deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'master' into dansimp-new-gummi-bear

Browse Source
This commit is contained in:
Thomas Raya 2021-10-04 12:38:47 -07:00 committed by GitHub
commit 91a5b22e66
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
81 changed files with 11956 additions and 1608 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
.openpublishing.redirection.json
View File

@ -1,5 +1,10 @@
{
"redirections": [
{
"source_path": "windows/whats-new/windows-11.md",
"redirect_url": "/windows/whats-new/windows-11-whats-new",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/use-json-customize-start-menu-windows.md",
"redirect_url": "/windows/configuration/customize-start-menu-layout-windows-11",
@ -18960,6 +18965,11 @@
"redirect_url": "/windows/security/",
"redirect_document_id": false
},
{
"source_path": "windows/deploy-windows-cm/upgrade-to-windows-with-configuraton-manager.md",
"redirect_url": "/windows/deploy-windows-cm/upgrade-to-windows-with-configuration-manager",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/update/waas-deployment-rings-windows-10-updates.md",
"redirect_url": "/windows/deployment/update/waas-servicing-strategy-windows-10-updates",

4
windows/application-management/manage-windows-mixed-reality.md
View File

@ -33,6 +33,7 @@ Organizations that use Windows Server Update Services (WSUS) must take action to
1. Download the FOD .cab file:
- [Windows 11, version 21H2](https://software-download.microsoft.com/download/sg/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd_64~~.cab)
- [Windows 10, version 2004](https://software-download.microsoft.com/download/pr/6cf73b63/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab)
- [Windows 10, version 1903 and 1909](https://software-download.microsoft.com/download/pr/Microsoft-Windows-Holographic-Desktop-FOD-Package-31bf3856ad364e35-amd64.cab)
- [Windows 10, version 1809](https://software-download.microsoft.com/download/pr/microsoft-windows-holographic-desktop-fod-package31bf3856ad364e35amd64_1.cab)
@ -49,7 +50,8 @@ Organizations that use Windows Server Update Services (WSUS) must take action to
```
> [!NOTE]
> You must rename the FOD .CAB file to : **Microsoft-Windows-Holographic-Desktop-FOD-Package\~31bf3856ad364e35\~amd64\~\~.cab**
> * On Windows 10, you must rename the FOD .CAB file to : **Microsoft-Windows-Holographic-Desktop-FOD-Package\~31bf3856ad364e35\~amd64\~\~.cab**
> * On Windows 11, you must rename the FOD .CAB file to: **Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e45~amd_64~~.cab**
1. In **Settings** > **Update & Security** > **Windows Update**, select **Check for updates**.

64
windows/client-management/mdm/enterprise-app-management.md
View File

@ -8,8 +8,8 @@ ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.date: 09/22/2017
author: dansimp
ms.date: 10/04/2021
---
# Enterprise app management
@ -49,9 +49,9 @@ Inventory can be performed recursively at any level from the AppManagement node
Inventory is specific to the package full name and lists bundled packs and resources packs as applicable under the package family name.
> **Note**  On Windows 10 Mobile, XAP packages have the product ID in place of both the package family name and package full name.
> [!NOTE]
> On Windows 10 Mobile, XAP packages have the product ID in place of both the package family name and package full name.
Here are the nodes for each package full name:
- Name
@ -116,8 +116,8 @@ Here are the nodes for each license ID:
For detailed descriptions of each node, see [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md).
> **Note**  The LicenseID in the CSP is the content ID for the license.
> [!NOTE]
> The LicenseID in the CSP is the content ID for the license.
Here is an example of a query for all app licenses on a device.
@ -308,9 +308,9 @@ Here are the requirements for this scenario:
- The device does not need to have connectivity to the Microsoft Store, store services, or the have the Microsoft Store UI be enabled.
- The user must be logged in, but association with AAD identity is not required.
> **Note**  You must unlock the device to deploy nonStore apps or you must deploy the app license before deploying the offline apps. For details, see [Deploy an offline license to a user](#deploy-an-offline-license-to-a-user).
> [!NOTE]
> You must unlock the device to deploy nonStore apps or you must deploy the app license before deploying the offline apps. For details, see [Deploy an offline license to a user](#deploy-an-offline-license-to-a-user).
The Add command for the package family name is required to ensure proper removal of the app at unenrollment.
Here is an example of a line-of-business app installation.
@ -429,14 +429,13 @@ Here are the requirements for this scenario:
To provision app for all users of a device from a hosted location, the management server performs an Add and Exec command on the AppInstallation node in the device context. The Add command for the package family name is required to ensure proper removal of the app at unenrollment.
> **Note**  When you remove the provisioned app, it will not remove it from the users that already installed the app.
> [!NOTE]
> When you remove the provisioned app, it will not remove it from the users that already installed the app.
Here is an example of app installation.
> **Note**  This is only supported in Windows 10 for desktop editions.
> [!NOTE]
> This is only supported in Windows 10 for desktop editions.
```xml
<!-- Add PackageFamilyName -->
@ -472,8 +471,8 @@ The DeploymentOptions parameter is only available in the user context.
Here is an example of app installation with dependencies.
> **Note**  This is only supported in Windows 10 for desktop editions.
> [!NOTE]
> This is only supported in Windows 10 for desktop editions.
```xml
<!-- Add PackageFamilyName -->
@ -513,9 +512,9 @@ When an app installation is completed, a Windows notification is sent. You can a
- Status - indicates the status of app installation.
- NOT\_INSTALLED (0) - The node was added, but the execution was not completed.
- INSTALLING (1) - Execution has started, but the deployment has not completed. If the deployment completes regardless of suceess this value is updated.
- INSTALLING (1) - Execution has started, but the deployment has not completed. If the deployment completes regardless of success this value is updated.
- FAILED (2) - Installation failed. The details of the error can be found under LastError and LastErrorDescription.
- INSTALLED (3) - Once an install is successful this node is cleaned up, however in the event the clean up actio has not completed, this state may briefly appear.
- INSTALLED (3) - Once an install is successful this node is cleaned up, however in the event the clean up action has not completed, this state may briefly appear.
- LastError - This is the last error reported by the app deployment server.
- LastErrorDescription - Describes the last error reported by the app deployment server.
- Status - This is an integer that indicates the progress of the app installation. In cases of an https location, this shows the estimated download progress.
@ -577,9 +576,10 @@ Here is an example of an alert.
For user-based installation, use the ./User path and for provisioning of apps, use the ./Device path.
The Data field value of 0 (zero) indicates sucess, otherwise it is an error code. If there is a failure, you can get more details from the AppInstallation node.
The Data field value of 0 (zero) indicates success, otherwise it is an error code. If there is a failure, you can get more details from the AppInstallation node.
> **Note**  At this time, the alert for Store app installation is not yet available.
> [!NOTE]
> At this time, the alert for Store app installation is not yet available.
## Uninstall your apps
@ -590,7 +590,7 @@ You can uninstall apps from users from Windows 10 devices. To uninstall an app,
- nonStore - These apps that were not acquired from the Microsoft Store.
- System - These apps are part of the OS. You cannot uninstall these apps.
To uninstall an app, you delete it under the origin node, package family name, and package full name. To uninstall a XAP, use the product ID in place of the package family nane and package full name.
To uninstall an app, you delete it under the origin node, package family name, and package full name. To uninstall a XAP, use the product ID in place of the package family name and package full name.
Here is an example for uninstalling all versions of an app for a user.
@ -624,7 +624,8 @@ Here is an example for uninstalling a specific version of the app for a user.
You can remove provisioned apps from a device for a specific version or for all versions of a package family. When a provisioned app is removed, it is not available to future users for the device. Logged in users who has the app registered to them will continue to have access to the app. If you want to removed the app for those users, you must explicitly uninstall the app for those users.
> **Note**  You can only remove an app that has an inventory value IsProvisioned = 1.
> [!NOTE]
> You can only remove an app that has an inventory value IsProvisioned = 1.
Removing provisioned app occurs in the device context.
@ -753,7 +754,6 @@ Here is an example of a status check.
Updating an existing app follows the same process as an initial installation. For more information, see [Deploy apps to a user from a hosted location](#deploy-apps-to-a-user-from-a-hosted-location).
### Update provisioned apps
A provisioned app automatically updates when an app update is sent to the user. You can also update a provisioned app using the same process as an initial provisioning. For more information about initial provisioning, see [Provision apps for all users of a device](#provision-apps-for-all-users-of-a-device).
@ -790,8 +790,8 @@ The following subsections provide information about additional settings configur
You can install app on non-system volumes, such as a secondary partition or removable media (USB or SD cards). Using the RestrictApptoSystemVolume policy, you can prevent apps from getting installed or moved to non-system volumes. For more information about this policy, see [Policy CSP](policy-configuration-service-provider.md).
> **Note**  This is only supported in mobile devices.
> [!NOTE]
> This is only supported in mobile devices.
Here is an example.
@ -825,8 +825,8 @@ Here is an example.
In Windows 10 Mobile IT administrators can set a policy to restrict user application data for a Microsoft Store app to the system volume, regardless of where the package is installed or moved.
> **Note**  The feature is only for Windows 10 Mobile.
> [!NOTE]
> The feature is only for Windows 10 Mobile.
The RestrictAppDataToSystemVolume policy in [Policy CSP](policy-configuration-service-provider.md) enables you to restrict all user application data to stay on the system volume. When the policy is not configured or if it is disabled, and you move a package or when it is installed to a difference volume, then the user application data will moved to the same volume. You can set this policy to 0 (off, default) or 1.
@ -862,8 +862,8 @@ Here is an example.
The Universal Windows app has the ability to share application data between the users of the device. The ability to share data can be set at a package family level or per device.
> **Note**  This is only applicable to multi-user devices.
> [!NOTE]
> This is only applicable to multi-user devices.
The AllowSharedUserAppData policy in [Policy CSP](policy-configuration-service-provider.md) enables or disables app packages to share data between app packages when there are multiple users. If you enable this policy, applications can share data between packages in their package family. Data can be shared through ShareLocal folder for that package family and local machine. This folder is available through the Windows.Storage API.
@ -898,11 +898,3 @@ Here is an example.
</Item>
</Replace>
```

32
windows/client-management/mdm/policy-csp-admx-dcom.md
View File

@ -13,8 +13,13 @@ manager: dansimp
---
# Policy CSP - ADMX_DCOM
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<hr/>
@ -93,12 +98,6 @@ If you do not configure this policy setting, DCOM will only look in the locally
> This policy setting applies to all sites in Trusted zones.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
@ -160,7 +159,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting allows you to view and change a list of DCOM server application IDs (appids), which are exempted from the DCOM Activation security check.
This policy setting allows you to view and change a list of DCOM server application IDs (app ids), which are exempted from the DCOM Activation security check.
DCOM uses two such lists, one configured via Group Policy through this policy setting, and the other via the actions of local computer administrators.
DCOM ignores the second list when this policy setting is configured, unless the "Allow local activation security check exemptions" policy is enabled.
DCOM server application IDs added to this policy must be listed in curly brace format.
@ -169,15 +168,15 @@ For example, `{b5dcb061-cefb-42e0-a1be-e6a6438133fe}`.
If you enter a non-existent or improperly formatted application ID DCOM will add it to the list without checking for errors.
- If you enable this policy setting, you can view and change the list of DCOM activation security check exemptions defined by Group Policy settings.
If you add an application ID to this list and set its value to 1, DCOM will not enforce the Activation security check for that DCOM server.
If you add an application ID to this list and set its value to 0 DCOM will always enforce the Activation security check for that DCOM server regardless of local
If you add an application ID to this list and set its value to one, DCOM will not enforce the Activation security check for that DCOM server.
If you add an application ID to this list and set its value to zero DCOM will always enforce the Activation security check for that DCOM server regardless of local
settings.
- If you disable this policy setting, the application ID exemption list defined by Group Policy is deleted, and the one defined by local computer administrators is used.
If you do not configure this policy setting, the application ID exemption list defined by local computer administrators is used. Notes: The DCOM Activation security check is done after a DCOM server process is started, but before an object activation request is dispatched to the server process.
This access check is done against the DCOM server's custom launch permission security descriptor if it exists, or otherwise against the configured defaults. If the DCOM server's custom launch permission contains explicit DENY entries this may mean that object activations that would have previously succeeded for such specified users, once the DCOM server process was up and running, might now fail instead.
The proper action in this situation is to reconfigure the DCOM server's custom launch permission settings for correct security settings, but this policy setting may be used in the short-term as an application compatibility deployment aid.
The proper action in this situation is to reconfigure the DCOM server's custom launch permission settings for correct security settings, but this policy setting may be used in the short term as an application compatibility deployment aid.
DCOM servers added to this exemption list are only exempted if their custom launch permissions do not contain specific LocalLaunch, RemoteLaunch, LocalActivate, or RemoteActivate grant or deny entries for any users or groups.
> [!NOTE]
@ -187,12 +186,6 @@ DCOM servers added to this exemption list are only exempted if their custom laun
> This policy setting applies to all sites in Trusted zones.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
@ -205,8 +198,5 @@ ADMX Info:
<!--/Policy-->
<hr/>
> [!NOTE]
> These policies are currently only available as part of a Windows Insider release.
<!--/Policies-->

20
windows/client-management/mdm/policy-csp-admx-devicecompat.md
View File

@ -13,8 +13,12 @@ manager: dansimp
---
# Policy CSP - ADMX_DeviceCompat
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<hr/>
@ -85,12 +89,6 @@ manager: dansimp
Changes behavior of Microsoft bus drivers to work with specific devices.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
@ -155,12 +153,6 @@ ADMX Info:
Changes behavior of third-party drivers to work around incompatibilities introduced between OS versions.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:

17
windows/client-management/mdm/policy-csp-admx-deviceguard.md
View File

@ -13,8 +13,13 @@ manager: dansimp
---
# Policy CSP - ADMX_DeviceGuard
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<hr/>
@ -95,12 +100,6 @@ If using a signed and protected policy then disabling this policy setting doesn'
2. Disable the setting and then remove the policy from each computer, with a physically present user.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
@ -112,8 +111,6 @@ ADMX Info:
<!--/ADMXBacked-->
<!--/Policy-->
> [!NOTE]
> These policies are currently only available as part of a Windows Insider release.
<!--/Policies-->

17
windows/client-management/mdm/policy-csp-admx-dfs.md
View File

@ -13,10 +13,13 @@ manager: dansimp
---
# Policy CSP - ADMX_DFS
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<hr/>
<!--Policies-->
@ -93,12 +96,6 @@ This value is specified in minutes.
> The minimum value you can select is 15 minutes. If you try to set this setting to a value less than 15 minutes, the default value of 15 minutes is applied.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
@ -111,8 +108,6 @@ ADMX Info:
<!--/Policy-->
<hr/>
> [!NOTE]
> These policies are currently only available as part of a Windows Insider release.
<!--/Policies-->

23
windows/client-management/mdm/policy-csp-admx-diskdiagnostic.md
View File

@ -13,8 +13,13 @@ manager: dansimp
---
# Policy CSP - ADMX_DiskDiagnostic
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<hr/>
@ -96,12 +101,6 @@ The DPS can be configured with the Services snap-in to the Microsoft Management
> For Windows Server systems, this policy setting applies only if the Desktop Experience optional component is installed and the Remote Desktop Services.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
@ -179,12 +178,6 @@ This policy setting takes effect only when the DPS is in the running state. When
> For Windows Server systems, this policy setting applies only if the Desktop Experience optional component is installed and the Remote Desktop Services role is not installed.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
@ -197,8 +190,6 @@ ADMX Info:
<!--/Policy-->
<hr/>
> [!NOTE]
> These policies are for upcoming release.
<!--/Policies-->

17
windows/client-management/mdm/policy-csp-admx-eventlogging.md
View File

@ -13,8 +13,13 @@ manager: dansimp
---
# Policy CSP - ADMX_EventLogging
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<hr/>
@ -89,12 +94,6 @@ You can use the Unprotect-CmsMessage PowerShell cmdlet to decrypt these encrypte
- If you disable or do not configure this policy setting, components will not encrypt event log messages before writing them to the event log.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
@ -107,8 +106,6 @@ ADMX Info:
<!--/Policy-->
<hr/>
> [!NOTE]
> These policies are currently only available as part of a Windows Insider release.
<!--/Policies-->

32
windows/client-management/mdm/policy-csp-admx-eventviewer.md
View File

@ -13,8 +13,13 @@ manager: dansimp
---
# Policy CSP - ADMX_EventViewer
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<hr/>
@ -89,13 +94,8 @@ manager: dansimp
This is the program that will be invoked when the user clicks the `events.asp` link.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Events.asp program*
@ -160,12 +160,6 @@ ADMX Info:
This specifies the command line parameters that will be passed to the `events.asp` program.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
@ -232,13 +226,7 @@ This is the URL that will be passed to the Description area in the Event Propert
Change this value if you want to use a different Web server to handle event information requests.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:

28
windows/client-management/mdm/policy-csp-admx-externalboot.md
View File

@ -14,8 +14,12 @@ manager: dansimp
# Policy CSP - ADMX_ExternalBoot
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<hr/>
@ -98,12 +102,6 @@ This policy specifies whether the PC can use the hibernation sleep state (S4) wh
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
@ -174,13 +172,6 @@ If you disable or do not configure this setting, Windows, when started from a Wi
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Disallow standby sleep states (S1-S3) when starting from a Windows to Go workspace*
@ -253,13 +244,6 @@ If you do not configure this setting, users who are members of the Administrator
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Windows To Go Default Startup Options*

17
windows/client-management/mdm/policy-csp-admx-filerevocation.md
View File

@ -13,8 +13,13 @@ manager: dansimp
---
# Policy CSP - ADMX_FileRevocation
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<hr/>
@ -90,12 +95,6 @@ Any other Windows Runtime application will only be able to revoke access to cont
> Information the user should notice even if skimmingFile revocation applies to all content protected under the same second level domain as the provided enterprise identifier. Therefore, revoking an enterprise ID of `mail.contoso.com` will revoke the users access to all content protected under the contoso.com hierarchy.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
@ -108,8 +107,6 @@ ADMX Info:
<!--/Policy-->
<hr/>
> [!NOTE]
> These policies are currently only available as part of a Windows Insider release.
<!--/Policies-->

25
windows/client-management/mdm/policy-csp-admx-framepanes.md
View File

@ -13,9 +13,13 @@ manager: dansimp
---
# Policy CSP - ADMX_FramePanes
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<hr/>
<!--Policies-->
@ -94,13 +98,7 @@ This policy setting shows or hides the Details Pane in File Explorer.
This is the default policy setting.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
@ -169,12 +167,6 @@ Hides the Preview Pane in File Explorer.
- If you disable, or do not configure this setting, the Preview Pane is hidden by default and can be displayed by the user.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
@ -186,8 +178,5 @@ ADMX Info:
<!--/ADMXBacked-->
<!--/Policy-->
> [!NOTE]
> These policies are currently only available as part of a Windows Insider release.
<!--/Policies-->

17
windows/client-management/mdm/policy-csp-admx-fthsvc.md
View File

@ -13,8 +13,13 @@ manager: dansimp
---
# Policy CSP - ADMX_FTHSVC
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<hr/>
@ -91,12 +96,6 @@ The DPS can be configured with the Services snap-in to the Microsoft Management
No system restart or service restart is required for this policy setting to take effect: changes take effect immediately.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
@ -110,7 +109,5 @@ ADMX Info:
<hr/>
> [!NOTE]
> These policies are currently only available as part of a Windows Insider release.
<!--/Policies-->

8
windows/client-management/mdm/policy-csp-admx-hotspotauth.md
View File

@ -13,12 +13,13 @@ manager: dansimp
---
# Policy CSP - ADMX_HotSpotAuth
>[!TIP]
> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<hr/>
@ -95,7 +96,6 @@ This policy setting defines whether WLAN hotspots are probed for Wireless Intern
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Enable Hotspot Authentication*

7
windows/client-management/mdm/policy-csp-admx-iis.md
View File

@ -13,12 +13,13 @@ manager: dansimp
---
# Policy CSP - ADMX_IIS
>[!TIP]
> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<hr/>

9
windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md
View File

@ -13,13 +13,13 @@ manager: dansimp
---
# Policy CSP - ADMX_LeakDiagnostic
>[!TIP]
> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<hr/>
<!--Policies-->
@ -116,6 +116,5 @@ ADMX Info:
<!--Policies-->
<!--/Policies-->

142
windows/client-management/mdm/policy-csp-enterprisecloudprint.md
View File

@ -51,28 +51,34 @@ manager: dansimp
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
@ -89,7 +95,7 @@ manager: dansimp
<!--/Scope-->
<!--Description-->
Added in Windows 10, version 1703. Specifies the authentication endpoint for acquiring OAuth tokens. This policy must target ./User, otherwise it fails.
Specifies the authentication endpoint for acquiring OAuth tokens. This policy must target ./User, otherwise it fails.
The datatype is a string.
@ -106,28 +112,34 @@ The default value is an empty string. Otherwise, the value should contain the UR
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
@ -144,7 +156,7 @@ The default value is an empty string. Otherwise, the value should contain the UR
<!--/Scope-->
<!--Description-->
Added in Windows 10, version 1703. Specifies the GUID of a client application authorized to retrieve OAuth tokens from the OAuthAuthority. This policy must target ./User, otherwise it fails.
Specifies the GUID of a client application authorized to retrieve OAuth tokens from the OAuthAuthority. This policy must target ./User, otherwise it fails.
The datatype is a string.
@ -161,28 +173,34 @@ The default value is an empty string. Otherwise, the value should contain a GUID
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
@ -199,7 +217,7 @@ The default value is an empty string. Otherwise, the value should contain a GUID
<!--/Scope-->
<!--Description-->
Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the enterprise cloud print client during OAuth authentication. This policy must target ./User, otherwise it fails.
Specifies the per-user resource URL for which access is requested by the enterprise cloud print client during OAuth authentication. This policy must target ./User, otherwise it fails.
The datatype is a string.
@ -216,28 +234,34 @@ The default value is an empty string. Otherwise, the value should contain a URL.
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
@ -254,7 +278,7 @@ The default value is an empty string. Otherwise, the value should contain a URL.
<!--/Scope-->
<!--Description-->
Added in Windows 10, version 1703. Specifies the per-user end point for discovering cloud printers. This policy must target ./User, otherwise it fails.
Specifies the per-user end point for discovering cloud printers. This policy must target ./User, otherwise it fails.
The datatype is a string.
@ -271,28 +295,34 @@ The default value is an empty string. Otherwise, the value should contain the UR
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
@ -309,7 +339,7 @@ The default value is an empty string. Otherwise, the value should contain the UR
<!--/Scope-->
<!--Description-->
Added in Windows 10, version 1703. Defines the maximum number of printers that should be queried from a discovery end point. This policy must target ./User, otherwise it fails.
Defines the maximum number of printers that should be queried from a discovery end point. This policy must target ./User, otherwise it fails.
The datatype is an integer.
@ -324,28 +354,34 @@ The datatype is an integer.
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
@ -362,7 +398,7 @@ The datatype is an integer.
<!--/Scope-->
<!--Description-->
Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the Mopria discovery client during OAuth authentication. This policy must target ./User, otherwise it fails.
Specifies the per-user resource URL for which access is requested by the Mopria discovery client during OAuth authentication. This policy must target ./User, otherwise it fails.
The datatype is a string.
@ -372,16 +408,6 @@ The default value is an empty string. Otherwise, the value should contain a URL.
<!--/Policy-->
<hr/>
Footnotes:
- 1 - Available in Windows 10, version 1607.
- 2 - Available in Windows 10, version 1703.
- 3 - Available in Windows 10, version 1709.
- 4 - Available in Windows 10, version 1803.
- 5 - Available in Windows 10, version 1809.
- 6 - Available in Windows 10, version 1903.
- 7 - Available in Windows 10, version 1909.
- 8 - Available in Windows 10, version 2004.
<!--/Policies-->

147
windows/client-management/mdm/policy-csp-errorreporting.md
View File

@ -14,7 +14,12 @@ manager: dansimp
# Policy CSP - ErrorReporting
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<hr/>
@ -48,28 +53,34 @@ manager: dansimp
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
@ -103,12 +114,6 @@ If you enable this policy setting, you can add specific event types to a list by
If you disable or do not configure this policy setting, then the default consent settings that are applied are those specified by the user in Control Panel, or in the Configure Default Consent policy setting.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
@ -128,28 +133,34 @@ ADMX Info:
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
@ -173,12 +184,6 @@ If you enable this policy setting, Windows Error Reporting does not send any pro
If you disable or do not configure this policy setting, the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings takes precedence. If Turn off Windows Error Reporting is also either disabled or not configured, user settings in Control Panel for Windows Error Reporting are applied.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
@ -198,28 +203,34 @@ ADMX Info:
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
@ -247,12 +258,6 @@ If you do not configure this policy setting, users can change this setting in Co
See also the Configure Error Reporting policy setting.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
@ -272,28 +277,34 @@ ADMX Info:
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
@ -317,12 +328,6 @@ If you enable this policy setting, any additional data requests from Microsoft i
If you disable or do not configure this policy setting, then consent policy settings in Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting/Consent take precedence.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
@ -342,28 +347,34 @@ ADMX Info:
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
@ -387,12 +398,6 @@ If you enable this policy setting, Windows Error Reporting does not display any
If you disable or do not configure this policy setting, Windows Error Reporting displays the user interface for critical errors.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
@ -405,16 +410,6 @@ ADMX Info:
<!--/Policy-->
<hr/>
Footnotes:
- 1 - Available in Windows 10, version 1607.
- 2 - Available in Windows 10, version 1703.
- 3 - Available in Windows 10, version 1709.
- 4 - Available in Windows 10, version 1803.
- 5 - Available in Windows 10, version 1809.
- 6 - Available in Windows 10, version 1903.
- 7 - Available in Windows 10, version 1909.
- 8 - Available in Windows 10, version 2004.
<!--/Policies-->

114
windows/client-management/mdm/policy-csp-eventlogservice.md
View File

@ -45,28 +45,34 @@ manager: dansimp
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
@ -92,12 +98,6 @@ If you disable or do not configure this policy setting and a log file reaches it
Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
@ -117,28 +117,34 @@ ADMX Info:
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
@ -162,12 +168,6 @@ If you enable this policy setting, you can configure the maximum log file size t
If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
@ -187,28 +187,34 @@ ADMX Info:
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
@ -232,12 +238,6 @@ If you enable this policy setting, you can configure the maximum log file size t
If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
@ -257,28 +257,34 @@ ADMX Info:
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
@ -302,12 +308,6 @@ If you enable this policy setting, you can configure the maximum log file size t
If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
@ -320,16 +320,6 @@ ADMX Info:
<!--/Policy-->
<hr/>
Footnotes:
- 1 - Available in Windows 10, version 1607.
- 2 - Available in Windows 10, version 1703.
- 3 - Available in Windows 10, version 1709.
- 4 - Available in Windows 10, version 1803.
- 5 - Available in Windows 10, version 1809.
- 6 - Available in Windows 10, version 1903.
- 7 - Available in Windows 10, version 1909.
- 8 - Available in Windows 10, version 2004.
<!--/Policies-->

21
windows/client-management/mdm/policy-csp-experience.md
View File

@ -373,7 +373,7 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
Added in Windows 10, version 1703. This policy turns on Find My Device.
This policy turns on Find My Device.
When Find My Device is on, the device and its location are registered in the cloud so that the device can be located when the user initiates a Find command from account.microsoft.com. In Windows 10, version 1709 devices that are compatible with active digitizers, enabling Find My Device will also allow the user to view the last location of use of their active digitizer on their device; this location is stored locally on the user's device after each use of their active digitizer.
@ -610,7 +610,7 @@ The following list shows the supported values:
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
Added in Windows 10, version 1703. This policy allows you to prevent Windows from using diagnostic data to provide customized experiences to the user. If you enable this policy setting, Windows will not use diagnostic data from this device to customize content shown on the lock screen, Windows tips, Microsoft consumer features, or other related features. If these features are enabled, users will still see recommendations, tips and offers, but they may be less relevant. If you disable or do not configure this policy setting, Microsoft will use diagnostic data to provide personalized recommendations, tips, and offers to tailor Windows for the user's needs and make it work better for them.
This policy allows you to prevent Windows from using diagnostic data to provide customized experiences to the user. If you enable this policy setting, Windows will not use diagnostic data from this device to customize content shown on the lock screen, Windows tips, Microsoft consumer features, or other related features. If these features are enabled, users will still see recommendations, tips and offers, but they may be less relevant. If you disable or do not configure this policy setting, Microsoft will use diagnostic data to provide personalized recommendations, tips, and offers to tailor Windows for the user's needs and make it work better for them.
Diagnostic data can include browser, app and feature usage, depending on the "Diagnostic and usage data" setting value.
@ -925,7 +925,7 @@ The following list shows the supported values:
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
Added in Windows 10, version 1703. This policy allows administrators to prevent Windows spotlight notifications from being displayed in the Action Center. If you enable this policy, Windows spotlight notifications will no longer be displayed in the Action Center. If you disable or do not configure this policy, Microsoft may display notifications in the Action Center that will suggest apps or features to help users be more productive on Windows.
This policy allows administrators to prevent Windows spotlight notifications from being displayed in the Action Center. If you enable this policy, Windows spotlight notifications will no longer be displayed in the Action Center. If you disable or do not configure this policy, Microsoft may display notifications in the Action Center that will suggest apps or features to help users be more productive on Windows.
Most restricted value is 0.
@ -999,7 +999,7 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
Added in Windows 10, version 1803. This policy allows IT admins to turn off Suggestions in Settings app. These suggestions from Microsoft may show after each OS clean install, upgrade or an on-going basis to help users discover apps/features on Windows or across devices, to make their experience productive.
This policy allows IT admins to turn off Suggestions in Settings app. These suggestions from Microsoft may show after each OS clean install, upgrade or an on-going basis to help users discover apps/features on Windows or across devices, to make their experience productive.
- User setting is under Settings -> Privacy -> General -> Show me suggested content in Settings app.
- User Setting is changeable on a per user basis.
@ -1078,7 +1078,7 @@ The following list shows the supported values:
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
Added in Windows 10, version 1703. This policy setting lets you turn off the Windows spotlight Windows welcome experience feature.
This policy setting lets you turn off the Windows spotlight Windows welcome experience feature.
The Windows welcome experience feature introduces onboard users to Windows; for example, launching Microsoft Edge with a webpage that highlights new features. If you enable this policy, the Windows welcome experience will no longer be displayed when there are updates and changes to Windows and its apps. If you disable or do not configure this policy, the Windows welcome experience will be launched to inform onboard users about what's new, changed, and suggested.
Most restricted value is 0.
@ -1747,16 +1747,5 @@ Supported values:
<!--/Policy-->
<hr/>
Footnotes:
- 1 - Available in Windows 10, version 1607.
- 2 - Available in Windows 10, version 1703.
- 3 - Available in Windows 10, version 1709.
- 4 - Available in Windows 10, version 1803.
- 5 - Available in Windows 10, version 1809.
- 6 - Available in Windows 10, version 1903.
- 7 - Available in Windows 10, version 1909.
- 8 - Available in Windows 10, version 2004.
- 9 - Available in Windows 10, version 20H2.
<!--/Policies-->

