent Windows from sending any data to Microsoft. However, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists, which is why we **strongly** recommend against this. This data helps us deliver a secure, reliable, and more delightful personalized experience. Additionally, if you turn off Windows Update and root certificate updates a wide range of web sites will produce certificate errors because they use certificates that will chain to un-trusted roots.
+To deploy the complete list of settings below to restrict connections from Windows 10 to Microsoft, you can apply the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887) when running as an Admin user, but **before application please ensure that Windows and Windows Defender are fully up to date**. Failure to do so may result in errors. Running the Windows Restricted Traffic Limited Functionality Baseline on devices in your organization will allow you to quickly configure all of the settings covered in this document. However, some of the settings reduce the functionality and security configuration of your device and are therefore not recommended. Make sure you've chosen the right settings configuration for your environment before applying. You should not extract this package to the windows\system32 folder because it will not apply correctly.
-To help make it easier to deploy settings to restrict connections from Windows 10 to Microsoft, you can apply the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887) when running as an Admin user, but **before application please ensure that Windows and Windows Defender are fully up to date**. Failure to do so may result in errors. This baseline was created in the same way as the [Windows security baselines](/windows/device-security/windows-security-baselines) that are often used to efficiently configure Windows to a known secure state.
-
-Running the Windows Restricted Traffic Limited Functionality Baseline on devices in your organization will allow you to quickly configure all of the settings covered in this document. However, some of the settings reduce the functionality and security configuration of your device and are therefore not recommended. Make sure you've chosen the right settings configuration for your environment before applying.
-You should not extract this package to the windows\\system32 folder because it will not apply correctly.
-
-Applying the Windows Restricted Traffic Limited Functionality Baseline is the same as applying each setting covered in this article.
-It is recommended that you restart a device after making configuration changes to it.
-Note that **Get Help** and **Give us Feedback** links no longer work after the Windows Restricted Traffic Limited Functionality Baseline is applied.
+Applying the Windows Restricted Traffic Limited Functionality Baseline is the same as applying each setting covered in this article. It is recommended that you restart a device after making configuration changes to it. Note that **Get Help** and **Give us Feedback** links no longer work after the Windows Restricted Traffic Limited Functionality Baseline is applied.
To use Microsoft InTune cloud based device management for restricting traffic please refer to the [Manage connections from Windows operating system components to Microsoft services using MDM](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm).
-We are always striving to improve our documentation and welcome your feedback. You can provide feedback by sending email to telmhelp@microsoft.com.
+We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com.
The "Allowed Traffic" endpoints for are listed here: [Allowed Traffic](#bkmk-allowedtraffic)
## Management options for each setting
-The following sections list the components that make network connections to Microsoft services by default. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure diagnostic data at the Security level, turn off Windows Defender diagnostic data and MSRT (Malicious Software Removal Tool) reporting, and turn off all of these connections.
+The following sections list the components that make network connections to Microsoft services by default. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure diagnostic data at the Security level, turn off Windows Defender diagnostic data and MSRT reporting, and turn off all of these connections.
### Settings for Windows 10 Enterprise edition
From d4b3f0f086bd6b675e66e45fc07377269bd211f8 Mon Sep 17 00:00:00 2001
From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com>
Date: Fri, 23 Aug 2019 23:24:59 -0700
Subject: [PATCH 35/61] Update
manage-connections-from-windows-operating-system-components-to-microsoft-services.md
---
...system-components-to-microsoft-services.md | 29 +++++++++----------
1 file changed, 14 insertions(+), 15 deletions(-)
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index 2756e0e71a..b2182c333b 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -1,5 +1,5 @@
---
-title: Manage connections from Windows operating system components to Microsoft services (Windows 10)
+title: Manage connections from Windows 10 operating system components to Microsoft services
description: If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider.
ms.assetid: ACCEB0DD-BC6F-41B1-B359-140B242183D9
ms.reviewer:
@@ -14,7 +14,7 @@ ms.author: dansimp
manager: dansimp
ms.collection: M365-security-compliance
ms.topic: article
-ms.date: 8/21/2019
+ms.date: 8/23/2019
---
# Manage connections from Windows operating system components to Microsoft services
@@ -25,23 +25,22 @@ ms.date: 8/21/2019
- Windows Server 2016
- Windows Server 2019
-This article describes the network connections that Windows 10 components make to Microsoft and the Windows Settings, Group Policies and Registry settings available to IT Professionals to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, there are a range of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article.
+This article describes the egress network connections that Windows 10 components make to Microsoft services, and it also provides the Windows settings, Group Policies and Registry settings available to IT Professionals to help manage those connections. If you would like to minimize the connections made from Windows 10 to Microsoft services, or custom configure certain Windows components to prevent egress network connections, there are several settings described in this article which you need to consider for your specific needs. For example, using the instructions in this article you could configure diagnostic data to the lowest level and individually evaluate each of the other connections Windows 10 makes to Microsoft services.
-Note: CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic is currently allowed traffic and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign.
+Note: CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) egress traffic is currently allowed traffic and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities and there are others such as DigiCert, Google, Symantec, Thawte, and VeriSign.
-Note: For security reasons, it is important to take care in deciding which settings to configure as many of them will result in a less secure device. Examples of settings that can lead to a less secure device configuration are: disabling Windows Update, disabling Automatic Root Certificates Update, and disabling Windows Defender. We do not recommended disabling any of these features.
+For security reasons, it is important to carefully decide which settings to configure since several important settings will result in a less secure device. Examples of these settings are: Windows Update, Automatic Root Certificates Update, and Windows Defender. We do not recommended disabling any of these features as they help Microsoft deliver a secure, reliable, and more delightful personalized experience.
-You can configure diagnostic data to the Security/Basic level, turn off Windows Defender diagnostic data and MSRT reporting, and turn off all other connections to Microsoft network endpoints as described in this article to reduce the amount of data sent from Windows 10 to Microsoft. There are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists, which is why we **strongly** recommend against disabling these settings. This data helps us deliver a secure, reliable, and more delightful personalized experience.
+However, if you still wish to quickly configure all of the settings covered in this article you can do so by running the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887) script on devices in your organization. This is an automated script to help IT Professionals apply all the settings easily and accurately. **Before running the script ensure that Windows 10 and Windows Defender are fully up to date**. Failure to do so may result in errors or unexpected behavior. Here are a few important deployment notes in the event you decide to run the Windows Restricted Traffic Limited Functionality Baseline script:
+• You should not extract this package to the windows\system32 folder because it will not apply correctly
+• It is recommended that you restart the device after making configuration changes to it.
+• **Get Help** and **Give us Feedback** links no longer work after the Windows Restricted Traffic Limited Functionality Baseline has been applied.
-To deploy the complete list of settings below to restrict connections from Windows 10 to Microsoft, you can apply the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887) when running as an Admin user, but **before application please ensure that Windows and Windows Defender are fully up to date**. Failure to do so may result in errors. Running the Windows Restricted Traffic Limited Functionality Baseline on devices in your organization will allow you to quickly configure all of the settings covered in this document. However, some of the settings reduce the functionality and security configuration of your device and are therefore not recommended. Make sure you've chosen the right settings configuration for your environment before applying. You should not extract this package to the windows\system32 folder because it will not apply correctly.
+To use Microsoft Intune cloud based device management for restricting traffic please refer to the [Manage connections from Windows operating system components to Microsoft services using MDM](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm).
