From f2e843a665be3df78b420703fb46a8c6704762d8 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Thu, 30 Sep 2021 10:58:34 +0100 Subject: [PATCH 01/11] Revert "Update windows-11-endpoints-non-enterprise-editions.md" This reverts commit 9d46a53147b2de444c37a960e0b880fa77da4c5b. --- windows/privacy/windows-11-endpoints-non-enterprise-editions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/windows-11-endpoints-non-enterprise-editions.md b/windows/privacy/windows-11-endpoints-non-enterprise-editions.md index e4ce5d42be..c2b9346db8 100644 --- a/windows/privacy/windows-11-endpoints-non-enterprise-editions.md +++ b/windows/privacy/windows-11-endpoints-non-enterprise-editions.md @@ -103,7 +103,7 @@ The following methodology was used to derive the network endpoints: | Teams Chat integration with Windows  | The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.  | | | | | | HTTP | www.microsoft.com
*.watson.telemetry.microsoft.com/telemetry.request  | | | | TLSv1.2/HTTPS | *.v10.events.data.microsoft.com 
*.telecommand.telemetry.microsoft.com 
*.co4.telecommand.telemetry.microsoft.com 
*.watson.telemetry.microsoft.com | -| Widgets | To turn off a widget locally, right click on the widget to remove it from the widgets board.
Disable the connection point to turn off for an organization.
See below for a list of available widgets.|TLSv1.2/HTTPS/HTTP | https://www.msn.com/pcs/api/widget/newsplus/widget | +| Widgets | To turn off a widget locally, right click on the widget to it unpin from the dashboard.
Disable the connection point to turn off for an organization.
See below for a list of available widgets.|TLSv1.2/HTTPS/HTTP | https://www.msn.com/pcs/api/widget/newsplus/widget | | | **MSN news feed**
The Windows feeds endpoint on msn.com is used to download news headlines to the dashboard. ||| | | **Calendar**
This endpoint downloads calender content for the widget. ||| | | **ToDo**
This endpoint downloads ToDo content for the widget. ||| From b07301d2a77ded165bd3182f60d233afe6180e58 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Thu, 30 Sep 2021 10:58:47 +0100 Subject: [PATCH 02/11] Revert "Update windows-11-endpoints-non-enterprise-editions.md" This reverts commit b8350d424d25264b805886ab8443d0a0ba5c7505. --- ...windows-11-endpoints-non-enterprise-editions.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/privacy/windows-11-endpoints-non-enterprise-editions.md b/windows/privacy/windows-11-endpoints-non-enterprise-editions.md index c2b9346db8..09c4383824 100644 --- a/windows/privacy/windows-11-endpoints-non-enterprise-editions.md +++ b/windows/privacy/windows-11-endpoints-non-enterprise-editions.md @@ -104,13 +104,13 @@ The following methodology was used to derive the network endpoints: | | | HTTP | www.microsoft.com
*.watson.telemetry.microsoft.com/telemetry.request  | | | | TLSv1.2/HTTPS | *.v10.events.data.microsoft.com 
*.telecommand.telemetry.microsoft.com 
*.co4.telecommand.telemetry.microsoft.com 
*.watson.telemetry.microsoft.com | | Widgets | To turn off a widget locally, right click on the widget to it unpin from the dashboard.
Disable the connection point to turn off for an organization.
See below for a list of available widgets.|TLSv1.2/HTTPS/HTTP | https://www.msn.com/pcs/api/widget/newsplus/widget | -| | **MSN news feed**
The Windows feeds endpoint on msn.com is used to download news headlines to the dashboard. ||| -| | **Calendar**
This endpoint downloads calender content for the widget. ||| -| | **ToDo**
This endpoint downloads ToDo content for the widget. ||| -| | **Microsoft 365 recommendations**
This endpoint downloads Microsoft 365 recommendations for the widget. ||| -| | **Photos**
This endpoint downloads photo content for the widget. ||| -| | **Family**
This endpoint downloads family content for the widget. ||| -| | **Finance, Sports, Weather, Traffic, eSports**
The WebXT endpoint is used to download content for all WebXT widgets. ||| +| | MSN news feed
The Windows feeds endpoint on msn.com is used to download news headlines to the dashboard. ||| +| | Calendar
The calendar endpoint is used to download content for the widget. ||| +| | ToDo
The ToDo endpoint is used to download content for the widget. ||| +| | Microsoft 365 recommendations
The Microsoft 365 recommendations endpoint is used to download content for the widget. ||| +| | Photos
The photos endpoint is used to download content for the widget. ||| +| | Family
The family endpoint is used to download content for the widget. ||| +| | Finance, Sports, Weather, Traffic, eSports
The WebXT endpoint is used to download content for all WebXT widgets. ||| |Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled|TLSv1.2/HTTPS|wdcp.microsoft.com| ||||wdcpalt.microsoft.com| |||HTTPS/HTTP|*.smartscreen-prod.microsoft.com| From fc3a4fade5ccaed06c63b6fa6cfbe8d2f2887289 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Thu, 30 Sep 2021 10:58:56 +0100 Subject: [PATCH 03/11] Revert "Update windows-11-endpoints-non-enterprise-editions.md" This reverts commit d308ba37ec4463bbd27965cdbb4a1bd96fb826ab. --- .../windows-11-endpoints-non-enterprise-editions.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/privacy/windows-11-endpoints-non-enterprise-editions.md b/windows/privacy/windows-11-endpoints-non-enterprise-editions.md index 09c4383824..0e8224533c 100644 --- a/windows/privacy/windows-11-endpoints-non-enterprise-editions.md +++ b/windows/privacy/windows-11-endpoints-non-enterprise-editions.md @@ -103,14 +103,14 @@ The following methodology was used to derive the network endpoints: | Teams Chat integration with Windows  | The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.  | | | | | | HTTP | www.microsoft.com
*.watson.telemetry.microsoft.com/telemetry.request  | | | | TLSv1.2/HTTPS | *.v10.events.data.microsoft.com 
*.telecommand.telemetry.microsoft.com 
*.co4.telecommand.telemetry.microsoft.com 
*.watson.telemetry.microsoft.com | -| Widgets | To turn off a widget locally, right click on the widget to it unpin from the dashboard.
Disable the connection point to turn off for an organization.
See below for a list of available widgets.|TLSv1.2/HTTPS/HTTP | https://www.msn.com/pcs/api/widget/newsplus/widget | +| Widgets | To turn a widget off locally, right click on the widget to it unpin from dashboard.
Disable the connection point below to turn off for an organization. |TLSv1.2/HTTPS/HTTP | https://www.msn.com/pcs/api/widget/newsplus/widget | | | MSN news feed
The Windows feeds endpoint on msn.com is used to download news headlines to the dashboard. ||| | | Calendar
The calendar endpoint is used to download content for the widget. ||| -| | ToDo
The ToDo endpoint is used to download content for the widget. ||| -| | Microsoft 365 recommendations
The Microsoft 365 recommendations endpoint is used to download content for the widget. ||| -| | Photos
The photos endpoint is used to download content for the widget. ||| -| | Family
The family endpoint is used to download content for the widget. ||| -| | Finance, Sports, Weather, Traffic, eSports
The WebXT endpoint is used to download content for all WebXT widgets. ||| +| | ToDo | The ToDo endpoint is used to download content for the widget. | Unpin widget from dashboard through context menu to turn off locally. Disable the connection point below to turn off for an organization. | +| | Microsoft 365 recommendations | The Microsoft 365 recommendations endpoint is used to download content for the widget. | Unpin widget from dashboard through context menu to turn off locally. Disable the connection point below to turn off for an organization. | +| | Photos | The photos endpoint is used to download content for the widget. | Unpin widget from dashboard through context menu to turn off locally. Disable the connection point below to turn off for an organization. | +| | Family | The family endpoint is used to download content for the widget. | Unpin widget from dashboard through context menu to turn off locally. Disable the connection point below to turn off for an organization. | +| | Finance, Sports, Weather, Traffic, eSports | The WebXT endpoint is used to download content for all WebXT widgets. | Unpin widget from dashboard through context menu to turn off locally. Disable the connection point below to turn off for an organization. | |Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled|TLSv1.2/HTTPS|wdcp.microsoft.com| ||||wdcpalt.microsoft.com| |||HTTPS/HTTP|*.smartscreen-prod.microsoft.com| From feb3d8c9bd23fc82d07199450125f54b22ea7314 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Thu, 30 Sep 2021 10:59:02 +0100 Subject: [PATCH 04/11] Revert "Update windows-11-endpoints-non-enterprise-editions.md" This reverts commit 56f6a2bf3b2be3715d850d7ca12b5a523534eac5. --- windows/privacy/windows-11-endpoints-non-enterprise-editions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/privacy/windows-11-endpoints-non-enterprise-editions.md b/windows/privacy/windows-11-endpoints-non-enterprise-editions.md index 0e8224533c..ac4eb5690f 100644 --- a/windows/privacy/windows-11-endpoints-non-enterprise-editions.md +++ b/windows/privacy/windows-11-endpoints-non-enterprise-editions.md @@ -103,7 +103,7 @@ The following methodology was used to derive the network endpoints: | Teams Chat integration with Windows  | The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.  | | | | | | HTTP | www.microsoft.com
*.watson.telemetry.microsoft.com/telemetry.request  | | | | TLSv1.2/HTTPS | *.v10.events.data.microsoft.com 
*.telecommand.telemetry.microsoft.com 
*.co4.telecommand.telemetry.microsoft.com 
*.watson.telemetry.microsoft.com | -| Widgets | To turn a widget off locally, right click on the widget to it unpin from dashboard.
Disable the connection point below to turn off for an organization. |TLSv1.2/HTTPS/HTTP | https://www.msn.com/pcs/api/widget/newsplus/widget | +| Widgets
To turn a widget off locally, right click on the widget to it unpin from dashboard.
Disable the connection point below to turn off for an organization. | |TLSv1.2/HTTPS/HTTP | https://www.msn.com/pcs/api/widget/newsplus/widget | | | MSN news feed
The Windows feeds endpoint on msn.com is used to download news headlines to the dashboard. ||| | | Calendar
The calendar endpoint is used to download content for the widget. ||| | | ToDo | The ToDo endpoint is used to download content for the widget. | Unpin widget from dashboard through context menu to turn off locally. Disable the connection point below to turn off for an organization. | From 9a7ad4962c6d5880d04c11d3df8c7da25e0d833b Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Thu, 30 Sep 2021 10:59:10 +0100 Subject: [PATCH 05/11] Revert "Update windows-11-endpoints-non-enterprise-editions.md" This reverts commit 5226a30d9296809204ab45d7ce3a3849ced417e0. --- .../windows-11-endpoints-non-enterprise-editions.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/windows/privacy/windows-11-endpoints-non-enterprise-editions.md b/windows/privacy/windows-11-endpoints-non-enterprise-editions.md index ac4eb5690f..d5312274ba 100644 --- a/windows/privacy/windows-11-endpoints-non-enterprise-editions.md +++ b/windows/privacy/windows-11-endpoints-non-enterprise-editions.md @@ -103,14 +103,15 @@ The following methodology was used to derive the network endpoints: | Teams Chat integration with Windows  | The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.  | | | | | | HTTP | www.microsoft.com
*.watson.telemetry.microsoft.com/telemetry.request  | | | | TLSv1.2/HTTPS | *.v10.events.data.microsoft.com 
*.telecommand.telemetry.microsoft.com 
*.co4.telecommand.telemetry.microsoft.com 
*.watson.telemetry.microsoft.com | -| Widgets
To turn a widget off locally, right click on the widget to it unpin from dashboard.
Disable the connection point below to turn off for an organization. | |TLSv1.2/HTTPS/HTTP | https://www.msn.com/pcs/api/widget/newsplus/widget | -| | MSN news feed
The Windows feeds endpoint on msn.com is used to download news headlines to the dashboard. ||| -| | Calendar
The calendar endpoint is used to download content for the widget. ||| +| Widgets | | | How to turn off  | +| | MSN news feed | The windows feeds endpoint on msn.com is used to download news headlines to the dashboard. | Sign out of dashboard | +| | Calendar | The calendar endpoint is used to download content for the widget. | Unpin widget from dashboard through context menu to turn off locally. Disable the connection point below to turn off for an organization. | | | ToDo | The ToDo endpoint is used to download content for the widget. | Unpin widget from dashboard through context menu to turn off locally. Disable the connection point below to turn off for an organization. | | | Microsoft 365 recommendations | The Microsoft 365 recommendations endpoint is used to download content for the widget. | Unpin widget from dashboard through context menu to turn off locally. Disable the connection point below to turn off for an organization. | | | Photos | The photos endpoint is used to download content for the widget. | Unpin widget from dashboard through context menu to turn off locally. Disable the connection point below to turn off for an organization. | | | Family | The family endpoint is used to download content for the widget. | Unpin widget from dashboard through context menu to turn off locally. Disable the connection point below to turn off for an organization. | | | Finance, Sports, Weather, Traffic, eSports | The WebXT endpoint is used to download content for all WebXT widgets. | Unpin widget from dashboard through context menu to turn off locally. Disable the connection point below to turn off for an organization. | +| | | TLSv1.2/HTTPS/HTTP | https://www.msn.com/pcs/api/widget/newsplus/widget | |Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled|TLSv1.2/HTTPS|wdcp.microsoft.com| ||||wdcpalt.microsoft.com| |||HTTPS/HTTP|*.smartscreen-prod.microsoft.com| 
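Review bot: In the Widgets rows restored by PATCH 05/11, the cells no longer line up with the table's four columns. `| Widgets | | | How to turn off  |` puts a heading in the last column, and each widget row carries the widget name in the second column, its description in the third and the turn-off instructions in the fourth, while the neighbouring rows such as `|||HTTPS/HTTP|*.smartscreen-prod.microsoft.com|` use the third and fourth columns for protocol and destination. The only real endpoint, `https://www.msn.com/pcs/api/widget/newsplus/widget`, is pushed to a trailing row with an empty description, so a reader who scans the last column to build an egress rule gets prose instead of hosts. Suggest keeping the description text in the second column and the endpoint row directly under the Widgets heading, or moving the turn-off instructions into a separate table. Minor: "The windows feeds endpoint" should capitalise "Windows".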
From 630fd60b7c9dd04f1dd65d5d19a5a8ba42c690e3 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Thu, 30 Sep 2021 11:03:00 +0100 Subject: [PATCH 06/11] Revert "Updated-5442542" This reverts commit 772d707552625531fd5c6309d9fe9d55b3dec3ee. --- .../privacy/manage-windows-11-endpoints.md | 20 ++--- .../privacy/manage-windows-21H1-endpoints.md | 4 +- ...ws-11-endpoints-non-enterprise-editions.md | 76 ++++++------------- ...-endpoints-21H1-non-enterprise-editions.md | 26 ++++--- 4 files changed, 49 insertions(+), 77 deletions(-) diff --git a/windows/privacy/manage-windows-11-endpoints.md b/windows/privacy/manage-windows-11-endpoints.md index a2b10e6e6a..d977b42d2c 100644 --- a/windows/privacy/manage-windows-11-endpoints.md +++ b/windows/privacy/manage-windows-11-endpoints.md 
@@ -63,11 +63,13 @@ The following methodology was used to derive these network endpoints: |||TLSv1.2|I-ring.msedge.net| |||HTTPS|s-ring.msedge.net| |Device authentication|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)| -||The following endpoint is used to authenticate a device. If you turn off traffic for this endpoint, the device will not be authenticated.|HTTPS|login.live.com*| +||The following endpoint is used to authenticate a device. If you turn off traffic for this endpoint, the device will not be authenticated.|HTTPS|login.live.com*| |Device metadata|The following endpoint is used to retrieve device metadata. If you turn off traffic for this endpoint, metadata will not be updated for the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#4-device-metadata-retrieval)| |||HTTP|dmd.metaservices.microsoft.com| |Diagnostic Data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)| |||TLSv1.2/HTTPS/HTTP|v10.events.data.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|v20.events.data.microsoft.com| +|||HTTP|www.microsoft.com| ||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. 
This means error reporting information will not be sent back to Microsoft.|TLSv1.2|telecommand.telemetry.microsoft.com| |||TLS v1.2/HTTPS/HTTP|watson.*.microsoft.com| |Font Streaming|The following endpoints are used to download fonts on demand. If you turn off traffic for these endpoints, you will not be able to download fonts on demand.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#6-font-streaming)| 
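Review bot: The added `|||HTTP|www.microsoft.com|` row under Diagnostic Data has no description of its own, so it inherits the "If you turn off traffic for this endpoint" text of the Diagnostic Data row even though the host name is not telemetry-specific and the protocol is plain HTTP. Suggest giving this row its own description that says what the Connected User Experiences and Telemetry component requests from it, so an administrator can judge the effect of blocking it. Separately, the `-`/`+` pair for the `login.live.com*` row shows no visible text difference; worth confirming that the change is whitespace only.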
@@ -79,8 +81,9 @@ The following methodology was used to derive these network endpoints: |Microsoft Account|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account)| ||The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users cannot sign in with Microsoft accounts. |TLSv1.2/HTTPS|login.live.com| |Microsoft Edge|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#13-microsoft-edge)| -||This traffic is related to the Microsoft Edge browser. This encapsulates all network traffic that supports edge. Edge cannot contact the outside world and thus ceases to function other than as a local PDF viewer.|HTTPS|iecvlist.microsoft.com| +||This traffic is related to the Microsoft Edge browser.|HTTPS|iecvlist.microsoft.com| ||The following endpoint is used by Microsoft Edge Update service to check for new updates. If you disable this endpoint, Microsoft Edge won’t be able to check for and apply new edge updates.|TLSv1.2/HTTPS/HTTP|msedge.api.cdp.microsoft.com| +|Microsoft forward link redirection service (FWLink)|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. 
To disable the traffic, instead disable the traffic that's getting forwarded.|HTTP|go.microsoft.com| |Microsoft Store|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)| ||The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|img-prod-cms-rt-microsoft-com.akamaized.net| ||The following endpoint is needed to load the content in the Microsoft Store app.|HTTPS|livetileedge.dsx.mp.microsoft.com| @@ -111,19 +114,6 @@ The following methodology was used to derive these network endpoints: |||TLSv1.2/HTTPS/HTTP|config.edge.skype.com| |Teams|The following endpoint is used for Microsoft Teams application.||[Learn how to turn off traffic to all of the following endpoint(s).]( manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)| |||TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com| -| Teams Chat integration with Windows   | The following endpoints are used to configure Microsoft Teams Chat integration with Windows. | | | -| | | HTTP | www.microsoft.com
*.watson.telemetry.microsoft.com/telemetry.request | -| | | TLSv1.2/HTTPS | *.v10.events.data.microsoft.com
*.telecommand.telemetry.microsoft.com
*.co4.telecommand.telemetry.microsoft.com
*.watson.telemetry.microsoft.com | -| Widgets    | | | How to turn off | -| The following endpoints are used for Widgets. | MSN news feed | The windows feeds endpoint on msn.com is used to download news headlines to the dashboard. | Sign out of dashboard | -| | Calendar | The calendar endpoint is used to download content for the widget. | Unpin widget from dashboard through context menu to turn off locally. Disable the connection point below to turn off for an organization. | -| | ToDo | The ToDo endpoint is used to download content for the widget. | Unpin widget from dashboard through context menu to turn off locally. Disable the connection point below to turn off for an organization. | -| | Microsoft 365 recommendations | The Microsoft 365 recommendations endpoint is used to download content for the widget. | Unpin widget from dashboard through context menu to turn off locally. Disable the connection point below to turn off for an organization. | -| | Photos | The photos endpoint is used to download content for the widget. | Unpin widget from dashboard through context menu to turn off locally. Disable the connection point below to turn off for an organization. | -| | Family | The family endpoint is used to download content for the widget | Unpin widget from dashboard through context menu to turn off locally. Disable the connection point below to turn off for an organization. | -| | Finance, Sports, Weather, Traffic, eSports | The WebXT endpoint is used to download content for all WebXT widgets. | Unpin widget from dashboard through context menu to turn off locally. Disable the connection point below to turn off for an organization. | -| | Tips | The Tips endpoint is used to download content for the widget. | Unpin widget from dashboard through context menu to turn off locally. Disable the connection point below to turn off for an organization. 
| -| | | TLSv1.2/HTTPS/HTTP | https://www.msn.com/pcs/api/widget/newsplus/widget | |Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off traffic for this endpoint, the device will not use Cloud-based Protection.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender)| |||HTTPS/TLSv1.2|wdcp.microsoft.com| ||The following endpoints are used for Windows Defender SmartScreen reporting and notifications. If you turn off traffic for these endpoints, SmartScreen notifications will not appear.|HTTPS|*smartscreen-prod.microsoft.com| diff --git a/windows/privacy/manage-windows-21H1-endpoints.md b/windows/privacy/manage-windows-21H1-endpoints.md index 52fc822b24..5f9ce40031 100644 --- a/windows/privacy/manage-windows-21H1-endpoints.md +++ b/windows/privacy/manage-windows-21H1-endpoints.md @@ -65,8 +65,10 @@ The following methodology was used to derive these network endpoints: ||The following endpoint is used to authenticate a device. If you turn off traffic for this endpoint, the device will not be authenticated.|HTTPS|login.live.com*| |Device metadata|The following endpoint is used to retrieve device metadata. If you turn off traffic for this endpoint, metadata will not be updated for the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#4-device-metadata-retrieval)| |||HTTP|dmd.metaservices.microsoft.com| -|Diagnostic Data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)| +|Diagnostic Data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)| |||TLSv1.2/HTTPS/HTTP|v10.events.data.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|v20.events.data.microsoft.com| +|||HTTP|www.microsoft.com| ||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.|TLSv1.2|telecommand.telemetry.microsoft.com| |||TLS v1.2/HTTPS/HTTP|watson.*.microsoft.com| |Font Streaming|The following endpoints are used to download fonts on demand. If you turn off traffic for these endpoints, you will not be able to download fonts on demand.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#6-font-streaming)| diff --git a/windows/privacy/windows-11-endpoints-non-enterprise-editions.md b/windows/privacy/windows-11-endpoints-non-enterprise-editions.md index d5312274ba..1b2a4a3137 100644 
--- a/windows/privacy/windows-11-endpoints-non-enterprise-editions.md +++ b/windows/privacy/windows-11-endpoints-non-enterprise-editions.md @@ -26,12 +26,12 @@ The following methodology was used to derive the network endpoints: 1. Set up the latest version of Windows 11 on a test virtual machine using the default settings. 2. Leave the device(s) running idle for a week ("idle" means a user is not interacting with the system/device). -3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. +3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. 4. Compile reports on traffic going to public IP addresses. 5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory. -6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here. -7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different. -8. These tests were conducted for one week. If you capture traffic for longer, you may have different results. +6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here. +7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different. +8. These tests were conducted for one week. If you capture traffic for longer you may have different results. > [!NOTE] > Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. 
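Review bot: In step 8 of the methodology list the revert drops the comma after "longer" ("If you capture traffic for longer you may have different results."), which reads worse than the line it replaces; suggest keeping the comma. Steps 3, 6 and 7 appear as `-`/`+` pairs with identical visible text, so they look like whitespace-only churn. Since step 6 is being touched anyway, "a IPV4 network" should read "an IPv4 network", and "IPV6" should be "IPv6".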
@@ -40,7 +40,7 @@ The following methodology was used to derive the network endpoints: | **Area** | **Description** | **Protocol** | **Destination** | |-----------|--------------- |------------- |-----------------| -| Activity Feed Service |The following endpoints are used by Activity Feed Service, which enables multiple cross-device data roaming scenarios on Windows|TLSv1.2/HTTPS/HTTP|activity.windows.com| +| Activity Feed Service |The following endpoints are used by Activity Feed Service which enables multiple cross-device data roaming scenarios on Windows|TLSv1.2/HTTPS/HTTP|activity.windows.com| |Apps|The following endpoints are used for the Weather app.|TLSv1.2/HTTPS/HTTP|tile-service.weather.microsoft.com| ||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS/HTTP|evoke-windowsservices-tas.msedge.net| ||The following endpoint is used for OneNote Live Tile.|HTTPS/HTTP|cdn.onenote.net| @@ -53,7 +53,9 @@ The following methodology was used to derive the network endpoints: |Device authentication|The following endpoint is used to authenticate a device.|HTTPS|login.live.com*| |Device Directory Service|Used by Device Directory Service to keep track of user-device associations and storing metadata about the devices.|HTTPS/HTTP|cs.dds.microsoft.com| |Device metadata|The following endpoint is used to retrieve device metadata.|TLSv1.2/HTTP|dmd.metaservices.microsoft.com| -|Diagnostic data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.|TLSv1.2/HTTP|v10.events.data.microsoft.com| +|Diagnostic data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.|TLSv1.2/HTTP|v10.events.data.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|v20.events.data.microsoft.com| +|||TLSv1.2/HTTP|www.microsoft.com| ||The following endpoints are used by Windows Error Reporting.|TLSv1.2/HTTPS/HTTP|watson.telemetry.microsoft.com| |Font Streaming|The following endpoints are used to download fonts on demand.|TLSv1.2/HTTPS|fs.microsoft.com*| |Licensing|The following endpoint is used for online activation and some app licensing.|HTTPS/HTTP|*licensing.mp.microsoft.com| @@ -66,9 +68,11 @@ The following methodology was used to derive the network endpoints: |||HTTPS/HTTP|ecn.dev.virtualearth.net| |||HTTPS/HTTP|ssl.bing.com| |Microsoft Account|The following endpoints are used for Microsoft accounts to sign in|TLSv1.2/HTTPS/HTTP|*login.live.com| -|Microsoft Edge|The following endpoints are used for Microsoft Edge Browser Services.
This encapsulates all network traffic that supports edge. Edge cannot contact the outside world and thus ceases to function other than as a local PDF viewer.|HTTPS/HTTP|edge.activity.windows.com| +|Microsoft Edge|The following endpoints are used for Microsoft Edge Browser Services.|HTTPS/HTTP|edge.activity.windows.com| |||HTTPS/HTTP|edge.microsoft.com| -|Microsoft Edge|The following endpoint is used by Microsoft Edge Update service to check for new updates.
This encapsulates all network traffic that supports edge. Edge cannot contact the outside world and thus ceases to function other than as a local PDF viewer.|HTTPS/HTTP|msedge.api.cdp.microsoft.com| +||The following endpoint is used by Microsoft Edge Update service to check for new updates.|HTTPS/HTTP|msedge.api.cdp.microsoft.com| +|Microsoft forward link redirection|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer|HTTP|go.microsoft.com/fwlink/| +|||TLSv1.2/HTTPS/HTTP|go.microsoft.com| |Microsoft Store|The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps)|TLSv1.2/HTTPS/HTTP|img-prod-cms-rt-microsoft-com.akamaized.net| ||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way.|TLSv1.2/HTTPS|*.wns.windows.com| ||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com| @@ -100,18 +104,6 @@ The following methodology was used to derive the network endpoints: |Skype|The following endpoint is used to retrieve Skype configuration values.|TLSv1.2/HTTPS/HTTP|*.pipe.aria.microsoft.com| |||TLSv1.2/HTTPS/HTTP|config.edge.skype.com| |Teams|The following endpoint is used for Microsoft Teams application.|TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com| -| Teams Chat integration with Windows  | The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.  | | | -| | | HTTP | www.microsoft.com
*.watson.telemetry.microsoft.com/telemetry.request  | -| | | TLSv1.2/HTTPS | *.v10.events.data.microsoft.com 
*.telecommand.telemetry.microsoft.com 
*.co4.telecommand.telemetry.microsoft.com 
*.watson.telemetry.microsoft.com | -| Widgets | | | How to turn off  | -| | MSN news feed | The windows feeds endpoint on msn.com is used to download news headlines to the dashboard. | Sign out of dashboard | -| | Calendar | The calendar endpoint is used to download content for the widget. | Unpin widget from dashboard through context menu to turn off locally. Disable the connection point below to turn off for an organization. | -| | ToDo | The ToDo endpoint is used to download content for the widget. | Unpin widget from dashboard through context menu to turn off locally. Disable the connection point below to turn off for an organization. | -| | Microsoft 365 recommendations | The Microsoft 365 recommendations endpoint is used to download content for the widget. | Unpin widget from dashboard through context menu to turn off locally. Disable the connection point below to turn off for an organization. | -| | Photos | The photos endpoint is used to download content for the widget. | Unpin widget from dashboard through context menu to turn off locally. Disable the connection point below to turn off for an organization. | -| | Family | The family endpoint is used to download content for the widget. | Unpin widget from dashboard through context menu to turn off locally. Disable the connection point below to turn off for an organization. | -| | Finance, Sports, Weather, Traffic, eSports | The WebXT endpoint is used to download content for all WebXT widgets. | Unpin widget from dashboard through context menu to turn off locally. Disable the connection point below to turn off for an organization. | -| | | TLSv1.2/HTTPS/HTTP | https://www.msn.com/pcs/api/widget/newsplus/widget | |Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled|TLSv1.2/HTTPS|wdcp.microsoft.com| ||||wdcpalt.microsoft.com| |||HTTPS/HTTP|*.smartscreen-prod.microsoft.com| 
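Review bot: The Teams Chat rows deleted at the top of this hunk are the only place in the visible hunks for this table that list `*.telecommand.telemetry.microsoft.com` and `*.co4.telecommand.telemetry.microsoft.com`, so unless they also appear in unchanged rows, the patch leaves both destinations undocumented. Readers build egress allow and block rules from this table. If Windows still contacts these hosts, move them under the Diagnostic data row beside the `v10`/`v20.events.data.microsoft.com` entries this patch adds rather than dropping them. If it no longer does, state that in the commit message so the removal can be checked against a capture.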
@@ -139,7 +131,7 @@ The following methodology was used to derive the network endpoints: | **Area** | **Description** | **Protocol** | **Destination** | | --- | --- | --- | ---| -| Activity Feed Service |The following endpoints are used by Activity Feed Service, which enables multiple cross-device data roaming scenarios on Windows|TLSv1.2/HTTPS/HTTP|activity.windows.com| +| Activity Feed Service |The following endpoints are used by Activity Feed Service which enables multiple cross-device data roaming scenarios on Windows|TLSv1.2/HTTPS/HTTP|activity.windows.com| |Apps|The following endpoints are used for the Weather app.|TLSv1.2/HTTPS/HTTP|tile-service.weather.microsoft.com| ||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS/HTTP|evoke-windowsservices-tas.msedge.net| ||The following endpoint is used for OneNote Live Tile.|HTTPS/HTTP|cdn.onenote.net| @@ -148,13 +140,16 @@ The following methodology was used to derive the network endpoints: |Cortana and Live Tiles|The following endpoints are related to Cortana and Live Tiles|TLSv1.2/HTTPS/HTTP|www.bing.com*| |Device authentication|The following endpoint is used to authenticate a device.|HTTPS|login.live.com*| |Device metadata|The following endpoint is used to retrieve device metadata.|TLSv1.2/HTTP|dmd.metaservices.microsoft.com| -|Diagnostic data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. |TLSv1.2/HTTP|v10.events.data.microsoft.com| +|Diagnostic data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.|TLSv1.2/HTTP|v10.events.data.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|v20.events.data.microsoft.com| +|||TLSv1.2/HTTP|www.microsoft.com| ||The following endpoints are used by Windows Error Reporting.|TLSv1.2/HTTPS/HTTP|watson.telemetry.microsoft.com| |Font Streaming|The following endpoints are used to download fonts on demand.|TLSv1.2/HTTPS|fs.microsoft.com*| |Licensing|The following endpoint is used for online activation and some app licensing.|HTTPS/HTTP|*licensing.mp.microsoft.com| |Maps|The following endpoints are used to check for updates to maps that have been downloaded for offline use.|HTTPS/HTTP|maps.windows.com| -|Microsoft Account|The following endpoints are used for Microsoft accounts to sign in. |TLSv1.2/HTTPS/HTTP|*login.live.com| -|Microsoft Edge|The following endpoint is used by Microsoft Edge Update service to check for new updates.
This encapsulates all network traffic that supports edge. Edge cannot contact the outside world and thus ceases to function other than as a local PDF viewer. |HTTPS/HTTP|msedge.api.cdp.microsoft.com| +|Microsoft Account|The following endpoints are used for Microsoft accounts to sign in|TLSv1.2/HTTPS/HTTP|*login.live.com| +|Microsoft Edge|The following endpoint is used by Microsoft Edge Update service to check for new updates.|HTTPS/HTTP|msedge.api.cdp.microsoft.com| +|Microsoft forward link redirection|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer|TLSv1.2/HTTPS/HTTP|go.microsoft.com| |Microsoft Store|The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps)|TLSv1.2/HTTPS/HTTP|img-prod-cms-rt-microsoft-com.akamaized.net| ||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way.|TLSv1.2/HTTPS|*.wns.windows.com| ||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com| 
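Review bot: The rewritten Diagnostic data row drops the sentence "If you turn off traffic for this endpoint, diagnostic and usage information ... will not be sent back to Microsoft", and the two rows added under it (`v20.events.data.microsoft.com`, `www.microsoft.com`) have an empty Description cell, so nothing in the row group says what blocking these destinations does. Keep the consequence sentence, and give `www.microsoft.com` its own description, since it is a general-purpose host that a reader could otherwise block wholesale as "diagnostic data". While the line is being touched, "endpoints are used ... and connects" should read "connect". The new FWLink description also ends without a period and with the informal "just longer".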
@@ -183,18 +178,6 @@ The following methodology was used to derive the network endpoints: |Skype|The following endpoint is used to retrieve Skype configuration values.|TLSv1.2/HTTPS/HTTP|*.pipe.aria.microsoft.com| |||TLSv1.2/HTTPS/HTTP|config.edge.skype.com| |Teams|The following endpoint is used for Microsoft Teams application.|TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com| -| Teams Chat integration with Windows | The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.| | | -|||HTTP|www.microsoft.com
*.watson.telemetry.microsoft.com/telemetry.request| -|||TLSv1.2/HTTPS| *.v10.events.data.microsoft.com
*.telecommand.telemetry.microsoft.com
*.co4.telecommand.telemetry.microsoft.com
*.watson.telemetry.microsoft.com| -|Widgets|||How to turn off | -||MSN news feed |The windows feeds endpoint on msn.com is used to download news headlines to the dashboard.|Sign out of dashboard| -||Calendar|The calendar endpoint is used to download content for the widget.|Unpin widget from dashboard through context menu to turn off locally. Disable the connection point below to turn off for an organization.| -||ToDo|The ToDo endpoint is used to download content for the widget.|Unpin widget from dashboard through context menu to turn off locally. Disable the connection point below to turn off for an organization.| -||Microsoft 365 recommendations|The Microsoft 365 recommendations endpoint is used to download content for the widget.|Unpin widget from dashboard through context menu to turn off locally. Disable the connection point below to turn off for an organization.| -||Photos|The photos endpoint is used to download content for the widget.|Unpin widget from dashboard through context menu to turn off locally. Disable the connection point below to turn off for an organization.| -||Family|The family endpoint is used to download content for the widget.|Unpin widget from dashboard through context menu to turn off locally. Disable the connection point below to turn off for an organization.| -||Finance, Sports, Weather, Traffic, eSports|The WebXT endpoint is used to download content for all WebXT widgets.|Unpin widget from dashboard through context menu to turn off locally. Disable the connection point below to turn off for an organization.| -|||TLSv1.2/HTTPS/HTTP|https://www.msn.com/pcs/api/widget/newsplus/widget| |Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled|TLSv1.2/HTTPS|wdcp.microsoft.com| ||||wdcpalt.microsoft.com| |||HTTPS/HTTP|*.smartscreen-prod.microsoft.com| 
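Review bot: The destinations deleted in this hunk's Teams Chat rows are wildcard forms (`*.v10.events.data.microsoft.com`, `*.watson.telemetry.microsoft.com`), while the Diagnostic data rows kept for this table list only the bare hosts `v10.events.data.microsoft.com` and `watson.telemetry.microsoft.com`. A firewall or proxy rule written from the bare host does not match subdomains, so the table no longer tells the reader whether subdomain traffic is expected. Confirm against the capture which form is correct and use that form in the surviving rows. The `/telemetry.request` path on the removed HTTP entry is lost in the same way.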
@@ -219,7 +202,7 @@ The following methodology was used to derive the network endpoints: | **Area** | **Description** | **Protocol** | **Destination** | | --- | --- | --- | ---| -| Activity Feed Service |The following endpoints are used by Activity Feed Service, which enables multiple cross-device data roaming scenarios on Windows|TLSv1.2/HTTPS/HTTP|activity.windows.com| +| Activity Feed Service |The following endpoints are used by Activity Feed Service which enables multiple cross-device data roaming scenarios on Windows|TLSv1.2/HTTPS/HTTP|activity.windows.com| |Apps|The following endpoints are used for the Weather app.|TLSv1.2/HTTPS/HTTP|tile-service.weather.microsoft.com| ||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS/HTTP|evoke-windowsservices-tas.msedge.net| ||The following endpoint is used for OneNote Live Tile.|HTTPS/HTTP|cdn.onenote.net| @@ -230,14 +213,17 @@ The following methodology was used to derive the network endpoints: |||TLSv1.2|odinvzc.azureedge.net| |||TLSv1.2|b-ring.msedge.net| |Device metadata|The following endpoint is used to retrieve device metadata.|TLSv1.2/HTTP|dmd.metaservices.microsoft.com| -|Diagnostic data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.|TLSv1.2/HTTP|v10.events.data.microsoft.com| +|Diagnostic data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.|TLSv1.2/HTTP|v10.events.data.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|v20.events.data.microsoft.com| +|||TLSv1.2/HTTP|www.microsoft.com| ||The following endpoints are used by Windows Error Reporting.|TLSv1.2/HTTPS/HTTP|watson.telemetry.microsoft.com| |Font Streaming|The following endpoints are used to download fonts on demand.|TLSv1.2/HTTPS|fs.microsoft.com*| |Licensing|The following endpoint is used for online activation and some app licensing.|HTTPS/HTTP|*licensing.mp.microsoft.com| |Location|The following endpoints are used for location data.|TLSV1.2|inference.location.live.net| |Maps|The following endpoints are used to check for updates to maps that have been downloaded for offline use.|HTTPS/HTTP|maps.windows.com| |Microsoft Account|The following endpoints are used for Microsoft accounts to sign in|TLSv1.2/HTTPS/HTTP|*login.live.com| -|Microsoft Edge|The following endpoint is used by Microsoft Edge Update service to check for new updates.
This encapsulates all network traffic that supports edge. Edge cannot contact the outside world and thus ceases to function other than as a local PDF viewer.|HTTPS/HTTP|msedge.api.cdp.microsoft.com| +|Microsoft Edge|The following endpoint is used by Microsoft Edge Update service to check for new updates.|HTTPS/HTTP|msedge.api.cdp.microsoft.com| +|Microsoft forward link redirection|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer|TLSv1.2/HTTPS/HTTP|go.microsoft.com| |Microsoft Store|The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps)|TLSv1.2/HTTPS/HTTP|img-prod-cms-rt-microsoft-com.akamaized.net| ||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way.|TLSv1.2/HTTPS|*.wns.windows.com| ||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com| @@ -258,18 +244,6 @@ The following methodology was used to derive the network endpoints: |Skype|The following endpoint is used to retrieve Skype configuration values.|TLSv1.2/HTTPS/HTTP|*.pipe.aria.microsoft.com| |||TLSv1.2/HTTPS/HTTP|config.edge.skype.com| |Teams|The following endpoint is used for Microsoft Teams application.|TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com| -| Teams Chat integration with Windows  | The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. | | | -| | | HTTP | www.microsoft.com 
*.watson.telemetry.microsoft.com/telemetry.request  | -| | | TLSv1.2/HTTPS | *.v10.events.data.microsoft.com 
*.telecommand.telemetry.microsoft.com 
*.co4.telecommand.telemetry.microsoft.com 
*.watson.telemetry.microsoft.com | -| Widgets | | | How to turn off  | -| | MSN news feed | The windows feeds endpoint on msn.com is used to download news headlines to the dashboard. | Sign out of dashboard | -| | Calendar | The calendar endpoint is used to download content for the widget. | Unpin widget from dashboard through context menu to turn off locally. Disable the connection point below to turn off for an organization. | -| | ToDo | The ToDo endpoint is used to download content for the widget. | Unpin widget from dashboard through context menu to turn off locally. Disable the connection point below to turn off for an organization. | -| | Microsoft 365 recommendations | The Microsoft 365 recommendations endpoint is used to download content for the widget.| Unpin widget from dashboard through context menu to turn off locally. Disable the connection point below to turn off for an organization. | -| | Photos | The photos endpoint is used to download content for the widget. | Unpin widget from dashboard through context menu to turn off locally. Disable the connection point below to turn off for an organization. | -| | Family | The family endpoint is used to download content for the widget. | Unpin widget from dashboard through context menu to turn off locally. Disable the connection point below to turn off for an organization. | -| | Finance, Sports, Weather, Traffic, eSports | The WebXT endpoint is used to download content for all WebXT widgets. | Unpin widget from dashboard through context menu to turn off locally. Disable the connection point below to turn off for an organization. | -| | | TLSv1.2/HTTPS/HTTP | https://www.msn.com/pcs/api/widget/newsplus/widget | |Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled|TLSv1.2/HTTPS|wdcp.microsoft.com| ||||wdcpalt.microsoft.com| |||HTTPS/HTTP|*.smartscreen-prod.microsoft.com| 
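Review bot: The Widgets rows deleted at the end of this hunk did not fit the four-column header (Area, Description, Protocol, Destination): "How to turn off" sat in the Destination column and the widget names in Description. Deleting the whole block also removes the `https://www.msn.com/pcs/api/widget/newsplus/widget` destination and the only guidance on disabling widgets, locally or for an organization. If the layout is the reason for the removal, keep one Widgets row with the protocol and destination in their proper columns, and move the per-widget "how to turn off" text into a separate table or a paragraph below this one.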
diff --git a/windows/privacy/windows-endpoints-21H1-non-enterprise-editions.md b/windows/privacy/windows-endpoints-21H1-non-enterprise-editions.md index 887239462e..f40e2ae5f5 100644 --- a/windows/privacy/windows-endpoints-21H1-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-21H1-non-enterprise-editions.md @@ -28,12 +28,12 @@ The following methodology was used to derive the network endpoints: 1. Set up the latest version of Windows 10 on a test virtual machine using the default settings. 2. Leave the device(s) running idle for a week ("idle" means a user is not interacting with the system/device). -3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. +3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. 4. Compile reports on traffic going to public IP addresses. 5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory. -6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here. -7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different. -8. These tests were conducted for one week. If you capture traffic for longer, you may have different results. +6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here. +7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different. +8. These tests were conducted for one week. If you capture traffic for longer you may have different results. > [!NOTE] > Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. 
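Review bot: In the methodology list, items 3, 6 and 7 read identically on their `-` and `+` lines, so those changes appear to be whitespace-only, and item 8 loses the comma after "longer" ("If you capture traffic for longer you may have different results"). Drop the whitespace-only lines from the patch or mention the whitespace cleanup in the commit message, and restore the comma in item 8. Since item 6 is already being rewritten, "a IPV4 network" can be corrected to "an IPv4 network" (and "IPV6" to "IPv6") in the same change.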
@@ -42,7 +42,7 @@ The following methodology was used to derive the network endpoints: | **Area** | **Description** | **Protocol** | **Destination** | |-----------|--------------- |------------- |-----------------| -| Activity Feed Service |The following endpoints are used by Activity Feed Service, which enables multiple cross-device data roaming scenarios on Windows|TLSv1.2/HTTPS/HTTP|activity.windows.com| +| Activity Feed Service |The following endpoints are used by Activity Feed Service which enables multiple cross-device data roaming scenarios on Windows|TLSv1.2/HTTPS/HTTP|activity.windows.com| |Apps|The following endpoints are used for the Weather app.|TLSv1.2/HTTPS/HTTP|tile-service.weather.microsoft.com| ||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS/HTTP|evoke-windowsservices-tas.msedge.net| ||The following endpoint is used for OneNote Live Tile.|HTTPS/HTTP|cdn.onenote.net| @@ -55,7 +55,9 @@ The following methodology was used to derive the network endpoints: |Device authentication|The following endpoint is used to authenticate a device.|HTTPS|login.live.com*| |Device Directory Service|Used by Device Directory Service to keep track of user-device associations and storing metadata about the devices.|HTTPS/HTTP|cs.dds.microsoft.com| |Device metadata|The following endpoint is used to retrieve device metadata.|TLSv1.2/HTTP|dmd.metaservices.microsoft.com| -|Diagnostic data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.|TLSv1.2/HTTP|v10.events.data.microsoft.com| +|Diagnostic data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.|TLSv1.2/HTTP|v10.events.data.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|v20.events.data.microsoft.com| +|||TLSv1.2/HTTP|www.microsoft.com| ||The following endpoints are used by Windows Error Reporting.|TLSv1.2/HTTPS/HTTP|watson.telemetry.microsoft.com| |Font Streaming|The following endpoints are used to download fonts on demand.|TLSv1.2/HTTPS|fs.microsoft.com*| |Licensing|The following endpoint is used for online activation and some app licensing.|HTTPS/HTTP|*licensing.mp.microsoft.com| @@ -131,7 +133,7 @@ The following methodology was used to derive the network endpoints: | **Area** | **Description** | **Protocol** | **Destination** | | --- | --- | --- | ---| -| Activity Feed Service |The following endpoints are used by Activity Feed Service, which enables multiple cross-device data roaming scenarios on Windows|TLSv1.2/HTTPS/HTTP|activity.windows.com| +| Activity Feed Service |The following endpoints are used by Activity Feed Service which enables multiple cross-device data roaming scenarios on Windows|TLSv1.2/HTTPS/HTTP|activity.windows.com| |Apps|The following endpoints are used for the Weather app.|TLSv1.2/HTTPS/HTTP|tile-service.weather.microsoft.com| ||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS/HTTP|evoke-windowsservices-tas.msedge.net| ||The following endpoint is used for OneNote Live Tile.|HTTPS/HTTP|cdn.onenote.net| 
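Review bot: The changed Activity Feed Service row removes the comma before "which enables", but the clause is non-restrictive (it describes the service, it does not select one of several), so the original punctuation was correct. Keep "Activity Feed Service, which enables multiple cross-device data roaming scenarios on Windows" here and in the other Activity Feed hunks of this patch that make the same edit. The row also says "endpoints" while listing the single destination `activity.windows.com`, which could be fixed in the same pass.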
@@ -140,7 +142,9 @@ The following methodology was used to derive the network endpoints: |Cortana and Live Tiles|The following endpoints are related to Cortana and Live Tiles|TLSv1.2/HTTPS/HTTP|www.bing.com*| |Device authentication|The following endpoint is used to authenticate a device.|HTTPS|login.live.com*| |Device metadata|The following endpoint is used to retrieve device metadata.|TLSv1.2/HTTP|dmd.metaservices.microsoft.com| -|Diagnostic data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.|TLSv1.2/HTTP|v10.events.data.microsoft.com| +|Diagnostic data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.|TLSv1.2/HTTP|v10.events.data.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|v20.events.data.microsoft.com| +|||TLSv1.2/HTTP|www.microsoft.com| ||The following endpoints are used by Windows Error Reporting.|TLSv1.2/HTTPS/HTTP|watson.telemetry.microsoft.com| |Font Streaming|The following endpoints are used to download fonts on demand.|TLSv1.2/HTTPS|fs.microsoft.com*| |Licensing|The following endpoint is used for online activation and some app licensing.|HTTPS/HTTP|*licensing.mp.microsoft.com| @@ -200,7 +204,7 @@ The following methodology was used to derive the network endpoints: | **Area** | **Description** | **Protocol** | **Destination** | | --- | --- | --- | ---| -| Activity Feed Service |The following endpoints are used by Activity Feed Service, which enables multiple cross-device data roaming scenarios on Windows|TLSv1.2/HTTPS/HTTP|activity.windows.com| +| Activity Feed Service |The following endpoints are used by Activity Feed Service which enables multiple cross-device data roaming scenarios on Windows|TLSv1.2/HTTPS/HTTP|activity.windows.com| |Apps|The following endpoints are used for the Weather app.|TLSv1.2/HTTPS/HTTP|tile-service.weather.microsoft.com| ||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS/HTTP|evoke-windowsservices-tas.msedge.net| ||The following endpoint is used for OneNote Live Tile.|HTTPS/HTTP|cdn.onenote.net| 
@@ -211,7 +215,9 @@ The following methodology was used to derive the network endpoints: |||TLSv1.2|odinvzc.azureedge.net| |||TLSv1.2|b-ring.msedge.net| |Device metadata|The following endpoint is used to retrieve device metadata.|TLSv1.2/HTTP|dmd.metaservices.microsoft.com| -|Diagnostic data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.|TLSv1.2/HTTP|v10.events.data.microsoft.com| +|Diagnostic data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.|TLSv1.2/HTTP|v10.events.data.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|v20.events.data.microsoft.com| +|||TLSv1.2/HTTP|www.microsoft.com| ||The following endpoints are used by Windows Error Reporting.|TLSv1.2/HTTPS/HTTP|watson.telemetry.microsoft.com| |Font Streaming|The following endpoints are used to download fonts on demand.|TLSv1.2/HTTPS|fs.microsoft.com*| |Licensing|The following endpoint is used for online activation and some app licensing.|HTTPS/HTTP|*licensing.mp.microsoft.com| From 1e95a995d40e1b49996c1698e423ec653f120707 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Fri, 1 Oct 2021 16:39:21 +0100 Subject: [PATCH 07/11] bookmark updates --- .../basic-level-windows-diagnostic-events-and-fields-1809.md | 4 ++-- .../configure-windows-diagnostic-data-in-your-organization.md | 2 -- windows/privacy/windows-10-and-privacy-compliance.md | 2 +- 3 files changed, 3 insertions(+), 5 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index c439934182..e45351e107 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md 
@@ -5202,7 +5202,7 @@ The following fields are available: - **FirmwareResetReasonPch** Reason for system reset provided by firmware. - **FirmwareResetReasonPchAdditional** Additional information on system reset reason provided by firmware if needed. - **FirmwareResetReasonSupplied** Flag indicating that a reason for system reset was provided by firmware. -- **IO** Amount of data written to and read from the disk by the OS Loader during boot. See [IO](#io). +- **IO** Amount of data written to and read from the disk by the OS Loader during boot. - **LastBootSucceeded** Flag indicating whether the last boot was successful. - **LastShutdownSucceeded** Flag indicating whether the last shutdown was successful. - **MaxAbove4GbFreeRange** This field describes the largest memory range available above 4Gb. @@ -7862,7 +7862,7 @@ The following fields are available: - **DPRange** Maximum mean value range. - **DPValue** Randomized bit value (0 or 1) that can be reconstituted over a large population to estimate the mean. -- **Value** Standard UTC emitted DP value structure. See [Value](#value). +- **Value** Standard UTC emitted DP value structure. ## Windows Store events diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md index 9f13070d00..a1e4e10922 100644 --- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md +++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md 
@@ -327,5 +327,3 @@ For more information about how to limit the diagnostic data to the minimum requi ## Change privacy settings on a single server You can also change the privacy settings on a server running either the Azure Stack HCI operating system or Windows Server. For more information, see [Change privacy settings on individual servers](/azure-stack/hci/manage/change-privacy-settings). - -To manage privacy settings in your enterprise as a whole, see [Manage enterprise diagnostic data](#manage-enterprise-diagnostic-data). \ No newline at end of file diff --git a/windows/privacy/windows-10-and-privacy-compliance.md b/windows/privacy/windows-10-and-privacy-compliance.md index 834b448116..bf24ccb668 100644 --- a/windows/privacy/windows-10-and-privacy-compliance.md +++ b/windows/privacy/windows-10-and-privacy-compliance.md @@ -87,7 +87,7 @@ The following table provides an overview of the privacy settings discussed earli | [Speech](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-speech) | Group Policy:
**Computer Configuration** > **Control Panel** > **Regional and Language Options** > **Allow users to enable online speech recognition services**

MDM: [Privacy/AllowInputPersonalization](/windows/client-management/mdm/policy-csp-privacy#privacy-allowinputpersonalization) | Off | Off | | [Location](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location) | Group Policy:
**Computer Configuration** > **Windows Components** > **App Privacy** > **Let Windows apps access location**

MDM: [Privacy/LetAppsAccessLocation](/windows/client-management/mdm/policy-csp-privacy#privacy-allowinputpersonalization) | Off (Windows 10, version 1903 and later and Windows 11) | Off | | [Find my device](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#find-my-device) | Group Policy:
**Computer Configuration** > **Windows Components** > **Find My Device** > **Turn On/Off Find My Device**

MDM: [Experience/AllFindMyDevice](/windows/client-management/mdm/policy-csp-experience#experience-allowfindmydevice) | Off | Off | -| [Diagnostic Data](configure-windows-diagnostic-data-in-your-organization.md#manage-enterprise-diagnostic-data) | Group Policy:
**Computer Configuration** > **Windows Components** > **Data Collection and Preview Builds** > **Allow Telemetry** (or **Allow diagnostic data** in Windows 11 or Windows Server 2022)

MDM: [System/AllowTelemetry](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry)

**Note**: If you are planning to configure devices, using the Windows diagnostic data processor configuration option, the state to minimize data collection is not recommended. See [Enabling the Windows diagnostic data processor configuration](#238-diagnostic-data-enabling-the-windows-diagnostic-data-processor-configuration) below for more information. | Required diagnostic data (Windows 10, version 1903 and later and Windows 11)

Server editions:
Enhanced diagnostic data | Security (Off) and block endpoints | +| [Diagnostic Data](configure-windows-diagnostic-data-in-your-organization.md) | Group Policy:
**Computer Configuration** > **Windows Components** > **Data Collection and Preview Builds** > **Allow Telemetry** (or **Allow diagnostic data** in Windows 11 or Windows Server 2022)

MDM: [System/AllowTelemetry](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry)

**Note**: If you are planning to configure devices, using the Windows diagnostic data processor configuration option, the state to minimize data collection is not recommended. See [Enabling the Windows diagnostic data processor configuration](#238-diagnostic-data-enabling-the-windows-diagnostic-data-processor-configuration) below for more information. | Required diagnostic data (Windows 10, version 1903 and later and Windows 11)

Server editions:
Enhanced diagnostic data | Security (Off) and block endpoints | | [Inking and typing diagnostics](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-ink) | Group Policy:
**Computer Configuration** > **Windows Components** > **Text Input** > **Improve inking and typing recognition**

MDM: [TextInput/AllowLinguisticDataCollection](/windows/client-management/mdm/policy-csp-textinput#textinput-allowlinguisticdatacollection) | Off (Windows 10, version 1809 and later and Windows 11) | Off | | Tailored Experiences | Group Policy:
**User Configuration** > **Windows Components** > **Cloud Content** > **Do not use diagnostic data for tailored experiences**

MDM: [Experience/AllowTailoredExperiencesWithDiagnosticData](/windows/client-management/mdm/policy-csp-experience#experience-allowtailoredexperienceswithdiagnosticdata) | Off | Off | | Advertising ID | Group Policy:
**Computer Configuration** > **System** > **User Profile** > **Turn off the advertising Id**

MDM: [Privacy/DisableAdvertisingId](/windows/client-management/mdm/policy-csp-privacy#privacy-disableadvertisingid) | Off | Off | From dade399ad7ff73b27c17da5b381a197e333b6383 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Fri, 1 Oct 2021 15:52:17 -0700 Subject: [PATCH 08/11] adding link to YouTube video --- windows/security/operating-system.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index 66115fef04..9ece307eb3 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -17,8 +17,13 @@ ms.date: 09/21/2021 # Windows operating system security -Security and privacy depend on an operating system that guards your system and information from the moment it starts up, providing fundamental chip-to-cloud protection. Windows 11 is the most secure Windows yet with extensive security measures designed to help keep you safe. These measures include built-in advanced encryption and data protection, robust network and system security, and intelligent safeguards against ever-evolving threats. +Security and privacy depend on an operating system that guards your system and information from the moment it starts up, providing fundamental chip-to-cloud protection. Windows 11 is the most secure Windows yet with extensive security measures designed to help keep you safe. These measures include built-in advanced encryption and data protection, robust network and system security, and intelligent safeguards against ever-evolving threats. +Watch the latest Microsoft Mechanics video that shows off some of the latest Windows 11 security technology + +> [!VIDEO https://www.youtube.com/watch?v=2RTwGNyhSy8] + +

Use the links in the following table to learn more about the operating system security features and capabilities in Windows 11.

| Security Measures | Features & Capabilities | From b034f0899fca15ed13a542afefb0abe80a90dda9 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Fri, 1 Oct 2021 15:53:48 -0700 Subject: [PATCH 09/11] adding vid --- windows/security/operating-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index 9ece307eb3..2326c4694b 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -19,7 +19,7 @@ ms.date: 09/21/2021 Security and privacy depend on an operating system that guards your system and information from the moment it starts up, providing fundamental chip-to-cloud protection. Windows 11 is the most secure Windows yet with extensive security measures designed to help keep you safe. These measures include built-in advanced encryption and data protection, robust network and system security, and intelligent safeguards against ever-evolving threats. -Watch the latest Microsoft Mechanics video that shows off some of the latest Windows 11 security technology +Watch the latest [Microsoft Mechanics](https://www.youtube.com/channel/UCJ9905MRHxwLZ2jeNQGIWxA) video that shows off some of the latest Windows 11 security technology. > [!VIDEO https://www.youtube.com/watch?v=2RTwGNyhSy8] From deb75ad608360bf5036507e967a2525b08242293 Mon Sep 17 00:00:00 2001 From: Chris Chisholm Date: Mon, 4 Oct 2021 09:52:33 -0600 Subject: [PATCH 10/11] Update windows-11-prepare.md Fixed Spelling Error. --- windows/whats-new/windows-11-prepare.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/windows-11-prepare.md b/windows/whats-new/windows-11-prepare.md index e74e8d2e46..401e92c65f 100644 --- a/windows/whats-new/windows-11-prepare.md +++ b/windows/whats-new/windows-11-prepare.md 
@@ -54,7 +54,7 @@ The tools that you use for core workloads during Windows 10 deployments can stil - If you use Microsoft Intune and have a Microsoft 365 E3 license, you will be able to use [feature update deployments](/mem/intune/protect/windows-10-feature-updates) to easily update devices from one release of Windows 10 to another, or to upgrade Windows 10 devices to Windows 11. You can also continue using the same update experience controls to manage Windows 10 and Windows 11. If you aren’t ready to move to Windows 11, keep the feature update version set at the version you are currently on. When you are ready to start upgrading devices, change the feature update deployment setting to specify Windows 11. > [!NOTE] - > Endpoints managed by Windows Update for Business will not automatically upgrade to Windows 11 unless an administrator explicllty configures a **Target Version** using the [TargetReleaseVersion](/windows/client-management/mdm/policy-csp-update#update-targetreleaseversion) setting using a Windows CSP, a [feature update profile](/mem/intune/protect/windows-10-feature-updates) in Intune, or the [Select target Feature Update version setting](/windows/deployment/update/waas-wufb-group-policy#i-want-to-stay-on-a-specific-version) in a group policy. + > Endpoints managed by Windows Update for Business will not automatically upgrade to Windows 11 unless an administrator explicitly configures a **Target Version** using the [TargetReleaseVersion](/windows/client-management/mdm/policy-csp-update#update-targetreleaseversion) setting using a Windows CSP, a [feature update profile](/mem/intune/protect/windows-10-feature-updates) in Intune, or the [Select target Feature Update version setting](/windows/deployment/update/waas-wufb-group-policy#i-want-to-stay-on-a-specific-version) in a group policy. ## Cloud-based management From 62d44db5ce2dc90fe6f7018d6ede2f91054192d2 Mon Sep 17 00:00:00 2001 
From: Daniel Simpson Date: Mon, 4 Oct 2021 10:45:44 -0700 Subject: [PATCH 11/11] rm duplicate secuirty baseline topic --- .openpublishing.redirection.json | 5 ++ .../windows-security-baselines.md | 83 ------------------- 2 files changed, 5 insertions(+), 83 deletions(-) delete mode 100644 windows/security/threat-protection/windows-security-baselines.md diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index dd83d22d48..b3343909d2 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -19015,6 +19015,11 @@ "redirect_url": "/windows/deployment/waas-manage-updates-wufb", "redirect_document_id": false }, + { + "source_path": "windows/security/threat-protection/windows-security-baselines.md", + "redirect_url": "/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines", + "redirect_document_id": false + }, { "source_path": "windows/deployment/update/change-history-for-update-windows-10.md", "redirect_url": "/windows/deployment/deploy-whats-new", diff --git a/windows/security/threat-protection/windows-security-baselines.md b/windows/security/threat-protection/windows-security-baselines.md deleted file mode 100644 index 8e719f1364..0000000000 --- a/windows/security/threat-protection/windows-security-baselines.md +++ /dev/null 
@@ -1,83 +0,0 @@ ---- -title: Windows security baselines -description: Learn how to use Windows security baselines in your organization. Specific to Windows 10, Windows Server, and Microsoft 365 Apps for enterprise. -keywords: virtualization, security, malware -ms.prod: m365-security -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.author: dansimp -author: dulcemontemayor -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual -ms.date: 06/25/2018 -ms.reviewer: -ms.technology: mde ---- - -# Windows security baselines - -**Applies to** - -- Windows 10 -- Windows Server -- Microsoft 365 Apps for enterprise -- Microsoft Edge - -## Using security baselines in your organization - -Microsoft is dedicated to providing its customers with secure operating systems, such as Windows 10 and Windows Server, and secure apps, such as Microsoft Edge. In addition to the security assurance of its products, Microsoft also enables you to have fine control over your environments by providing various configuration capabilities. - -Even though Windows and Windows Server are designed to be secure out-of-the-box, many organizations still want more granular control over their security configurations. To navigate the large number of controls, organizations need guidance on configuring various security features. Microsoft provides this guidance in the form of security baselines. - -We recommend that you implement an industry-standard configuration that is broadly known and well-tested, such as Microsoft security baselines, as opposed to creating a baseline yourself. This helps increase flexibility and reduce costs. - -Here is a good blog about [Sticking with Well-Known and Proven Solutions](/archive/blogs/fdcc/sticking-with-well-known-and-proven-solutions). - -## What are security baselines? - -Every organization faces security threats. 
However, the types of security threats that are of most concern to one organization can be completely different from another organization. For example, an e-commerce company may focus on protecting its Internet-facing web apps, while a hospital may focus on protecting confidential patient information. The one thing that all organizations have in common is a need to keep their apps and devices secure. These devices must be compliant with the security standards (or security baselines) defined by the organization. - -A security baseline is a group of Microsoft-recommended configuration settings that explains their security impact. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers. - -## Why are security baselines needed? - -Security baselines are an essential benefit to customers because they bring together expert knowledge from Microsoft, partners, and customers. - -For example, there are over 3,000 Group Policy settings for Windows 10, which does not include over 1,800 Internet Explorer 11 settings. Of these 4,800 settings, only some are security-related. Although Microsoft provides extensive guidance on different security features, exploring each one can take a long time. You would have to determine the security impact of each setting on your own. Then, you would still need to determine the appropriate value for each setting. - -In modern organizations, the security threat landscape is constantly evolving, and IT pros and policy-makers must keep up with security threats and make required changes to Windows security settings to help mitigate these threats. To enable faster deployments and make managing Windows easier, Microsoft provides customers with security baselines that are available in consumable formats, such as Group Policy Objects Backups. - -## How can you use security baselines? 
- -You can use security baselines to: -- Ensure that user and device configuration settings are compliant with the baseline. -- Set configuration settings. For example, you can use Group Policy, Microsoft Endpoint Configuration Manager, or Microsoft Intune to configure a device with the setting values specified in the baseline. - -## Where can I get the security baselines? - -You can download the security baselines from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=55319). This download page is for the Security Compliance Toolkit (SCT), which comprises tools that can assist admins in managing baselines in addition to the security baselines. - -The security baselines are included in the [Security Compliance Toolkit (SCT)](security-compliance-toolkit-10.md), which can be downloaded from the Microsoft Download Center. The SCT also includes tools to help admins manage the security baselines. - -[![Security Compliance Toolkit.](images/security-compliance-toolkit-1.png)](security-compliance-toolkit-10.md) -[![Get Support.](images/get-support.png)](get-support-for-security-baselines.md) - -## Community - -[![Microsoft Security Guidance Blog.](images/community.png)](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bd-p/Security-Baselines) - -## Related Videos - -You may also be interested in this msdn channel 9 video: -- [Defrag Tools](https://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-174-Security-Baseline-Policy-Analyzer-and-LGPO) - -## See Also - -- [Microsoft Endpoint Configuration Manager](https://www.microsoft.com/cloud-platform/system-center-configuration-manager) -- [Operations Management Suite](https://www.microsoft.com/cloud-platform/operations-management-suite) -- [Configuration Management for Nano Server](/archive/blogs/grouppolicy/configuration-management-on-servers/) -- [Microsoft Security Guidance 
Blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bg-p/Microsoft-Security-Baselines) -- [Microsoft Security Compliance Toolkit Download](https://www.microsoft.com/download/details.aspx?id=55319) -- [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=55319) \ No newline at end of file
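Review bot: In the two hunks at -5202 and -7862 (the event field lists), dropping `See [IO](#io).` and `See [Value](#value).` removes the dangling anchors but leaves **Value** described only as a "DP value structure", with nothing that says what the structure contains. If the member fields are documented anywhere, retarget the link there rather than deleting it. Anyone auditing what this telemetry carries needs that detail.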
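Review bot: In configure-windows-diagnostic-data-in-your-organization.md (hunk at -327), the closing sentence pointing to `#manage-enterprise-diagnostic-data` is deleted outright rather than retargeted, so the "single server" section no longer points the reader at enterprise-wide guidance. If that guidance now lives under a different heading or on another page, keep the sentence and update the link. If it is gone, the deletion is fine as is.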
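Review bot: In windows-10-and-privacy-compliance.md (hunk at -87), the rewritten Diagnostic Data row still carries the in-page anchor `#238-diagnostic-data-enabling-the-windows-diagnostic-data-processor-configuration`. Since this commit is cleaning up anchors that no longer resolve, confirm this one matches a current heading. Two items in the unchanged context rows are worth fixing in the same pass: the Location row labels its MDM link `Privacy/LetAppsAccessLocation` but targets `#privacy-allowinputpersonalization`, and the Find my device row labels its link `Experience/AllFindMyDevice` while the anchor is `experience-allowfindmydevice`.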
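Review bot: In PATCH 08/11 (windows/security/operating-system.md), the added `> [!VIDEO https://www.youtube.com/watch?v=2RTwGNyhSy8]` line uses the watch-page URL. The video extension places the URL in an iframe, and the `/embed/<id>` form is the one normally used for that, so check the build preview to confirm the player renders. Also, the first removed/added pair in this hunk appears to differ only in whitespace, which adds noise to the diff, and the new "Watch the latest Microsoft Mechanics video ..." sentence has no terminal period in this commit.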
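Review bot: In PATCH 09/11 (windows/security/operating-system.md), the revised sentence still reads "the latest ... video that shows off some of the latest Windows 11 security technology", with "latest" used twice. Drop one of them, for example "Watch this Microsoft Mechanics video on the latest Windows 11 security technology." The channel link is fine, though linking the text "Microsoft Mechanics" to an opaque channel ID gives readers no hint that it leaves the docs site.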
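Review bot: In PATCH 10/11 (windows/whats-new/windows-11-prepare.md), the note that receives the spelling fix still says "configures a **Target Version** using the [TargetReleaseVersion] setting using a Windows CSP", with "using" twice in a row. Since the line is being touched anyway, reword it to something like "by setting [TargetReleaseVersion] through a Windows CSP" so the three configuration routes read as a parallel list.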
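Review bot: In PATCH 11/11, the diffstat shows only two files changed (`.openpublishing.redirection.json` and the deleted `windows-security-baselines.md`), so any TOC entry or relative link elsewhere that still points at `windows/security/threat-protection/windows-security-baselines.md` is not updated here and will resolve only through the new redirect. Search for inbound references and update them to the `windows-security-configuration-framework/` path. Also check that the images referenced only by the deleted page (`images/security-compliance-toolkit-1.png`, `images/get-support.png`, `images/community.png`) are not left orphaned.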