30
windows/client-management/mdm/policy-csp-exploitguard.md
View File

@ -36,28 +36,34 @@ manager: dansimp
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
@ -118,15 +124,5 @@ Here is an example:
<!--/Policy-->
<hr/>
Footnotes:
- 1 - Available in Windows 10, version 1607.
- 2 - Available in Windows 10, version 1703.
- 3 - Available in Windows 10, version 1709.
- 4 - Available in Windows 10, version 1803.
- 5 - Available in Windows 10, version 1809.
- 6 - Available in Windows 10, version 1903.
- 7 - Available in Windows 10, version 1909.
- 8 - Available in Windows 10, version 2004.
<!--/Policies-->

71
windows/client-management/mdm/policy-csp-fileexplorer.md
View File

@ -14,6 +14,12 @@ manager: dansimp
# Policy CSP - FileExplorer
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<hr/>
@ -39,28 +45,34 @@ manager: dansimp
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
@ -80,12 +92,6 @@ manager: dansimp
Disabling data execution prevention can allow certain legacy plug-in applications to function without terminating Explorer.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
@ -105,28 +111,34 @@ ADMX Info:
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
@ -145,14 +157,6 @@ ADMX Info:
<!--Description-->
Disabling heap termination on corruption can allow certain legacy plug-in applications to function without terminating Explorer immediately, although Explorer may still terminate unexpectedly later.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Turn off heap termination on corruption*
@ -164,16 +168,5 @@ ADMX Info:
<!--/Policy-->
<hr/>
Footnotes:
- 1 - Available in Windows 10, version 1607.
- 2 - Available in Windows 10, version 1703.
- 3 - Available in Windows 10, version 1709.
- 4 - Available in Windows 10, version 1803.
- 5 - Available in Windows 10, version 1809.
- 6 - Available in Windows 10, version 1903.
- 7 - Available in Windows 10, version 1909.
- 8 - Available in Windows 10, version 2004.
<!--/Policies-->

30
windows/client-management/mdm/policy-csp-games.md
View File

@ -36,28 +36,34 @@ manager: dansimp
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
@ -87,16 +93,6 @@ The following list shows the supported values:
<!--/Policy-->
<hr/>
Footnotes:
- 1 - Available in Windows 10, version 1607.
- 2 - Available in Windows 10, version 1703.
- 3 - Available in Windows 10, version 1709.
- 4 - Available in Windows 10, version 1803.
- 5 - Available in Windows 10, version 1809.
- 6 - Available in Windows 10, version 1903.
- 7 - Available in Windows 10, version 1909.
- 8 - Available in Windows 10, version 2004.
<!--/Policies-->

33
windows/client-management/mdm/policy-csp-handwriting.md
View File

@ -36,28 +36,34 @@ manager: dansimp
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3<sup></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3<sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3<sup></td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
@ -74,7 +80,7 @@ manager: dansimp
<!--/Scope-->
<!--Description-->
Added in Windows 10. version 1709. This policy allows an enterprise to configure the default mode for the handwriting panel.
This policy allows an enterprise to configure the default mode for the handwriting panel.
The handwriting panel has 2 modes - floats near the text box, or docked to the bottom of the screen. The default configuration to is floating near text box. If you want the panel to be fixed or docked, use this policy to fix it to the bottom of the screen.
@ -101,16 +107,5 @@ The following list shows the supported values:
<!--/Policy-->
<hr/>
Footnotes:
- 1 - Available in Windows 10, version 1607.
- 2 - Available in Windows 10, version 1703.
- 3 - Available in Windows 10, version 1709.
- 4 - Available in Windows 10, version 1803.
- 5 - Available in Windows 10, version 1809.
- 6 - Available in Windows 10, version 1903.
- 7 - Available in Windows 10, version 1909.
- 8 - Available in Windows 10, version 2004.
<!--/Policies-->

2
windows/deployment/TOC.yml
View File

@ -116,7 +116,7 @@
- name: Replace a device
href: deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
- name: In-place upgrade
href: deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md
href: deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md
- name: Deploy Windows client with MDT
items:
- name: Deploy to a new device

2
windows/deployment/deploy-windows-cm/TOC.yml
View File

@ -25,4 +25,4 @@
- name: Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager
href: replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
- name: Perform an in-place upgrade to Windows 10 using Configuration Manager
href: upgrade-to-windows-10-with-configuraton-manager.md
href: upgrade-to-windows-10-with-configuration-manager.md

2
windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
View File

@ -201,7 +201,7 @@ When the process is complete, you will have a new Windows 10 computer in your do
![User data and setting restored example 8.](../images/pc0006h.png)<br>
![User data and setting restored example 9.](../images/pc0006i.png)
Next, see [Perform an in-place upgrade to Windows 10 using Configuration Manager](upgrade-to-windows-10-with-configuraton-manager.md).
Next, see [Perform an in-place upgrade to Windows 10 using Configuration Manager](upgrade-to-windows-10-with-configuration-manager.md).
## Related topics

2
windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md → windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md
View File

@ -135,8 +135,6 @@ On **PC0004**:
![Upgrade task sequence example 6.](../images/pc0004-f.png)<br>
![Upgrade task sequence example 7.](../images/pc0004-g.png)
In-place upgrade with Configuration Manager
## Related topics
[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)<br>

2
windows/deployment/planning/index.md
View File

@ -30,6 +30,6 @@ Windows 10 provides new deployment capabilities, scenarios, and tools by buildi
- [Deploy Windows 10 with MDT](../deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md)
- [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](../deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
- [Upgrade to Windows 10 with MDT](../deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
- [Upgrade to Windows 10 with Configuration Manager](../deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md)
- [Upgrade to Windows 10 with Configuration Manager](../deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md)
- [Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd)
 

2
windows/deployment/planning/windows-10-enterprise-faq-itpro.yml
View File

@ -79,7 +79,7 @@ sections:
- question: |
Can I upgrade computers from Windows 7 or Windows 8.1 without deploying a new image?
answer: |
Computers running Windows 7 or Windows 8.1 can be upgraded directly to Windows 10 through the in-place upgrade process without a need to reimage the device using MDT and/or Configuration Manager. For more information, see [Upgrade to Windows 10 with Microsoft Endpoint Configuration Manager](../deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md) or [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md).
Computers running Windows 7 or Windows 8.1 can be upgraded directly to Windows 10 through the in-place upgrade process without a need to reimage the device using MDT and/or Configuration Manager. For more information, see [Upgrade to Windows 10 with Microsoft Endpoint Configuration Manager](../deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md) or [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md).
- question: |
Can I upgrade from Windows 7 Enterprise or Windows 8.1 Enterprise to Windows 10 Enterprise for free?

7
windows/deployment/update/update-compliance-configuration-manual.md
View File

@ -17,10 +17,15 @@ ms.topic: article
# Manually Configuring Devices for Update Compliance
**Applies to**
- Windows 10
- Windows 11
> [!NOTE]
> As of May 10, 2021, a new policy is required to use Update Compliance: "Allow Update Compliance Processing." For more details, see the Mobile Device Management policies and Group policies tables.
There are a number of requirements to consider when manually configuring devices for Update Compliance. These can potentially change with newer versions of Windows 10. The [Update Compliance Configuration Script](update-compliance-configuration-script.md) will be updated when any configuration requirements change so only a redeployment of the script will be required.
There are a number of requirements to consider when manually configuring devices for Update Compliance. These can potentially change with newer versions of Windows client. The [Update Compliance Configuration Script](update-compliance-configuration-script.md) will be updated when any configuration requirements change so only a redeployment of the script will be required.
The requirements are separated into different categories:

5
windows/deployment/update/update-compliance-configuration-mem.md
View File

@ -16,10 +16,11 @@ ms.topic: article
---
# Configuring Microsoft Endpoint Manager devices for Update Compliance
**Applies to**
- Windows 10
- Windows 11
- Windows 10
- Windows 11
> [!NOTE]
> As of May 10, 2021, a new policy is required to use Update Compliance: "Allow Update Compliance Processing." For more details, see the Mobile Device Management policies and Group policies tables.

5
windows/deployment/update/update-compliance-configuration-script.md
View File

@ -17,6 +17,11 @@ ms.topic: article
# Configuring devices through the Update Compliance Configuration Script
**Applies to**
- Windows 10
- Windows 11
> [!NOTE]
> A new policy is required to use Update Compliance: "AllowUpdateComplianceProcessing." If you're already using Update Compliance and have configured your devices prior to May 10, 2021, you must rerun the script so the new policy can be configured.

10
windows/deployment/update/update-compliance-delivery-optimization.md
View File

@ -1,5 +1,5 @@
---
title: Delivery Optimization in Update Compliance (Windows 10)
title: Delivery Optimization in Update Compliance
ms.reviewer:
manager: laurawi
description: Learn how the Update Compliance solution provides you with information about your Delivery Optimization configuration.
@ -17,6 +17,12 @@ ms.custom: seo-marvel-apr2020
---
# Delivery Optimization in Update Compliance
**Applies to**
- Windows 10
- Windows 11
![DO status.](images/UC_workspace_DO_status.png)
The Update Compliance solution provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer distribution over the past 28 days.
@ -30,7 +36,7 @@ The Delivery Optimization Status section includes three blades:
## Device Configuration blade
Devices can be set to use different download modes; these download modes determine in what situations Delivery Optimization will use peer-to-peer distribution to accomplish the downloads. The top section shows the number of devices configured to use peer-to-peer distribution in *Peering On* compared to *Peering Off* modes. The table shows a breakdown of the various download mode configurations seen in your environment. For more information about the different configuration options, see [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization-setup.md).
Devices can be set to use different download modes; these download modes determine in what situations Delivery Optimization will use peer-to-peer distribution to accomplish the downloads. The top section shows the number of devices configured to use peer-to-peer distribution in *Peering On* compared to *Peering Off* modes. The table shows a breakdown of the various download mode configurations seen in your environment. For more information about the different configuration options, see [Configure Delivery Optimization for Windows client updates](waas-delivery-optimization-setup.md).
## Content Distribution (%) blade
The first of two blades showing information on content breakdown, this blade shows a ring chart summarizing **Bandwidth Savings %**, which is the percentage of data received from peer sources out of the total data downloaded (for any device that used peer-to-peer distribution).

7
windows/deployment/update/update-compliance-feature-update-status.md
View File

@ -17,6 +17,11 @@ ms.custom: seo-marvel-apr2020
# Feature Update Status
**Applies to**
- Windows 10
- Windows 11
[ ![The Feature Update Status report.](images/UC_workspace_FU_status.png) ](images/UC_workspace_FU_status.png#lightbox)
The Feature Update Status section provides information about the status of [feature updates](waas-quick-start.md#definitions) across all devices. This section tile in the [Overview Blade](update-compliance-using.md#overview-blade) gives a percentage of devices that are on the latest applicable feature update; [Servicing Channel](waas-overview.md#servicing-channels) is considered in determining applicability. Within this section are two blades; one providing a holistic view of feature updates, the other containing three **Deployment Status** tiles, each charged with tracking the deployment for a different [Servicing Channel](waas-overview.md#servicing-channels).
@ -38,7 +43,7 @@ Refer to the following list for what each state means:
## Safeguard holds
Microsoft uses diagnostic data to determine whether devices that use Windows Update are ready for a feature update in order to ensure a smooth experience. When Microsoft determines a device is not ready to update due to a known issue, a *safeguard hold* is generated to delay the device's upgrade and protect the end-user experience. Holds are released over time as diagnostic data is analyzed and fixes are addressed. Details are provided on some, but not all safeguard holds on the Windows 10 release information page for any given release.
Microsoft uses diagnostic data to determine whether devices that use Windows Update are ready for a feature update in order to ensure a smooth experience. When Microsoft determines a device is not ready to update due to a known issue, a *safeguard hold* is generated to delay the device's upgrade and protect the end-user experience. Holds are released over time as diagnostic data is analyzed and fixes are addressed. Details are provided on some, but not all safeguard holds on the Windows client release information pages for any given release.
## Queries for safeguard holds

11
windows/deployment/update/update-compliance-get-started.md
View File

@ -17,6 +17,11 @@ ms.topic: article
# Get started with Update Compliance
**Applies to**
- Windows 10
- Windows 11
> [!IMPORTANT]
> **A new policy is required to use Update Compliance: "AllowUpdateComplianceProcessing"**. If you're already using Update Compliance and have configured your devices prior to May 10, 2021, you must configure devices with this additional policy. You can do this by rerunning the [Update Compliance Configuration Script](update-compliance-configuration-script.md) if you configure your devices through Group Policy, or refer to [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md) for details on manually configuring the new policy for both Group Policy and MDM.
@ -35,11 +40,11 @@ After adding the solution to Azure and configuring devices, it can take some tim
Before you begin the process to add Update Compliance to your Azure subscription, first ensure you can meet the prerequisites:
- **Compatible Operating Systems and Editions**: Update Compliance works only with Windows 10 Professional, Education, and Enterprise editions. Update Compliance supports both the typical Windows 10 Enterprise edition, as well as [Windows 10 Enterprise multi-session](/azure/virtual-desktop/windows-10-multisession-faq). Update Compliance only provides data for the standard Desktop Windows 10 version and is not currently compatible with Windows Server, Surface Hub, IoT, etc.
- **Compatible Windows 10 Servicing Channels**: Update Compliance supports Windows 10 devices on the Semi-Annual Channel and the Long-term Servicing Channel (LTSC). Update Compliance *counts* Windows Insider Preview (WIP) devices, but does not currently provide detailed deployment insights for them.
- **Compatible operating systems and editions**: Update Compliance works only with Windows 10 or Windows 11 Professional, Education, and Enterprise editions. Update Compliance supports both the typical Windows 10 or Windows 11 Enterprise edition, as well as [Windows 10 Enterprise multi-session](/azure/virtual-desktop/windows-10-multisession-faq). Update Compliance only provides data for the standard Desktop Windows client version and is not currently compatible with Windows Server, Surface Hub, IoT, or other versions.
- **Compatible Windows client servicing channels**: Update Compliance supports Windows client devices on the General Availability Channel and the Long-term Servicing Channel (LTSC). Update Compliance *counts* Windows Insider Preview devices, but does not currently provide detailed deployment insights for them.
- **Diagnostic data requirements**: Update Compliance requires devices be configured to send diagnostic data at *Required* level (previously *Basic*). To learn more about what's included in different diagnostic levels, see [Diagnostics, feedback, and privacy in Windows 10](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy).
- **Data transmission requirements**: Devices must be able to contact specific endpoints required to authenticate and send diagnostic data. These are enumerated in detail at [Configuring Devices for Update Compliance manually](update-compliance-configuration-manual.md).
- **Showing Device Names in Update Compliance**: For Windows 10, version 1803 or later, device names will not appear in Update Compliance unless you individually opt-in devices by using policy. The steps to accomplish this is outlined in [Configuring Devices for Update Compliance](update-compliance-configuration-manual.md).
- **Showing device names in Update Compliance**: For Windows 10, version 1803 or later, device names will not appear in Update Compliance unless you individually opt-in devices by using policy. The steps to accomplish this is outlined in [Configuring Devices for Update Compliance](update-compliance-configuration-manual.md).
## Add Update Compliance to your Azure subscription

19
windows/deployment/update/update-compliance-monitor.md
View File

@ -1,8 +1,8 @@
---
title: Monitor Windows Updates and Microsoft Defender AV with Update Compliance (Windows 10)
title: Monitor Windows Updates and Microsoft Defender AV with Update Compliance
ms.reviewer:
manager: laurawi
description: You can use Update Compliance in Azure Portal to monitor the progress of updates and key antimalware protection features on devices in your network.
description: You can use Update Compliance in Azure portal to monitor the progress of updates and key anti-malware protection features on devices in your network.
keywords: oms, operations management suite, wdav, updates, upgrades, antivirus, antimalware, signature, log analytics
ms.prod: w10
ms.mktglfcycl: deploy
@ -18,24 +18,29 @@ ms.custom: seo-marvel-apr2020
# Monitor Windows Updates with Update Compliance
**Applies to**
- Windows 10
- Windows 11
## Introduction
Update Compliance enables organizations to:
* Monitor security, quality, and feature updates for Windows 10 Professional, Education, and Enterprise editions.
* Monitor security, quality, and feature updates for Windows 10 or Windows 11 Professional, Education, and Enterprise editions.
* View a report of device and update issues related to compliance that need attention.
* Check bandwidth savings incurred across multiple content types by using [Delivery Optimization](waas-delivery-optimization.md).
Update Compliance is offered through the Azure portal, and is included as part of Windows 10 licenses listed in the [prerequisites](update-compliance-get-started.md#update-compliance-prerequisites). Azure Log Analytics ingestion and retention charges are not incurred on your Azure subscription for Update Compliance data.
Update Compliance is offered through the Azure portal, and is included as part of Windows 10 or Windows 11 licenses listed in the [prerequisites](update-compliance-get-started.md#update-compliance-prerequisites). Azure Log Analytics ingestion and retention charges are not incurred on your Azure subscription for Update Compliance data.
Update Compliance uses Windows 10 diagnostic data for all of its reporting. It collects system data including update deployment progress, [Windows Update for Business](waas-manage-updates-wufb.md) configuration data, and Delivery Optimization usage data, and then sends this data to a customer-owned [Azure Log Analytics](/azure/log-analytics/query-language/get-started-analytics-portal) workspace to power the experience.
Update Compliance uses Windows client diagnostic data for all of its reporting. It collects system data including update deployment progress, [Windows Update for Business](waas-manage-updates-wufb.md) configuration data, and Delivery Optimization usage data, and then sends this data to a customer-owned [Azure Log Analytics](/azure/log-analytics/query-language/get-started-analytics-portal) workspace to power the experience.
See the following topics in this guide for detailed information about configuring and using the Update Compliance solution:
See the following articles in this guide for detailed information about configuring and using the Update Compliance solution:
- [Get started with Update Compliance](update-compliance-get-started.md) provides directions on adding Update Compliance to your Azure subscription and configuring devices to send data to Update Compliance.
- [Using Update Compliance](update-compliance-using.md) breaks down every aspect of the Update Compliance experience.
## Related topics
## Related articles
* [Get started with Update Compliance](update-compliance-get-started.md)
* [Use Update Compliance to monitor Windows Updates](update-compliance-using.md)

12
windows/deployment/update/update-compliance-need-attention.md
View File

@ -14,9 +14,15 @@ ms.prod: w10
---
# Needs attention!
**Applies to**
- Windows 10
- Windows 11
![Needs attention section.](images/UC_workspace_needs_attention.png)
The **Needs attention!** section provides a breakdown of all Windows 10 device and update issues detected by Update Compliance. The summary tile for this section counts the number of devices that have issues, while the blades within break down the issues encountered. Finally, a [list of queries](#list-of-queries) blade in this section contains queries that provide values but do not fit within any other main section.
The **Needs attention!** section provides a breakdown of all Windows client device and update issues detected by Update Compliance. The summary tile for this section counts the number of devices that have issues, while the blades within break down the issues encountered. Finally, a [list of queries](#list-of-queries) blade in this section contains queries that provide values but do not fit within any other main section.
> [!NOTE]
> The summary tile counts the number of devices that have issues, while the blades within the section break down the issues encountered. A single device can have more than one issue, so these numbers might not add up.
@ -26,7 +32,7 @@ The different issues are broken down by Device Issues and Update Issues:
## Device Issues
* **Missing multiple security updates:** This issue occurs when a device is behind by two or more security updates. These devices might be more vulnerable and should be investigated and updated.
* **Out of support OS Version:** This issue occurs when a device has fallen out of support due to the version of Windows 10 it is running. When a device has fallen out of support, it will no longer receive important security updates, and might be vulnerable. These devices should be updated to a supported version of Windows 10.
* **Out of support OS Version:** This issue occurs when a device has fallen out of support due to the version of Windows client it is running. When a device has fallen out of support, it will no longer receive important security updates, and might be vulnerable. These devices should be updated to a supported version of Windows client.
## Update Issues
@ -39,7 +45,7 @@ The different issues are broken down by Device Issues and Update Issues:
Selecting any of the issues will take you to a [Log Analytics](/azure/log-analytics/query-language/get-started-analytics-portal) view with all devices that have the given issue.
> [!NOTE]
> This blade also has a link to the [Setup Diagnostic Tool](../upgrade/setupdiag.md), a standalone tool you can use to obtain details about why a Windows 10 feature update was unsuccessful.
> This blade also has a link to the [Setup Diagnostic Tool](../upgrade/setupdiag.md), a standalone tool you can use to obtain details about why a Windows client feature update was unsuccessful.
## List of Queries

7
windows/deployment/update/update-compliance-privacy.md
View File

@ -16,9 +16,14 @@ ms.topic: article
# Privacy in Update Compliance
**Applies to**
- Windows 10
- Windows 11
Update Compliance is fully committed to privacy, centering on these tenets:
- **Transparency:** Windows 10 diagnostic data events that are required for Update Compliance's operation are fully documented (see the links for additional information) so you can review them with your company's security and compliance teams. The Diagnostic Data Viewer lets you see diagnostic data sent from a given device (see [Diagnostic Data Viewer Overview](/windows/configuration/diagnostic-data-viewer-overview) for details).
- **Transparency:** Windows client diagnostic data events that are required for Update Compliance's operation are fully documented (see the links for additional information) so you can review them with your company's security and compliance teams. The Diagnostic Data Viewer lets you see diagnostic data sent from a given device (see [Diagnostic Data Viewer Overview](/windows/configuration/diagnostic-data-viewer-overview) for details).
- **Control:** You ultimately control the level of diagnostic data you wish to share. In Windows 10, version 1709 we added a new policy to Limit enhanced diagnostic data to the minimum required by Windows Analytics.
- **Security:** Your data is protected with strong security and encryption.
- **Trust:** Update Compliance supports the Online Services Terms.

9
windows/deployment/update/update-compliance-security-update-status.md
View File

@ -15,12 +15,17 @@ ms.custom: seo-marvel-apr2020
# Security Update Status
**Applies to**
- Windows 10
- Windows 11
![The Security Update Status report.](images/UC_workspace_SU_status.png)
The Security Update Status section provides information about [security updates](waas-quick-start.md#definitions) across all devices. The section tile within the [Overview Blade](update-compliance-using.md#overview-blade) lists the percentage of devices on the latest security update available. Meanwhile, the blades within show the percentage of devices on the latest security update for each Windows 10 version and the deployment progress toward the latest two security updates.
The Security Update Status section provides information about [security updates](waas-quick-start.md#definitions) across all devices. The section tile within the [Overview Blade](update-compliance-using.md#overview-blade) lists the percentage of devices on the latest security update available. Meanwhile, the blades within show the percentage of devices on the latest security update for each Windows client version and the deployment progress toward the latest two security updates.
The **Overall Security Update Status** blade provides a visualization of devices that are and do not have the latest security updates. Below the visualization are all devices further broken down by operating system version and a count of devices that are up to date and not up to date. The **Not up to date** column also provides a count of update failures.
The **Latest Security Update Status** and **Previous Security Update Status** tiles are stacked to form one blade. The **Latest Security Update Status** provides a visualization of the different deployment states devices are in regarding the latest update for each build (or version) of Windows 10, along with the revision of that update. The **Previous Security Update Status** blade provides the same information without the accompanying visualization.
The **Latest Security Update Status** and **Previous Security Update Status** tiles are stacked to form one blade. The **Latest Security Update Status** provides a visualization of the different deployment states devices are in regarding the latest update for each build (or version) of Windows client, along with the revision of that update. The **Previous Security Update Status** blade provides the same information without the accompanying visualization.
The rows of each tile in this section are interactive; selecting them will navigate you to the query that is representative of that row and section.

19
windows/deployment/update/update-compliance-using.md
View File

@ -1,5 +1,5 @@
---
title: Using Update Compliance (Windows 10)
title: Using Update Compliance
ms.reviewer:
manager: laurawi
description: Learn how to use Update Compliance to monitor your device's Windows updates.
@ -18,11 +18,16 @@ ms.custom: seo-marvel-apr2020
# Use Update Compliance
**Applies to**
- Windows 10
- Windows 11
In this section you'll learn how to use Update Compliance to monitor your device's Windows updates and Microsoft Defender Antivirus status. To configure your environment for use with Update Compliance, refer to [Get started with Update Compliance](update-compliance-get-started.md).
Update Compliance:
- Provides detailed deployment monitoring for Windows 10 Feature and Quality updates.
- Provides detailed deployment monitoring for Windows client feature and quality updates.
- Reports when devices need attention due to issues related to update deployment.
- Shows bandwidth usage and savings for devices that are configured to use [Delivery Optimization](waas-delivery-optimization.md).
- Provides all of the above data in [Log Analytics](#using-log-analytics), which affords additional querying and export capabilities.
@ -49,21 +54,21 @@ When you select this tile, you will be redirected to the Update Compliance works
![The Overview blade.](images/UC_workspace_overview_blade.png)
Update Compliance's overview blade summarizes all the data Update Compliance provides. It functions as a hub from which you can navigate to different sections. The total number of devices detected by Update Compliance is reported in the title of this blade. What follows is a distribution for all devices as to whether they are up to date on the following items:
* Security updates: A device is up to date on quality updates whenever it has the latest applicable quality update installed. Quality updates are monthly cumulative updates that are specific to a version of Windows 10.
* Security updates: A device is up to date on quality updates whenever it has the latest applicable quality update installed. Quality updates are monthly cumulative updates that are specific to a version of Windows client.
* Feature updates: A device is up to date on feature updates whenever it has the latest applicable feature update installed. Update Compliance considers [Servicing Channel](waas-overview.md#servicing-channels) when determining update applicability.
* AV Signature: A device is up to date on Antivirus Signature when the latest Windows Defender Signatures have been downloaded. This distribution only considers devices that are running Microsoft Defender Antivirus.
The blade also provides the time at which your Update Compliance workspace was [refreshed](#update-compliance-data-latency).
The following is a breakdown of the different sections available in Update Compliance:
* [Need Attention!](update-compliance-need-attention.md) - This section is the default section when arriving to your Update Compliance workspace. It provides a summary of the different issues devices are facing relative to Windows 10 updates.
* [Security Update Status](update-compliance-security-update-status.md) - This section lists the percentage of devices that are on the latest security update released for the version of Windows 10 it is running. Selecting this section provides blades that summarize the overall status of security updates across all devices and a summary of their deployment progress towards the latest two security updates.
* [Feature Update Status](update-compliance-feature-update-status.md) - This section lists the percentage of devices that are on the latest feature update that is applicable to a given device. Selecting this section provides blades that summarize the overall feature update status across all devices and a summary of deployment status for different versions of Windows 10 in your environment.
* [Need Attention!](update-compliance-need-attention.md) - This section is the default section when arriving to your Update Compliance workspace. It provides a summary of the different issues devices are facing relative to Windows client updates.
* [Security Update Status](update-compliance-security-update-status.md) - This section lists the percentage of devices that are on the latest security update released for the version of Windows client it is running. Selecting this section provides blades that summarize the overall status of security updates across all devices and a summary of their deployment progress towards the latest two security updates.
* [Feature Update Status](update-compliance-feature-update-status.md) - This section lists the percentage of devices that are on the latest feature update that is applicable to a given device. Selecting this section provides blades that summarize the overall feature update status across all devices and a summary of deployment status for different versions of Windows client in your environment.
* [Delivery Optimization Status](update-compliance-delivery-optimization.md) - This section summarizes bandwidth savings incurred by utilizing Delivery Optimization in your environment. It provides a breakdown of Delivery Optimization configuration across devices, and summarizes bandwidth savings and utilization across multiple content types.
## Update Compliance data latency
Update Compliance uses Windows 10 diagnostic data as its data source. After you add Update Compliance and appropriately configure your devices, it could take 48-72 hours before they first appear.
Update Compliance uses Windows client diagnostic data as its data source. After you add Update Compliance and appropriately configure your devices, it could take 48-72 hours before they first appear.
The data powering Update Compliance is refreshed every 24 hours, and refreshes with the latest data from all devices part of your organization that have been seen in the past 28 days. The entire set of data is refreshed in each daily snapshot, which means that the same data can be re-ingested even if no new data actually arrived from the device since the last snapshot. Snapshot time can be determined by the TimeGenerated field for each record, while LastScan can be used to roughly determine the freshness of each record's data.