-Applying the Windows Restricted Traffic Limited Functionality Baseline is the same as applying each setting covered in this article. It is recommended that you restart a device after making configuration changes to it. Note that **Get Help** and **Give us Feedback** links no longer work after the Windows Restricted Traffic Limited Functionality Baseline is applied.
+We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting **telmhelp@microsoft.com**.
-To use Microsoft InTune cloud based device management for restricting traffic please refer to the [Manage connections from Windows operating system components to Microsoft services using MDM](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm).
-
-We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com.
-
-The "Allowed Traffic" endpoints for are listed here: [Allowed Traffic](#bkmk-allowedtraffic)
+The "Allowed Traffic" endpoints are listed at the bottom of this article. To jump to that section click: [Allowed Traffic](#bkmk-allowedtraffic)
## Management options for each setting
@@ -259,7 +258,7 @@ On Windows Server 2016 Nano Server:
- Create the registry path **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\AuthRoot** and then add a REG_DWORD registry setting, named **DisableRootAutoUpdate**, with a value of 1.
>[!NOTE]
->CRL and OCSP network traffic is currently whitelisted and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of them, but there are many others, such as DigiCert, Thawte, Google, Symantec, and VeriSign.
+>CRL and OCSP network traffic is currently Allowed Traffic and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of them, but there are many others, such as DigiCert, Thawte, Google, Symantec, and VeriSign.
### 2. Cortana and Search
@@ -389,7 +388,7 @@ Windows Insider Preview builds only apply to Windows 10 and are not available fo
> [!NOTE]
-> If you upgrade a device that is configured to minimize connections from Windows to Microsoft services (that is, a device configured for zero exhaust) to a Windows Insider Preview build, the Feedback & Diagnostic setting will automatically be set to **Full**. Although the diagnostic data level may initially appear as **Basic**, a few hours after the UI is refreshed or the machine is rebooted, the setting will become **Full**.
+> If you upgrade a device that is configured to minimize connections from Windows to Microsoft services (that is, a device configured for Restricted Traffic) to a Windows Insider Preview build, the Feedback & Diagnostic setting will automatically be set to **Full**. Although the diagnostic data level may initially appear as **Basic**, a few hours after the UI is refreshed or the machine is rebooted, the setting will become **Full**.
To turn off Insider Preview builds for a released version of Windows 10:
From e58e97c7026a96dad3882bf8feff0863a5a70f65 Mon Sep 17 00:00:00 2001
From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com>
Date: Fri, 23 Aug 2019 23:26:19 -0700
Subject: [PATCH 36/61] Update
manage-connections-from-windows-operating-system-components-to-microsoft-services.md
---
...ws-operating-system-components-to-microsoft-services.md | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index b2182c333b..3c359f2303 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -32,9 +32,10 @@ Note: CRL (Certificate Revocation List) and OCSP (Online Certificate Status Prot
For security reasons, it is important to carefully decide which settings to configure since several important settings will result in a less secure device. Examples of these settings are: Windows Update, Automatic Root Certificates Update, and Windows Defender. We do not recommended disabling any of these features as they help Microsoft deliver a secure, reliable, and more delightful personalized experience.
However, if you still wish to quickly configure all of the settings covered in this article you can do so by running the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887) script on devices in your organization. This is an automated script to help IT Professionals apply all the settings easily and accurately. **Before running the script ensure that Windows 10 and Windows Defender are fully up to date**. Failure to do so may result in errors or unexpected behavior. Here are a few important deployment notes in the event you decide to run the Windows Restricted Traffic Limited Functionality Baseline script:
-• You should not extract this package to the windows\system32 folder because it will not apply correctly
-• It is recommended that you restart the device after making configuration changes to it.
-• **Get Help** and **Give us Feedback** links no longer work after the Windows Restricted Traffic Limited Functionality Baseline has been applied.
+
+- You should not extract this package to the windows\system32 folder because it will not apply correctly
+- It is recommended that you restart the device after making configuration changes to it.
+- **Get Help** and **Give us Feedback** links no longer work after the Windows Restricted Traffic Limited Functionality Baseline has been applied.
To use Microsoft Intune cloud based device management for restricting traffic please refer to the [Manage connections from Windows operating system components to Microsoft services using MDM](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm).
From ae05231c212f5bebac8fa81f24a695f92be0ed7c Mon Sep 17 00:00:00 2001
From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com>
Date: Fri, 23 Aug 2019 23:28:05 -0700
Subject: [PATCH 37/61] Update
manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
---
...ating-system-components-to-microsoft-services-using-MDM.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
index 16505fd2e7..3a7eed115d 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
@@ -9,7 +9,7 @@ ms.sitesec: library
ms.localizationpriority: medium
author: medgarmedgar
ms.author: v-medgar
-ms.date: 8/21/2019
+ms.date: 8/23/2019
---
# Manage connections from Windows operating system components to Microsoft services using Microsoft Intune MDM Server
@@ -22,7 +22,7 @@ Learn about the network connections that Windows components make to Microsoft in
If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider. You can configure diagnostic data at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment from the list in this article.
-Note: CRL and OCSP network traffic is currently whitelisted and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of them, but there are many others, such as DigiCert, Thawte, Google, Symantec, and VeriSign.
+Note: CRL and OCSP network traffic is currently Allowed Traffic and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of them, but there are many others, such as DigiCert, Thawte, Google, Symantec, and VeriSign.
Note: For security reasons you must very carefully decide which settings to configure as many of them will result in an insecure device. Examples of settings that we strongly recommend against and will result in an potentially insecure device configuration are: disabling Windows Update and disabling Windows Defender. It is not recommended to disable either of these features.
From e9e744962ad75f1d2e3298356b896a6a67a7afdf Mon Sep 17 00:00:00 2001
From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com>
Date: Fri, 23 Aug 2019 23:33:54 -0700
Subject: [PATCH 38/61] Update
manage-connections-from-windows-operating-system-components-to-microsoft-services.md
---
...windows-operating-system-components-to-microsoft-services.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index 3c359f2303..6e22b2c01d 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -27,7 +27,7 @@ ms.date: 8/23/2019
This article describes the egress network connections that Windows 10 components make to Microsoft services, and it also provides the Windows settings, Group Policies and Registry settings available to IT Professionals to help manage those connections. If you would like to minimize the connections made from Windows 10 to Microsoft services, or custom configure certain Windows components to prevent egress network connections, there are several settings described in this article which you need to consider for your specific needs. For example, using the instructions in this article you could configure diagnostic data to the lowest level and individually evaluate each of the other connections Windows 10 makes to Microsoft services.
-Note: CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) egress traffic is currently allowed traffic and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities and there are others such as DigiCert, Google, Symantec, Thawte, and VeriSign.
+Note: Even if all of the settings described in this article are applied CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) egress traffic will still exist since it is Allowed Traffic. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities and there are others such as DigiCert, Google, Symantec, Thawte, and VeriSign.
For security reasons, it is important to carefully decide which settings to configure since several important settings will result in a less secure device. Examples of these settings are: Windows Update, Automatic Root Certificates Update, and Windows Defender. We do not recommended disabling any of these features as they help Microsoft deliver a secure, reliable, and more delightful personalized experience.