29
windows/deployment/update/waas-branchcache.md
View File

@ -1,5 +1,5 @@
---
title: Configure BranchCache for Windows 10 updates (Windows 10)
title: Configure BranchCache for Windows client updates
description: In this article, learn how to use BranchCache to optimize network bandwidth during update deployment.
ms.prod: w10
ms.mktglfcycl: manage
@ -12,21 +12,22 @@ ms.topic: article
ms.custom: seo-marvel-apr2020
---
# Configure BranchCache for Windows 10 updates
# Configure BranchCache for Windows client updates
**Applies to**
- Windows 10
- Windows 11
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
BranchCache is a bandwidth-optimization feature that has been available since the Windows Server 2008 R2 and Windows 7 operating systems. Each client has a cache and acts as an alternate source for content that devices on its own network request. Windows Server Update Services (WSUS) and Microsoft Endpoint Manager can use BranchCache to optimize network bandwidth during update deployment, and it's easy to configure for either of them. BranchCache has two operating modes: Distributed Cache mode and Hosted Cache mode.
- Distributed Cache mode operates like the [Delivery Optimization](waas-delivery-optimization.md) feature in Windows 10: each client contains a cached version of the BranchCache-enabled files it requests and acts as a distributed cache for other clients requesting that same file.
- Distributed Cache mode operates like the [Delivery Optimization](waas-delivery-optimization.md) feature in Windows client: each client contains a cached version of the BranchCache-enabled files it requests and acts as a distributed cache for other clients requesting that same file.
>[!TIP]
>Distributed Cache mode is preferred to Hosted Cache mode for Windows 10 updates to get the most benefit from peer-to-peer distribution.
>Distributed Cache mode is preferred to Hosted Cache mode for Windows clients updates to get the most benefit from peer-to-peer distribution.
- In Hosted Cache mode, designated servers at specific locations act as a cache for files requested by clients in its area. Then, rather than clients retrieving files from a latent source, the hosted cache server provides the content on its behalf.
@ -36,7 +37,7 @@ For detailed information about how Distributed Cache mode and Hosted Cache mode
Whether you use BranchCache with Configuration Manager or WSUS, each client that uses BranchCache must be configured to do so. You typically make your configurations through Group Policy. For step-by-step instructions on how to use Group Policy to configure BranchCache for Windows clients, see [Client Configuration](/previous-versions/windows/it-pro/windows-7/dd637820(v=ws.10)) in the [BranchCache Early Adopter's Guide](/previous-versions/windows/it-pro/windows-7/dd637762(v=ws.10)).
In Windows 10, version 1607, the Windows Update Agent uses Delivery Optimization by default, even when the updates are retrieved from WSUS. When using BranchCache with Windows 10, simply set the Delivery Optimization mode to Bypass to allow clients to use the Background Intelligent Transfer Service (BITS) protocol with BranchCache instead. For instructions on how to use BranchCache in Distributed Cache mode with WSUS, see the section WSUS and Configuration Manager with BranchCache in Distributed Cache mode.
In Windows 10, version 1607, the Windows Update Agent uses Delivery Optimization by default, even when the updates are retrieved from WSUS. When using BranchCache with Windows client, simply set the Delivery Optimization mode to Bypass to allow clients to use the Background Intelligent Transfer Service (BITS) protocol with BranchCache instead. For instructions on how to use BranchCache in Distributed Cache mode with WSUS, see the section WSUS and Configuration Manager with BranchCache in Distributed Cache mode.
## Configure servers for BranchCache
@ -49,21 +50,3 @@ In addition to these steps, there is one requirement for WSUS to be able to use
>[!NOTE]
>Configuration Manager only supports Distributed Cache mode.
## Related topics
- [Update Windows 10 in the enterprise](index.md)
- [Overview of Windows as a service](waas-overview.md)
- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md)
- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
- [Configure Windows Update for Business](waas-configure-wufb.md)
- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
- [Walkthrough: use Intune to configure Windows Update for Business](/intune/windows-update-for-business-configure)
- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
- [Deploy Windows 10 updates using Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service)
- [Manage device restarts after updates](waas-restart.md)

9
windows/deployment/windows-10-deployment-scenarios.md
View File

@ -55,7 +55,7 @@ The following table summarizes various Windows 10 deployment scenarios. The scen
Use Windows Setup to update your OS and migrate apps and settings. Rollback data is saved in Windows.old.
</td>
<td align="center">
<a href="/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit">Perform an in-place upgrade to Windows 10 with MDT</a><br><a href="/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager">Perform an in-place upgrade to Windows 10 using Configuration Manager</a>
<a href="/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit">Perform an in-place upgrade to Windows 10 with MDT</a><br><a href="/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager">Perform an in-place upgrade to Windows 10 using Configuration Manager</a>
</td>
</tr>
<tr>
@ -262,14 +262,15 @@ The deployment process for the replace scenario is as follows:
2. Deploy the new computer as a bare-metal deployment.
**Note**<br>In some situations, you can use the replace scenario even if the target is the same machine. For example, you can use replace if you want to modify the disk layout from the master boot record (MBR) to the GUID partition table (GPT), which will allow you to take advantage of the Unified Extensible Firmware Interface (UEFI) functionality. You can also use replace if the disk needs to be repartitioned since user data needs to be transferred off the disk.
> [!NOTE]
> In some situations, you can use the replace scenario even if the target is the same machine. For example, you can use replace if you want to modify the disk layout from the master boot record (MBR) to the GUID partition table (GPT), which will allow you to take advantage of the Unified Extensible Firmware Interface (UEFI) functionality. You can also use replace if the disk needs to be repartitioned since user data needs to be transferred off the disk.
## Related topics
- [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
- [Upgrade to Windows 10 with Microsoft Endpoint Configuration Manager](./deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md)
- [Upgrade to Windows 10 with Microsoft Endpoint Configuration Manager](./deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md)
- [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=620230)
- [Deploy Windows 10 with the Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md)
- [Windows setup technical reference](/windows-hardware/manufacture/desktop/windows-setup-technical-reference)
- [Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd)
- [UEFI firmware](/windows-hardware/design/device-experiences/oem-uefi)
- [UEFI firmware](/windows-hardware/design/device-experiences/oem-uefi)

96
windows/hub/images/winlogo.svg Normal file
View File

@ -0,0 +1,96 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<!-- Generated by Microsoft Visio, SVG Export winlogo.svg Page-1 -->
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:ev="http://www.w3.org/2001/xml-events"
xmlns:v="http://schemas.microsoft.com/visio/2003/SVGExtensions/" width="6.06944in" height="6.09028in"
viewBox="0 0 437 438.5" xml:space="preserve" color-interpolation-filters="sRGB" class="st2">
<v:documentProperties v:langID="1033" v:viewMarkup="false"/>
<style type="text/css">
<![CDATA[
.st1 {fill:none;stroke:none;stroke-width:0.25}
.st2 {fill:none;fill-rule:evenodd;font-size:12px;overflow:visible;stroke-linecap:square;stroke-miterlimit:3}
]]>
</style>
<g v:mID="0" v:index="1" v:groupContext="foregroundPage">
<title>Page-1</title>
<v:pageProperties v:drawingScale="1" v:pageScale="1" v:drawingUnits="0" v:shadowOffsetX="9" v:shadowOffsetY="-9"/>
<g id="shape1-1" v:mID="1" v:groupContext="shape" transform="translate(0.25,-0.25)">
<title>Sheet.1</title>
<rect v:rectContext="foreign" x="0" y="0.500011" width="436.5" height="438" class="st1"/>
<image x="0" y="0.500011" width="436.5" height="438" preserveAspectRatio="none" xlink:href="data:image/png;base64,iV
BORw0KGgoAAAANSUhEUgAAAkYAAAJICAYAAACE1yscAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAAFiUAABYlAU
lSJPAAABTLSURBVHhe7dYxTiBQDENBjs1B9z6shL4r3EREaZgnTe/SH1+SJEn6zjGSJEl6OUaSJEkvx0iSJOnlGEmSJL1+HKOPz38Av3
Jd2wAwkRwjYN11bQPARHKMgHXXtQ0AE8kxAtZd1zYATCTHCFh3XdsAMJEcI2DddW0DwERyjIB117UNABPJMQLWXdc2AEwkxwhYd13bAD
CRHCNg3XVtA8BEcoyAdde1DQATyTEC1l3XNgBMJMcIWHdd2wAwkRwjYN11bQPARHKMgHXXtQ0AE8kxAtZd1zYATCTHCFh3XdsAMJEcI2
DddW0DwERyjIB117UNABPJMQLWXdc2AEwkxwhYd13bADCRHCNg3XVtA8BEcoyAdde1DQATyTEC1l3XNgBMJMcIWHdd2wAwkRwjYN11bQ
PARHKMgHXXtQ0AE8kxAtZd1zYATCTHCFh3XdsAMJEcI2DddW0DwERyjIB117UNABPJMQLWXdc2AEwkxwhYd13bADCRHCNg3XVtA8BEco
yAdde1DQATyTEC1l3XNgBMJMcIWHdd2wAwkRwjYN11bQPARHKMgHXXtQ0AE8kxAtZd1zYATCTHCFh3XdsAMJEcI2DddW0DwERyjIB117
UNABPJMQLWXdc2AEwkxwhYd13bADCRHCNg3XVtA8BEcoyAdde1DQATyTEC1l3XNgBMJMcIWHdd2wAwkRwjYN11bQPARHKMgHXXtQ0AE8
kxAtZd1zYATCTHCFh3XdsAMJEcI2DddW0DwERyjIB117UNABPJMQLWXdc2AEwkxwhYd13bADCRHCNg3XVtA8BEcoyAdde1DQATyTEC1l
3XNgBMJMcIWHdd2wAwkRwjYN11bQPARHKMgHXXtQ0AE8kxAtZd1zYATCTHCFh3XdsAMJEcI2DddW0DwERyjIB117UNABPJMQLWXdc2AE
wkxwhYd13bADCRHCNg3XVtA8BEcoyAdde1DQATyTEC1l3XNgBMJMcIWHdd2wAwkRwjYN11bQPARHKMgHXXtQ0AE8kxAtZd1zYATCTHCF
h3XdsAMJEcI2DddW0DwERyjIB117UNABPJMQLWXdc2AEwkxwhYd13bADCRHCNg3XVtA8BEcoyAdde1DQATyTEC1l3XNgBMJMcIWHdd2w
AwkRwjYN11bQPARHKMgHXXtQ0AE8kxAtZd1zYATCTHCFh3XdsAMJEcI2DddW0DwERyjIB117UNABPJMQLWXdc2AEwkxwhYd13bADCRHC
Ng3XVtA8BEcoyAdde1DQATyTEC1l3XNgBMJMcIWHdd2wAwkRwjYN11bQPARHKMgHXXtQ0AE8kxAtZd1zYATCTHCFh3XdsAMJEcI2DddW
0DwERyjIB117UNABPJMQLWXdc2AEwkxwhYd13bADCRHCNg3XVtA8BEcoyAdde1DQATyTEC1l3XNgBMJMcIWHdd2wAwkRwjYN11bQPARH
KMgHXXtQ0AE8kxAtZd1zYATCTHCFh3XdsAMJEcI2DddW0DwERyjIB117UNABPJMQLWXdc2AEwkxwhYd13bADCRHCNg3XVtA8BEcoyAdd
e1DQATyTEC1l3XNgBMJMcIWHdd2wAwkRwjYN11bQPARHKMgHXXtQ0AE8kxAtZd1zYATCTHCFh3XdsAMJEcI2DddW0DwERyjIB117UNAB
PJMQLWXdc2AEwkxwhYd13bADCRHCNg3XVtA8BEcoyAdde1DQATyTEC1l3XNgBMJMcIWHdd2wAwkRwjYN11bQPARHKMgHXXtQ0AE8kxAt
Zd1zYATCTHCFh3XdsAMJEcI2DddW0DwERyjIB117UNABPJMQLWXdc2AEwkxwhYd13bADCRHCNg3XVtA8BEcoyAdde1DQATyTEC1l3XNg
BMJMcIWHdd2wAwkRwjYN11bQPARHKMgHXXtQ0AE8kxAtZd1zYATCTHCFh3XdsAMJEcI2DddW0DwERyjIB117UNABPJMQLWXdc2AEwkxw
hYd13bADCRHCNg3XVtA8BEcoyAdde1DQATyTEC1l3XNgBMJMcIWHdd2wAwkRwjYN11bQPARHKMgHXXtQ0AE8kxAtZd1zYATCTHCFh3Xd
sAMJEcI2DddW0DwERyjIB117UNABPJMQLWXdc2AEwkxwhYd13bADCRHCNg3XVtA8BEcoyAdde1DQATyTEC1l3XNgBMJMcIWHdd2wAwkR
wjYN11bQPARHKMgHXXtQ0AE8kxAtZd1zYATCTHCFh3XdsAMJEcI2DddW0DwERyjIB117UNABPJMQLWXdc2AEwkxwhYd13bADCRHCNg3X
VtA8BEcoyAdde1DQATyTEC1l3XNgBMJMcIWHdd2wAwkRwjYN11bQPARHKMgHXXtQ0AE8kxAtZd1zYATCTHCFh3XdsAMJEcI2DddW0DwE
RyjIB117UNABPJMQLWXdc2AEwkxwhYd13bADCRHCNg3XVtA8BEcoyAdde1DQATyTEC1l3XNgBMJMcIWHdd2wAwkRwjYN11bQPARHKMgH
XXtQ0AE8kxAtZd1zYATCTHCFh3XdsAMJEcI2DddW0DwERyjIB117UNABPJMQLWXdc2AEwkxwhYd13bADCRHCNg3XVtA8BEcoyAdde1DQ
ATyTEC1l3XNgBMJMcIWHdd2wAwkRwjYN11bQPARHKMgHXXtQ0AE8kxAtZd1zYATCTHCFh3XdsAMJEcI2DddW0DwERyjIB117UNABPJMQ
LWXdc2AEwkxwhYd13bADCRHCNg3XVtA8BEcoyAdde1DQATyTEC1l3XNgBMJMcIWHdd2wAwkRwjYN11bQPARHKMgHXXtQ0AE8kxAtZd1z
YATCTHCFh3XdsAMJEcI2DddW0DwERyjIB117UNABPJMQLWXdc2AEwkxwhYd13bADCRHCNg3XVtA8BEcoyAdde1DQATyTEC1l3XNgBMJM
cIWHdd2wAwkRwjYN11bQPARHKMgHXXtQ0AE8kxAtZd1zYATCTHCFh3XdsAMJEcI2DddW0DwERyjIB117UNABPJMQLWXdc2AEwkxwhYd1
3bADCRHCNg3XVtA8BEcoyAdde1DQATyTEC1l3XNgBMJMcIWHdd2wAwkRwjYN11bQPARHKMgHXXtQ0AE8kxAtZd1zYATCTHCFh3XdsAMJ
EcI2DddW0DwERyjIB117UNABPJMQLWXdc2AEwkxwhYd13bADCRHCNg3XVtA8BEcoyAdde1DQATyTEC1l3XNgBMJMcIWHdd2wAwkRwjYN
11bQPARHKMgHXXtQ0AE8kxAtZd1zYATCTHCFh3XdsAMJEcI2DddW0DwERyjIB117UNABPJMQLWXdc2AEwkxwhYd13bADCRHCNg3XVtA8
BEcoyAdde1DQATyTEC1l3XNgBMJMcIWHdd2wAwkRwjYN11bQPARHKMgHXXtQ0AE8kxAtZd1zYATCTHCFh3XdsAMJEcI2DddW0DwERyjI
B117UNABPJMQLWXdc2AEwkxwhYd13bADCRHCNg3XVtA8BE+nGMJEmS/mqOkSRJ0ssxkiRJejlGkiRJL8dIkiTp5RhJkiS9HCNJkqSXYy
RJkvRyjCRJkl6OkSRJ0ssxkiRJejlGkiRJL8dIkiTp5RhJkiS9HCNJkqSXYyRJkvRyjCRJkl6OkSRJ0ssxkiRJejlGkiRJL8dIkiTp5R
hJkiS9HCNJkqSXYyRJkvRyjCRJkl6OkSRJ0ssxkiRJejlGkiRJrx/H6OPzH8CvXNc2AEwkxwhYd13bADCRHCNg3XVtA8BEcoyAdde1DQ
ATyTEC1l3XNgBMJMcIWHdd2wAwkRwjYN11bQPARHKMgHXXtQ0AE8kxAtZd1zYATCTHCFh3XdsAMJEcI2DddW0DwERyjIB117UNABPJMQ
LWXdc2AEwkxwhYd13bADCRHCNg3XVtA8BEcoyAdde1DQATyTEC1l3XNgBMJMcIWHdd2wAwkRwjYN11bQPARHKMgHXXtQ0AE8kxAtZd1z
YATCTHCFh3XdsAMJEcI2DddW0DwERyjIB117UNABPJMQLWXdc2AEwkxwhYd13bADCRHCNg3XVtA8BEcoyAdde1DQATyTEC1l3XNgBMJM
cIWHdd2wAwkRwjYN11bQPARHKMgHXXtQ0AE8kxAtZd1zYATCTHCFh3XdsAMJEcI2DddW0DwERyjIB117UNABPJMQLWXdc2AEwkxwhYd1
3bADCRHCNg3XVtA8BEcoyAdde1DQATyTEC1l3XNgBMJMcIWHdd2wAwkRwjYN11bQPARHKMgHXXtQ0AE8kxAtZd1zYATCTHCFh3XdsAMJ
EcI2DddW0DwERyjIB117UNABPJMQLWXdc2AEwkxwhYd13bADCRHCNg3XVtA8BEcoyAdde1DQATyTEC1l3XNgBMJMcIWHdd2wAwkRwjYN
11bQPARHKMgHXXtQ0AE8kxAtZd1zYATCTHCFh3XdsAMJEcI2DddW0DwERyjIB117UNABPJMQLWXdc2AEwkxwhYd13bADCRHCNg3XVtA8
BEcoyAdde1DQATyTEC1l3XNgBMJMcIWHdd2wAwkRwjYN11bQPARHKMgHXXtQ0AE8kxAtZd1zYATCTHCFh3XdsAMJEcI2DddW0DwERyjI
B117UNABPJMQLWXdc2AEwkxwhYd13bADCRHCNg3XVtA8BEcoyAdde1DQATyTEC1l3XNgBMJMcIWHdd2wAwkRwjYN11bQPARHKMgHXXtQ
0AE8kxAtZd1zYATCTHCFh3XdsAMJEcI2DddW0DwERyjIB117UNABPJMQLWXdc2AEwkxwhYd13bADCRHCNg3XVtA8BEcoyAdde1DQATyT
EC1l3XNgBMJMcIWHdd2wAwkRwjYN11bQPARHKMgHXXtQ0AE8kxAtZd1zYATCTHCFh3XdsAMJEcI2DddW0DwERyjIB117UNABPJMQLWXd
c2AEwkxwhYd13bADCRHCNg3XVtA8BEcoyAdde1DQATyTEC1l3XNgBMJMcIWHdd2wAwkRwjYN11bQPARHKMgHXXtQ0AE8kxAtZd1zYATC
THCFh3XdsAMJEcI2DddW0DwERyjIB117UNABPJMQLWXdc2AEwkxwhYd13bADCRHCNg3XVtA8BEcoyAdde1DQATyTEC1l3XNgBMJMcIWH
dd2wAwkRwjYN11bQPARHKMgHXXtQ0AE8kxAtZd1zYATCTHCFh3XdsAMJEcI2DddW0DwERyjIB117UNABPJMQLWXdc2AEwkxwhYd13bAD
CRHCNg3XVtA8BEcoyAdde1DQATyTEC1l3XNgBMJMcIWHdd2wAwkRwjYN11bQPARHKMgHXXtQ0AE8kxAtZd1zYATCTHCFh3XdsAMJEcI2
DddW0DwERyjIB117UNABPJMQLWXdc2AEwkxwhYd13bADCRHCNg3XVtA8BEcoyAdde1DQATyTEC1l3XNgBMJMcIWHdd2wAwkRwjYN11bQ
PARHKMgHXXtQ0AE8kxAtZd1zYATCTHCFh3XdsAMJEcI2DddW0DwERyjIB117UNABPJMQLWXdc2AEwkxwhYd13bADCRHCNg3XVtA8BEco
yAdde1DQATyTEC1l3XNgBMJMcIWHdd2wAwkRwjYN11bQPARHKMgHXXtQ0AE8kxAtZd1zYATCTHCFh3XdsAMJEcI2DddW0DwERyjIB117
UNABPJMQLWXdc2AEwkxwhYd13bADCRHCNg3XVtA8BEcoyAdde1DQATyTEC1l3XNgBMJMcIWHdd2wAwkRwjYN11bQPARHKMgHXXtQ0AE8
kxAtZd1zYATCTHCFh3XdsAMJEcI2DddW0DwERyjIB117UNABPJMQLWXdc2AEwkxwhYd13bADCRHCNg3XVtA8BEcoyAdde1DQATyTEC1l
3XNgBMJMcIWHdd2wAwkRwjYN11bQPARHKMgHXXtQ0AE8kxAtZd1zYATCTHCFh3XdsAMJEcI2DddW0DwERyjIB117UNABPJMQLWXdc2AE
wkxwhYd13bADCRHCNg3XVtA8BEcoyAdde1DQATyTEC1l3XNgBMJMcIWHdd2wAwkRwjYN11bQPARHKMgHXXtQ0AE8kxAtZd1zYATCTHCF
h3XdsAMJEcI2DddW0DwERyjIB117UNABPJMQLWXdc2AEwkxwhYd13bADCRHCNg3XVtA8BEcoyAdde1DQATyTEC1l3XNgBMJMcIWHdd2w
AwkRwjYN11bQPARHKMgHXXtQ0AE8kxAtZd1zYATCTHCFh3XdsAMJEcI2DddW0DwERyjIB117UNABPJMQLWXdc2AEwkxwhYd13bADCRHC
Ng3XVtA8BEcoyAdde1DQATyTEC1l3XNgBMJMcIWHdd2wAwkRwjYN11bQPARHKMgHXXtQ0AE8kxAtZd1zYATCTHCFh3XdsAMJEcI2DddW
0DwERyjIB117UNABPJMQLWXdc2AEwkxwhYd13bADCRHCNg3XVtA8BEcoyAdde1DQATyTEC1l3XNgBMJMcIWHdd2wAwkRwjYN11bQPARH
KMgHXXtQ0AE8kxAtZd1zYATCTHCFh3XdsAMJEcI2DddW0DwERyjIB117UNABPJMQLWXdc2AEwkxwhYd13bADCRHCNg3XVtA8BEcoyAdd
e1DQATyTEC1l3XNgBMJMcIWHdd2wAwkRwjYN11bQPARHKMgHXXtQ0AE8kxAtZd1zYATCTHCFh3XdsAMJEcI2DddW0DwERyjIB117UNAB
PJMQLWXdc2AEwkxwhYd13bADCRHCNg3XVtA8BEcoyAdde1DQATyTEC1l3XNgBMJMcIWHdd2wAwkRwjYN11bQPARHKMgHXXtQ0AE8kxAt
Zd1zYATCTHCFh3XdsAMJEcI2DddW0DwERyjIB117UNABPJMQLWXdc2AEwkxwhYd13bADCRHCNg3XVtA8BEcoyAdde1DQATyTEC1l3XNg
BMJMcIWHdd2wAwkRwjYN11bQPARHKMgHXXtQ0AE8kxAtZd1zYATCTHCFh3XdsAMJEcI2DddW0DwERyjIB117UNABPJMQLWXdc2AEwkxw
hYd13bADCRHCNg3XVtA8BEcoyAdde1DQATyTEC1l3XNgBMJMcIWHdd2wAwkRwjYN11bQPARHKMgHXXtQ0AE8kxAtZd1zYATCTHCFh3Xd
sAMJF+HCNJkqS/mmMkSZL0cowkSZK++/r6DwqOoucNyrLNAAAAAElFTkSuQmCC"/>
<rect v:rectContext="foreign" x="0" y="0.500011" width="436.5" height="438" class="st1"/>
</g>
</g>
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 9.0 KiB

328
windows/hub/index.yml
View File

@ -1,121 +1,243 @@
### YamlMime:Landing
### YamlMime:Hub
title: Windows client resources and documentation for IT Pros # < 60 chars
summary: Plan, deploy, secure, and manage devices running Windows 10 and Windows 11. # < 160 chars
title: Windows client documentation for IT Pros # < 60 chars
summary: Evaluate, plan, deploy, secure, and manage devices running Windows 10 and Windows 11. # < 160 chars
# brand: aspnet | azure | dotnet | dynamics | m365 | ms-graph | office | power-apps | power-automate | power-bi | power-platform | power-virtual-agents | sql | sql-server | vs | visual-studio | windows | xamarin
brand: windows
metadata:
title: Windows client documentation for IT Pros # Required; page title displayed in search results. Include the brand. < 60 chars.
description: Evaluate, plan, deploy, secure, and manage devices running Windows 10 and Windows 11. # Required; article description that is displayed in search results. < 160 chars.
services: windows-10
ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM.
ms.subservice: subservice
ms.topic: landing-page # Required
ms.collection: windows-10
author: greg-lindsay #Required; your GitHub user alias, with correct capitalization.
ms.author: greglin #Required; microsoft alias of author; optional team alias.
ms.date: 06/01/2020 #Required; mm/dd/yyyy format.
ms.service: subservice #Required; service per approved list. service slug assigned to your service by ACOM.
ms.subservice: subservice # Optional; Remove if no subservice is used.
ms.topic: hub-page # Required
ms.collection: windows-10 # Optional; Remove if no collection is used.
author: dougeby #Required; your GitHub user alias, with correct capitalization.
ms.author: dougeby #Required; microsoft alias of author; optional team alias.
ms.date: 10/01/2021 #Required; mm/dd/yyyy format.
localization_priority: medium
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
landingContent:
# Cards and links should be based on top customer tasks or top subjects
# Start card title with a verb
# Card (optional)
- title: What's new
linkLists:
- linkListType: overview
links:
- text: Windows 11 overview
url: /windows/whats-new/windows-11
- text: Windows 11 requirements
url: /windows/whats-new/windows-11-requirements
- text: Plan for Windows 11
url: /windows/whats-new/windows-11-plan
- text: Prepare for Windows 11
url: /windows/whats-new/windows-11-prepare
- text: What's new in Windows 10, version 21H1
url: /windows/whats-new/whats-new-windows-10-version-21H1
- text: Windows release information
url: /windows/release-health/release-information
# highlightedContent section (optional)
# Maximum of 8 items
highlightedContent:
# itemType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | sample | tutorial | video | whats-new
items:
# Card
- title: Become a Windows Insider
itemType: overview
url: https://insider.windows.com
# Card
- title: See what's new in Windows release health
itemType: overview
url: /windows/release-health/
# Card
- title: Learn more about Hybrid Work
itemType: overview
url: https://www.microsoft.com/hybridwork/
# productDirectory section (optional)
productDirectory:
title: Get to know Windows 11 # < 60 chars (optional)
summary: Learn more about what's new, what's updated, and what you get in Windows 11 # < 160 chars (optional)
items:
# Card
- title: What's new in Windows 11
imageSrc: /windows/resources/images/winlogo.svg
summary: Get more information about features and improvements that are important to admins
url: /windows/whats-new/windows-11-whats-new
- title: Windows 11 requirements
imageSrc: /windows/resources/images/winlogo.svg
summary: See the system requirements for Windows 11, including running Windows 11 on a virtual machine
url: /windows/whats-new/windows-11-requirements
- title: Trusted Platform Module (TPM)
imageSrc: /windows/resources/images/winlogo.svg
summary: Learn more about TPM, and why it's a good thing
url: /windows/security/information-protection/tpm/trusted-platform-module-overview
# conceptualContent section (optional)
conceptualContent:
# Supports up to 3 sections
# itemType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | sample | tutorial | video | whats-new
title: Windows client resources and documentation for IT Pros
summary: Plan, deploy, secure, and manage devices running Windows 10 and Windows 11.
items:
# card
- title: Overview
links:
- url: /windows/whats-new/windows-11-whats-new
itemType: overview
text: What's new in Windows 11
- url: /windows/whats-new/windows-11-plan
itemType: overview
text: Plan for Windows 11
- url: /windows/whats-new/windows-11-prepare
itemType: overview
text: Prepare for Windows 11
- url: /windows/whats-new/whats-new-windows-10-version-21H1
itemType: overview
text: What's new in Windows 10, version 21H1
- url: /windows/release-health/release-information
itemType: overview
text: Windows release information
# Card (optional)
- title: Configuration
linkLists:
- linkListType: how-to-guide
links:
- text: Configure Windows
url: /windows/configuration/index
- text: Accessibility information for IT Pros
url: /windows/configuration/windows-10-accessibility-for-itpros
- text: Configure access to Microsoft Store
url: /windows/configuration/stop-employees-from-using-microsoft-store
- text: Set up a shared or guest PC
url: /windows/configuration/set-up-shared-or-guest-pc
- title: Configuration
links:
- url: /windows/configuration/index
itemType: overview
text: Configure Windows
- url: /windows/configuration/provisioning-packages/provisioning-packages
itemType: how-to-guide
text: Use Provisioning packages to configure new devices
- url: /windows/configuration/windows-10-accessibility-for-itpros
itemType: overview
text: Accessibility information for IT Pros
- url: /windows/configuration/customize-start-menu-layout-windows-11
itemType: how-to-guide
text: Customize the Start menu layout
- url: /windows/configuration/stop-employees-from-using-microsoft-store
itemType: how-to-guide
text: Control access to Microsoft Store
- url: /windows/configuration/set-up-shared-or-guest-pc
itemType: how-to-guide
text: Set up a shared or guest PC
# Card (optional)
- title: Deployment
linkLists:
- linkListType: deploy
links:
- text: Deploy and update Windows
url: /windows/deployment/index
- text: Windows deployment scenarios
url: /windows/deployment/windows-10-deployment-scenarios
- text: Create a deployment plan
url: /windows/deployment/update/create-deployment-plan
- text: Prepare to deploy Windows client
url: /windows/deployment/update/prepare-deploy-windows
- title: Deployment
links:
- url: /windows/deployment/index
itemType: deploy
text: Deploy and update Windows
- url: /windows/deployment/windows-10-deployment-scenarios
itemType: deploy
text: Windows deployment scenarios
- url: /windows/deployment/update/create-deployment-plan
itemType: deploy
text: Create a deployment plan
- url: /windows/deployment/update/prepare-deploy-windows
itemType: deploy
text: Prepare to deploy Windows client
# Card
- title: App management
linkLists:
- linkListType: how-to-guide
links:
- text: Windows application management
url: /windows/application-management/index
- text: Understand the different apps included in Windows 10
url: /windows/application-management/apps-in-windows-10
- text: Get started with App-V for Windows 10
url: /windows/application-management/app-v/appv-getting-started
- text: Keep removed apps from returning during an update
url: /windows/application-management/remove-provisioned-apps-during-update
- title: App management
links:
- url: /windows/application-management/index
itemType: overview
text: Windows application management
- url: /windows/application-management/apps-in-windows-10
itemType: overview
text: Learn more about the different apps types for Windows
- url: /windows/application-management/private-app-repository-mdm-company-portal-windows-11
itemType: how-to-guide
text: Use the private app repo on Windows 11
- url: /windows/application-management/remove-provisioned-apps-during-update
itemType: how-to-guide
text: Keep removed apps from returning during an update
# Card
- title: Client management
linkLists:
- linkListType: how-to-guide
links:
- text: Windows client management
url: /windows/client-management/index
- text: Administrative tools
url: /windows/client-management/administrative-tools-in-windows-10
- text: Create mandatory user profiles
url: /windows/client-management/mandatory-user-profile
- text: New policies for Windows 10
url: /windows/client-management/new-policies-for-windows-10
- text: Configuration service provider reference
url: /windows/client-management/mdm/configuration-service-provider-reference
- title: Client management
links:
- url: /windows/client-management/index
itemType: overview
text: Windows client management
- url: /windows/client-management/administrative-tools-in-windows-10
itemType: overview
text: Administrative tools
- url: /windows/client-management/mandatory-user-profile
itemType: how-to-guide
text: Create mandatory user profiles
- url: /windows/client-management/new-policies-for-windows-10
itemType: overview
text: New policies for Windows 10
- url: /windows/client-management/mdm/configuration-service-provider-reference
itemType: reference
text: Configuration service provider reference
# Card (optional)
- title: Security and Privacy
linkLists:
- linkListType: how-to-guide
links:
- text: Windows Enterprise Security
url: /windows/security/index
- text: Windows Privacy
url: /windows/privacy/index
- text: Identity and access management
url: /windows/security/identity-protection/index
- text: Threat protection
url: /windows/security/threat-protection/index
- text: Information protection
url: /windows/security/information-protection/index
- text: Required diagnostic data
url: /windows/privacy/required-windows-diagnostic-data-events-and-fields-2004
- text: Optional diagnostic data
url: /windows/privacy/windows-diagnostic-data
- text: Changes to Windows diagnostic data collection
url: /windows/privacy/changes-to-windows-diagnostic-data-collection
- title: Security and Privacy
links:
- url: /windows/security/index
itemType: overview
text: Windows Enterprise Security
- url: /windows/privacy/index
itemType: overview
text: Windows Privacy
- url: /windows/security/hardware
itemType: overview
text: Hardware security
- url: /windows/security/operating-system
itemType: overview
text: Operating system security
- url: /windows/security/apps
itemType: overview
text: Application security
- url: /windows/security/identity
itemType: overview
text: User and identity security
- url: /windows/security/cloud
itemType: overview
text: Cloud services
# additionalContent section (optional)
# Card with summary style
additionalContent:
# Supports up to 4 subsections
sections:
- title: More Windows resources # < 60 chars (optional)
items:
# Card
- title: Windows 11 product site
summary: Find out more about Windows 11 for enterprise and Windows 11 for business
url: https://www.microsoft.com/microsoft-365/windows
- title: Windows blogs
summary: Keep up with the latest news about Windows
url: https://blogs.windows.com/
- title: "Planning for Windows 11: best practices for organizations"
summary: Blog article with best practices to help you plan for Windows 11
url: https://aka.ms/Windows/blog002
- title: Windows 11 security explained
summary: Blog article to learn how Windows 11 enables security by design from the chip to the cloud
url: https://aka.ms/Windows/blog010
# Card
- title: Participate in the Tech Community
summary: Learn how to be part of the Windows Tech Community
url: https://techcommunity.microsoft.com/t5/windows/ct-p/Windows10
# Card
- title: Ask the community
summary: Get help, and help others
url: https://answers.microsoft.com/windows/forum
- title: Other resources
items:
- title: Microsoft Endpoint Manager
links:
- text: Microsoft Endpoint Manager documentation
url: /mem
- text: Overview of Microsoft Endpoint Manager
url: /mem/endpoint-manager-overview
- text: Getting started with Microsoft Endpoint Manager
url: /mem/endpoint-manager-getting-started
- text: Microsoft Endpoint Manager blog
url: https://aka.ms/memblog
- title: Windows 365
links:
- text: Windows 365 documentation
url: /windows-365
- text: What is Windows 365
url: /windows-365/overview
- text: Windows 365 blog
url: https://www.microsoft.com/microsoft-365/blog/
- title: Windows Server
links:
- text: Windows Server documentation
url: /windows-server
- text: What's new in Windows Server 2022?
url: /windows-server/get-started/whats-new-in-windows-server-2022
- text: Get started with Windows Server
url: /windows-server/get-started/get-started-with-windows-server
- text: Windows Server blog
url: https://cloudblogs.microsoft.com/windowsserver/

3
windows/privacy/Microsoft-DiagnosticDataViewer.md
View File

@ -21,7 +21,8 @@ ms.reviewer:
**Applies to**
- Windows 10, version 1803 and newer
- Windows 11
- Windows 10, version 1803 and later
- Windows Server, version 1803
- Windows Server 2019

36
windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
View File

@ -13,7 +13,7 @@ manager: dansimp
ms.collection: M365-security-compliance
ms.topic: article
audience: ITPro
ms.date: 04/28/2021
ms.date: 09/08/2021
ms.reviewer:
---
@ -33,7 +33,8 @@ Use this article to learn about diagnostic events, grouped by event area, and th
You can learn more about Windows functional and diagnostic data through these articles:
- [Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 basic diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md)
- [Required Windows 11 diagnostic events and fields](required-windows-11-diagnostic-events-and-fields.md)
- [Windows 10, version 20H2 and Windows 10, version 2004 basic diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md)
- [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md)
- [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md)
- [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md)
@ -2692,7 +2693,7 @@ The following fields are available:
- **Slot** Slot to which the DRAM is plugged into the motherboard.
- **Speed** The configured memory slot speed in MHz.
- **Type** Reports DDR as an enumeration value as per the DMTF SMBIOS standard version 3.3.0, section 7.18.2.
- **TypeDetails** Reports Non-volatile as a bit flag enumeration per the DMTF SMBIOS standard version 3.3.0, section 7.18.3.
- **TypeDetails** Reports Non-volatile as a bit flag enumeration as per the DMTF SMBIOS standard version 3.3.0, section 7.18.3.
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousMemorySlotArrayInfoStartSync
@ -6247,6 +6248,21 @@ The following fields are available:
- **ResultId** The final result of the interaction campaign.
### Microsoft.Windows.WindowsUpdate.RUXIM.ICSEvaluateInteractionCampaign
This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS.EXE) finishes processing an interaction campaign. The data collected with this event is used to help keep Windows up to date and performing properly.
The following fields are available:
- **ControlId** String identifying the control (if any) that was selected by the user during presentation.
- **hrInteractionHandler** The error (if any) reported by the RUXIM Interaction Handler while processing the interaction campaign.
- **hrScheduler** The error (if any) encountered by RUXIM Interaction Campaign Scheduler itself while processing the interaction campaign.
- **InteractionCampaignID** The ID of the interaction campaign that was processed.
- **ResultId** The result of the evaluation/presentation.
- **WasCompleted** True if the interaction campaign is complete.
- **WasPresented** True if the Interaction Handler displayed the interaction campaign to the user.
### Microsoft.Windows.WindowsUpdate.RUXIM.ICSExit
This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS) exits. The data collected with this event is used to help keep Windows up to date and performing properly.
@ -6278,6 +6294,20 @@ This event is sent when RUXIM begins checking with OneSettings to retrieve any U
### Microsoft.Windows.WindowsUpdate.RUXIM.IHEvaluateAndPresent
This event is generated when the RUXIM Interaction Handler finishes evaluating, and possibly presenting an interaction campaign. The data collected with this event is used to help keep Windows up to date and performing properly.
The following fields are available:
- **hrLocal** The error (if any) encountered by RUXIM Interaction Handler during evaluation and presentation.
- **hrPresentation** The error (if any) reported by RUXIM Presentation Handler during presentation.
- **InteractionCampaignID** GUID; the user interaction campaign processed by RUXIM Interaction Handler.
- **ResultId** The result generated by the evaluation and presentation.
- **WasCompleted** True if the user interaction campaign is complete.
- **WasPresented** True if the user interaction campaign is displayed to the user.
### Microsoft.Windows.WindowsUpdate.RUXIM.IHExit
This event is generated when the RUXIM Interaction Handler (RUXIMIH.EXE) exits. The data collected with this event is used to help keep Windows up to date and performing properly.

54
windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
View File

@ -13,7 +13,7 @@ manager: dansimp
ms.collection: M365-security-compliance
ms.topic: article
audience: ITPro
ms.date: 04/28/2021
ms.date: 09/08/2021
ms.reviewer:
---
@ -33,7 +33,8 @@ Use this article to learn about diagnostic events, grouped by event area, and th
You can learn more about Windows functional and diagnostic data through these articles:
- [Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 basic diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md)
- [Required Windows 11 diagnostic events and fields](required-windows-11-diagnostic-events-and-fields.md)
- [Windows 10, version 20H2 and Windows 10, version 2004 basic diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md)
- [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md)
- [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md)
- [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md)
@ -2734,8 +2735,8 @@ The following fields are available:
- **Model** Model and sub-model of the memory
- **Slot** Slot to which the DRAM is plugged into the motherboard.
- **Speed** The configured memory slot speed in MHz.
- **Type** Reports DDR as an enumeration value as per the DMTF SMBIOS standard version 3.3.0, section 7.18.2.
- **TypeDetails** Reports Non-volatile as a bit flag enumeration per the DMTF SMBIOS standard version 3.3.0, section 7.18.3.
- **Type** Reports DDR as an enumeration value per DMTF SMBIOS standard version 3.3.0, section 7.18.2.
- **TypeDetails** Reports Non-volatile as a bit flag enumeration per DMTF SMBIOS standard version 3.3.0, section 7.18.3.
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousMemorySlotArrayInfoStartSync
@ -3028,6 +3029,22 @@ The following fields are available:
- **winInetError** The HResult of the operation.
## Other events
### Microsoft.ServerManagementExperience.Gateway.Service.ManagedNodeProperties
This is a periodic rundown event that contains more detailed information about the nodes added to this Windows Admin Center gateway for management.
The following fields are available:
- **nodeId** The nodeTypeId concatenated with the hostname or IP address that gateway uses to connect to this node.
- **nodeOperatingSystem** A user friendly description of the node's OS version.
- **nodeOSVersion** A major or minor build version string for the node's OS.
- **nodeTypeId** A string that distinguishes between a connection target, whether it is a client, server, cluster or a hyper-converged cluster.
- **otherProperties** Contains a JSON object with variable content and may contain: "nodes": a list of host names or IP addresses of the servers belonging to a cluster, "aliases": the alias if it is set for this connection, "lastUpdatedTime": the number of milliseconds since Unix epoch when this connection was last updated, "ncUri", "caption", "version", "productType", "networkName", "operatingSystem", "computerManufacturer", "computerModel", "isS2dEnabled". This JSON object is formatted as an quotes-escaped string.
## Privacy logging notification events
### Microsoft.Windows.Shell.PrivacyNotifierLogging.PrivacyNotifierCompleted
@ -6409,6 +6426,21 @@ The following fields are available:
- **ResultId** The final result of the interaction campaign.
### Microsoft.Windows.WindowsUpdate.RUXIM.ICSEvaluateInteractionCampaign
This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS.EXE) finishes processing an interaction campaign. The data collected with this event is used to help keep Windows up to date and performing properly.
The following fields are available:
- **ControlId** String identifying the control (if any) that was selected by the user during presentation.
- **hrInteractionHandler** The error (if any) reported by the RUXIM Interaction Handler while processing the interaction campaign.
- **hrScheduler** The error (if any) encountered by RUXIM Interaction Campaign Scheduler itself while processing the interaction campaign.
- **InteractionCampaignID** The ID of the interaction campaign that was processed.
- **ResultId** The result of the evaluation/presentation.
- **WasCompleted** True if the interaction campaign is complete.
- **WasPresented** True if the Interaction Handler displayed the interaction campaign to the user.
### Microsoft.Windows.WindowsUpdate.RUXIM.ICSExit
This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS) exits. The data collected with this event is used to help keep Windows up to date and performing properly.
@ -6440,6 +6472,20 @@ This event is sent when RUXIM begins checking with OneSettings to retrieve any U
### Microsoft.Windows.WindowsUpdate.RUXIM.IHEvaluateAndPresent
This event is generated when the RUXIM Interaction Handler finishes evaluating, and possibly presenting an interaction campaign. The data collected with this event is used to help keep Windows up to date and performing properly.
The following fields are available:
- **hrLocal** The error (if any) encountered by RUXIM Interaction Handler during evaluation and presentation.
- **hrPresentation** The error (if any) reported by RUXIM Presentation Handler during presentation.
- **InteractionCampaignID** GUID; the user interaction campaign processed by RUXIM Interaction Handler.
- **ResultId** The result generated by the evaluation and presentation.
- **WasCompleted** True if the user interaction campaign is complete.
- **WasPresented** True if the user interaction campaign is displayed to the user.
### Microsoft.Windows.WindowsUpdate.RUXIM.IHExit
This event is generated when the RUXIM Interaction Handler (RUXIMIH.EXE) exits. The data collected with this event is used to help keep Windows up to date and performing properly.

71
windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
View File

@ -13,7 +13,7 @@ manager: dansimp
ms.collection: M365-security-compliance
ms.topic: article
audience: ITPro
ms.date: 04/28/2021
ms.date: 09/08/2021
ms.reviewer:
---
@ -33,7 +33,8 @@ Use this article to learn about diagnostic events, grouped by event area, and th
You can learn more about Windows functional and diagnostic data through these articles:
- [Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 basic diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md)
- [Required Windows 11 diagnostic events and fields](required-windows-11-diagnostic-events-and-fields.md)
- [Windows 10, version 20H2 and Windows 10, version 2004 basic diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md)
- [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md)
- [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md)
- [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md)
@ -3007,6 +3008,32 @@ The following fields are available:
- **WDDMVersion** The Windows Display Driver Model version.
### DxgKrnlTelemetry.GPUAdapterStop
This event collects information about an adapter when it stops. The data collected with this event is used to help keep Windows up to date and performing properly.
The following fields are available:
- **AdapterLuid** Local Identifier for the adapter.
- **AdapterTypeValue** Numeric value indicating the type of the adapter.
- **DriverDate** Date of the driver.
- **DriverVersion** Version of the driver.
- **GPUDeviceID** Device identifier for the adapter.
- **GPUVendorID** Vendor identifier for the adapter.
- **InterfaceId** Identifier for the adapter.
- **IsDetachable** Boolean value indicating whether the adapter is removable or detachable.
- **IsDisplayDevice** Boolean value indicating whether the adapter has display capabilities.
- **IsHybridDiscrete** Boolean value indicating whether the adapter is a discrete adapter in a hybrid configuration.
- **IsHybridIntegrated** Boolean value indicating whether the adapter is an integrated adapter in a hybrid configuration.
- **IsRenderDevice** Boolean value indicating whether the adapter has rendering capabilities.
- **IsSoftwareDevice** Boolean value indicating whether the adapter is implemented in software.
- **IsSurpriseRemoved** Boolean value indicating whether the adapter was surprise removed.
- **SubSystemID** Subsystem identifier for the adapter.
- **SubVendorID** Sub-vendor identifier for the adapter.
- **version** Version of the schema for this event.
- **WDDMVersion** Display driver model version for the driver.
## Failover Clustering events
### Microsoft.Windows.Server.FailoverClusteringCritical.ClusterSummary2
@ -3674,7 +3701,7 @@ The following fields are available:
- **Slot** Slot to which the DRAM is plugged into the motherboard.
- **Speed** The configured memory slot speed in MHz.
- **Type** Reports DDR as an enumeration value as per the DMTF SMBIOS standard version 3.3.0, section 7.18.2.
- **TypeDetails** Reports Non-volatile as a bit flag enumeration per the DMTF SMBIOS standard version 3.3.0, section 7.18.3.
- **TypeDetails** Reports Non-volatile as a bit flag enumeration as per the DMTF SMBIOS standard version 3.3.0, section 7.18.3.
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousMemorySlotArrayInfoStartSync
@ -4340,6 +4367,19 @@ The following fields are available:
- **winInetError** The HResult of the operation.
## Other events
### Microsoft.Surface.Battery.Prod.BatteryInfoEvent
This event includes the hardware level data about battery performance. The data collected with this event is used to help keep Windows products and services performing properly.
The following fields are available:
- **pszBatteryDataXml** Battery performance data.
- **szBatteryInfo** Battery performance data.
## Privacy consent logging events
### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted
@ -5433,16 +5473,6 @@ The following fields are available:
- **UpdateId** The update ID for a specific piece of content.
- **ValidityWindowInDays** The validity window that's in effect when verifying the timestamp.
## Surface events
### Microsoft.Surface.Battery.Prod.BatteryInfoEvent
This event includes the hardware level data about battery performance. The data collected with this event is used to help keep Windows products and services performing properly.
The following fields are available:
- **pszBatteryDataXml** Battery performance data.
- **szBatteryInfo** Battery performance data.
## Update Assistant events
@ -8032,6 +8062,21 @@ The following fields are available:
- **ResultId** The final result of the interaction campaign.
### Microsoft.Windows.WindowsUpdate.RUXIM.ICSEvaluateInteractionCampaign
This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS.EXE) finishes processing an interaction campaign. The data collected with this event is used to help keep Windows up to date and performing properly.
The following fields are available:
- **ControlId** String identifying the control (if any) that was selected by the user during presentation.
- **hrInteractionHandler** The error (if any) reported by the RUXIM Interaction Handler while processing the interaction campaign.
- **hrScheduler** The error (if any) encountered by RUXIM Interaction Campaign Scheduler itself while processing the interaction campaign.
- **InteractionCampaignID** The ID of the interaction campaign that was processed.
- **ResultId** The result of the evaluation/presentation.
- **WasCompleted** True if the interaction campaign is complete.
- **WasPresented** True if the Interaction Handler displayed the interaction campaign to the user.
### Microsoft.Windows.WindowsUpdate.RUXIM.ICSExit
This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS) exits. The data collected with this event is used to help keep Windows up to date and performing properly.