From fc65d55d5eb465170e7766662bb2a3934e8c905a Mon Sep 17 00:00:00 2001
From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com>
Date: Sat, 24 Aug 2019 00:52:46 -0700
Subject: [PATCH 39/61] Update
manage-connections-from-windows-operating-system-components-to-microsoft-services.md
---
...windows-operating-system-components-to-microsoft-services.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index 6e22b2c01d..80bf7d294c 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -39,7 +39,7 @@ However, if you still wish to quickly configure all of the settings covered in t
To use Microsoft Intune cloud based device management for restricting traffic please refer to the [Manage connections from Windows operating system components to Microsoft services using MDM](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm).
-We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting **telmhelp@microsoft.com**.
+We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting **telmhelp**@**microsoft.com**.
The "Allowed Traffic" endpoints are listed at the bottom of this article. To jump to that section click: [Allowed Traffic](#bkmk-allowedtraffic)
From e5f2ad87a92a599575e21846bf67a6098d78a10a Mon Sep 17 00:00:00 2001
From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com>
Date: Sat, 24 Aug 2019 01:59:30 -0700
Subject: [PATCH 40/61] Update
manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
---
...ponents-to-microsoft-services-using-MDM.md | 21 ++++++-------------
1 file changed, 6 insertions(+), 15 deletions(-)
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
index 3a7eed115d..24488f94c9 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
@@ -12,36 +12,27 @@ ms.author: v-medgar
ms.date: 8/23/2019
---
-# Manage connections from Windows operating system components to Microsoft services using Microsoft Intune MDM Server
+# Manage connections from Windows 10 operating system components to Microsoft services using Microsoft Intune MDM Server
**Applies to**
- Windows 10 Enterprise 1903 version and newer
-Learn about the network connections that Windows components make to Microsoft in addition to the privacy settings that affect the data which is shared with either Microsoft or apps and how they can be managed by an IT Pro using MDM/CSP and custom OMA URIs policies.
+This article describes the egress network connections that Windows 10 components make to Microsoft services, and it also provides the Mobile Device Management/Configuration Service Provider (MDM/CSP) and custom Open Mobile Alliance Uniform Resource Identifier ([OMA URI](https://docs.microsoft.com/intune/custom-settings-windows-10)) policies available to IT Professionals to help manage those connections. If you would like to reduce the connections made from Windows 10 to Microsoft services, or custom configure certain Windows components to help reduce egress network connections, there are several settings described in this article which you need to consider for your specific needs. For example, using the instructions in this article you could configure diagnostic data to the lowest level and individually evaluate each of the other connections Windows 10 makes to Microsoft services.
-If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider. You can configure diagnostic data at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment from the list in this article.
+Note: Even if all of the settings described in this article are applied CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) egress traffic will still exist since it is “Allowed Traffic”. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities and there are others such as DigiCert, Google, Symantec, Thawte, and VeriSign. Additionally, there is some traffic which is specifically required for the Microsoft Intune based management of Windows 10 devices. This traffic includes Windows Notifications Service (WNS), Automatic Root Certificates Update (ARCU), and some Windows Update related traffic. The aforementioned traffic comprises the "Allowed Traffic" for Microsoft Intune MDM Server to manage Windows 10 devices.
-Note: CRL and OCSP network traffic is currently Allowed Traffic and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of them, but there are many others, such as DigiCert, Thawte, Google, Symantec, and VeriSign.
-
-Note: For security reasons you must very carefully decide which settings to configure as many of them will result in an insecure device. Examples of settings that we strongly recommend against and will result in an potentially insecure device configuration are: disabling Windows Update and disabling Windows Defender. It is not recommended to disable either of these features.
-
-You can configure diagnostic data at the Security/Basic level, turn off Windows Defender diagnostic data and MSRT (Malicious Software Removal Tool) reporting, and turn off all other connections to Microsoft network endpoints as described in this article to help prevent Windows from sending any data to Microsoft. However, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists, which is why we **strongly** recommend against this. This data helps Microsoft deliver a secure, reliable, and more delightful personalized experience. Additionally, if you turn off Windows Update a wide range of web sites will produce certificate errors because they use certificates that will chain to un-trusted roots.
-
-You can use Microsoft Intune with MDM CSPs and custom [OMA URIs](https://docs.microsoft.com/intune/custom-settings-windows-10) to minimize connections from Windows to Microsoft services, or to configure particular privacy settings. You can configure diagnostic data at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment from the list in this article.
+For security reasons, it is important to carefully decide which settings to configure since several important settings will result in a less secure device. In an MDM configuration examples of these settings are Windows Update and Windows Defender. We do not recommended disabling these features as they help Microsoft deliver a secure, reliable, and more delightful personalized experience.
To ensure CSPs take priority over Group Policies in case of conflicts, use the [ControlPolicyConflict](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy.
-There is some traffic which is required (i.e. "Allowed Traffic") for the operation of Windows and Microsoft Intune based management. This traffic includes CRL and OCSP network traffic which will show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of them, but there are many others, such as DigiCert, Thawte, Google, Symantec, and VeriSign. Additional "Allowed Traffic" specifically for MDM managed devices includes Windows Notification Service related traffic as well as some specific Microsoft Intune and Windows Update related traffic.
-
For more information on Microsoft Intune please see [Transform IT service delivery for your modern workplace](https://www.microsoft.com/en-us/enterprise-mobility-security/microsoft-intune?rtc=1) and [Microsoft Intune documentation](https://docs.microsoft.com/intune/).
For detailed information about managing network connections to Microsoft services using Registries, Group Policies, or UI see [Manage connections from Windows operating system components to Microsoft services](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services).
-Note that the **Get Help** and **Give us Feedback** links in Windows may no longer work after applying some or all of the MDM/CSP settings. However, we are always striving to improve our documentation and welcome your feedback. You can provide feedback by sending email to telmhelp@microsoft.com.
-
-The "Allowed Traffic" endpoints for an MDM configuration are here: [Allowed Traffic](#bkmk-mdm-allowedtraffic)
+Note that the **Get Help** and **Give us Feedback** links in Windows may no longer work after applying some or all of the MDM/CSP settings. However, we are always striving to improve our documentation and welcome your feedback. You can provide feedback by sending email to **telmhelp**@**microsoft.com**.
+The "Allowed Traffic" endpoints are listed at the bottom of this article. To jump to that section click: [Allowed Traffic](#bkmk-mdm-allowedtraffic)
### Settings for Windows 10 Enterprise edition 1903 and newer
From a21367b5a30534fa3c89a878bdaba123b7617dae Mon Sep 17 00:00:00 2001
From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com>
Date: Sat, 24 Aug 2019 07:11:43 -0700
Subject: [PATCH 41/61] Update
manage-connections-from-windows-operating-system-components-to-microsoft-services.md
---
...windows-operating-system-components-to-microsoft-services.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index 80bf7d294c..13946a3935 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -17,7 +17,7 @@ ms.topic: article
ms.date: 8/23/2019
---
-# Manage connections from Windows operating system components to Microsoft services
+# Manage connections from Windows 10 operating system components to Microsoft services
**Applies to**
From 91ac3260421c7940b2cee0971e90c1eb88634915 Mon Sep 17 00:00:00 2001
From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com>
Date: Sat, 24 Aug 2019 07:26:14 -0700
Subject: [PATCH 42/61] Update
manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
---
...erating-system-components-to-microsoft-services-using-MDM.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
index 24488f94c9..ff74b27252 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
@@ -22,7 +22,7 @@ This article describes the egress network connections that Windows 10 components
Note: Even if all of the settings described in this article are applied CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) egress traffic will still exist since it is “Allowed Traffic”. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities and there are others such as DigiCert, Google, Symantec, Thawte, and VeriSign. Additionally, there is some traffic which is specifically required for the Microsoft Intune based management of Windows 10 devices. This traffic includes Windows Notifications Service (WNS), Automatic Root Certificates Update (ARCU), and some Windows Update related traffic. The aforementioned traffic comprises the "Allowed Traffic" for Microsoft Intune MDM Server to manage Windows 10 devices.
-For security reasons, it is important to carefully decide which settings to configure since several important settings will result in a less secure device. In an MDM configuration examples of these settings are Windows Update and Windows Defender. We do not recommended disabling these features as they help Microsoft deliver a secure, reliable, and more delightful personalized experience.
+For security reasons, it is important to carefully decide which settings to configure since several important settings will result in a less secure device. In a MDM configuration examples of these settings are Windows Update and Windows Defender. We do not recommended disabling these features as they help Microsoft deliver a secure, reliable, and more delightful personalized experience.
To ensure CSPs take priority over Group Policies in case of conflicts, use the [ControlPolicyConflict](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy.
From 97e9ebd860b6ee6d4feb3566a9932386ea5ffc6b Mon Sep 17 00:00:00 2001
From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com>
Date: Sat, 24 Aug 2019 13:08:22 -0700
Subject: [PATCH 43/61] Update
manage-connections-from-windows-operating-system-components-to-microsoft-services.md
---
...system-components-to-microsoft-services.md | 26 +++++++++++--------
1 file changed, 15 insertions(+), 11 deletions(-)
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index 13946a3935..044d9f5ae2 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -25,23 +25,27 @@ ms.date: 8/23/2019
- Windows Server 2016
- Windows Server 2019
-This article describes the egress network connections that Windows 10 components make to Microsoft services, and it also provides the Windows settings, Group Policies and Registry settings available to IT Professionals to help manage those connections. If you would like to minimize the connections made from Windows 10 to Microsoft services, or custom configure certain Windows components to prevent egress network connections, there are several settings described in this article which you need to consider for your specific needs. For example, using the instructions in this article you could configure diagnostic data to the lowest level and individually evaluate each of the other connections Windows 10 makes to Microsoft services.
+This article describes the network connections that Windows 10 components make to Microsoft and the Windows settings, Group Policies and registry settings available to IT Professionals to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a number of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience.
-Note: Even if all of the settings described in this article are applied CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) egress traffic will still exist since it is Allowed Traffic. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities and there are others such as DigiCert, Google, Symantec, Thawte, and VeriSign.
+Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887) package that will allow your organization to quickly configure the settings covered in this document to restrict connections from Windows 10 to Microsoft. The Windows Restricted Traffic Limited Baseline is based on [Group Policy Administrative Template](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) functionality and the package you download contains further instructions on how to deploy to devices in your organization. Since some of the settings can reduce the functionality and security configuration of your device, **before deploying Windows Restricted Traffic Limited Functionality Baseline** make sure you **choose the right settings configuration for your environment** and **ensure that Windows and Windows Defender are fully up to date**. Failure to do so may result in errors or unexpected behavior. You should not extract this package to the windows\system32 folder because it will not apply correctly.
-For security reasons, it is important to carefully decide which settings to configure since several important settings will result in a less secure device. Examples of these settings are: Windows Update, Automatic Root Certificates Update, and Windows Defender. We do not recommended disabling any of these features as they help Microsoft deliver a secure, reliable, and more delightful personalized experience.
+Notes:
+- The Allowed Traffic endpoints are listed here: Allowed Traffic.
+ -- CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign.
+- For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device. Examples of settings that can lead to a less secure device configuration include: disabling Windows Update, disabling Automatic Root Certificates Update, and disabling Windows Defender. Accordingly, we do not recommend disabling any of these features.
+- It is recommended that you restart a device after making configuration changes to it.
+- The Get Help and Give us Feedback links no longer work after the Windows Restricted Traffic Limited Functionality Baseline is applied.
-However, if you still wish to quickly configure all of the settings covered in this article you can do so by running the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887) script on devices in your organization. This is an automated script to help IT Professionals apply all the settings easily and accurately. **Before running the script ensure that Windows 10 and Windows Defender are fully up to date**. Failure to do so may result in errors or unexpected behavior. Here are a few important deployment notes in the event you decide to run the Windows Restricted Traffic Limited Functionality Baseline script:
-
-- You should not extract this package to the windows\system32 folder because it will not apply correctly
-- It is recommended that you restart the device after making configuration changes to it.
-- **Get Help** and **Give us Feedback** links no longer work after the Windows Restricted Traffic Limited Functionality Baseline has been applied.
-
-To use Microsoft Intune cloud based device management for restricting traffic please refer to the [Manage connections from Windows operating system components to Microsoft services using MDM](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm).
+To use Microsoft InTune cloud based device management for restricting traffic please refer to the [Manage connections from Windows operating system components to Microsoft services using MDM](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm)
We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting **telmhelp**@**microsoft.com**.
-The "Allowed Traffic" endpoints are listed at the bottom of this article. To jump to that section click: [Allowed Traffic](#bkmk-allowedtraffic)
+Management options for each setting
+
+The following sections list the components that make network connections to Microsoft services by default. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure diagnostic data at the Security level, turn off Windows Defender diagnostic data and MSRT reporting, and turn off all of these connections.
+Settings for Windows 10 Enterprise edition
+
+The following table lists management options for each setting, beginning with Windows 10 Enterprise version 1607.
## Management options for each setting
From e4a2ce9c73e2d121ce950a7da2a258ad48583362 Mon Sep 17 00:00:00 2001
From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com>
Date: Sat, 24 Aug 2019 13:10:57 -0700
Subject: [PATCH 44/61] Update
manage-connections-from-windows-operating-system-components-to-microsoft-services.md
---
...windows-operating-system-components-to-microsoft-services.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index 044d9f5ae2..ef4a10105a 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -31,7 +31,7 @@ Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline]
Notes:
- The Allowed Traffic endpoints are listed here: Allowed Traffic.
- -- CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign.
+ - CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign.
- For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device. Examples of settings that can lead to a less secure device configuration include: disabling Windows Update, disabling Automatic Root Certificates Update, and disabling Windows Defender. Accordingly, we do not recommend disabling any of these features.
- It is recommended that you restart a device after making configuration changes to it.
- The Get Help and Give us Feedback links no longer work after the Windows Restricted Traffic Limited Functionality Baseline is applied.
From 40fb5d959d1df702447664a837eddf365229d258 Mon Sep 17 00:00:00 2001
From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com>
Date: Sat, 24 Aug 2019 13:13:25 -0700
Subject: [PATCH 45/61] Update
manage-connections-from-windows-operating-system-components-to-microsoft-services.md
---
...windows-operating-system-components-to-microsoft-services.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index ef4a10105a..fbee2a8966 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -30,7 +30,7 @@ This article describes the network connections that Windows 10 components make t
Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887) package that will allow your organization to quickly configure the settings covered in this document to restrict connections from Windows 10 to Microsoft. The Windows Restricted Traffic Limited Baseline is based on [Group Policy Administrative Template](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) functionality and the package you download contains further instructions on how to deploy to devices in your organization. Since some of the settings can reduce the functionality and security configuration of your device, **before deploying Windows Restricted Traffic Limited Functionality Baseline** make sure you **choose the right settings configuration for your environment** and **ensure that Windows and Windows Defender are fully up to date**. Failure to do so may result in errors or unexpected behavior. You should not extract this package to the windows\system32 folder because it will not apply correctly.