245
windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
View File

@ -13,7 +13,7 @@ manager: dansimp
ms.collection: M365-security-compliance
ms.topic: article
audience: ITPro
ms.date: 04/29/2021
ms.date: 09/08/2021
ms.reviewer:
---
@ -33,7 +33,8 @@ Use this article to learn about diagnostic events, grouped by event area, and th
You can learn more about Windows functional and diagnostic data through these articles:
- [Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 basic diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md)
- [Required Windows 11 diagnostic events and fields](required-windows-11-diagnostic-events-and-fields.md)
- [Windows 10, version 20H2 and Windows 10, version 2004 basic diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md)
- [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md)
- [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md)
- [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md)
@ -312,7 +313,7 @@ The following fields are available:
- **DatasourceApplicationFile_19H1Setup** The total number of objects of this type present on this device.
- **DatasourceApplicationFile_20H1** The total number of objects of this type present on this device.
- **DatasourceApplicationFile_20H1Setup** The total number of objects of this type present on this device.
- **DatasourceApplicationFile_21H1Setup** The total number of objects of this type present on this device.
- **DatasourceApplicationFile_21H1Setup** The count of the number of this particular object type present on this device.
- **DatasourceApplicationFile_RS1** The total number of objects of this type present on this device.
- **DatasourceApplicationFile_RS2** The total number of objects of this type present on this device.
- **DatasourceApplicationFile_RS3** The total number of objects of this type present on this device.
@ -324,11 +325,11 @@ The following fields are available:
- **DatasourceApplicationFile_TH1** The total number of objects of this type present on this device.
- **DatasourceApplicationFile_TH2** The total number of objects of this type present on this device.
- **DatasourceDevicePnp_19ASetup** The total number of objects of this type present on this device.
- **DatasourceDevicePnp_19H1** The total number of objects of this type present on this device.
- **DatasourceDevicePnp_19H1** The count of the number of this particular object type present on this device.
- **DatasourceDevicePnp_19H1Setup** The total number of objects of this type present on this device.
- **DatasourceDevicePnp_20H1** The total number of objects of this type present on this device.
- **DatasourceDevicePnp_20H1Setup** The total number of objects of this type present on this device.
- **DatasourceDevicePnp_21H1Setup** The total number of objects of this type present on this device.
- **DatasourceDevicePnp_21H1Setup** The count of the number of this particular object type present on this device.
- **DatasourceDevicePnp_RS1** The total number of objects of this type present on this device.
- **DatasourceDevicePnp_RS2** The total number of objects of this type present on this device.
- **DatasourceDevicePnp_RS3** The total number of objects of this type present on this device.
@ -344,7 +345,7 @@ The following fields are available:
- **DatasourceDriverPackage_19H1Setup** The total number of objects of this type present on this device.
- **DatasourceDriverPackage_20H1** The total number of objects of this type present on this device.
- **DatasourceDriverPackage_20H1Setup** The total number of objects of this type present on this device.
- **DatasourceDriverPackage_21H1Setup** The total number of objects of this type present on this device.
- **DatasourceDriverPackage_21H1Setup** The count of the number of this particular object type present on this device.
- **DatasourceDriverPackage_RS1** The total number of objects of this type present on this device.
- **DatasourceDriverPackage_RS2** The total number of objects of this type present on this device.
- **DatasourceDriverPackage_RS3** The total number of objects of this type present on this device.
@ -360,7 +361,7 @@ The following fields are available:
- **DataSourceMatchingInfoBlock_19H1Setup** The total number of objects of this type present on this device.
- **DataSourceMatchingInfoBlock_20H1** The total number of objects of this type present on this device.
- **DataSourceMatchingInfoBlock_20H1Setup** The total number of objects of this type present on this device.
- **DataSourceMatchingInfoBlock_21H1Setup** The total number of objects of this type present on this device.
- **DataSourceMatchingInfoBlock_21H1Setup** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoBlock_RS1** The total number of objects of this type present on this device.
- **DataSourceMatchingInfoBlock_RS2** The total number of objects of this type present on this device.
- **DataSourceMatchingInfoBlock_RS3** The total number of objects of this type present on this device.
@ -376,7 +377,7 @@ The following fields are available:
- **DataSourceMatchingInfoPassive_19H1Setup** The total number of objects of this type present on this device.
- **DataSourceMatchingInfoPassive_20H1** The total number of objects of this type present on this device.
- **DataSourceMatchingInfoPassive_20H1Setup** The total number of objects of this type present on this device.
- **DataSourceMatchingInfoPassive_21H1Setup** The total number of objects of this type present on this device.
- **DataSourceMatchingInfoPassive_21H1Setup** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoPassive_RS1** The total number of objects of this type present on this device.
- **DataSourceMatchingInfoPassive_RS2** The total number of objects of this type present on this device.
- **DataSourceMatchingInfoPassive_RS3** The total number of objects of this type present on this device.
@ -392,7 +393,7 @@ The following fields are available:
- **DataSourceMatchingInfoPostUpgrade_19H1Setup** The total number of objects of this type present on this device.
- **DataSourceMatchingInfoPostUpgrade_20H1** The total number of objects of this type present on this device.
- **DataSourceMatchingInfoPostUpgrade_20H1Setup** The total number of objects of this type present on this device.
- **DataSourceMatchingInfoPostUpgrade_21H1Setup** The total number of objects of this type present on this device.
- **DataSourceMatchingInfoPostUpgrade_21H1Setup** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoPostUpgrade_RS1** The total number of objects of this type present on this device.
- **DataSourceMatchingInfoPostUpgrade_RS2** The total number of objects of this type present on this device.
- **DataSourceMatchingInfoPostUpgrade_RS3** The total number of objects of this type present on this device.
@ -408,7 +409,7 @@ The following fields are available:
- **DatasourceSystemBios_19H1Setup** The total number of objects of this type present on this device.
- **DatasourceSystemBios_20H1** The total number of objects of this type present on this device.
- **DatasourceSystemBios_20H1Setup** The total number of objects of this type present on this device.
- **DatasourceSystemBios_21H1Setup** The total number of objects of this type present on this device.
- **DatasourceSystemBios_21H1Setup** The count of the number of this particular object type present on this device.
- **DatasourceSystemBios_RS1** The total number of objects of this type present on this device.
- **DatasourceSystemBios_RS2** The total number of objects of this type present on this device.
- **DatasourceSystemBios_RS3** The total number of objects of this type present on this device.
@ -424,7 +425,7 @@ The following fields are available:
- **DecisionApplicationFile_19H1Setup** The total number of objects of this type present on this device.
- **DecisionApplicationFile_20H1** The total number of objects of this type present on this device.
- **DecisionApplicationFile_20H1Setup** The total number of objects of this type present on this device.
- **DecisionApplicationFile_21H1Setup** The total number of objects of this type present on this device.
- **DecisionApplicationFile_21H1Setup** The count of the number of this particular object type present on this device.
- **DecisionApplicationFile_RS1** The total number of objects of this type present on this device.
- **DecisionApplicationFile_RS2** The total number of objects of this type present on this device.
- **DecisionApplicationFile_RS3** The total number of objects of this type present on this device.
@ -440,7 +441,7 @@ The following fields are available:
- **DecisionDevicePnp_19H1Setup** The total number of objects of this type present on this device.
- **DecisionDevicePnp_20H1** The total number of objects of this type present on this device.
- **DecisionDevicePnp_20H1Setup** The total number of objects of this type present on this device.
- **DecisionDevicePnp_21H1Setup** The total number of objects of this type present on this device.
- **DecisionDevicePnp_21H1Setup** The count of the number of this particular object type present on this device.
- **DecisionDevicePnp_RS1** The total number of objects of this type present on this device.
- **DecisionDevicePnp_RS2** The total number of objects of this type present on this device.
- **DecisionDevicePnp_RS3** The total number of objects of this type present on this device.
@ -456,7 +457,7 @@ The following fields are available:
- **DecisionDriverPackage_19H1Setup** The total number of objects of this type present on this device.
- **DecisionDriverPackage_20H1** The total number of objects of this type present on this device.
- **DecisionDriverPackage_20H1Setup** The total number of objects of this type present on this device.
- **DecisionDriverPackage_21H1Setup** The total number of objects of this type present on this device.
- **DecisionDriverPackage_21H1Setup** The count of the number of this particular object type present on this device.
- **DecisionDriverPackage_RS1** The total number of objects of this type present on this device.
- **DecisionDriverPackage_RS2** The total number of objects of this type present on this device.
- **DecisionDriverPackage_RS3** The total number of objects of this type present on this device.
@ -472,7 +473,7 @@ The following fields are available:
- **DecisionMatchingInfoBlock_19H1Setup** The total number of objects of this type present on this device.
- **DecisionMatchingInfoBlock_20H1** The total number of objects of this type present on this device.
- **DecisionMatchingInfoBlock_20H1Setup** The total number of objects of this type present on this device.
- **DecisionMatchingInfoBlock_21H1Setup** The total number of objects of this type present on this device.
- **DecisionMatchingInfoBlock_21H1Setup** The count of the number of this particular object type present on this device.
- **DecisionMatchingInfoBlock_RS1** The total number of objects of this type present on this device.
- **DecisionMatchingInfoBlock_RS2** The total number of objects of this type present on this device.
- **DecisionMatchingInfoBlock_RS3** The total number of objects of this type present on this device.
@ -488,7 +489,7 @@ The following fields are available:
- **DecisionMatchingInfoPassive_19H1Setup** The total number of objects of this type present on this device.
- **DecisionMatchingInfoPassive_20H1** The total number of objects of this type present on this device.
- **DecisionMatchingInfoPassive_20H1Setup** The total number of objects of this type present on this device.
- **DecisionMatchingInfoPassive_21H1Setup** The total number of objects of this type present on this device.
- **DecisionMatchingInfoPassive_21H1Setup** The count of the number of this particular object type present on this device.
- **DecisionMatchingInfoPassive_RS1** The total number of objects of this type present on this device.
- **DecisionMatchingInfoPassive_RS2** The total number of objects of this type present on this device.
- **DecisionMatchingInfoPassive_RS3** The total number of objects of this type present on this device.
@ -504,7 +505,7 @@ The following fields are available:
- **DecisionMatchingInfoPostUpgrade_19H1Setup** The total number of objects of this type present on this device.
- **DecisionMatchingInfoPostUpgrade_20H1** The total number of objects of this type present on this device.
- **DecisionMatchingInfoPostUpgrade_20H1Setup** The total number of objects of this type present on this device.
- **DecisionMatchingInfoPostUpgrade_21H1Setup** The total number of objects of this type present on this device.
- **DecisionMatchingInfoPostUpgrade_21H1Setup** The count of the number of this particular object type present on this device.
- **DecisionMatchingInfoPostUpgrade_RS1** The total number of objects of this type present on this device.
- **DecisionMatchingInfoPostUpgrade_RS2** The total number of objects of this type present on this device.
- **DecisionMatchingInfoPostUpgrade_RS3** The total number of objects of this type present on this device.
@ -520,7 +521,7 @@ The following fields are available:
- **DecisionMediaCenter_19H1Setup** The total number of objects of this type present on this device.
- **DecisionMediaCenter_20H1** The total number of objects of this type present on this device.
- **DecisionMediaCenter_20H1Setup** The total number of objects of this type present on this device.
- **DecisionMediaCenter_21H1Setup** The total number of objects of this type present on this device.
- **DecisionMediaCenter_21H1Setup** The count of the number of this particular object type present on this device.
- **DecisionMediaCenter_RS1** The total number of objects of this type present on this device.
- **DecisionMediaCenter_RS2** The total number of objects of this type present on this device.
- **DecisionMediaCenter_RS3** The total number of objects of this type present on this device.
@ -536,7 +537,7 @@ The following fields are available:
- **DecisionSystemBios_19H1Setup** The total number of objects of this type present on this device.
- **DecisionSystemBios_20H1** The total number of objects of this type present on this device.
- **DecisionSystemBios_20H1Setup** The total number of objects of this type present on this device.
- **DecisionSystemBios_21H1Setup** The total number of objects of this type present on this device.
- **DecisionSystemBios_21H1Setup** The count of the number of this particular object type present on this device.
- **DecisionSystemBios_RS1** The total number of objects of this type present on this device.
- **DecisionSystemBios_RS2** The total number of objects of this type present on this device.
- **DecisionSystemBios_RS3** The total number of objects of this type present on this device.
@ -579,7 +580,7 @@ The following fields are available:
- **Wmdrm_19H1Setup** The total number of objects of this type present on this device.
- **Wmdrm_20H1** The total number of objects of this type present on this device.
- **Wmdrm_20H1Setup** The total number of objects of this type present on this device.
- **Wmdrm_21H1Setup** The total number of objects of this type present on this device.
- **Wmdrm_21H1Setup** The count of the number of this particular object type present on this device.
- **Wmdrm_RS1** The total number of objects of this type present on this device.
- **Wmdrm_RS2** The total number of objects of this type present on this device.
- **Wmdrm_RS3** The total number of objects of this type present on this device.
@ -1219,6 +1220,28 @@ The following fields are available:
- **AppraiserVersion** The version of the appraiser file generating the events.
### Microsoft.Windows.Appraiser.General.DecisionSystemMemoryAdd
This event sends compatibility decision data about the system memory to help keep Windows up to date. Microsoft uses this information to understand and address problems regarding system memory for computers receiving updates.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
The following fields are available:
- **Blocking** Blocking information.
- **BlockingSystemGeneralScenario** Decision about upgrade eligibility based on RAM.
- **MemoryRequirementViolated** Memory information.
- **SystemRequirementViolatedGeneral** System requirement information.
### Microsoft.Windows.Appraiser.General.DecisionSystemMemoryStartSync
The DecisionSystemMemoryStartSync event indicates that a new set of DecisionSystemMemoryAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
### Microsoft.Windows.Appraiser.General.DecisionSystemProcessorCpuCoresAdd
This data attribute refers to the number of Cores a CPU supports. The data collected with this event is used to help keep Windows up to date.
@ -1243,6 +1266,34 @@ The following fields are available:
- **AppraiserVersion** The version of the appraiser file generating the events.
### Microsoft.Windows.Appraiser.General.DecisionSystemProcessorCpuModelAdd
This event sends true/false compatibility decision data about the CPU. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
The following fields are available:
- **AppraiserVersion** The version of the appraiser file generating the events.
- **Armv81Support** Arm v8.1 Atomics support.
- **Blocking** Appraiser decision about eligibility to upgrade.
- **CpuFamily** Cpu family.
- **CpuModel** Cpu model.
- **CpuStepping** Cpu stepping.
- **CpuVendor** Cpu vendor.
### Microsoft.Windows.Appraiser.General.DecisionSystemProcessorCpuModelStartSync
The DecisionSystemProcessorCpuModelStartSync event indicates that a new set of DecisionSystemProcessorCpuModelAdd events will be sent. This event is used to make compatibility decisions about the CPU. Microsoft uses this information to understand and address problems regarding the CPU for computers receiving updates. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
The following fields are available:
- **AppraiserVersion** The version of the appraiser file generating the events.
### Microsoft.Windows.Appraiser.General.DecisionSystemProcessorCpuSpeedAdd
This event sends compatibility decision data about the CPU, to help keep Windows up to date.
@ -4796,6 +4847,29 @@ The following fields are available:
- **InventoryVersion** The version of the inventory file generating the events.
### Microsoft.Windows.Inventory.Core.InventoryDeviceSensorAdd
This event sends basic metadata about sensor devices on a machine. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
The following fields are available:
- **InventoryVersion** The version of the inventory binary generating the events.
- **Manufacturer** Sensor manufacturer.
### Microsoft.Windows.Inventory.Core.InventoryDeviceSensorStartSync
This event indicates that a new set of InventoryDeviceSensor events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
The following fields are available:
- **InventoryVersion** The version of the inventory binary generating the events.
### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassAdd
This event sends basic metadata about the USB hubs on the device. The data collected with this event is used to keep Windows performing properly.
@ -5128,7 +5202,7 @@ The following fields are available:
- **FirmwareResetReasonPch** Reason for system reset provided by firmware.
- **FirmwareResetReasonPchAdditional** Additional information on system reset reason provided by firmware if needed.
- **FirmwareResetReasonSupplied** Flag indicating that a reason for system reset was provided by firmware.
- **IO** Amount of data written to and read from the disk by the OS Loader during boot. See IO.
- **IO** Amount of data written to and read from the disk by the OS Loader during boot.
- **LastBootSucceeded** Flag indicating whether the last boot was successful.
- **LastShutdownSucceeded** Flag indicating whether the last shutdown was successful.
- **MaxAbove4GbFreeRange** This field describes the largest memory range available above 4Gb.
@ -5716,6 +5790,36 @@ The following fields are available:
- **totalRunDuration** Total running/evaluation time from last time.
- **totalRuns** Total number of running/evaluation from last time.
## Other events
### Microsoft.ServerManagementExperience.Gateway.Service.ManagedNodeProperties
This is a periodic rundown event that contains more detailed information about the nodes added to this Windows Admin Center gateway for management.
The following fields are available:
- **nodeId** The nodeTypeId concatenated with the hostname or IP address that gateway uses to connect to this node.
- **nodeOperatingSystem** A user friendly description of the node's OS version.
- **nodeOSVersion** A major or minor build version string for the node's OS.
- **nodeTypeId** A string that distinguishes between a connection target, whether it is a client, server, cluster or a hyper-converged cluster.
- **otherProperties** Contains a JSON object with variable content and may contain: "nodes": a list of host names or IP addresses of the servers belonging to a cluster, "aliases": the alias if it is set for this connection, "lastUpdatedTime": the number of milliseconds since Unix epoch when this connection was last updated, "ncUri", "caption", "version", "productType", "networkName", "operatingSystem", "computerManufacturer", "computerModel", "isS2dEnabled". This JSON object is formatted as an quotes-escaped string.
### Microsoft.Surface.Battery.Prod.BatteryInfoEvent
This event includes the hardware level data about battery performance. The data collected with this event is used to help keep Windows products and services performing properly.
The following fields are available:
- **batteryData.data()** Battery performance data.
- **BatteryDataSize:** Size of the battery performance data.
- **batteryInfo.data()** Battery performance data.
- **BatteryInfoSize:** Size of the battery performance data.
- **pszBatteryDataXml** Battery performance data.
- **szBatteryInfo** Battery performance data.
## Privacy consent logging events
### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted
@ -6925,20 +7029,6 @@ The following fields are available:
- **UpdateId** The update ID for a specific piece of content.
- **ValidityWindowInDays** The validity window that's in effect when verifying the timestamp.
## Surface events
### Microsoft.Surface.Battery.Prod.BatteryInfoEvent
This event includes the hardware level data about battery performance. The data collected with this event is used to help keep Windows products and services performing properly.
The following fields are available:
- **batteryData.data()** Battery performance data.
- **BatteryDataSize:** Size of the battery performance data.
- **batteryInfo.data()** Battery performance data.
- **BatteryInfoSize:** Size of the battery performance data.
- **pszBatteryDataXml** Battery performance data.
- **szBatteryInfo** Battery performance data.
## System Resource Usage Monitor events
@ -7772,7 +7862,7 @@ The following fields are available:
- **DPRange** Maximum mean value range.
- **DPValue** Randomized bit value (0 or 1) that can be reconstituted over a large population to estimate the mean.
- **Value** Standard UTC emitted DP value structure See Value.
- **Value** Standard UTC emitted DP value structure.
## Windows Store events
@ -8161,7 +8251,7 @@ The following fields are available:
### Microsoft.Windows.Kits.WSK.WskImageCreate
This event sends simple data when a user is using the Windows System Kit to create new OS “images”. The data includes the version of the Windows System Kit and the state of the event and is used to help investigate “image” creation failures. The data collected with this event is used to keep Windows performing properly.
This event sends simple Product and Service usage data when a user is using the Windows System Kit to create new OS “images”. The data includes the version of the Windows System Kit and the state of the event and is used to help investigate “image” creation failures. The data collected with this event is used to keep Windows performing properly.
The following fields are available:
@ -8176,7 +8266,7 @@ The following fields are available:
### Microsoft.Windows.Kits.WSK.WskImageCustomization
This event sends simple data when a user is using the Windows System Kit to create/modify configuration files allowing the customization of a new OS image with Apps or Drivers. The data includes the version of the Windows System Kit, the state of the event, the customization type (drivers or apps) and the mode (new or updating) and is used to help investigate configuration file creation failures. The data collected with this event is used to keep Windows performing properly.
This event sends simple Product and Service usage data when a user is using the Windows System Kit to create/modify configuration files allowing the customization of a new OS image with Apps or Drivers. The data includes the version of the Windows System Kit, the state of the event, the customization type (drivers or apps) and the mode (new or updating) and is used to help investigate configuration file creation failures. The data collected with this event is used to keep Windows performing properly.
The following fields are available:
@ -9596,6 +9686,21 @@ The following fields are available:
- **PackageVersion** Current package version of remediation.
### Microsoft.Windows.WindowsUpdate.RUXIM.ICSEvaluateInteractionCampaign
This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS.EXE) finishes processing an interaction campaign. The data collected with this event is used to help keep Windows up to date and performing properly.
The following fields are available:
- **ControlId** String identifying the control (if any) that was selected by the user during presentation.
- **hrInteractionHandler** The error (if any) reported by the RUXIM Interaction Handler while processing the interaction campaign.
- **hrScheduler** The error (if any) encountered by RUXIM Interaction Campaign Scheduler itself while processing the interaction campaign.
- **InteractionCampaignID** The ID of the interaction campaign that was processed.
- **ResultId** The result of the evaluation/presentation.
- **WasCompleted** True if the interaction campaign is complete.
- **WasPresented** True if the Interaction Handler displayed the interaction campaign to the user.
### Microsoft.Windows.WindowsUpdate.RUXIM.ICSExit
This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS) exits. The data collected with this event is used to help keep Windows up to date and performing properly.
@ -9627,6 +9732,72 @@ This event is sent when RUXIM begins checking with OneSettings to retrieve any U
### Microsoft.Windows.WindowsUpdate.RUXIM.IHBeginPresentation
This event is generated when RUXIM is about to present an interaction campaign to the user. The data collected with this event is used to help keep Windows up to date and performing properly.
The following fields are available:
- **InteractionCampaignID** GUID identifying interaction campaign being presented.
### Microsoft.Windows.WindowsUpdate.RUXIM.IHEndPresentation
This event is generated when Interaction Handler completes presenting an interaction campaign to the user. The data collected with this event is used to help keep Windows up to date and performing properly.
The following fields are available:
- **hrPresentation** Error, if any, occurring during the presentation.
- **InteractionCampaignID** GUID identifying the interaction campaign being presented.
- **ResultId** Result generated by the presentation.
- **WasCompleted** True if the interaction campaign is now considered complete.
### Microsoft.Windows.WindowsUpdate.RUXIM.IHEvaluateAndPresent
This event is generated when the RUXIM Interaction Handler finishes evaluating, and possibly presenting an interaction campaign. The data collected with this event is used to help keep Windows up to date and performing properly.
The following fields are available:
- **hrLocal** The error (if any) encountered by RUXIM Interaction Handler during evaluation and presentation.
- **hrPresentation** The error (if any) reported by RUXIM Presentation Handler during presentation.
- **InteractionCampaignID** GUID; the user interaction campaign processed by RUXIM Interaction Handler.
- **ResultId** The result generated by the evaluation and presentation.
- **WasCompleted** True if the user interaction campaign is complete.
- **WasPresented** True if the user interaction campaign is displayed to the user.
### Microsoft.Windows.WindowsUpdate.RUXIM.IHExit
This event is generated when the RUXIM Interaction Handler (RUXIMIH.EXE) exits. The data collected with this event is used to help keep Windows up to date and performing properly.
The following fields are available:
- **InteractionCampaignID** GUID identifying the interaction campaign that RUXIMIH processed.
### Microsoft.Windows.WindowsUpdate.RUXIM.IHLaunch
This event is generated when the RUXIM Interaction Handler (RUXIMIH.EXE) is launched. The data collected with this event is used to help keep Windows up to date and performing properly.
The following fields are available:
- **CommandLine** The command line used to launch RUXIMIH.
- **InteractionCampaignID** GUID identifying the user interaction campaign that the Interaction Handler will process.
### Microsoft.Windows.WindowsUpdate.RUXIM.SystemEvaluator.Evaluation
This event is generated whenever the RUXIM Evaluator DLL performs an evaluation. The data collected with this event is used to help keep Windows up to date and performing properly.
The following fields are available:
- **HRESULT** Error, if any, that occurred during evaluation. (Note that if errors encountered during individual checks do not affect the overall result of the evaluation, those errors will be reported in NodeEvaluationData, but this HRESULT will still be zero.)
- **Id** GUID passed in by the caller to identify the evaluation.
- **NodeEvaluationData** Structure showing the results of individual checks that occurred during the overall evaluation.
- **Result** Overall result generated by the evaluation.
## Windows Update mitigation events
### Mitigation360Telemetry.MitigationCustom.CleanupSafeOsImages

1052
windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md
View File

File diff suppressed because it is too large Load Diff

45
windows/privacy/changes-to-windows-diagnostic-data-collection.md
View File

@ -1,6 +1,6 @@
---
title: Changes to Windows diagnostic data collection
description: This article provides information on changes to Windows diagnostic data collection Windows 10.
description: This article provides information on changes to Windows diagnostic data collection Windows 10 and Windows 11.
keywords: privacy, diagnostic data
ms.prod: w10
ms.mktglfcycl: manage
@ -13,34 +13,32 @@ author: dansimp
manager: dansimp
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 07/21/2020
ms.date: 09/17/2021
---
# Changes to Windows diagnostic data collection
**Applies to**
- Windows 10, version 1903 and newer
- The next version of Windows Server
- Windows 11
- Windows 10, version 1903 and later
- Windows Server 2022
Microsoft is committed to providing you with effective controls over your data and ongoing transparency into our data handling practices. As part of this effort, we are moving our major products and services to a model where data sent back to Microsoft from customer devices will be classified as either **Required** or **Optional**. We believe this will provide our customers with a simpler experience information should be easier to find, easier to understand, and easier to act upon through the tools we provide.
Microsoft is committed to providing you with effective controls over your data and ongoing transparency into our data handling practices. As part of this effort, we have moved our major products and services to a model where data sent back to Microsoft from customer devices will be classified as either **Required** or **Optional**. We believe this will provide our customers with a simpler experience information should be easier to find, easier to understand, and easier to act upon through the tools we provide.
This article is meant for IT administrators and explains the changes Windows is making to align to the new data collection taxonomy. These changes are focused in two areas:
- [Taxonomy changes](#taxonomy-changes)
- [Behavioral changes](#behavioral-changes)
> [!NOTE]
> You can test the behavioral changes now in Windows 10 Insider Preview build 19577 and later.
## Summary of changes
In Windows 10, version 1903 and newer, you will see taxonomy updates in both the **Out-of-box-experience** (OOBE) and the **Diagnostics & feedback** privacy settings page. These changes are explained in the section named **Taxonomy** changes.
In Windows 10, version 1903 and later, you will see taxonomy updates in both the **Out-of-box-experience** (OOBE) and the **Diagnostics & feedback** privacy settings page. These changes are explained in the section named **Taxonomy** changes.
Additionally, in an upcoming release of Windows 10, were simplifying your diagnostic data controls by moving from four diagnostic data controls to three: **Diagnostic data off**, **Required**, and **Optional**. Were also clarifying the Security diagnostic data level to reflect its behavior more accurately by changing it to **Diagnostic data off**. All these changes are explained in the section named **Behavioral changes**.
Additionally, starting in Windows 11 and Windows Server 2022, were simplifying your diagnostic data controls by moving from four diagnostic data controls to three: **Diagnostic data off**, **Required**, and **Optional**. Were also clarifying the Security diagnostic data level to reflect its behavior more accurately by changing it to **Diagnostic data off**. All these changes are explained in the section named **Behavioral changes**.
## Taxonomy changes
Starting in Windows 10, version 1903 and newer, both the **Out-of-Box-Experience** (OOBE) and the **Diagnostics & feedback** privacy setting pages will reflect the following changes:
Starting in Windows 10, version 1903 and later, both the **Out-of-Box-Experience** (OOBE) and the **Diagnostics & feedback** privacy setting pages will reflect the following changes:
- The **Basic** diagnostic data level is being labeled as **Required**.
- The **Full** diagnostic data level is being labeled as **Optional**.
@ -50,9 +48,9 @@ Starting in Windows 10, version 1903 and newer, both the **Out-of-Box-Experience
## Behavioral changes
In an upcoming release of Windows 10, were simplifying your diagnostic data controls by moving from four diagnostic data controls to three: **Diagnostic data off**, **Required**, and **Optional**. If your devices are set to **Enhanced** when they are upgraded, the device settings will be evaluated to be at the more privacy-preserving setting of **Required diagnostic data**, which means that analytic services that leverage enhanced data collection may not work properly. For a list of services, see [Services that rely on Enhanced diagnostic data](#services-that-rely-on-enhanced-diagnostic-data). Administrators should read through the details and determine whether to apply these new policies to restore the same collection settings as they had before this change. For a list of steps, see [Configure a Windows 11 device to limit crash dumps and logs](#configure-a-windows-11-device-to-limit-crash-dumps-and-logs). For more information on services that rely on Enhanced diagnostic data, see [Services that rely on Enhanced diagnostic data](#services-that-rely-on-enhanced-diagnostic-data).
Starting in Windows 11 and Windows Server 2022, were simplifying the Windows diagnostic data controls by moving from four diagnostic data settings to three: **Diagnostic data off**, **Required**, and **Optional**. If your devices are set to **Enhanced** when they are upgraded to a supported version of the operating system, the device settings will be evaluated to be at the more privacy-preserving setting of **Required diagnostic data**, which means that analytic services that leverage enhanced data collection may not work properly. For a list of services, see [Services that rely on Enhanced diagnostic data](#services-that-rely-on-enhanced-diagnostic-data). Administrators should read through the details and determine whether to apply these new policies to restore the same collection settings as they had before this change.
Additionally, you will see the following policy changes in an upcoming release of Windows Holographic, version 21H1 (HoloLens 2), Windows Server 2022 and Windows 11:
Additionally, you will see the following policy changes in Windows Server 2022, Windows 11, and Windows Holographic, version 21H1 (HoloLens 2):
| Policy type | Current policy | Renamed policy |
| --- | --- | --- |
@ -69,18 +67,7 @@ A final set of changes includes two new policies that can help you fine-tune dia
- Group Policy: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > **Limit Diagnostic Log Collection**
- MDM policy: System/LimitDiagnosticLogCollection
>[!Important]
>All the changes mentioned in this section will not be released on versions of Windows, version 1809 and earlier as well as Windows Server 2019 and earlier.
## Configure a Windows 11 device to limit crash dumps and logs
With the Enhanced diagnostic data level being split out into new policies, we're providing additional controls to manage what types of crash dumps are collected and whether to send additional diagnostic logs. Here are some steps on how to configure them:
1. Choose to send optional diagnostic data by setting one of the following policies:
- Group Policy: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > **Allow Diagnostic Data**. Set the policy value to **Send optional diagnostic data**.
- MDM: System/AllowTelemetry. Set the policy value to **3**.
2. Enable the following Group Policy: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > **Limit Dump Collection**
3. Enable the following Group Policy: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > **Limit Diagnostic Log Collection**
For more info, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md).
## Services that rely on Enhanced diagnostic data
@ -93,12 +80,12 @@ The following provides information on the current configurations:
## New Windows diagnostic data processor configuration
**Applies to**
- Windows 10 Edu, Pro, Enterprise editions, version 1809 with July 2021 update and newer
Enterprise customers have an option for controlling their Windows diagnostic data for their Azure Active Directory joined devices. This configuration option is supported on the following versions of Windows:
Enterprise customers will now have a new option for controlling their Windows diagnostic data for their Azure Active Directory joined devices.
- Windows 11 Enterprise, Professional, and Education
- Windows 10, Enterprise, Professional, and Education, version 1809 with at least the July 2021 update.
Previously, enterprise customers had two options in managing their Windows diagnostic data: 1) allow Microsoft to be the [controller](/compliance/regulatory/gdpr#terminology) of that data and responsible for determining the purposes and means of the processing of Windows diagnostic data in order to improve the Windows 10 operating system and deliver analytical services, or 2) turn off diagnostic data flows altogether.
Previously, enterprise customers had two options in managing their Windows diagnostic data: 1) allow Microsoft to be the [controller](/compliance/regulatory/gdpr#terminology) of that data and responsible for determining the purposes and means of the processing of Windows diagnostic data in order to improve the Windows operating system and deliver analytical services, or 2) turn off diagnostic data flows altogether.
Now, customers will have a third option that allows them to be the controller for their Windows diagnostic data, while still benefiting from the purposes that this data serves, such as quality of updates and device drivers. Under this approach, Microsoft will act as a data [processor](/compliance/regulatory/gdpr#terminology), processing Windows diagnostic data on behalf of the controller.

88
windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
View File

@ -1,6 +1,6 @@
---
description: Use this article to make informed decisions about how you can configure diagnostic data in your organization.
title: Configure Windows diagnostic data in your organization (Windows 10)
description: Use this article to make informed decisions about how you can configure Windows diagnostic data in your organization.
title: Configure Windows diagnostic data in your organization (Windows 10 and Windows 11)
keywords: privacy
ms.prod: w10
ms.mktglfcycl: manage
@ -13,38 +13,40 @@ ms.author: dansimp
manager: dansimp
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/13/2020
ms.date: 09/08/2021
---
# Configure Windows diagnostic data in your organization
**Applies to**
- Windows 11 Enterprise
- Windows 11 Education
- Windows 11 Professional
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Professional
- Windows Server 2016 and newer
- Windows Server 2016 and later
- Surface Hub
- Hololens
This article applies to Windows 10, Windows Server, Surface Hub, and HoloLens diagnostic data only. It describes the types of diagnostic data sent back to Microsoft and the ways you can manage it within your organization. Microsoft uses the data to quickly identify and address issues affecting its customers.
>[!IMPORTANT]
>Microsoft is [increasing transparency](https://blogs.microsoft.com/on-the-issues/2019/04/30/increasing-transparency-and-customer-control-over-data/) by categorizing the data we collect as required or optional. Windows 10 is in the process of updating devices to reflect this new categorization, and during this transition Basic diagnostic data will be recategorized as Required diagnostic data and Full diagnostic data will be recategorized as Optional diagnostic data. For more information, see [Changes to Windows diagnostic data](changes-to-windows-diagnostic-data-collection.md).
This topic describes the types of Windows diagnostic data sent back to Microsoft and the ways you can manage it within your organization. Microsoft uses the data to quickly identify and address issues affecting its customers.
## Overview
Microsoft collects Windows diagnostic data to solve problems and to keep Windows up to date, secure, and operating properly. It also helps us improve Windows and related Microsoft products and services and, for customers who have turned on the **Tailored experiences** setting, to provide more relevant tips and recommendations to enhance Microsoft and third-party products and services for each customers needs.
For more information about how Windows diagnostic data is used, see [Diagnostics, feedback, and privacy in Windows 10](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy).
For more information about how Windows diagnostic data is used, see [Diagnostics, feedback, and privacy in Windows](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy).
### Diagnostic data gives users a voice
Diagnostic data gives every user a voice in the operating systems development and ongoing improvement. It helps us understand how Windows 10 and Windows Server behave in the real world, focus on user priorities, and make informed decisions that benefit both consumer and enterprise customers. The following sections offer real examples of these benefits.
Diagnostic data gives every user a voice in the operating systems development and ongoing improvement. It helps us understand how Windows behave in the real world, focus on user priorities, and make informed decisions that benefit both consumer and enterprise customers. The following sections offer real examples of these benefits.
### _Improve app and driver quality_
Our ability to collect diagnostic data that drives improvements to Windows and Windows Server helps raise the bar for app and device driver quality. Diagnostic data helps us to quickly identify and fix critical reliability and security issues with apps and device drivers used on Windows. For example, we can identify an app that hangs on devices using a specific version of a video driver, allowing us to work with the app and device driver vendor to quickly fix the issue. The result is less downtime and reduced costs and increased productivity associated with troubleshooting these issues.
For example, in an earlier version of Windows 10 there was a version of a video driver that was crashing on some devices, causing the device to restart. We detected the problem in our diagnostic data, and immediately contacted the third-party developer who builds the video driver. Working with the developer, we provided an updated driver to Windows Insiders within 24 hours. Based on diagnostic data from the Windows Insiders devices, we were able to validate the new version of the video driver and rolled it out to the broad public as an update the next day. Diagnostic data helped us find, fix, and resolve this problem in just 48 hours, providing a better user experience and reducing costly support calls.
For example, in an earlier version of Windows there was a version of a video driver that was crashing on some devices, causing the device to restart. We detected the problem in our diagnostic data, and immediately contacted the third-party developer who builds the video driver. Working with the developer, we provided an updated driver to Windows Insiders within 24 hours. Based on diagnostic data from the Windows Insiders devices, we were able to validate the new version of the video driver and rolled it out to the broad public as an update the next day. Diagnostic data helped us find, fix, and resolve this problem in just 48 hours, providing a better user experience and reducing costly support calls.
### _Improve end-user productivity_
@ -54,7 +56,7 @@ Windows diagnostic data also helps Microsoft better understand how customers use
- **Cortana.** We use diagnostic data to monitor the scalability of our cloud service, improving search performance.
- **Application switching.** Research and observations from earlier Windows versions showed that people rarely used Alt+Tab to switch between apps. After discussing this with some users, we learned they loved the feature, saying that it would be highly productive, but they did not know about it previously. Based on this, we created the Task View button in Windows 10 to make this feature more discoverable. Later diagnostic data showed significantly higher usage of this feature.
- **Application switching.** Research and observations from earlier Windows versions showed that people rarely used Alt+Tab to switch between apps. After discussing this with some users, we learned they loved the feature, saying that it would be highly productive, but they did not know about it previously. Based on this, we created the Task View button in Windows to make this feature more discoverable. Later diagnostic data showed significantly higher usage of this feature.
## How Microsoft handles diagnostic data
@ -66,7 +68,7 @@ Depending on the diagnostic data settings on the device, diagnostic data can be
- Small payloads of structured information referred to as diagnostic data events, managed by the Connected User Experiences and Telemetry component.
- Diagnostic logs for additional troubleshooting, also managed by the Connected User Experience and Telemetry component.
- Diagnostic logs for additional troubleshooting, also managed by the Connected User Experiences and Telemetry component.
- Crash reporting and crash dumps, managed by [Windows Error Reporting](/windows/win32/wer/windows-error-reporting).
@ -78,7 +80,7 @@ All diagnostic data is encrypted using Transport Layer Security (TLS) and uses c
### Endpoints
The following table lists the endpoints related to how you can manage the collection and control of diagnostic data. For more information around the endpoints that are used to send data back to Microsoft, see [Manage connection endpoints for Windows 10 Enterprise, version 1903](manage-windows-1903-endpoints.md).
The following table lists the endpoints related to how you can manage the collection and control of diagnostic data. For more information around the endpoints that are used to send data back to Microsoft, see the **Manage connection endpoints** section of the left-hand navigation menu.
| Windows service | Endpoint |
| - | - |
@ -86,7 +88,7 @@ The following table lists the endpoints related to how you can manage the collec
| [Windows Error Reporting](/windows/win32/wer/windows-error-reporting) | watson.telemetry.microsoft.com <br></br> watson.microsoft.com <br></br> umwatsonc.telemetry.microsoft.com <br></br> umwatsonc.events.data.microsoft.com <br></br> *-umwatsonc.events.data.microsoft.com <br></br> ceuswatcab01.blob.core.windows.net <br></br> ceuswatcab02.blob.core.windows.net <br></br> eaus2watcab01.blob.core.windows.net <br></br> eaus2watcab02.blob.core.windows.net <br></br> weus2watcab01.blob.core.windows.net <br></br> weus2watcab02.blob.core.windows.net |
|Authentication | login.live.com <br></br> <br></br> IMPORTANT: This endpoint is used for device authentication. We do not recommend disabling this endpoint.|
| [Online Crash Analysis](/windows/win32/dxtecharts/crash-dump-analysis) | oca.telemetry.microsoft.com <br></br> oca.microsoft.com <br></br> kmwatsonc.telemetry.microsoft.com <br></br> *-kmwatsonc.telemetry.microsoft.com |
|Settings | settings-win.data.microsoft.com <br></br> <br></br> IMPORTANT: This endpoint is used to remotely configure diagnostics-related settings and data collection. For example, we use the settings endpoint to remotely block an event from being sent back to Microsoft. We do not recommend disabling this endpoint. This endpoint does not upload Windows diagnostic data |
|Settings | settings-win.data.microsoft.com <br></br> <br></br> IMPORTANT: This endpoint is used to remotely configure diagnostics-related settings and data collection. For example, we use the settings endpoint to remotely block an event from being sent back to Microsoft. We do not recommend disabling this endpoint. This endpoint does not upload Windows diagnostic data. |
### Data access
@ -102,7 +104,7 @@ There are four diagnostic data collection settings. Each setting is described in
- Diagnostic data off (Security)
- Required diagnostic data (Basic)
- Enhanced
- Enhanced (This setting is only available on devices running Windows 10, Windows Server 2016, and Windows Server 2019.)
- Optional diagnostic data (Full)
Heres a summary of the types of data that is included with each setting:
@ -111,14 +113,14 @@ Heres a summary of the types of data that is included with each setting:
| --- | --- | --- | --- | --- |
| **Diagnostic data events** | No Windows diagnostic data sent. | Minimum data required to keep the device secure, up to date, and performing as expected. | Additional data about the websites you browse, how Windows and apps are used and how they perform, and device activity. The additional data helps Microsoft to fix and improve products and services for all users. | Additional data about the websites you browse, how Windows and apps are used and how they perform. This data also includes data about device activity, and enhanced error reporting that helps Microsoft to fix and improve products and services for all users.|
| **Crash Metadata** | N/A | Yes | Yes | Yes |
| **Crash Dumps** | N/A | No | Triage dumps only <br></br>For more information about crash dumps, see [Windows Error Reporting](/windows/win32/wer/windows-error-reporting). | Full memory dumps <br></br>For more information about crash dumps, see [Windows Error Reporting](/windows/win32/wer/windows-error-reporting). |
| **Crash Dumps** | N/A | No | Triage dumps only <br></br>For more information about crash dumps, see [Windows Error Reporting](/windows/win32/wer/windows-error-reporting). | Full and triage memory dumps <br></br>For more information about crash dumps, see [Windows Error Reporting](/windows/win32/wer/windows-error-reporting). |
| **Diagnostic logs** | N/A | No | No | Yes |
| **Data collection** | N/A | 100% | Sampling applies | Sampling applies |
### Diagnostic data off
This setting was previously labeled as **Security**. When you configure this setting, no Windows diagnostic data is sent from your device. This is only available on Windows Server, Windows 10 Enterprise, and Windows 10 Education. If you choose this setting, devices in your organization will still be secure.
This setting was previously labeled as **Security**. When you configure this setting, no Windows diagnostic data is sent from your device. This is only available on Windows Server, Windows Enterprise, and Windows Education editions. If you choose this setting, devices in your organization will still be secure.
>[!NOTE]
> If your organization relies on Windows Update, the minimum recommended setting is **Required diagnostic data**. Because no Windows Update information is collected when diagnostic data is off, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates.
@ -127,7 +129,7 @@ This setting was previously labeled as **Security**. When you configure this set
Required diagnostic data, previously labeled as **Basic**, gathers a limited set of data thats critical for understanding the device and its configuration. This data helps to identify problems that can occur on a specific hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a specific driver version.
This is the default setting for Windows 10 Education editions, as well as all desktop editions starting with Windows 10, version 1903.
This is the default setting for current releases of Windows, Windows 10, version 1903.
Required diagnostic data includes:
@ -157,10 +159,12 @@ Required diagnostic data includes:
### Enhanced diagnostic data
>[!NOTE]
>Were simplifying your diagnostic data controls by moving from four diagnostic data controls to three: **Diagnostic data off**, **Required**, and **Optional**. making changes to the enhanced diagnostic data level. For more info about this change, see [Changes to Windows diagnostic data](changes-to-windows-diagnostic-data-collection.md).
In Windows 10 and Windows Server 2019, enhanced diagnostic data includes data about the websites you browse, how Windows and apps are used and how they perform, and device activity. The additional data helps Microsoft to fix and improve products and services for all users.
Enhanced diagnostic data includes data about the websites you browse, how Windows and apps are used and how they perform, and device activity. The additional data helps Microsoft to fix and improve products and services for all users. When you choose to send enhanced diagnostic data, required diagnostic data will always be included, and we collect the following additional information:
>[!Important]
>This diagnostic data setting is not available on Windows 11 and Windows Server 2022 and has been replaced with policies that can control the amount of optional diagnostic data that is sent. More information on these settings are available in the **Manage diagnostic data using Group Policy and MDM** section of this topic.
When you choose to send enhanced diagnostic data, required diagnostic data will always be included, and we collect the following additional information:
- Operating system events that help to gain insights into different areas of the operating system, including networking, Hyper-V, Cortana, storage, file system, and other components.
@ -187,7 +191,7 @@ Optional diagnostic data, previously labeled as **Full**, includes more detailed
>[!Note]
>Crash dumps collected in optional diagnostic data may unintentionally contain personal data, such as portions of memory from a document and a web page. For more information about crash dumps, see [Windows Error Reporting](/windows/win32/wer/windows-error-reporting).
## Manage enterprise diagnostic data
## Manage diagnostic data using Group Policy and MDM
Use the steps in this section to configure the diagnostic data settings for Windows and Windows Server in your organization.
@ -214,16 +218,42 @@ You can use Group Policy to set your organizations diagnostic data setting:
1. From the Group Policy Management Console, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds**.
2. Double-click **Allow Telemetry**.
2. Double-click **Allow Telemetry** (or **Allow diagnostic data** on Windows 11 and Windows Server 2022).
> [!NOTE]
> If devices in your organization are running Windows 10, 1803 and newer, the user can still use Settings to set the diagnostic data setting to a more restrictive value, unless the **Configure diagnostic data opt-in settings user interface** policy is set.
> If devices in your organization are running Windows 10, 1803 and later, the user can still use Settings to set the diagnostic data setting to a more restrictive value, unless the **Configure diagnostic data opt-in settings user interface** policy is set.
3. In the **Options** box, choose the setting that you want to configure, and then click **OK**.
### Use Group Policy to manage optional diagnostic data collection
The following policy lets you limit the types of [crash dumps](/windows/win32/dxtecharts/crash-dump-analysis) that can be sent back to Microsoft. If this policy is enabled, Windows Error Reporting will send only kernel mini dumps and user mode triage dumps.
1. From the Group Policy Management Console, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds**.
2. Double-click **Limit dump collection**.
3. In the **Options** box, choose the setting that you want to configure, and then click **OK**.
You can also limit the number of diagnostic logs that are sent back to Microsoft. If this policy is enabled, diagnostic logs are not sent back to Microsoft.
1. From the Group Policy Management Console, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds**.
2. Double-click **Limit diagnostic log collection**.
3. In the **Options** box, choose the setting that you want to configure, and then click **OK**.
### Use MDM to manage diagnostic data collection
Use [Policy Configuration Service Provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider) to apply the System/AllowTelemetry MDM policy.
Use [Policy Configuration Service Provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider) to apply the following MDM policies:
- System/AllowTelemetry
- System/LimitDumpCollection
- System/LimitDiagnosticLogCollection
> [!NOTE]
> The last two policies are only available on Windows 11 and Windows Server 2022.
## Enable Windows diagnostic data processor configuration
@ -231,7 +261,9 @@ The Windows diagnostic data processor configuration enables you to be the contro
### Prerequisites
- The device must have Windows 10 Pro, Education or Enterprise edition, version 1809 with July 2021 update or newer.
- The device must be any of the following releases of Windows:
- Windows 11 Enterprise, Professional, or Education edition
- Windows 10 Enterprise, Education, or Professional edition, version 1809 with July 2021 update or later.
- The device must be joined to Azure Active Directory.
The diagnostic data setting on the device should be set to Required diagnostic data or higher, and the following endpoints need to be reachable:
@ -295,5 +327,3 @@ For more information about how to limit the diagnostic data to the minimum requi
## Change privacy settings on a single server
You can also change the privacy settings on a server running either the Azure Stack HCI operating system or Windows Server. For more information, see [Change privacy settings on individual servers](/azure-stack/hci/manage/change-privacy-settings).
To manage privacy settings in your enterprise as a whole, see [Manage enterprise diagnostic data](#manage-enterprise-diagnostic-data).