Notes:
-- The Allowed Traffic endpoints are listed here: Allowed Traffic.
+- The Allowed Traffic endpoints are listed here: [Allowed Traffic](g#bkmk-allowedtraffic).
- CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign.
- For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device. Examples of settings that can lead to a less secure device configuration include: disabling Windows Update, disabling Automatic Root Certificates Update, and disabling Windows Defender. Accordingly, we do not recommend disabling any of these features.
- It is recommended that you restart a device after making configuration changes to it.
From 9274955165c033f33b1af6c92eefaf01d8980dfb Mon Sep 17 00:00:00 2001
From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com>
Date: Sat, 24 Aug 2019 13:13:54 -0700
Subject: [PATCH 46/61] Update
manage-connections-from-windows-operating-system-components-to-microsoft-services.md
---
...windows-operating-system-components-to-microsoft-services.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index fbee2a8966..fe5c71d2cf 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -30,7 +30,7 @@ This article describes the network connections that Windows 10 components make t
Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887) package that will allow your organization to quickly configure the settings covered in this document to restrict connections from Windows 10 to Microsoft. The Windows Restricted Traffic Limited Baseline is based on [Group Policy Administrative Template](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) functionality and the package you download contains further instructions on how to deploy to devices in your organization. Since some of the settings can reduce the functionality and security configuration of your device, **before deploying Windows Restricted Traffic Limited Functionality Baseline** make sure you **choose the right settings configuration for your environment** and **ensure that Windows and Windows Defender are fully up to date**. Failure to do so may result in errors or unexpected behavior. You should not extract this package to the windows\system32 folder because it will not apply correctly.
Notes:
-- The Allowed Traffic endpoints are listed here: [Allowed Traffic](g#bkmk-allowedtraffic).
+- The Allowed Traffic endpoints are listed here: [Allowed Traffic](#bkmk-allowedtraffic).
- CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign.
- For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device. Examples of settings that can lead to a less secure device configuration include: disabling Windows Update, disabling Automatic Root Certificates Update, and disabling Windows Defender. Accordingly, we do not recommend disabling any of these features.
- It is recommended that you restart a device after making configuration changes to it.
From 0a084d561bf646b7d77802807c8e7f526ea7d136 Mon Sep 17 00:00:00 2001
From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com>
Date: Sat, 24 Aug 2019 13:23:26 -0700
Subject: [PATCH 47/61] Update
manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
---
...mponents-to-microsoft-services-using-MDM.md | 18 ++++++++++--------
1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
index ff74b27252..db0fafaefa 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
@@ -18,21 +18,23 @@ ms.date: 8/23/2019
- Windows 10 Enterprise 1903 version and newer
-This article describes the egress network connections that Windows 10 components make to Microsoft services, and it also provides the Mobile Device Management/Configuration Service Provider (MDM/CSP) and custom Open Mobile Alliance Uniform Resource Identifier ([OMA URI](https://docs.microsoft.com/intune/custom-settings-windows-10)) policies available to IT Professionals to help manage those connections. If you would like to reduce the connections made from Windows 10 to Microsoft services, or custom configure certain Windows components to help reduce egress network connections, there are several settings described in this article which you need to consider for your specific needs. For example, using the instructions in this article you could configure diagnostic data to the lowest level and individually evaluate each of the other connections Windows 10 makes to Microsoft services.
-Note: Even if all of the settings described in this article are applied CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) egress traffic will still exist since it is “Allowed Traffic”. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities and there are others such as DigiCert, Google, Symantec, Thawte, and VeriSign. Additionally, there is some traffic which is specifically required for the Microsoft Intune based management of Windows 10 devices. This traffic includes Windows Notifications Service (WNS), Automatic Root Certificates Update (ARCU), and some Windows Update related traffic. The aforementioned traffic comprises the "Allowed Traffic" for Microsoft Intune MDM Server to manage Windows 10 devices.
+This article describes the network connections that Windows 10 components make to Microsoft and the Mobile Device Management/Configuration Service Provider (MDM/CSP) and custom Open Mobile Alliance Uniform Resource Identifier ([OMA URI](https://docs.microsoft.com/intune/custom-settings-windows-10)) policies available to IT Professionals using Microsoft InTune to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a range of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience.
-For security reasons, it is important to carefully decide which settings to configure since several important settings will result in a less secure device. In a MDM configuration examples of these settings are Windows Update and Windows Defender. We do not recommended disabling these features as they help Microsoft deliver a secure, reliable, and more delightful personalized experience.
-
-To ensure CSPs take priority over Group Policies in case of conflicts, use the [ControlPolicyConflict](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy.
+Notes:
+- The Allowed Traffic endpoints for an MDM configuration are here: Allowed Traffic
+ - CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign.
+- There is some traffic which is specifically required for the Microsoft Intune based management of Windows 10 devices. This traffic includes Windows Notifications Service (WNS), Automatic Root Certificates Update (ARCU), and some Windows Update related traffic. The aforementioned traffic comprises the Allowed Traffic for Microsoft Intune MDM Server to manage Windows 10 devices.
+- For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device. Examples of settings that can lead to a less secure device configuration include: disabling Windows Update, disabling Automatic Root Certificates Update, and disabling Windows Defender. Accordingly, we do not recommend disabling any of these features.
+- To ensure CSPs take priority over Group Policies in case of conflicts, use the [ControlPolicyConflict](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy.
+- The **Get Help** and **Give us Feedback** links in Windows may no longer work after applying some or all of the MDM/CSP settings.
For more information on Microsoft Intune please see [Transform IT service delivery for your modern workplace](https://www.microsoft.com/en-us/enterprise-mobility-security/microsoft-intune?rtc=1) and [Microsoft Intune documentation](https://docs.microsoft.com/intune/).
-For detailed information about managing network connections to Microsoft services using Registries, Group Policies, or UI see [Manage connections from Windows operating system components to Microsoft services](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services).
+For detailed information about managing network connections to Microsoft services using Windows Settings, Group Policies and Registry settings see [Manage connections from Windows operating system components to Microsoft services](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services).
-Note that the **Get Help** and **Give us Feedback** links in Windows may no longer work after applying some or all of the MDM/CSP settings. However, we are always striving to improve our documentation and welcome your feedback. You can provide feedback by sending email to **telmhelp**@**microsoft.com**.
+We are always striving to improve our documentation and welcome your feedback. You can provide feedback by sending email to **telmhelp**@**microsoft.com**.
-The "Allowed Traffic" endpoints are listed at the bottom of this article. To jump to that section click: [Allowed Traffic](#bkmk-mdm-allowedtraffic)
### Settings for Windows 10 Enterprise edition 1903 and newer
From 39d7719f50fd33578d2598ce64b8252441afe81c Mon Sep 17 00:00:00 2001
From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com>
Date: Sat, 24 Aug 2019 13:24:44 -0700
Subject: [PATCH 48/61] Update
manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
---
...erating-system-components-to-microsoft-services-using-MDM.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
index db0fafaefa..65b08b68f4 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
@@ -31,7 +31,7 @@ Notes:
For more information on Microsoft Intune please see [Transform IT service delivery for your modern workplace](https://www.microsoft.com/en-us/enterprise-mobility-security/microsoft-intune?rtc=1) and [Microsoft Intune documentation](https://docs.microsoft.com/intune/).