40
windows/privacy/diagnostic-data-viewer-overview.md
View File

@ -1,5 +1,5 @@
---
title: Diagnostic Data Viewer Overview (Windows 10)
title: Diagnostic Data Viewer Overview (Windows 10 and Windows 11)
description: Use this article to use the Diagnostic Data Viewer application to review the diagnostic data sent to Microsoft by your device.
keywords: privacy
ms.prod: w10
@ -21,9 +21,10 @@ ms.reviewer:
**Applies to**
- Windows 10, version 1803 and newer
- Windows 10, version 1803 and later and Windows 11
## Introduction
The Diagnostic Data Viewer is a Windows app that lets you review the Windows diagnostic data your device is sending to Microsoft, grouping the info into simple categories based on how it's used by Microsoft.
## Install and Use the Diagnostic Data Viewer
@ -31,9 +32,11 @@ The Diagnostic Data Viewer is a Windows app that lets you review the Windows dia
You must download the app before you can use the Diagnostic Data Viewer to review your device's diagnostic data.
### Turn on data viewing
Before you can use this tool for viewing Windows diagnostic data, you must turn on data viewing in the **Settings** panel. Turning on data viewing lets Windows store your device's diagnostic data until you turn it off. Turning off data viewing stops Windows from collecting your diagnostic data and clears the existing diagnostic data from your device. Note that this setting does not affect your Office data viewing or history.
**To turn on data viewing**
1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**.
2. Under **Diagnostic data**, turn on the **If data viewing is enabled, you can see your diagnostics data** option.
@ -41,21 +44,24 @@ Before you can use this tool for viewing Windows diagnostic data, you must turn
![Location to turn on data viewing.](images/ddv-data-viewing.png)
### Download the Diagnostic Data Viewer
Download the app from the [Microsoft Store Diagnostic Data Viewer](https://www.microsoft.com/store/p/diagnostic-data-viewer/9n8wtrrsq8f7?rtc=1) page.
> [!Important]
> It's possible that your Windows device doesn't have the Microsoft Store available (for example, Windows Server). If this is the case, see [Diagnostic Data Viewer for PowerShell](./microsoft-diagnosticdataviewer.md).
### Start the Diagnostic Data Viewer
You can start this app from the **Settings** panel.
**To start the Diagnostic Data Viewer**
1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**.
2. Under **Diagnostic data**, select the **Diagnostic Data Viewer** button.
![Location to turn on the Diagnostic Data Viewer.](images/ddv-settings-launch.png)<br><br>-OR-<br><br>
Go to **Start** and search for _Diagnostic Data Viewer_.
3. Close the Diagnostic Data Viewer app, use your device as you normally would for a few days, and then open Diagnostic Data Viewer again to review the updated list of diagnostic data.
@ -64,18 +70,19 @@ You can start this app from the **Settings** panel.
>Turning on data viewing can use up to 1GB (by default) of disk space on your system drive. We strongly recommend that you turn off data viewing when you're done using the Diagnostic Data Viewer. For info about turning off data viewing, see the [Turn off data viewing](#turn-off-data-viewing) section in this article.
### Use the Diagnostic Data Viewer
The Diagnostic Data Viewer provides you with the following features to view and filter your device's diagnostic data.
- **View your Windows diagnostic events.** In the left column, you can review your diagnostic events. These events reflect activities that occurred and were sent to Microsoft.
Selecting an event opens the detailed JSON view, which provides the exact details uploaded to Microsoft. Microsoft uses this info to continually improve the Windows operating system.
>[!Important]
>Seeing an event does not necessarily mean it has been uploaded yet. Its possible that some events are still queued and will be uploaded at a later time.
![View your diagnostic events.](images/ddv-event-view.jpg)
- **Search your diagnostic events.** The **Search** box at the top of the screen lets you search amongst all of the diagnostic event details. The returned search results include any diagnostic event that contains the matching text.
- **Search your diagnostic events.** The **Search** box at the top of the screen lets you search amongst all of the diagnostic event details. The returned search results include any diagnostic event that contains the matching text.
Selecting an event opens the detailed JSON view, with the matching text highlighted.
@ -83,31 +90,34 @@ The Diagnostic Data Viewer provides you with the following features to view and
- **Help to make your Windows experience better.** Microsoft only needs diagnostic data from a small amount of devices to make big improvements to the Windows operating system and ultimately, your experience. If youre a part of this small device group and you experience issues, Microsoft will collect the associated event diagnostic data, allowing your info to potentially help fix the issue for others.
To signify your contribution, youll see this icon (![Icon to review the device-level sampling.](images/ddv-device-sample.png)) if your device is part of the group. In addition, if any of your diagnostic data events are sent from your device to Microsoft to help make improvements, youll see this icon (![Icon to review the event-level sampling](images/ddv-event-sample.png)).
To signify your contribution, youll see this icon (![Icon to review the device-level sampling.](images/ddv-device-sample.png)) if your device is part of the group. In addition, if any of your diagnostic data events are sent from your device to Microsoft to help make improvements, youll see this icon (![Icon to review the event-level sampling](images/ddv-event-sample.png)).
- **Provide diagnostic event feedback.** The **Feedback** icon in the upper right corner of the window opens the Feedback Hub app, letting you provide feedback about the Diagnostic Data Viewer and the diagnostic events.
Selecting a specific event in the Diagnostic Data Viewer automatically fills in the field in the Feedback Hub. You can add your comments to the box labeled, **Give us more detail (optional)**.
>[!Important]
>All content in the Feedback Hub is publicly viewable. Therefore, make sure you don't put any personal info into your feedback comments.
- **View a summary of the data you've shared with us over time.** Available for users on build 19H1+, 'About my data' in Diagnostic Data Viewer lets you see an overview of the Windows data you've shared with Microsoft.
Through this feature, you can checkout how much data you send on average each day, the breakdown of your data by category, the top components and services that have sent data, and more.
>[!Important]
>This content is a reflection of the history of Windows data the app has stored. If you'd like to have extended analyses, please modify the storage capacity of Diagnostic Data Viewer.
![Look at an overview of what data you've shared with Microsoft through the 'About my data' page in Diagnostic Data Viewer.](images/ddv-analytics.png)
## View Office Diagnostic Data
By default, Diagnostic Data Viewer shows you Windows data. You can also view Office diagnostic data by enabling the feature in the app settings page. To learn more about how to view Office diagnostic data, please visit this [page](https://go.microsoft.com/fwlink/?linkid=2023830).
## Turn off data viewing
When you're done reviewing your diagnostic data, you should turn of data viewing. This will also remove your Windows data history. Note that this setting does not affect your Office data viewing or history.
**To turn off data viewing**
1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**.
2. Under **Diagnostic data**, turn off the **If data viewing is enabled, you can see your diagnostics data** option.
@ -115,23 +125,25 @@ When you're done reviewing your diagnostic data, you should turn of data viewing
![Location to turn off data viewing.](images/ddv-settings-off.png)
## Modifying the size of your data history
By default, Diagnostic Data Viewer shows you up to 1GB or 30 days of data (whichever comes first) for Windows diagnostic data. Once either the time or space limit is reached, the data is incrementally dropped with the oldest data points dropped first.
By default, Diagnostic Data Viewer shows you up to 1GB or 30 days of data (whichever comes first) for Windows diagnostic data. Once either the time or space limit is reached, the data is incrementally dropped with the oldest data points dropped first.
> [!Important]
> Note that if you have [Office diagnostic data viewing enabled](#view-office-diagnostic-data), the Office data history is fixed at 1 GB and cannot be modified.
**Modify the size of your data history**
To make changes to the size of your Windows diagnostic data history, visit the **app settings**, located at the bottom of the navigation menu. Data will be incrementally dropped with the oldest data points first once your chosen size or time limit is reached.
> [!Important]
> Decreasing the maximum amount of diagnostic data viewable through the tool will remove all data history and requires a reboot of your device. Additionally, increasing the maximum amount of diagnostic data viewable by the tool may come with performance impacts to your machine.
## View additional diagnostic data in the View problem reports tool
Available on Windows 1809 and higher, you can review additional Windows Error Reporting diagnostic data in the **View problem reports** page within the Diagnostic Data Viewer.
This page provides you with a summary of various crash reports that are sent to Microsoft as part of Windows Error Reporting.
We use this data to find and fix specific issues that are hard to replicate and to improve the Windows operating system.
Available on Windows 10 1809 and higher and Windows 11, you can review additional Windows Error Reporting diagnostic data in the **View problem reports** page within the Diagnostic Data Viewer.
This page provides you with a summary of various crash reports that are sent to Microsoft as part of Windows Error Reporting.
We use this data to find and fix specific issues that are hard to replicate and to improve the Windows operating system.
You can also use the Windows Error Reporting tool available in the Control Panel.
@ -139,7 +151,7 @@ You can also use the Windows Error Reporting tool available in the Control Panel
Starting with Windows 1809 and higher, you can review Windows Error Reporting diagnostic data in the Diagnostic Data Viewer.
![Starting with Windows 1809 and higher, you can review Windows Error Reporting diagnostic data in the Diagnostic Data Viewer.](images/ddv-problem-reports.png)
![Starting with Windows 1809 and higher and Windows 11, you can review Windows Error Reporting diagnostic data in the Diagnostic Data Viewer.](images/ddv-problem-reports.png)
**To view your Windows Error Reporting diagnostic data using the Control Panel**

20
windows/privacy/index.yml
View File

@ -14,7 +14,7 @@ metadata:
author: dansimp
ms.author: dansimp
manager: dansimp
ms.date: 07/21/2020 #Required; mm/dd/yyyy format.
ms.date: 09/08/2021 #Required; mm/dd/yyyy format.
ms.localizationpriority: high
# highlightedContent section (optional)
@ -37,25 +37,25 @@ highlightedContent:
# productDirectory section (optional)
productDirectory:
title: Understand Windows diagnostic data in Windows 10
summary: For the latest Windows 10 version, learn more about what Windows diagnostic data is collected at various diagnostics levels.
title: Understand Windows diagnostic data in Windows 10 and Windows 11
summary: For the latest Windows 10 version and Windows 11, learn more about what Windows diagnostic data is collected under the different settings.
items:
# Card
- title: Required diagnostic data
- title: Windows 11 required diagnostic data
# imageSrc should be square in ratio with no whitespace
imageSrc: https://docs.microsoft.com/media/common/i_extend.svg
summary: Learn more about basic Windows diagnostic data events and fields collected.
url: required-windows-diagnostic-data-events-and-fields-2004.md
url: required-windows-11-diagnostic-events-and-fields.md
# Card
- title: Windows 10 required diagnostic data
imageSrc: https://docs.microsoft.com/media/common/i_build.svg
summary: See what changes Windows is making to align to the new data collection taxonomy
url: required-windows-diagnostic-data-events-and-fields-2004.md
# Card
- title: Optional diagnostic data
imageSrc: https://docs.microsoft.com/media/common/i_get-started.svg
summary: Get examples of the types of optional diagnostic data collected from Windows
url: windows-diagnostic-data.md
# Card
- title: Changes to Windows diagnostic data collection
imageSrc: https://docs.microsoft.com/media/common/i_build.svg
summary: See what changes Windows is making to align to the new data collection taxonomy
url: changes-to-windows-diagnostic-data-collection.md
# conceptualContent section (optional)
# conceptualContent:

33
windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
View File

@ -14,19 +14,20 @@ manager: robsize
ms.date: 12/1/2020
---
# Manage connections from Windows 10 operating system components to Microsoft services using Microsoft Intune MDM Server
# Manage connections from Windows 10 and Windows 11 operating system components to Microsoft services using Microsoft Intune MDM Server
**Applies to**
- Windows 10 Enterprise 1903 version and newer
- Windows 11
- Windows 10 Enterprise 1903 version and newer
This article describes the network connections that Windows 10 components make to Microsoft and the Mobile Device Management/Configuration Service Provider (MDM/CSP) and custom Open Mobile Alliance Uniform Resource Identifier ([OMA URI](/intune/custom-settings-windows-10)) policies available to IT Professionals using Microsoft Intune to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a number of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience.
This article describes the network connections that Windows 10 and Windows 11 components make to Microsoft and the Mobile Device Management/Configuration Service Provider (MDM/CSP) and custom Open Mobile Alliance Uniform Resource Identifier ([OMA URI](/intune/custom-settings-windows-10)) policies available to IT Professionals using Microsoft Intune to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a number of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience.
>[!IMPORTANT]
>- The Allowed Traffic endpoints for an MDM configuration are here: [Allowed Traffic](#bkmk-mdm-allowedtraffic)
> - CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign.
> - There is some traffic which is specifically required for the Microsoft Intune based management of Windows 10 devices. This traffic includes Windows Notifications Service (WNS), Automatic Root Certificates Update (ARCU), and some Windows Update related traffic. The aforementioned traffic comprises the Allowed Traffic for Microsoft Intune MDM Server to manage Windows 10 devices.
> - There is some traffic which is specifically required for the Microsoft Intune based management of Windows 10 and Windows 11 devices. This traffic includes Windows Notifications Service (WNS), Automatic Root Certificates Update (ARCU), and some Windows Update related traffic. The aforementioned traffic comprises the Allowed Traffic for Microsoft Intune MDM Server to manage Windows 10 and Windows 11 devices.
>- For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device. Examples of settings that can lead to a less secure device configuration include: disabling Windows Update, disabling Automatic Root Certificates Update, and disabling Windows Defender. Accordingly, we do not recommend disabling any of these features.
>- To ensure CSPs take priority over Group Policies in case of conflicts, use the [ControlPolicyConflict](/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy.
>- The **Get Help** and **Give us Feedback** links in Windows may no longer work after applying some or all of the MDM/CSP settings.
@ -36,16 +37,16 @@ This article describes the network connections that Windows 10 components make t
For more information on Microsoft Intune please see [Transform IT service delivery for your modern workplace](https://www.microsoft.com/en-us/enterprise-mobility-security/microsoft-intune?rtc=1) and [Microsoft Intune documentation](/intune/).
For detailed information about managing network connections to Microsoft services using Windows Settings, Group Policies and Registry settings see [Manage connections from Windows 10 operating system components to Microsoft services](./manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
For detailed information about managing network connections to Microsoft services using Windows Settings, Group Policies and Registry settings see [Manage connections from Windows operating system components to Microsoft services](./manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
We are always striving to improve our documentation and welcome your feedback. You can provide feedback by sending email to **telmhelp**@**microsoft.com**.
## Settings for Windows 10 Enterprise edition 1903 and newer
## Settings for Windows 10 Enterprise edition 1903 and later and Windows 11
The following table lists management options for each setting.
For Windows 10, the following MDM policies are available in the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider).
For Windows 10 and Windows 11, the following MDM policies are available in the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider).
1. **Automatic Root Certificates Update**
1. MDM Policy: There is intentionally no MDM available for Automatic Root Certificate Update. This MDM does not exist since it would prevent the operation and management of MDM management of devices.
@ -104,7 +105,7 @@ For Windows 10, the following MDM policies are available in the [Policy CSP](/wi
1. **OneDrive**
1. MDM Policy: [DisableOneDriveFileSync](/windows/client-management/mdm/policy-csp-system#system-disableonedrivefilesync). Allows IT Admins to prevent apps and features from working with files on OneDrive. **Set to 1 (one)**
1. Ingest the ADMX - To get the latest OneDrive ADMX file you need an up-to-date Windows 10 client. The ADMX files are located under the following path: %LocalAppData%\Microsoft\OneDrive\ there's a folder with the current OneDrive build (e.g. "18.162.0812.0001"). There is a folder named "adm" which contains the admx and adml policy definition files.
1. Ingest the ADMX - To get the latest OneDrive ADMX file you need an up-to-date Windows 10 or Windows 11 client. The ADMX files are located under the following path: %LocalAppData%\Microsoft\OneDrive\ there's a folder with the current OneDrive build (e.g. "18.162.0812.0001"). There is a folder named "adm" which contains the admx and adml policy definition files.
1. MDM Policy: Prevent Network Traffic before User SignIn. **PreventNetworkTrafficPreUserSignIn**. The OMA-URI value is: **./Device/Vendor/MSFT/Policy/Config/OneDriveNGSC\~Policy\~OneDriveNGSC/PreventNetworkTrafficPreUserSignIn**, Data type: **String**, Value: **\<enabled/>**
@ -135,33 +136,33 @@ For Windows 10, the following MDM policies are available in the [Policy CSP](/wi
1. App Diagnostics - [Privacy/LetAppsGetDiagnosticInfo](/windows/client-management/mdm/policy-csp-privacy#privacy-letappsgetdiagnosticinfo). Force allow, force deny or give user control of apps that can get diagnostic information about other running apps. **Set to 2 (two)**
1. **Software Protection Platform** - [Licensing/DisallowKMSClientOnlineAVSValidation](/windows/client-management/mdm/policy-csp-licensing#licensing-disallowkmsclientonlineavsvalidation). Opt out of sending KMS client activation data to Microsoft automatically. **Set to 1 (one)**
1. **Storage Health** - [Storage/AllowDiskHealthModelUpdates](/windows/client-management/mdm/policy-csp-storage#storage-allowdiskhealthmodelupdates). Allows disk health model updates. **Set to 0 (zero)**
1. **Sync your settings** - [Experience/AllowSyncMySettings](/windows/client-management/mdm/policy-csp-experience#experience-allowsyncmysettings). Control whether your settings are synchronized. **Set to 0 (zero)**
1. **Teredo** - No MDM needed. Teredo is **Off by default**. Delivery Optimization (DO) can turn on Teredo, but DO itself is turned Off via MDM.
1. **Wi-Fi Sense** - No MDM needed. Wi-Fi Sense is no longer available from Windows 10 version 1803 and newer.
1. **Sync your settings** - [Experience/AllowSyncMySettings](/windows/client-management/mdm/policy-csp-experience#experience-allowsyncmysettings). Control whether your settings are synchronized. **Set to 0 (zero)**
1. **Teredo** - No MDM needed. Teredo is **Off by default**. Delivery Optimization (DO) can turn on Teredo, but DO itself is turned Off via MDM.
1. **Wi-Fi Sense** - No MDM needed. Wi-Fi Sense is no longer available from Windows 10 version 1803 and later or Windows 11.
1. **Windows Defender**
1. [Defender/AllowCloudProtection](/windows/client-management/mdm/policy-csp-defender#defender-allowcloudprotection). Disconnect from the Microsoft Antimalware Protection Service. **Set to 0 (zero)**
1. [Defender/AllowCloudProtection](/windows/client-management/mdm/policy-csp-defender#defender-allowcloudprotection). Disconnect from the Microsoft Antimalware Protection Service. **Set to 0 (zero)**
1. [Defender/SubmitSamplesConsent](/windows/client-management/mdm/policy-csp-defender#defender-submitsamplesconsent). Stop sending file samples back to Microsoft. **Set to 2 (two)**
1. [Defender/EnableSmartScreenInShell](/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings#mdm-settings). Turns off SmartScreen in Windows for app and file execution. **Set to 0 (zero)**
1. Windows Defender SmartScreen - [Browser/AllowSmartScreen](/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen). Disable Windows Defender SmartScreen. **Set to 0 (zero)**
1. Windows Defender SmartScreen EnableAppInstallControl - [SmartScreen/EnableAppInstallControl](/windows/client-management/mdm/policy-csp-smartscreen#smartscreen-enableappinstallcontrol). Controls whether users are allowed to install apps from places other than the Microsoft Store. **Set to 0 (zero)**
1. Windows Defender SmartScreen EnableAppInstallControl - [SmartScreen/EnableAppInstallControl](/windows/client-management/mdm/policy-csp-smartscreen#smartscreen-enableappinstallcontrol). Controls whether users are allowed to install apps from places other than the Microsoft Store. **Set to 0 (zero)**
1. Windows Defender Potentially Unwanted Applications(PUA) Protection - [Defender/PUAProtection](/windows/client-management/mdm/policy-csp-defender#defender-puaprotection). Specifies the level of detection for potentially unwanted applications (PUAs). **Set to 1 (one)**
1. [Defender/SignatureUpdateFallbackOrder](). Allows you to define the order in which different definition update sources should be contacted. The OMA-URI for this is: **./Vendor/MSFT/Policy/Config/Defender/SignatureUpdateFallbackOrder**, Data type: **String**, Value: **FileShares**
1. **Windows Spotlight** - [Experience/AllowWindowsSpotlight](/windows/client-management/mdm/policy-csp-experience#experience-allowwindowsspotlight). Disable Windows Spotlight. **Set to 0 (zero)**
1. **Microsoft Store**
1. [ApplicationManagement/DisableStoreOriginatedApps](/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-disablestoreoriginatedapps). Boolean value that disables the launch of all apps from Microsoft Store that came pre-installed or were downloaded. **Set to 1 (one)**
1. [ApplicationManagement/AllowAppStoreAutoUpdate](/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-allowappstoreautoupdate). Specifies whether automatic update of apps from Microsoft Store are allowed. **Set to 0 (zero)**
1. **Apps for websites** - [ApplicationDefaults/EnableAppUriHandlers](/windows/client-management/mdm/policy-csp-applicationdefaults#applicationdefaults-enableappurihandlers). This policy setting determines whether Windows supports web-to-app linking with app URI handlers. **Set to 0 (zero)**
1. **Apps for websites** - [ApplicationDefaults/EnableAppUriHandlers](/windows/client-management/mdm/policy-csp-applicationdefaults#applicationdefaults-enableappurihandlers). This policy setting determines whether Windows supports web-to-app linking with app URI handlers. **Set to 0 (zero)**
1. **Windows Update Delivery Optimization** - The following Delivery Optimization MDM policies are available in the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider).
1. [DeliveryOptimization/DODownloadMode](/windows/client-management/mdm/policy-csp-deliveryoptimization#deliveryoptimization-dodownloadmode). Lets you choose where Delivery Optimization gets or sends updates and apps. **Set to 99 (ninety-nine)**
1. **Windows Update**
1. [Update/AllowAutoUpdate](/windows/client-management/mdm/policy-csp-update#update-allowautoupdate). Control automatic updates. **Set to 5 (five)**
1. Windows Update Allow Update Service - [Update/AllowUpdateService](/windows/client-management/mdm/policy-csp-update#update-allowupdateservice). Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store. **Set to 0 (zero)**
1. Windows Update Service URL - [Update/UpdateServiceUrl](/windows/client-management/mdm/policy-csp-update#update-updateserviceurl). Allows the device to check for updates from a WSUS server instead of Microsoft Update. **Set to String** with the Value:
1. Windows Update Service URL - [Update/UpdateServiceUrl](/windows/client-management/mdm/policy-csp-update#update-updateserviceurl). Allows the device to check for updates from a WSUS server instead of Microsoft Update. **Set to String** with the Value:
1. **\<Replace>\<CmdID>$CmdID$</CmdID>\<Item>\<Meta>\<Format>chr</Format>\<Type>text/plain</Type>\</Meta>\<Target> \<LocURI>./Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl</LocURI>\</Target>\<Data>http://abcd-srv:8530</Data>\</Item>\</Replace>**
### <a href="" id="bkmk-mdm-allowedtraffic"></a> Allowed traffic for Microsoft Intune / MDM configurations
|**Allowed traffic endpoints** |
|**Allowed traffic endpoints**
| --- |
|activation-v2.sls.microsoft.com/*|
|cdn.onenote.net|

67
windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
View File

@ -1,5 +1,5 @@
---
title: Manage connections from Windows 10 operating system components to Microsoft services
title: Manage connections from Windows 10 and Windows 11 operating system components to Microsoft services
description: Learn how to minimize connections from Windows to Microsoft services, and configure particular privacy settings related to these connections.
ms.assetid: ACCEB0DD-BC6F-41B1-B359-140B242183D9
ms.reviewer:
@ -17,17 +17,18 @@ ms.topic: article
ms.date: 5/21/2021
---
# Manage connections from Windows 10 operating system components to Microsoft services
# Manage connections from Windows 10 and Windows 11 operating system components to Microsoft services
**Applies to**
- Windows 10 Enterprise, version 1607 and newer
- Windows 11 Enterprise
- Windows 10 Enterprise, version 1607 and later
- Windows Server 2016
- Windows Server 2019
This article describes the network connections that Windows 10 components make to Microsoft and the Windows Settings, Group Policies and registry settings available to IT Professionals to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a number of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience.
This article describes the network connections that Windows 10 and Windows 11 components make to Microsoft and the Windows Settings, Group Policies and registry settings available to IT Professionals to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a number of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience.
Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887) package that will allow your organization to quickly configure the settings covered in this document to restrict connections from Windows 10 to Microsoft. The Windows Restricted Traffic Limited Baseline is based on [Group Policy Administrative Template](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) functionality and the package you download contains further instructions on how to deploy to devices in your organization. Since some of the settings can reduce the functionality and security configuration of your device, **before deploying Windows Restricted Traffic Limited Functionality Baseline** make sure you **choose the right settings configuration for your environment** and **ensure that Windows and Microsoft Defender Antivirus are fully up to date**. Failure to do so may result in errors or unexpected behavior. You should not extract this package to the windows\system32 folder because it will not apply correctly.
Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887) package that will allow your organization to quickly configure the settings covered in this document to restrict connections from Windows 10 and Windows 11 to Microsoft. The Windows Restricted Traffic Limited Baseline is based on [Group Policy Administrative Template](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) functionality and the package you download contains further instructions on how to deploy to devices in your organization. Since some of the settings can reduce the functionality and security configuration of your device, **before deploying Windows Restricted Traffic Limited Functionality Baseline** make sure you **choose the right settings configuration for your environment** and **ensure that Windows and Microsoft Defender Antivirus are fully up to date**. Failure to do so may result in errors or unexpected behavior. You should not extract this package to the windows\system32 folder because it will not apply correctly.
> [!IMPORTANT]
> - The downloadable Windows 10, version 1903 scripts/settings can be used on Windows 10, version 1909 devices.
@ -42,7 +43,7 @@ Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline]
> - To restrict a device effectively (first time or subsequently), it is recommended to apply the Restricted Traffic Limited Functionality Baseline settings package in offline mode.
> - During update or upgrade of Windows, egress traffic may occur.
To use Microsoft Intune cloud-based device management for restricting traffic please refer to the [Manage connections from Windows 10 operating system components to Microsoft services using Microsoft Intune MDM Server](manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm.md).
To use Microsoft Intune cloud-based device management for restricting traffic please refer to the [Manage connections from Windows 10 and Windows 11 operating system components to Microsoft services using Microsoft Intune MDM Server](manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm.md).
We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting **telmhelp**@**microsoft.com**.
@ -50,9 +51,9 @@ We are always striving to improve our documentation and welcome your feedback. Y
The following sections list the components that make network connections to Microsoft services by default. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure diagnostic data at the Security level, turn off Microsoft Defender Antivirus diagnostic data and MSRT reporting, and turn off all of these connections
### Settings for Windows 10 Enterprise edition
### Settings for Windows 10 and Windows 11 Enterprise edition
The following table lists management options for each setting, beginning with Windows 10 Enterprise version 1607.
The following table lists management options for each setting, For Windows 10 (beginning with Windows 10 Enterprise version 1607) and Windows 11.
| Setting | UI | Group Policy | Registry |
@ -74,7 +75,7 @@ The following table lists management options for each setting, beginning with Wi
| [15. Offline maps](#bkmk-offlinemaps) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [16. OneDrive](#bkmk-onedrive) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [17. Preinstalled apps](#bkmk-preinstalledapps) | ![Check mark](images/checkmark.png) | | |
| [18. Settings > Privacy](#bkmk-settingssection) | | | |
| [18. Settings > Privacy & security](#bkmk-settingssection) | | | |
| &nbsp;&nbsp;&nbsp;&nbsp;[18.1 General](#bkmk-general) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| &nbsp;&nbsp;&nbsp;&nbsp;[18.2 Location](#bkmk-priv-location) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| &nbsp;&nbsp;&nbsp;&nbsp;[18.3 Camera](#bkmk-priv-camera) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
@ -130,7 +131,7 @@ See the following table for a summary of the management settings for Windows Ser
| [12. Microsoft Account](#bkmk-microsoft-account) | | | ![Check mark](images/checkmark.png) |
| [14. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [16. OneDrive](#bkmk-onedrive) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [18. Settings > Privacy](#bkmk-settingssection) | | | |
| [18. Settings > Privacy & security](#bkmk-settingssection) | | | |
| [19. Software Protection Platform](#bkmk-spp) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [22. Teredo](#bkmk-teredo) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [24. Microsoft Defender Antivirus](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
@ -186,7 +187,7 @@ See the following table for a summary of the management settings for Windows Ser
| [15. Offline maps](#bkmk-offlinemaps) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [16. OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [17. Preinstalled apps](#bkmk-preinstalledapps) | ![Check mark](images/checkmark.png) | | |
| [18. Settings > Privacy](#bkmk-settingssection) | | | |
| [18. Settings > Privacy & security](#bkmk-settingssection) | | | |
| &nbsp;&nbsp;&nbsp;&nbsp;[18.1 General](#bkmk-general) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| &nbsp;&nbsp;&nbsp;&nbsp;[18.2 Location](#bkmk-priv-location) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| &nbsp;&nbsp;&nbsp;&nbsp;[18.3 Camera](#bkmk-priv-camera) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
@ -237,7 +238,7 @@ Although not recommended, you can turn off Automatic Root Certificates Update, w
> [!CAUTION]
> By not automatically downloading the root certificates the device may not be able to connect to some websites.
For Windows 10, Windows Server 2016 with Desktop Experience, and Windows Server 2016 Server Core:
For Windows 10, Windows Server 2016 with Desktop Experience, Windows Server 2016 Server Core, and Windows 11:
- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Automatic Root Certificates Update**
@ -293,7 +294,7 @@ You can also apply the Group Policies using the following registry keys:
> [!IMPORTANT]
> Using the Group Policy editor these steps are required for all supported versions of Windows 10, however they are not required for devices running Windows 10, version 1607 or Windows Server 2016.
> Using the Group Policy editor these steps are required for all supported versions of Windows 10 and Windows 11, however they are not required for devices running Windows 10, version 1607 or Windows Server 2016.
1. Expand **Computer Configuration** &gt; **Windows Settings** &gt; **Security Settings** &gt; **Windows Defender Firewall with Advanced Security** &gt; **Windows Defender Firewall with Advanced Security - &lt;LDAP name&gt;**, and then click **Outbound Rules**.
@ -389,21 +390,21 @@ If you're running Windows 10, version 1607, Windows Server 2016, or later:
### <a href="" id="bkmk-previewbuilds"></a>7. Insider Preview builds
The Windows Insider Preview program lets you help shape the future of Windows, be part of the community, and get early access to releases of Windows 10. This setting stops communication with the Windows Insider Preview service that checks for new builds.
Windows Insider Preview builds only apply to Windows 10 and are not available for Windows Server 2016.
The Windows Insider Preview program lets you help shape the future of Windows, be part of the community, and get early access to releases of Windows 10 and Windows 11. This setting stops communication with the Windows Insider Preview service that checks for new builds.
Windows Insider Preview builds only apply to Windows 10 and Windows 11 and are not available for Windows Server 2016.
> [!NOTE]
> If you upgrade a device that is configured to minimize connections from Windows to Microsoft services (that is, a device configured for Restricted Traffic) to a Windows Insider Preview build, the Feedback & Diagnostic setting will automatically be set to **Optional (Full)**. Although the diagnostic data level may initially appear as **Required (Basic)**, a few hours after the UI is refreshed or the machine is rebooted, the setting will become **Optional (Full)**.
To turn off Insider Preview builds for a released version of Windows 10:
To turn off Insider Preview builds for a released version of Windows 10 or Windows 11:
- **Disable** the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Data Collection and Preview Builds** &gt; **Toggle user control over Insider builds**.
To turn off Insider Preview builds for Windows 10:
To turn off Insider Preview builds for Windows 10 and Windows 11:
> [!NOTE]
> If you're running a preview version of Windows 10, you must roll back to a released version before you can turn off Insider Preview builds.
> If you're running a preview version of Windows 10 or Windows 11, you must roll back to a released version before you can turn off Insider Preview builds.
- Turn off the feature in the UI: **Settings** > **Update & security** > **Windows Insider Program** > **Stop Insider Preview builds**.
@ -529,7 +530,7 @@ To turn off Live Tiles:
- Create a REG_DWORD registry setting named **NoCloudApplicationNotification** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\PushNotifications** with a **value of 1 (one)**
In Windows 10 Mobile, you must also unpin all tiles that are pinned to Start.
In Windows 10 or Windows 11 Mobile, you must also unpin all tiles that are pinned to Start.
### <a href="" id="bkmk-mailsync"></a>11. Mail synchronization
@ -548,7 +549,7 @@ To turn off the Windows Mail app:
### <a href="" id="bkmk-microsoft-account"></a>12. Microsoft Account
Use the below setting to prevent communication to the Microsoft Account cloud authentication service. Many apps and system components that depend on Microsoft Account authentication may lose functionality. Some of them could be in unexpected ways. For example, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See [Feature updates are not being offered while other updates are](/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are).
Use the below setting to prevent communication to the Microsoft Account cloud authentication service. Many apps and system components that depend on Microsoft Account authentication may lose functionality. Some of them could be in unexpected ways. For example, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher and Windows 11. See [Feature updates are not being offered while other updates are](/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are).
To disable the Microsoft Account Sign-In Assistant:
@ -657,7 +658,7 @@ You can turn off the ability to download and update offline maps.
-and-
- In Windows 10, version 1607 and later, **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off unsolicited network traffic on the Offline Maps settings page**
- In Windows 10, version 1607 and later, and Windows 11 **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off unsolicited network traffic on the Offline Maps settings page**
-or-
@ -805,9 +806,9 @@ To remove the Sticky notes app:
- Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.MicrosoftStickyNotes | Remove-AppxPackage**
### <a href="" id="bkmk-settingssection"></a>18. Settings &gt; Privacy
### <a href="" id="bkmk-settingssection"></a>18. Settings &gt; Privacy & security
Use Settings &gt; Privacy to configure some settings that may be important to your organization. Except for the Feedback & Diagnostics page, these settings must be configured for every user account that signs into the PC.
Use Settings &gt; Privacy & security to configure some settings that may be important to your organization. Except for the Feedback & Diagnostics page, these settings must be configured for every user account that signs into the PC.
- [18.1 General](#bkmk-general)
@ -1268,7 +1269,7 @@ In the **Other Devices** area, you can choose whether devices that aren't paired
To turn off **Let apps automatically share and sync info with wireless devices that don't explicitly pair with your PC, tablet, or phone**:
- Turn off the feature in the UI by going to Settings > Privacy > Other devices > "Communicate with unpaired devices. Let apps automatically share and sync info with wireless devices that don't explicitly pair with your PC, tablet, or phone" and **Turn it OFF**.
- Turn off the feature in the UI by going to Settings > Privacy & security > Other devices > "Communicate with unpaired devices. Let apps automatically share and sync info with wireless devices that don't explicitly pair with your PC, tablet, or phone" and **Turn it OFF**.
-or-
@ -1342,7 +1343,7 @@ To change the level of diagnostic and usage data sent when you **Send your devic
- Create a REG_DWORD registry setting in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry** with a **value of 0**.
> [!NOTE]
> If the **Security** option is configured by using Group Policy or the Registry, the value will not be reflected in the UI. The **Security** option is only available in Windows 10 Enterprise edition.
> If the **Security** option is configured by using Group Policy or the Registry, the value will not be reflected in the UI. The **Security** option is only available in Windows 10 and Windows 11 Enterprise edition.
To turn off tailored experiences with relevant tips and recommendations by using your diagnostics data:
@ -1380,7 +1381,7 @@ To turn off **Let apps run in the background**:
-or-
- **Enable** the Group Policy (only applicable for Windows 10 version 1703 and above): **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps run in the background** and set the **Select a setting** box to **Force Deny**.
- **Enable** the Group Policy (only applicable for Windows 10 version 1703 and above and Windows 11): **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps run in the background** and set the **Select a setting** box to **Force Deny**.
-or-
@ -1527,7 +1528,7 @@ To turn this Off in the UI:
Enterprise customers can manage their Windows activation status with volume licensing using an on-premises Key Management Server. You can opt out of sending KMS client activation data to Microsoft automatically by doing one of the following:
**For Windows 10:**
**For Windows 10 and Windows 11:**
- **Enable** the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Software Protection Platform** &gt; **Turn off KMS Client Online AVS Validation**
@ -1555,7 +1556,7 @@ Enterprise customers can manage their Windows activation status with volume lice
Enterprise customers can manage updates to the Disk Failure Prediction Model.
For Windows 10:
For Windows 10 and Windows 11:
- **Disable** this Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **System** &gt; **Storage Health** &gt; **Allow downloading updates to the Disk Failure Prediction Model**
-or-
@ -1723,12 +1724,12 @@ In Group Policy, configure:
Windows Spotlight provides features such as different background images and text on the lock screen, suggested apps, Microsoft account notifications, and Windows tips. You can control it by using the user interface or Group Policy.
If you're running Windows 10, version 1607 or later, you need to:
If you're running Windows 10, version 1607 or later, or Windows 11, you need to:
- **Enable** the following Group Policy **User Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off all Windows spotlight features**
> [!NOTE]
> This must be done within 15 minutes after Windows 10 is installed. Alternatively, you can create an image with this setting.
> This must be done within 15 minutes after Windows 10 or Windows 11 is installed. Alternatively, you can create an image with this setting.
-or-
@ -1840,11 +1841,11 @@ You can turn off apps for websites, preventing customers who visit websites that
Delivery Optimization is the downloader of Windows updates, Microsoft Store apps, Office and other content from Microsoft. Delivery Optimization can also download from sources in addition to Microsoft, which not only helps when you have a limited or unreliable Internet connection, but can also help you reduce the amount of bandwidth needed to keep all of your organization's PCs up-to-date. If you have Delivery Optimization Peer-to-Peer option turned on, PCs on your network may send and receive updates and apps to other PCs on your local network, if you choose, or to PCs on the Internet.
By default, PCs running Windows 10 will only use Delivery Optimization to get and receive updates for PCs and apps on your local network.
By default, PCs running Windows 10 or Windows 11 will only use Delivery Optimization to get and receive updates for PCs and apps on your local network.
Use the UI, Group Policy, or Registry Keys to set up Delivery Optimization.
In Windows 10 version 1607 and above you can stop network traffic related to Delivery Optimization Cloud Service by setting **Download Mode** to **Simple Mode** (99), as described below.
In Windows 10, version 1607 and above, and Windows 11 you can stop network traffic related to Delivery Optimization Cloud Service by setting **Download Mode** to **Simple Mode** (99), as described below.
### <a href="" id="bkmk-wudo-ui"></a>28.1 Settings &gt; Update & security
@ -1933,7 +1934,7 @@ For China releases of Windows 10 there is one additional Regkey to be set to pre
### <a href="" id="bkmk-clcp"></a>30. Cloud Clipboard
Specifies whether clipboard items roam across devices. When this is allowed, an item copied to the clipboard is uploaded to the cloud so that other devices can access it. Clipboard items in the cloud can be downloaded and pasted across your Windows 10 devices.
Specifies whether clipboard items roam across devices. When this is allowed, an item copied to the clipboard is uploaded to the cloud so that other devices can access it. Clipboard items in the cloud can be downloaded and pasted across your Windows 10 and Windows 11 devices.
Most restricted value is 0.

159
windows/privacy/manage-windows-11-endpoints.md Normal file
View File

@ -0,0 +1,159 @@
---
title: Connection endpoints for Windows 11 Enterprise
description: Explains what Windows 11 endpoints are used for, how to turn off traffic to them, and the impact. Specific to Windows 11.
keywords: privacy, manage connections to Microsoft, Windows 11
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.localizationpriority: high
audience: ITPro
author: gental-giant
ms.author: v-hakima
manager: robsize
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 12/17/2020
---
# Manage connection endpoints for Windows 11 Enterprise
**Applies to**
- Windows 11 Enterprise
Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include:
- Connecting to Microsoft Office and Windows sites to download the latest app and security updates.
- Connecting to email servers to send and receive email.
- Connecting to the web for every day web browsing.
- Connecting to the cloud to store and access backups.
- Using your location to show a weather forecast.
Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
Where applicable, each endpoint covered in this topic includes a link to the specific details on how to control that traffic.
The following methodology was used to derive these network endpoints:
1. Set up the latest version of Windows 11 on a test virtual machine using the default settings.
2. Leave the device(s) running idle for a week ("idle" means a user is not interacting with the system/device).
3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
4. Compile reports on traffic going to public IP addresses.
5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory.
6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here.
7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different.
8. These tests were conducted for one week, but if you capture traffic for longer you may have different results.
> [!NOTE]
> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time.
## Windows 11 Enterprise connection endpoints
|Area|Description|Protocol|Destination|
|----------------|----------|----------|------------|
|Apps|||[Learn how to turn off traffic to the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)|
||The following endpoint is used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTP|tile-service.weather.microsoft.com|
||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS/HTTP|cdn.onenote.net|
||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net
|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to turn off traffic to this endpoint, but it is not recommended because as root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)|
|||TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com|
|Cortana and Live Tiles|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)|
||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|TLSv1.2/HTTPS/HTTP|www.bing.com*|
|||TLSv1.2/HTTPS/HTTP|fp.msedge.net|
|||TLSv1.2|I-ring.msedge.net|
|||HTTPS|s-ring.msedge.net|
|Device authentication|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
||The following endpoint is used to authenticate a device. If you turn off traffic for this endpoint, the device will not be authenticated.|HTTPS|login.live.com*|
|Device metadata|The following endpoint is used to retrieve device metadata. If you turn off traffic for this endpoint, metadata will not be updated for the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#4-device-metadata-retrieval)|
|||HTTP|dmd.metaservices.microsoft.com|
|Diagnostic Data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
|||TLSv1.2/HTTPS/HTTP|v10.events.data.microsoft.com|
||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.|TLSv1.2|telecommand.telemetry.microsoft.com|
|||TLS v1.2/HTTPS/HTTP|watson.*.microsoft.com|
|Font Streaming|The following endpoints are used to download fonts on demand. If you turn off traffic for these endpoints, you will not be able to download fonts on demand.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#6-font-streaming)|
|||HTTPS|fs.microsoft.com|
|Licensing|The following endpoint is used for online activation and some app licensing. To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#9-license-manager)|
|||TLSv1.2/HTTPS/HTTP|licensing.mp.microsoft.com|
|Maps|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps)|
||The following endpoints are used to check for updates to maps that have been downloaded for offline use. If you turn off traffic for this endpoint, offline maps will not be updated.|TLSv1.2/HTTPS/HTTP|maps.windows.com|
|Microsoft Account|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account)|
||The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users cannot sign in with Microsoft accounts. |TLSv1.2/HTTPS|login.live.com|
|Microsoft Edge|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#13-microsoft-edge)|
||This network traffic is related to the Microsoft Edge browser. The Microsoft Edge browser requires this endpoint to contact external websites.|HTTPS|iecvlist.microsoft.com|
||The following endpoint is used by Microsoft Edge Update service to check for new updates. If you disable this endpoint, Microsoft Edge wont be able to check for and apply new edge updates.|TLSv1.2/HTTPS/HTTP|msedge.api.cdp.microsoft.com|
|Microsoft Store|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
||The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|img-prod-cms-rt-microsoft-com.akamaized.net|
||The following endpoint is needed to load the content in the Microsoft Store app.|HTTPS|livetileedge.dsx.mp.microsoft.com|
||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. If you turn off traffic for this endpoint, push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.|TLSv1.2/HTTPS|*.wns.windows.com|
||The following endpoints are used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com|
||The following endpoint is used to get Microsoft Store analytics.|HTTPS|manage.devcenter.microsoft.com|
||The following endpoints are used to communicate with Microsoft Store. If you turn off traffic for these endpoints, apps cannot be installed or updated from the Microsoft Store.|TLSv1.2/HTTPS/HTTP|displaycatalog.mp.microsoft.com|
|||HTTPS|pti.store.microsoft.com|
|||HTTP|share.microsoft.com|
||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com|
|Network Connection Status Indicator (NCSI)|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi)|
||Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. If you turn off traffic for this endpoint, NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning.|HTTPS|www.msftconnecttest.com*|
|Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser. For more info, see Office 365 URLs and IP address ranges. You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
|||HTTPS|www.office.com|
|||HTTPS|blobs.officehome.msocdn.com|
|||HTTPS|officehomeblobs.blob.core.windows.net|
|||HTTPS|self.events.data.microsoft.com|
|||TLSv1.2/HTTPS/HTTP|outlookmobile-office365-tas.msedge.net|
|OneDrive|The following endpoints are related to OneDrive. If you turn off traffic for these endpoints, anything that relies on g.live.com to get updated URL information will no longer work.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive)|
|||TLSv1.2/HTTPS/HTTP|g.live.com|
|||TLSv1.2/HTTPS/HTTP|oneclient.sfx.ms|
|||HTTPS| logincdn.msauth.net|
|Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. If you turn off traffic for this endpoint, an app that uses this endpoint may stop working.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
|||TLSv1.2/HTTPS/HTTP|settings-win.data.microsoft.com|
|||HTTPS|settings.data.microsoft.com|
|Skype|The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)|
|||HTTPS/HTTP|*.pipe.aria.microsoft.com|
|||TLSv1.2/HTTPS/HTTP|config.edge.skype.com|
|Teams|The following endpoint is used for Microsoft Teams application.||[Learn how to turn off traffic to all of the following endpoint(s).]( manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
|||TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com|
|Microsoft Defender Antivirus|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off traffic for this endpoint, the device will not use Cloud-based Protection.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender)|
|||HTTPS/TLSv1.2|wdcp.microsoft.com|
||The following endpoints are used for Windows Defender SmartScreen reporting and notifications. If you turn off traffic for these endpoints, SmartScreen notifications will not appear.|HTTPS|*smartscreen-prod.microsoft.com|
|||HTTPS/HTTP|checkappexec.microsoft.com|
|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. If you turn off traffic for these endpoints, Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see Windows Spotlight.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight)|
|||TLSv1.2/HTTPS/HTTP|arc.msn.com|
|||HTTPS|ris.api.iris.microsoft.com|
|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates)|
|||TLSv1.2/HTTPS/HTTP|*.prod.do.dsp.mp.microsoft.com|
|||HTTP|emdl.ws.microsoft.com|
||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you turn off traffic for these endpoints, the device will not be able to download updates for the operating system.|TLSv1.2/HTTPS/HTTP|*.dl.delivery.mp.microsoft.com|
|||HTTP|*.windowsupdate.com|
||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store. These are dependent on also enabling "Device authentication" and "Microsoft Account" endpoints.|TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com|
|||TLSv1.2/HTTPS/HTTP|*.update.microsoft.com|
||The following endpoint is used for compatibility database updates for Windows.|HTTPS|adl.windows.com|
||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com|
|Xbox Live|The following endpoint is used for Xbox Live.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
|||HTTPS|dlassets-ssl.xboxlive.com|
## Other Windows 10 editions
To view endpoints for other versions of Windows 10 Enterprise, see:
- [Manage connection endpoints for Windows 10, version 21H1](manage-windows-21H1-endpoints.md)
- [Manage connection endpoints for Windows 10, version 2004](manage-windows-2004-endpoints.md)
- [Manage connection endpoints for Windows 10, version 1909](manage-windows-1909-endpoints.md)
- [Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md)
- [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md)
- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md)
- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md)
To view endpoints for non-Enterprise Windows 10 editions, see:
- [Windows 10, version 21H1, connection endpoints for non-Enterprise editions](windows-endpoints-21H1-non-enterprise-editions.md)
- [Windows 10, version 2004, connection endpoints for non-Enterprise editions](windows-endpoints-2004-non-enterprise-editions.md)
- [Windows 10, version 1909, connection endpoints for non-Enterprise editions](windows-endpoints-1909-non-enterprise-editions.md)
- [Windows 10, version 1903, connection endpoints for non-Enterprise editions](windows-endpoints-1903-non-enterprise-editions.md)
- [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md)
- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md)
- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md)
## Related links
- [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US)
- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)

157
windows/privacy/manage-windows-21H1-endpoints.md Normal file
View File

@ -0,0 +1,157 @@
---
title: Connection endpoints for Windows 10 Enterprise, version 21H1
description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact. Specific to Windows 10 Enterprise, version 21H1.
keywords: privacy, manage connections to Microsoft, Windows 10
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.localizationpriority: high
audience: ITPro
author: gental-giant
ms.author: v-hakima
manager: robsize
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 12/17/2020
---
# Manage connection endpoints for Windows 10 Enterprise, version 21H1
**Applies to**
- Windows 10 Enterprise, version 21H1
Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include:
- Connecting to Microsoft Office and Windows sites to download the latest app and security updates.
- Connecting to email servers to send and receive email.
- Connecting to the web for every day web browsing.
- Connecting to the cloud to store and access backups.
- Using your location to show a weather forecast.
Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
Where applicable, each endpoint covered in this topic includes a link to the specific details on how to control that traffic.
The following methodology was used to derive these network endpoints:
1. Set up the latest version of Windows 10 on a test virtual machine using the default settings.
2. Leave the device(s) running idle for a week ("idle" means a user is not interacting with the system/device).
3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
4. Compile reports on traffic going to public IP addresses.
5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory.
6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here.
7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different.
8. These tests were conducted for one week, but if you capture traffic for longer you may have different results.
> [!NOTE]
> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time.
## Windows 10 21H1 Enterprise connection endpoints
|Area|Description|Protocol|Destination|
|----------------|----------|----------|------------|
|Apps|||[Learn how to turn off traffic to the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)|
||The following endpoint is used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTP|tile-service.weather.microsoft.com|
||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS/HTTP|cdn.onenote.net|
||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net
|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to turn off traffic to this endpoint, but it is not recommended because as root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)|
|||TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com|
|Cortana and Live Tiles|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)|
||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|TLSv1.2/HTTPS/HTTP|www.bing.com*|
|||TLSv1.2/HTTPS/HTTP|fp.msedge.net|
|||TLSv1.2|I-ring.msedge.net|
|||HTTPS|s-ring.msedge.net|
|Device authentication|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
||The following endpoint is used to authenticate a device. If you turn off traffic for this endpoint, the device will not be authenticated.|HTTPS|login.live.com*|
|Device metadata|The following endpoint is used to retrieve device metadata. If you turn off traffic for this endpoint, metadata will not be updated for the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#4-device-metadata-retrieval)|
|||HTTP|dmd.metaservices.microsoft.com|
|Diagnostic Data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. <br/>If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
|||TLSv1.2/HTTPS/HTTP|v10.events.data.microsoft.com|
||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.|TLSv1.2|telecommand.telemetry.microsoft.com|
|||TLS v1.2/HTTPS/HTTP|watson.*.microsoft.com|
|Font Streaming|The following endpoints are used to download fonts on demand. If you turn off traffic for these endpoints, you will not be able to download fonts on demand.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#6-font-streaming)|
|||HTTPS|fs.microsoft.com|
|Licensing|The following endpoint is used for online activation and some app licensing. To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#9-license-manager)|
|||TLSv1.2/HTTPS/HTTP|licensing.mp.microsoft.com|
|Maps|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps)|
||The following endpoints are used to check for updates to maps that have been downloaded for offline use. If you turn off traffic for this endpoint, offline maps will not be updated.|TLSv1.2/HTTPS/HTTP|maps.windows.com|
|Microsoft Account|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account)|
||The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users cannot sign in with Microsoft accounts. |TLSv1.2/HTTPS|login.live.com|
|Microsoft Edge|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#13-microsoft-edge)|
||This traffic is related to the Microsoft Edge browser.|HTTPS|iecvlist.microsoft.com|
||The following endpoint is used by Microsoft Edge Update service to check for new updates. If you disable this endpoint, Microsoft Edge wont be able to check for and apply new edge updates.|TLSv1.2/HTTPS/HTTP|msedge.api.cdp.microsoft.com|
|Microsoft forward link redirection service (FWLink)|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.|HTTP|go.microsoft.com|
|Microsoft Store|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
||The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|img-prod-cms-rt-microsoft-com.akamaized.net|
||The following endpoint is needed to load the content in the Microsoft Store app.|HTTPS|livetileedge.dsx.mp.microsoft.com|
||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. If you turn off traffic for this endpoint, push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.|TLSv1.2/HTTPS|*.wns.windows.com|
||The following endpoints are used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com|
||The following endpoint is used to get Microsoft Store analytics.|HTTPS|manage.devcenter.microsoft.com|
||The following endpoints are used to communicate with Microsoft Store. If you turn off traffic for these endpoints, apps cannot be installed or updated from the Microsoft Store.|TLSv1.2/HTTPS/HTTP|displaycatalog.mp.microsoft.com|
|||HTTPS|pti.store.microsoft.com|
|||HTTP|share.microsoft.com|
||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com|
|Network Connection Status Indicator (NCSI)|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi)|
||Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. If you turn off traffic for this endpoint, NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning.|HTTPS|www.msftconnecttest.com*|
|Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser. For more info, see Office 365 URLs and IP address ranges. You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
|||HTTPS|www.office.com|
|||HTTPS|blobs.officehome.msocdn.com|
|||HTTPS|officehomeblobs.blob.core.windows.net|
|||HTTPS|self.events.data.microsoft.com|
|||TLSv1.2/HTTPS/HTTP|outlookmobile-office365-tas.msedge.net|
|OneDrive|The following endpoints are related to OneDrive. If you turn off traffic for these endpoints, anything that relies on g.live.com to get updated URL information will no longer work.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive)|
|||TLSv1.2/HTTPS/HTTP|g.live.com|
|||TLSv1.2/HTTPS/HTTP|oneclient.sfx.ms|
|||HTTPS| logincdn.msauth.net|
|Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. If you turn off traffic for this endpoint, an app that uses this endpoint may stop working.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
|||TLSv1.2/HTTPS/HTTP|settings-win.data.microsoft.com|
|||HTTPS|settings.data.microsoft.com|
|Skype|The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)|
|||HTTPS/HTTP|*.pipe.aria.microsoft.com|
|||TLSv1.2/HTTPS/HTTP|config.edge.skype.com|
|Teams|The following endpoint is used for Microsoft Teams application.||[Learn how to turn off traffic to all of the following endpoint(s).]( manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
|||TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com|
|Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off traffic for this endpoint, the device will not use Cloud-based Protection.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender)|
|||HTTPS/TLSv1.2|wdcp.microsoft.com|
||The following endpoints are used for Windows Defender SmartScreen reporting and notifications. If you turn off traffic for these endpoints, SmartScreen notifications will not appear.|HTTPS|*smartscreen-prod.microsoft.com|
|||HTTPS/HTTP|checkappexec.microsoft.com|
|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. If you turn off traffic for these endpoints, Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see Windows Spotlight.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight)|
|||TLSv1.2/HTTPS/HTTP|arc.msn.com|
|||HTTPS|ris.api.iris.microsoft.com|
|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates)|
|||TLSv1.2/HTTPS/HTTP|*.prod.do.dsp.mp.microsoft.com|
|||HTTP|emdl.ws.microsoft.com|
||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you turn off traffic for these endpoints, the device will not be able to download updates for the operating system.|TLSv1.2/HTTPS/HTTP|*.dl.delivery.mp.microsoft.com|
|||HTTP|*.windowsupdate.com|
||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store. These are dependent on also enabling "Device authentication" and "Microsoft Account" endpoints.|TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com|
|||TLSv1.2/HTTPS/HTTP|*.update.microsoft.com|
||The following endpoint is used for compatibility database updates for Windows.|HTTPS|adl.windows.com|
||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com|
|Xbox Live|The following endpoint is used for Xbox Live.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
|||HTTPS|dlassets-ssl.xboxlive.com|
## Other Windows 10 editions
To view endpoints for other versions of Windows 10 Enterprise, see:
- [Manage connection endpoints for Windows 10, version 2004](manage-windows-2004-endpoints.md)
- [Manage connection endpoints for Windows 10, version 1909](manage-windows-1909-endpoints.md)
- [Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md)
- [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md)
- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md)
- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md)
To view endpoints for non-Enterprise Windows 10 editions, see:
- [Windows 10, version 2004, connection endpoints for non-Enterprise editions](windows-endpoints-2004-non-enterprise-editions.md)
- [Windows 10, version 1909, connection endpoints for non-Enterprise editions](windows-endpoints-1909-non-enterprise-editions.md)
- [Windows 10, version 1903, connection endpoints for non-Enterprise editions](windows-endpoints-1903-non-enterprise-editions.md)
- [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md)
- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md)
- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md)
## Related links
- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US)
- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)