-For detailed information about managing network connections to Microsoft services using Windows Settings, Group Policies and Registry settings see [Manage connections from Windows operating system components to Microsoft services](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services).
+For detailed information about managing network connections to Microsoft services using Windows Settings, Group Policies and Registry settings see [Manage connections from Windows 10 operating system components to Microsoft services](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services).
We are always striving to improve our documentation and welcome your feedback. You can provide feedback by sending email to **telmhelp**@**microsoft.com**.
From 7572ccf2bf06d57a6904b63294139dc9b7b4285b Mon Sep 17 00:00:00 2001
From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com>
Date: Sat, 24 Aug 2019 13:26:26 -0700
Subject: [PATCH 49/61] Update
manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
---
...erating-system-components-to-microsoft-services-using-MDM.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
index 65b08b68f4..91c6c9320f 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
@@ -22,7 +22,7 @@ ms.date: 8/23/2019
This article describes the network connections that Windows 10 components make to Microsoft and the Mobile Device Management/Configuration Service Provider (MDM/CSP) and custom Open Mobile Alliance Uniform Resource Identifier ([OMA URI](https://docs.microsoft.com/intune/custom-settings-windows-10)) policies available to IT Professionals using Microsoft InTune to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a range of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience.
Notes:
-- The Allowed Traffic endpoints for an MDM configuration are here: Allowed Traffic
+- The Allowed Traffic endpoints for an MDM configuration are here: [Allowed Traffic](#bkmk-mdm-allowedtraffic)
- CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign.
- There is some traffic which is specifically required for the Microsoft Intune based management of Windows 10 devices. This traffic includes Windows Notifications Service (WNS), Automatic Root Certificates Update (ARCU), and some Windows Update related traffic. The aforementioned traffic comprises the Allowed Traffic for Microsoft Intune MDM Server to manage Windows 10 devices.
- For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device. Examples of settings that can lead to a less secure device configuration include: disabling Windows Update, disabling Automatic Root Certificates Update, and disabling Windows Defender. Accordingly, we do not recommend disabling any of these features.
From 7267e5adeb04122fd931d6852a3bcfb93ee87b81 Mon Sep 17 00:00:00 2001
From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com>
Date: Sat, 24 Aug 2019 13:27:32 -0700
Subject: [PATCH 50/61] Update
manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
---
...erating-system-components-to-microsoft-services-using-MDM.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
index 91c6c9320f..ecf093ed88 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
@@ -19,7 +19,7 @@ ms.date: 8/23/2019
- Windows 10 Enterprise 1903 version and newer
-This article describes the network connections that Windows 10 components make to Microsoft and the Mobile Device Management/Configuration Service Provider (MDM/CSP) and custom Open Mobile Alliance Uniform Resource Identifier ([OMA URI](https://docs.microsoft.com/intune/custom-settings-windows-10)) policies available to IT Professionals using Microsoft InTune to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a range of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience.
+This article describes the network connections that Windows 10 components make to Microsoft and the Mobile Device Management/Configuration Service Provider (MDM/CSP) and custom Open Mobile Alliance Uniform Resource Identifier ([OMA URI](https://docs.microsoft.com/intune/custom-settings-windows-10)) policies available to IT Professionals using Microsoft Intune to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a range of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience.
Notes:
- The Allowed Traffic endpoints for an MDM configuration are here: [Allowed Traffic](#bkmk-mdm-allowedtraffic)
From c8bb10ec4e1c74ac0b4385e75e961880b3b5e66a Mon Sep 17 00:00:00 2001
From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com>
Date: Sat, 24 Aug 2019 13:28:37 -0700
Subject: [PATCH 51/61] Update
manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
---
...erating-system-components-to-microsoft-services-using-MDM.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
index ecf093ed88..efef6e3119 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
@@ -24,7 +24,7 @@ This article describes the network connections that Windows 10 components make t
Notes:
- The Allowed Traffic endpoints for an MDM configuration are here: [Allowed Traffic](#bkmk-mdm-allowedtraffic)
- CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign.
-- There is some traffic which is specifically required for the Microsoft Intune based management of Windows 10 devices. This traffic includes Windows Notifications Service (WNS), Automatic Root Certificates Update (ARCU), and some Windows Update related traffic. The aforementioned traffic comprises the Allowed Traffic for Microsoft Intune MDM Server to manage Windows 10 devices.
+ - There is some traffic which is specifically required for the Microsoft Intune based management of Windows 10 devices. This traffic includes Windows Notifications Service (WNS), Automatic Root Certificates Update (ARCU), and some Windows Update related traffic. The aforementioned traffic comprises the Allowed Traffic for Microsoft Intune MDM Server to manage Windows 10 devices.
- For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device. Examples of settings that can lead to a less secure device configuration include: disabling Windows Update, disabling Automatic Root Certificates Update, and disabling Windows Defender. Accordingly, we do not recommend disabling any of these features.
- To ensure CSPs take priority over Group Policies in case of conflicts, use the [ControlPolicyConflict](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy.
- The **Get Help** and **Give us Feedback** links in Windows may no longer work after applying some or all of the MDM/CSP settings.
From 7db5a7083dcf4299e6536f7bc967f362d3883359 Mon Sep 17 00:00:00 2001
From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com>
Date: Sat, 24 Aug 2019 13:38:29 -0700
Subject: [PATCH 52/61] Update
manage-connections-from-windows-operating-system-components-to-microsoft-services.md
---
...windows-operating-system-components-to-microsoft-services.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index fe5c71d2cf..89334b2989 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -32,7 +32,7 @@ Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline]
Notes:
- The Allowed Traffic endpoints are listed here: [Allowed Traffic](#bkmk-allowedtraffic).
- CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign.
-- For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device. Examples of settings that can lead to a less secure device configuration include: disabling Windows Update, disabling Automatic Root Certificates Update, and disabling Windows Defender. Accordingly, we do not recommend disabling any of these features.
+- For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device. Examples of settings that can lead to a less secure device configuration include: Windows Update, Automatic Root Certificates Update, and Windows Defender. Accordingly, we do not recommend disabling any of these features.
- It is recommended that you restart a device after making configuration changes to it.
- The Get Help and Give us Feedback links no longer work after the Windows Restricted Traffic Limited Functionality Baseline is applied.
From 49d22b3ff6dab0501cc717c7fa4069944d923c5d Mon Sep 17 00:00:00 2001
From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com>
Date: Sat, 24 Aug 2019 19:08:19 -0700
Subject: [PATCH 53/61] Update
manage-connections-from-windows-operating-system-components-to-microsoft-services.md
---
...system-components-to-microsoft-services.md | 26 +++++++------------
1 file changed, 9 insertions(+), 17 deletions(-)
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index 89334b2989..4d5fc2e52e 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -25,32 +25,24 @@ ms.date: 8/23/2019
- Windows Server 2016
- Windows Server 2019
-This article describes the network connections that Windows 10 components make to Microsoft and the Windows settings, Group Policies and registry settings available to IT Professionals to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a number of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience.
+This article describes the network connections that Windows 10 components make to Microsoft and the Windows Settings, Group Policies and registry settings available to IT Professionals to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a number of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience.
Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887) package that will allow your organization to quickly configure the settings covered in this document to restrict connections from Windows 10 to Microsoft. The Windows Restricted Traffic Limited Baseline is based on [Group Policy Administrative Template](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) functionality and the package you download contains further instructions on how to deploy to devices in your organization. Since some of the settings can reduce the functionality and security configuration of your device, **before deploying Windows Restricted Traffic Limited Functionality Baseline** make sure you **choose the right settings configuration for your environment** and **ensure that Windows and Windows Defender are fully up to date**. Failure to do so may result in errors or unexpected behavior. You should not extract this package to the windows\system32 folder because it will not apply correctly.
-Notes:
-- The Allowed Traffic endpoints are listed here: [Allowed Traffic](#bkmk-allowedtraffic).
- - CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign.
-- For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device. Examples of settings that can lead to a less secure device configuration include: Windows Update, Automatic Root Certificates Update, and Windows Defender. Accordingly, we do not recommend disabling any of these features.
-- It is recommended that you restart a device after making configuration changes to it.
-- The Get Help and Give us Feedback links no longer work after the Windows Restricted Traffic Limited Functionality Baseline is applied.
+>[!Notes]
+> - The Allowed Traffic endpoints are listed here: [Allowed Traffic](#bkmk-allowedtraffic).
+> - CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign.
+> - For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device. Examples of settings that can lead to a less secure device configuration include: Windows Update, Automatic Root Certificates Update, and Windows Defender. Accordingly, we do not recommend disabling any of these features.
+> - It is recommended that you restart a device after making configuration changes to it.
+> - The Get Help and Give us Feedback links no longer work after the Windows Restricted Traffic Limited Functionality Baseline is applied.
To use Microsoft InTune cloud based device management for restricting traffic please refer to the [Manage connections from Windows operating system components to Microsoft services using MDM](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm)
We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting **telmhelp**@**microsoft.com**.
-Management options for each setting
+## Management options for each setting
-The following sections list the components that make network connections to Microsoft services by default. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure diagnostic data at the Security level, turn off Windows Defender diagnostic data and MSRT reporting, and turn off all of these connections.
-Settings for Windows 10 Enterprise edition
-
-The following table lists management options for each setting, beginning with Windows 10 Enterprise version 1607.
-
-
-## Management options for each setting
-
-The following sections list the components that make network connections to Microsoft services by default. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure diagnostic data at the Security level, turn off Windows Defender diagnostic data and MSRT reporting, and turn off all of these connections.
+The following sections list the components that make network connections to Microsoft services by default. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure diagnostic data at the Security level, turn off Windows Defender diagnostic data and MSRT reporting, and turn off all of these connections
### Settings for Windows 10 Enterprise edition
From d2911f6d31bd0373210e719dba27590fbe91eee5 Mon Sep 17 00:00:00 2001
From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com>
Date: Sat, 24 Aug 2019 19:16:10 -0700
Subject: [PATCH 54/61] Update
manage-connections-from-windows-operating-system-components-to-microsoft-services.md
---
...ndows-operating-system-components-to-microsoft-services.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index 4d5fc2e52e..c8f0d1813c 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -34,7 +34,7 @@ Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline]
> - CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign.
> - For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device. Examples of settings that can lead to a less secure device configuration include: Windows Update, Automatic Root Certificates Update, and Windows Defender. Accordingly, we do not recommend disabling any of these features.
> - It is recommended that you restart a device after making configuration changes to it.
-> - The Get Help and Give us Feedback links no longer work after the Windows Restricted Traffic Limited Functionality Baseline is applied.
+> - The **Get Help** and **Give us Feedback** links no longer work after the Windows Restricted Traffic Limited Functionality Baseline is applied.
To use Microsoft InTune cloud based device management for restricting traffic please refer to the [Manage connections from Windows operating system components to Microsoft services using MDM](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm)
@@ -225,7 +225,7 @@ For more information, see [Automatic Root Certificates Update Configuration](htt
Although not recommended, you can turn off Automatic Root Certificates Update, which also prevents updates to the disallowed certificate list and the pin rules list.
> [!CAUTION]
-> By not automatically downloading the root certificates, the device might have not been able to connect to some websites.
+> By not automatically downloading the root certificates the device may not be able to connect to some websites.
For Windows 10, Windows Server 2016 with Desktop Experience, and Windows Server 2016 Server Core:
From bb1507e3154ad818fd9ef27ac8d0a0f89b616fc7 Mon Sep 17 00:00:00 2001
From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com>
Date: Sat, 24 Aug 2019 19:17:51 -0700
Subject: [PATCH 55/61] Update
manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
---
...components-to-microsoft-services-using-MDM.md | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
index efef6e3119..53a6958b4d 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
@@ -19,15 +19,15 @@ ms.date: 8/23/2019
- Windows 10 Enterprise 1903 version and newer
-This article describes the network connections that Windows 10 components make to Microsoft and the Mobile Device Management/Configuration Service Provider (MDM/CSP) and custom Open Mobile Alliance Uniform Resource Identifier ([OMA URI](https://docs.microsoft.com/intune/custom-settings-windows-10)) policies available to IT Professionals using Microsoft Intune to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a range of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience.
+This article describes the network connections that Windows 10 components make to Microsoft and the Mobile Device Management/Configuration Service Provider (MDM/CSP) and custom Open Mobile Alliance Uniform Resource Identifier ([OMA URI](https://docs.microsoft.com/intune/custom-settings-windows-10)) policies available to IT Professionals using Microsoft Intune to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a number of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience.
-Notes:
-- The Allowed Traffic endpoints for an MDM configuration are here: [Allowed Traffic](#bkmk-mdm-allowedtraffic)
- - CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign.
- - There is some traffic which is specifically required for the Microsoft Intune based management of Windows 10 devices. This traffic includes Windows Notifications Service (WNS), Automatic Root Certificates Update (ARCU), and some Windows Update related traffic. The aforementioned traffic comprises the Allowed Traffic for Microsoft Intune MDM Server to manage Windows 10 devices.
-- For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device. Examples of settings that can lead to a less secure device configuration include: disabling Windows Update, disabling Automatic Root Certificates Update, and disabling Windows Defender. Accordingly, we do not recommend disabling any of these features.
-- To ensure CSPs take priority over Group Policies in case of conflicts, use the [ControlPolicyConflict](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy.
-- The **Get Help** and **Give us Feedback** links in Windows may no longer work after applying some or all of the MDM/CSP settings.
+>[!Notes]
+>- The Allowed Traffic endpoints for an MDM configuration are here: [Allowed Traffic](#bkmk-mdm-allowedtraffic)
+> - CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign.
+> - There is some traffic which is specifically required for the Microsoft Intune based management of Windows 10 devices. This traffic includes Windows Notifications Service (WNS), Automatic Root Certificates Update (ARCU), and some Windows Update related traffic. The aforementioned traffic comprises the Allowed Traffic for Microsoft Intune MDM Server to manage Windows 10 devices.
+>- For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device. Examples of settings that can lead to a less secure device configuration include: disabling Windows Update, disabling Automatic Root Certificates Update, and disabling Windows Defender. Accordingly, we do not recommend disabling any of these features.
+>- To ensure CSPs take priority over Group Policies in case of conflicts, use the [ControlPolicyConflict](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy.
+>- The **Get Help** and **Give us Feedback** links in Windows may no longer work after applying some or all of the MDM/CSP settings.
For more information on Microsoft Intune please see [Transform IT service delivery for your modern workplace](https://www.microsoft.com/en-us/enterprise-mobility-security/microsoft-intune?rtc=1) and [Microsoft Intune documentation](https://docs.microsoft.com/intune/).
From b7c0fcf3f21ddf09c62470ea9fe62bd83972feb7 Mon Sep 17 00:00:00 2001
From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com>
Date: Sat, 24 Aug 2019 19:22:31 -0700
Subject: [PATCH 56/61] Update
manage-connections-from-windows-operating-system-components-to-microsoft-services.md
---
...windows-operating-system-components-to-microsoft-services.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index c8f0d1813c..dc138711f7 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -29,7 +29,7 @@ This article describes the network connections that Windows 10 components make t
Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887) package that will allow your organization to quickly configure the settings covered in this document to restrict connections from Windows 10 to Microsoft. The Windows Restricted Traffic Limited Baseline is based on [Group Policy Administrative Template](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) functionality and the package you download contains further instructions on how to deploy to devices in your organization. Since some of the settings can reduce the functionality and security configuration of your device, **before deploying Windows Restricted Traffic Limited Functionality Baseline** make sure you **choose the right settings configuration for your environment** and **ensure that Windows and Windows Defender are fully up to date**. Failure to do so may result in errors or unexpected behavior. You should not extract this package to the windows\system32 folder because it will not apply correctly.
->[!Notes]
+>[!IMPORTANT]
> - The Allowed Traffic endpoints are listed here: [Allowed Traffic](#bkmk-allowedtraffic).
> - CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign.
> - For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device. Examples of settings that can lead to a less secure device configuration include: Windows Update, Automatic Root Certificates Update, and Windows Defender. Accordingly, we do not recommend disabling any of these features.
From 5926db8bbb593260c812f63ce977976a775a49d4 Mon Sep 17 00:00:00 2001
From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com>
Date: Sat, 24 Aug 2019 19:22:54 -0700
Subject: [PATCH 57/61] Update
manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
---
...erating-system-components-to-microsoft-services-using-MDM.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
index 53a6958b4d..a646c6bbbd 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
@@ -21,7 +21,7 @@ ms.date: 8/23/2019
This article describes the network connections that Windows 10 components make to Microsoft and the Mobile Device Management/Configuration Service Provider (MDM/CSP) and custom Open Mobile Alliance Uniform Resource Identifier ([OMA URI](https://docs.microsoft.com/intune/custom-settings-windows-10)) policies available to IT Professionals using Microsoft Intune to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a number of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience.
->[!Notes]
+>[!IMPORTANT]
>- The Allowed Traffic endpoints for an MDM configuration are here: [Allowed Traffic](#bkmk-mdm-allowedtraffic)
> - CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign.
> - There is some traffic which is specifically required for the Microsoft Intune based management of Windows 10 devices. This traffic includes Windows Notifications Service (WNS), Automatic Root Certificates Update (ARCU), and some Windows Update related traffic. The aforementioned traffic comprises the Allowed Traffic for Microsoft Intune MDM Server to manage Windows 10 devices.
From 2c926798989c40500368a66d3ce6f5eb1da3c268 Mon Sep 17 00:00:00 2001
From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com>
Date: Sat, 24 Aug 2019 19:55:38 -0700
Subject: [PATCH 58/61] Update
manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
---
...erating-system-components-to-microsoft-services-using-MDM.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
index a646c6bbbd..d507296ac2 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
@@ -36,7 +36,7 @@ For detailed information about managing network connections to Microsoft service
We are always striving to improve our documentation and welcome your feedback. You can provide feedback by sending email to **telmhelp**@**microsoft.com**.
-### Settings for Windows 10 Enterprise edition 1903 and newer
+## Settings for Windows 10 Enterprise edition 1903 and newer
The following table lists management options for each setting.
From e239b0fbd628fff82b982bcd38d8458624f9902f Mon Sep 17 00:00:00 2001
From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com>
Date: Sun, 25 Aug 2019 09:16:27 -0700
Subject: [PATCH 59/61] Update
manage-connections-from-windows-operating-system-components-to-microsoft-services.md
---
...windows-operating-system-components-to-microsoft-services.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index dc138711f7..2580ae1441 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -36,7 +36,7 @@ Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline]
> - It is recommended that you restart a device after making configuration changes to it.
> - The **Get Help** and **Give us Feedback** links no longer work after the Windows Restricted Traffic Limited Functionality Baseline is applied.
-To use Microsoft InTune cloud based device management for restricting traffic please refer to the [Manage connections from Windows operating system components to Microsoft services using MDM](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm)
+To use Microsoft Intune cloud based device management for restricting traffic please refer to the [Manage connections from Windows operating system components to Microsoft services using MDM](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm)
We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting **telmhelp**@**microsoft.com**.
From 479b5e203ec96090ad1b397671306e9a64bee272 Mon Sep 17 00:00:00 2001
From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com>
Date: Sun, 25 Aug 2019 09:18:35 -0700
Subject: [PATCH 60/61] Update
manage-connections-from-windows-operating-system-components-to-microsoft-services.md
---
...windows-operating-system-components-to-microsoft-services.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index 2580ae1441..3f47529b3b 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -36,7 +36,7 @@ Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline]
> - It is recommended that you restart a device after making configuration changes to it.
> - The **Get Help** and **Give us Feedback** links no longer work after the Windows Restricted Traffic Limited Functionality Baseline is applied.
-To use Microsoft Intune cloud based device management for restricting traffic please refer to the [Manage connections from Windows operating system components to Microsoft services using MDM](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm)
+To use Microsoft Intune cloud based device management for restricting traffic please refer to the [Manage connections from Windows 10 operating system components to Microsoft services using Microsoft Intune MDM Server](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm)
We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting **telmhelp**@**microsoft.com**.
From 08edace9169ab1a824c5f024be44dc90aff9ee68 Mon Sep 17 00:00:00 2001
From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com>
Date: Sun, 25 Aug 2019 09:22:47 -0700
Subject: [PATCH 61/61] Update
manage-connections-from-windows-operating-system-components-to-microsoft-services.md
---
...windows-operating-system-components-to-microsoft-services.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index 3f47529b3b..eb45f00618 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -30,7 +30,7 @@ This article describes the network connections that Windows 10 components make t
Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887) package that will allow your organization to quickly configure the settings covered in this document to restrict connections from Windows 10 to Microsoft. The Windows Restricted Traffic Limited Baseline is based on [Group Policy Administrative Template](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) functionality and the package you download contains further instructions on how to deploy to devices in your organization. Since some of the settings can reduce the functionality and security configuration of your device, **before deploying Windows Restricted Traffic Limited Functionality Baseline** make sure you **choose the right settings configuration for your environment** and **ensure that Windows and Windows Defender are fully up to date**. Failure to do so may result in errors or unexpected behavior. You should not extract this package to the windows\system32 folder because it will not apply correctly.
>[!IMPORTANT]
-> - The Allowed Traffic endpoints are listed here: [Allowed Traffic](#bkmk-allowedtraffic).
+> - The Allowed Traffic endpoints are listed here: [Allowed Traffic](#bkmk-allowedtraffic)
> - CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign.
> - For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device. Examples of settings that can lead to a less secure device configuration include: Windows Update, Automatic Root Certificates Update, and Windows Defender. Accordingly, we do not recommend disabling any of these features.
> - It is recommended that you restart a device after making configuration changes to it.