8338
windows/privacy/required-windows-11-diagnostic-events-and-fields.md Normal file
View File

File diff suppressed because it is too large Load Diff

648
windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
View File

File diff suppressed because it is too large Load Diff

16
windows/privacy/toc.yml
View File

@ -1,7 +1,7 @@
- name: Privacy
href: index.yml
items:
- name: "Windows 10 & Privacy Compliance: A Guide for IT and Compliance Professionals"
- name: "Windows Privacy Compliance: A Guide for IT and Compliance Professionals"
href: windows-10-and-privacy-compliance.md
- name: Configure Windows diagnostic data in your organization
href: configure-windows-diagnostic-data-in-your-organization.md
@ -15,6 +15,8 @@
href: Microsoft-DiagnosticDataViewer.md
- name: Required Windows diagnostic data events and fields
items:
- name: Required Windows 11 diagnostic data events and fields
href: required-windows-11-diagnostic-events-and-fields.md
- name: Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic data events and fields
href: required-windows-diagnostic-data-events-and-fields-2004.md
- name: Windows 10, version 1909 and Windows 10, version 1903 required level Windows diagnostic events and fields
@ -29,18 +31,22 @@
href: basic-level-windows-diagnostic-events-and-fields-1703.md
- name: Optional Windows diagnostic data events and fields
items:
- name: Windows 10, version 1709 and newer optional diagnostic data
- name: Windows 10, version 1709 and later and Windows 11 optional diagnostic data
href: windows-diagnostic-data.md
- name: Windows 10, version 1703 optional diagnostic data
href: windows-diagnostic-data-1703.md
- name: Windows 10 diagnostic data events and fields collected through the limit enhanced diagnostic data policy
href: enhanced-diagnostic-data-windows-analytics-events-and-fields.md
- name: Manage Windows 10 connection endpoints
- name: Manage Windows connection endpoints
items:
- name: Manage connections from Windows operating system components to Microsoft services
href: manage-connections-from-windows-operating-system-components-to-microsoft-services.md
- name: Manage connections from Windows operating system components to Microsoft services using MDM
href: manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
- name: Connection endpoints for Windows 11
href: manage-windows-11-endpoints.md
- name: Connection endpoints for Windows 10, version 21H1
href: manage-windows-21H1-endpoints.md
- name: Connection endpoints for Windows 10, version 20H2
href: manage-windows-20H2-endpoints.md
- name: Connection endpoints for Windows 10, version 2004
@ -55,6 +61,10 @@
href: manage-windows-1803-endpoints.md
- name: Connection endpoints for Windows 10, version 1709
href: manage-windows-1709-endpoints.md
- name: Connection endpoints for non-Enterprise editions of Windows 11
href: windows-11-endpoints-non-enterprise-editions.md
- name: Connection endpoints for non-Enterprise editions of Windows 10, version 21H1
href: windows-endpoints-21H1-non-enterprise-editions.md
- name: Connection endpoints for non-Enterprise editions of Windows 10, version 20H2
href: windows-endpoints-20H2-non-enterprise-editions.md
- name: Connection endpoints for non-Enterprise editions of Windows 10, version 2004

85
windows/privacy/windows-10-and-privacy-compliance.md
View File

@ -1,6 +1,6 @@
---
title: Windows 10 & Privacy Compliance Guide
description: This article provides information to help IT and compliance professionals understand the personal data policies as related to Windows 10.
title: Windows Privacy Compliance Guide
description: This article provides information to help IT and compliance professionals understand the personal data policies as related to Windows.
keywords: privacy, GDPR, compliance
ms.prod: w10
ms.mktglfcycl: manage
@ -16,64 +16,62 @@ ms.topic: article
ms.date: 07/21/2020
---
# Windows 10 & Privacy Compliance:<br />A Guide for IT and Compliance Professionals
# Windows Privacy Compliance:<br />A Guide for IT and Compliance Professionals
Applies to:
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Professional
- Windows Server 2016 and newer
- Windows 10 and 11 Enterprise
- Windows 10 and 11 Education
- Windows 10 and 11 Professional
- Windows Server 2016 and later
## Overview
At Microsoft, we are committed to data privacy across all our products and services. With this guide, we provide administrators and compliance professionals with data privacy considerations for Windows 10.
At Microsoft, we are committed to data privacy across all our products and services. With this guide, we provide administrators and compliance professionals with data privacy considerations for Windows.
Microsoft collects data through multiple interactions with users of Windows 10 devices. This information can contain personal data that may be used to provide, secure, and improve Windows 10 services. To help users and organizations control the collection of personal data, Windows 10 provides comprehensive transparency features, settings choices, controls, and support for data subject requests, all of which are detailed in this article.
Microsoft collects data through multiple interactions with users of Windows devices. This information can contain personal data that may be used to provide, secure, and improve Windows services. To help users and organizations control the collection of personal data, Windows provides comprehensive transparency features, settings choices, controls, and support for data subject requests, all of which are detailed in this article.
This information allows administrators and compliance professionals to work together to better manage personal data privacy considerations and related regulations, such as the General Data Protection Regulation (GDPR)
This information allows administrators and compliance professionals to work together to better manage personal data privacy considerations and related regulations, such as the General Data Protection Regulation (GDPR).
## 1. Windows 10 data collection transparency
## 1. Windows data collection transparency
Transparency is an important part of the data collection process in Windows 10. Comprehensive information about the features and processes used to collect data is available to users and administrators directly within Windows, both during and after device set up.
Transparency is an important part of the data collection process in Windows. Comprehensive information about the features and processes used to collect data is available to users and administrators directly within Windows, both during and after device set up.
### 1.1 Device set up experience and support for layered transparency
When setting up a device, a user can configure their privacy settings. Those privacy settings are key in determining the amount of personal data collected. For each privacy setting, the user is provided information about the setting along with the links to supporting information. This information explains what data is collected, how the data is used, and how to manage the setting after the device setup is complete. When connected to the network during this portion of setup, the user can also review the privacy statement. A brief overview of the set up experience for privacy settings is described in [Windows Insiders get first look at new privacy screen settings layout coming to Windows 10](https://blogs.windows.com/windowsexperience/2018/03/06/windows-insiders-get-first-look-new-privacy-screen-settings-layout-coming-windows-10/#uCC2bKYP8M5BqrDP.97), a blog entry on Windows Blogs.
The following table provides an overview of the Windows 10 privacy settings presented during the device setup experience that involve processing personal data and where to find additional information.
The following table provides an overview of the Windows 10 and Windows 11 privacy settings presented during the device setup experience that involve processing personal data and where to find additional information.
> [!NOTE]
> This table is limited to the privacy settings that are available as part of setting up a Windows 10 device (Windows 10, version 1809 and newer). For the full list of settings that involve data collection, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
> This table is limited to the privacy settings that are most commonly avaialable when setting up a current version of Windows 10 or newer. For the full list of settings that involve data collection, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
| Feature/Setting | Description | Supporting Content | Privacy Statement |
| --- | --- | --- | --- |
| Diagnostic Data | <p>Microsoft uses diagnostic data to keep Windows secure, up to date, troubleshoot problems, and make product improvements. Regardless of what choices you make for diagnostic data collection, the device will be just as secure and will operate normally. This data is collected by Microsoft and stored with one or more unique identifiers that can help us recognize an individual user on an individual device and understand the device's service issues and use patterns.</p><p>Diagnostic data is categorized into the following:<ul><li>**Required diagnostic data**<br />Required diagnostic data includes information about your device, its settings, capabilities, and whether it is performing properly, whether a device is ready for an update, and whether there are factors that may impede the ability to receive updates, such as low battery, limited disk space, or connectivity through a paid network. You can find out what is collected with required diagnostic data [here](./required-windows-diagnostic-data-events-and-fields-2004.md).</li><li>**Optional diagnostic data**<br />Optional diagnostic data includes more detailed information about your device and its settings, capabilities, and device health. When you choose to send optional diagnostic data, required diagnostic data will always be included. You can find out the types of optional diagnostic data collected [here](./windows-diagnostic-data.md).</li></ul></p> | [Learn more](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy)<br /><br />[Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#maindiagnosticsmodule) |
| Inking and typing diagnostics | Microsoft collects optional inking and typing diagnostic data to improve the language recognition and suggestion capabilities of apps and services running on Windows. | [Learn more](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#maindiagnosticsmodule) |
| Speech | Use your voice for dictation and to talk to Cortana and other apps that use Windows cloud-based speech recognition. Microsoft collects voice data to help improve speech services. | [Learn more](https://support.microsoft.com/help/4468250/windows-10-speech-voice-activation-inking-typing-privacy) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#mainspeechinkingtypingmodule) |
| Diagnostic Data | <p>Microsoft uses diagnostic data to keep Windows secure, up to date, troubleshoot problems, and make product improvements. Regardless of what choices you make for diagnostic data collection, the device will be just as secure and will operate normally. This data is collected by Microsoft to quickly identify and address issues affecting its customers.</p><p>Diagnostic data is categorized into the following:<ul><li>**Required diagnostic data**<br />Required diagnostic data includes information about your device, its settings, capabilities, and whether it is performing properly, whether a device is ready for an update, and whether there are factors that may impede the ability to receive updates, such as low battery, limited disk space, or connectivity through a paid network. You can find out what is collected with required diagnostic data [here](./required-windows-diagnostic-data-events-and-fields-2004.md).</li><li>**Optional diagnostic data**<br />Optional diagnostic data includes more detailed information about your device and its settings, capabilities, and device health. When you choose to send optional diagnostic data, required diagnostic data will always be included. You can find out the types of optional diagnostic data collected [here](./windows-diagnostic-data.md).</li></ul></p> | [Learn more](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy)<br /><br />[Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#maindiagnosticsmodule) |
| Inking & typing | Microsoft collects optional inking and typing diagnostic data to improve the language recognition and suggestion capabilities of apps and services running on Windows. | [Learn more](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#maindiagnosticsmodule) |
| Location | Get location-based experiences like directions and weather. Let Windows and apps request your location and allow Microsoft to use your location data to improve location services. | [Learn more](https://support.microsoft.com/help/4468240/windows-10-location-service-and-privacy) |[Privacy Statement](https://privacy.microsoft.com/privacystatement#mainlocationservicesmotionsensingmodule) |
| Find my device | Use your devices location data to help you find your device if you lose it. | [Learn more](https://support.microsoft.com/help/11579/microsoft-account-find-and-lock-lost-windows-device) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#mainlocationservicesmotionsensingmodule) |
| Tailored Experiences | Let Microsoft offer you tailored experiences based on the diagnostic data you choose to send. Tailored experiences include personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs. | [Learn more](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#maindiagnosticsmodule) |
| Advertising Id | Apps can use advertising ID to provide more personalized advertising in accordance with the privacy policy of the app provider. | [Learn more](https://support.microsoft.com/help/4459081/windows-10-general-privacy-settings) | [Privacy statement](https://support.microsoft.com/help/4459081/windows-10-general-privacy-settings) |
| Activity History/Timeline Cloud Sync | If you want Windows Timeline and other Windows features to help you continue what you were doing, even when you switch devices, send Microsoft your activity history, which includes info about websites you browse and how you use apps and services. | [Learn more](https://support.microsoft.com/help/4468227/windows-10-activity-history-and-your-privacy-microsoft-privacy) | [Privacy statement](https://privacy.microsoft.com/privacystatement#mainactivityhistorymodule) |
| Cortana | <p>Cortana is Microsofts personal digital assistant, which helps busy people get things done, even while theyre at work. Cortana on Windows is available in [certain regions and languages](https://support.microsoft.com/help/4026948/cortanas-regions-and-languages). Cortana learns from certain data about the user, such as location, searches, calendar, contacts, voice input, speech patterns, email, content, and communication history from text messages. In Microsoft Edge, Cortana uses browsing history. The user is in control of how much data is shared.<br /><br />Cortana has powerful configuration options, specifically optimized for a business. By signing in with an Azure Active Directory (Azure AD) account, enterprise users can give Cortana access to their enterprise/work identity, while getting all the functionality Cortana provides to them outside of work.</p> | [Learn more](https://support.microsoft.com/help/4468233/cortana-and-privacy-microsoft-privacy)<br /><br />[Cortana integration in your business or enterprise](/windows/configuration/cortana-at-work/cortana-at-work-overview) | [Privacy statement](https://privacy.microsoft.com/privacystatement#maincortanamodule) |
### 1.2 Data collection monitoring
[Diagnostic Data Viewer (DDV)](diagnostic-data-viewer-overview.md) is a Microsoft Store app (available in Windows 10, version 1803 and newer) that lets a user review the Windows diagnostic data that is being collected on their Windows 10 device and sent to Microsoft in real-time. DDV groups the information into simple categories that describe the data thats being collected.
[Diagnostic Data Viewer (DDV)](diagnostic-data-viewer-overview.md) is a Microsoft Store app (available in Windows 10, version 1803 and later and Windows 11) that lets a user review the Windows diagnostic data that is being collected on their Windows device and sent to Microsoft in real-time. DDV groups the information into simple categories that describe the data thats being collected.
An administrator can also use the Diagnostic Data Viewer for PowerShell module to view the diagnostic data collected from the device instead of using the Diagnostic Data Viewer UI. The [Diagnostic Data Viewer for PowerShell Overview](microsoft-diagnosticdataviewer.md) provides further information.
> [!Note]
> If the Windows diagnostic data processor configuration is enabled, IT administrators should use the admin portal to fulfill data subject requests to access or export Windows diagnostic data associated with a particular users device usage. See [The process for exercising data subject rights](#3-the-process-for-exercising-data-subject-rights).
## 2. Windows 10 data collection management
## 2. Windows data collection management
Windows 10 provides the ability to manage privacy settings through several different methods. Users can change their privacy settings using the Windows 10 settings (**Start > Settings > Privacy**). The organization can also manage the privacy settings using Group Policy or Mobile Device Management (MDM). The following sections provide an overview on how to manage the privacy settings previously discussed in this article.
Windows provides the ability to manage privacy settings through several different methods. Users can change their privacy settings by opening the Settings app in Windows, or the organization can also manage the privacy settings using Group Policy or Mobile Device Management (MDM). The following sections provide an overview on how to manage the privacy settings previously discussed in this article.
### 2.1 Privacy setting options for users
Once a Windows 10 device is set up, a user can manage data collection settings by navigating to **Start > Settings > Privacy**. Administrators can control privacy settings via setting policy on the device (see Section 2.2 below). If this is the case, the user will see an alert that says **Some settings are hidden or managed by your organization** when they navigate to **Start > Settings > Privacy**. In this case, the user can only change settings in accordance with the policies that the administrator has applied to the device.
Once a Windows device is set up, a user can manage data collection settings by opening the Settings app in Windows. Administrators can control privacy settings via setting policy on the device (see Section 2.2 below). If this is the case, the user will see an alert that says **Some settings are hidden or managed by your organization** when they navigate to the Settings page. In this case, the user can only change settings in accordance with the policies that the administrator has applied to the device.
### 2.2 Privacy setting controls for administrators
@ -82,15 +80,15 @@ Administrators can configure and control privacy settings across their organizat
The following table provides an overview of the privacy settings discussed earlier in this document with details on how to configure these policies. The table also provides information on what the default value would be for each of these privacy settings if you do not manage the setting by using policy and suppress the Out-of-box Experience (OOBE) during device setup. If youre interested in minimizing data collection, we also provide the recommended value to set.
> [!NOTE]
> This is not a complete list of settings that involve connecting to Microsoft services. For a more detailed list, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
> This is not a complete list of settings that involve managing data collection or connecting to Microsoft services. For a more detailed list, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
| Feature/Setting | GP/MDM Documentation | Default State if the Setup experience is suppressed | State to stop/minimize data collection |
|---|---|---|---|
| [Speech](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-speech) | Group Policy:<br />**Computer Configuration** > **Control Panel** > **Regional and Language Options** > **Allow users to enable online speech recognition services**<br /><br />MDM: [Privacy/AllowInputPersonalization](/windows/client-management/mdm/policy-csp-privacy#privacy-allowinputpersonalization) | Off | Off |
| [Location](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location) | Group Policy:<br />**Computer Configuration** > **Windows Components** > **App Privacy** > **Let Windows apps access location**<br /><br />MDM: [Privacy/LetAppsAccessLocation](/windows/client-management/mdm/policy-csp-privacy#privacy-allowinputpersonalization) | Off (Windows 10, version 1903 and later) | Off |
| [Location](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location) | Group Policy:<br />**Computer Configuration** > **Windows Components** > **App Privacy** > **Let Windows apps access location**<br /><br />MDM: [Privacy/LetAppsAccessLocation](/windows/client-management/mdm/policy-csp-privacy#privacy-allowinputpersonalization) | Off (Windows 10, version 1903 and later and Windows 11) | Off |
| [Find my device](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#find-my-device) | Group Policy:<br />**Computer Configuration** > **Windows Components** > **Find My Device** > **Turn On/Off Find My Device**<br /><br />MDM: [Experience/AllFindMyDevice](/windows/client-management/mdm/policy-csp-experience#experience-allowfindmydevice) | Off | Off |
| [Diagnostic Data](configure-windows-diagnostic-data-in-your-organization.md#manage-enterprise-diagnostic-data) | Group Policy:<br />**Computer Configuration** > **Windows Components** > **Data Collection and Preview Builds** > **Allow Telemetry**<br /><br />MDM: [System/AllowTelemetry](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry)<br /><br />**Note**: If you are planning to configure devices, using the Windows diagnostic data processor configuration option, the state to minimize data collection is not recommended. See [Enabling the Windows diagnostic data processor configuration](#238-diagnostic-data-enabling-the-windows-diagnostic-data-processor-configuration) below for more information. | Required diagnostic data (Windows 10, version 1903 and later)<br /><br />Server editions:<br />Enhanced diagnostic data | Security (Off) and block endpoints |
| [Inking and typing diagnostics](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-ink) | Group Policy:<br />**Computer Configuration** > **Windows Components** > **Text Input** > **Improve inking and typing recognition**<br /><br />MDM: [TextInput/AllowLinguisticDataCollection](/windows/client-management/mdm/policy-csp-textinput#textinput-allowlinguisticdatacollection) | Off (Windows 10, version 1809 and later) | Off |
| [Diagnostic Data](configure-windows-diagnostic-data-in-your-organization.md) | Group Policy:<br />**Computer Configuration** > **Windows Components** > **Data Collection and Preview Builds** > **Allow Telemetry** (or **Allow diagnostic data** in Windows 11 or Windows Server 2022)<br /><br />MDM: [System/AllowTelemetry](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry)<br /><br />**Note**: If you are planning to configure devices, using the Windows diagnostic data processor configuration option, the state to minimize data collection is not recommended. See [Enabling the Windows diagnostic data processor configuration](#238-diagnostic-data-enabling-the-windows-diagnostic-data-processor-configuration) below for more information. | Required diagnostic data (Windows 10, version 1903 and later and Windows 11)<br /><br />Server editions:<br />Enhanced diagnostic data | Security (Off) and block endpoints |
| [Inking and typing diagnostics](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-ink) | Group Policy:<br />**Computer Configuration** > **Windows Components** > **Text Input** > **Improve inking and typing recognition**<br /><br />MDM: [TextInput/AllowLinguisticDataCollection](/windows/client-management/mdm/policy-csp-textinput#textinput-allowlinguisticdatacollection) | Off (Windows 10, version 1809 and later and Windows 11) | Off |
| Tailored Experiences | Group Policy:<br />**User Configuration** > **Windows Components** > **Cloud Content** > **Do not use diagnostic data for tailored experiences**<br /><br />MDM: [Experience/AllowTailoredExperiencesWithDiagnosticData](/windows/client-management/mdm/policy-csp-experience#experience-allowtailoredexperienceswithdiagnosticdata) | Off | Off |
| Advertising ID | Group Policy:<br />**Computer Configuration** > **System** > **User Profile** > **Turn off the advertising Id**<br /><br />MDM: [Privacy/DisableAdvertisingId](/windows/client-management/mdm/policy-csp-privacy#privacy-disableadvertisingid) | Off | Off |
| Activity History/Timeline Cloud Sync | Group Policy:<br />**Computer Configuration** > **System** > **OS Policies** > **Allow upload of User Activities**<br /><br />MDM: [Privacy/EnableActivityFeed](/windows/client-management/mdm/policy-csp-privacy#privacy-enableactivityfeed) | Off | Off |
@ -108,7 +106,7 @@ If you want the ability to fully control and apply restrictions on data being se
Alternatively, your administrators can also choose to use Windows Autopilot. Autopilot lessens the overall burden of deployment while allowing administrators to fully customize the out-of-box experience. However, since Windows Autopilot is a cloud-based solution, administrators should be aware that a minimal set of device identifiers are sent back to Microsoft during initial device boot up. This device-specific information is used to identify the device so that it can receive the administrator-configured Autopilot profile and policies.
You can use the following articles to learn more about Autopilot and how to use Autopilot to deploy Windows 10:
You can use the following articles to learn more about Autopilot and how to use Autopilot to deploy Windows:
- [Overview of Windows Autopilot](/windows/deployment/windows-Autopilot/windows-Autopilot)
- [Windows Autopilot deployment process](/windows/deployment/windows-Autopilot/deployment-process)
@ -119,11 +117,11 @@ Administrators can manage the data sent from their organization to Microsoft by
For more details, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). This topic includes the different methods available on how to configure each setting, the impact to functionality, and which versions of Windows that are applicable.
#### _2.3.3 Managing Windows 10 connections_
#### _2.3.3 Managing Windows connections_
Some Windows components, apps, and related services transfer data to Microsoft network endpoints. An administrator may want to block these endpoints for their organization to meet their specific compliance objectives.
[Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md) provides a list of endpoints for the latest Windows 10 release, along with descriptions of any functionality that would be impacted by restricting data collection. Details for additional Windows versions can be found on the Windows Privacy site under the **Manage Windows 10 connection endpoints** section of the left-hand navigation menu.
The **Manage Windows connection endpoints** section on the left-hand navigation menu provides a list of endpoints for the latest Windows releases, along with descriptions of any functionality that would be impacted by restricting data collection.
#### _2.3.4 Limited functionality baseline_
@ -131,19 +129,19 @@ An organization may want to minimize the amount of data sent back to Microsoft o
>[!IMPORTANT]
> - We recommend that you fully test any modifications to these settings before deploying them in your organization.
> - We also recommend that if you plan to enable the Windows diagnostic data processor configuration, adjust the limited configuration baseline before deploying to ensure the Windows diagnostic setting is not turned off.
> - We also recommend that if you plan to enable the Windows diagnostic data processor configuration, adjust the limited configuration baseline before deploying it to ensure the Windows diagnostic setting is not turned off.
#### _2.3.5 Diagnostic data: Managing notifications for change of level at logon_
Starting with Windows 10, version 1803, if an administrator modifies the diagnostic data collection setting, users are notified of this change during the initial device sign in. For example, if you configure the device to send optional diagnostic data, users will be notified the next time they sign into the device. You can disable these notifications by using the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Configure telemetry opt-in change notifications** or the MDM policy `ConfigureTelemetryOptInChangeNotification`.
Starting with Windows 10, version 1803 and Windows 11, if an administrator modifies the diagnostic data collection setting, users are notified of this change during the initial device sign in. For example, if you configure the device to send optional diagnostic data, users will be notified the next time they sign into the device. You can disable these notifications by using the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Configure telemetry opt-in change notifications** or the MDM policy `ConfigureTelemetryOptInChangeNotification`.
#### _2.3.6 Diagnostic data: Managing end user choice for changing the setting_
Windows 10, version 1803 and newer allows users to change their diagnostic data level to a lower setting than what their administrator has set. For example, if you have configured the device to send optional diagnostic data, a user can change the setting so that only required diagnostic data is sent by going into **Settings** > **Privacy** > **Diagnostics & feedback**. Administrators can restrict a users ability to change the setting using **Setting** > **Privacy** by setting the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Configure telemetry opt-in setting user interface** or the MDM policy `ConfigureTelemetryOptInSettingsUx`.
Windows 10, version 1803 and later and Windows 11 allows users to change their diagnostic data level to a lower setting than what their administrator has set. For example, if you have configured the device to send optional diagnostic data, a user can change the setting so that only required diagnostic data is sent by opening the Settings app in Windows. Administrators can restrict a users ability to change the setting by enabling the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Configure telemetry opt-in setting user interface** or the MDM policy `ConfigureTelemetryOptInSettingsUx`.
#### _2.3.7 Diagnostic data: Managing device-based data delete_
Windows 10, version 1809 and newer allows a user to delete diagnostic data collected from their device by using **Settings** > **Privacy** > **Diagnostic & feedback** and clicking the **Delete** button under the **Delete diagnostic data** heading. An administrator can also delete diagnostic data for a device using the [Clear-WindowsDiagnosticData](/powershell/module/windowsdiagnosticdata/Clear-WindowsDiagnosticData) PowerShell cmdlet.
Windows 10, version 1809 and later and Windows 11 allow a user to delete diagnostic data collected from their device by opening the Settings app in Windows and navigating to **Diagnostic & feedback** and clicking the **Delete** button under the **Delete diagnostic data** heading. An administrator can also delete diagnostic data for a device using the [Clear-WindowsDiagnosticData](/powershell/module/windowsdiagnosticdata/Clear-WindowsDiagnosticData) PowerShell cmdlet.
An administrator can disable a users ability to delete their devices diagnostic data by setting the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Disable deleting diagnostic data** or the MDM policy `DisableDeviceDelete`.
@ -154,9 +152,10 @@ An administrator can disable a users ability to delete their devices diagn
**Applies to:**
- Windows 10 Enterprise, Pro, Education editions, version 1809 with July 2021 update and newer
- Windows 11 Enterprise, Professional, and Education editions
- Windows 10 Enterprise, Professional, and Education, version 1809 with July 2021 update and newer
The Windows diagnostic data processor configuration enables IT administrators to be the controller, as defined by the European Union General Data Protection Regulation (GDPR), for the Windows diagnostic data collected from Windows 10 devices that are Azure Active Directory (AAD) joined and meet the configuration requirements. For more information, see [Enable Windows diagnostic data processor configuration](configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration) in [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). Windows diagnostic data does not include data processed by Microsoft in connection with providing service-based capabilities.
The Windows diagnostic data processor configuration enables IT administrators to be the controller, as defined by the European Union General Data Protection Regulation (GDPR), for the Windows diagnostic data collected from Windows devices that are Azure Active Directory (AAD) joined and meet the configuration requirements. For more information, see [Enable Windows diagnostic data processor configuration](configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration) in [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). Windows diagnostic data does not include data processed by Microsoft in connection with providing service-based capabilities.
The Windows diagnostic data collected from devices enabled with the Windows diagnostic data processor configuration may be associated with a specific AAD User ID or device ID. The Windows diagnostic data processor configuration provides you with controls that help respond to data subject requests (DSRs) to delete diagnostic data, at user account closure, for a specific AAD User ID. Additionally, youre able to execute an export DSR for diagnostic data related to a specific AAD User ID. For more information, see [The process for exercising data subject rights](#3-the-process-for-exercising-data-subject-rights). Microsoft also will accommodate a tenant account closure, either because you decide to close your Azure or Azure AD tenant account, or because you decide you no longer wish to be the data controller for Windows diagnostic data, but still wish to remain an Azure customer.
@ -174,20 +173,20 @@ For more information on how Microsoft can help you honor rights and fulfill obli
## 3. The process for exercising data subject rights
This section discusses the different methods Microsoft provides for users and administrators to exercise data subject rights for data collected from a Windows 10 device.
This section discusses the different methods Microsoft provides for users and administrators to exercise data subject rights for data collected from a Windows device.
For IT administrators who have devices using the Windows diagnostic data processor configuration, refer to the [Data Subject Requests for the GDPR and CCPA](/compliance/regulatory/gdpr-dsr-windows). Otherwise proceed to the sections below.
### 3.1 Delete
Users can delete their device-based data by going to **Settings** > **Privacy** > **Diagnostic & feedback** and clicking the **Delete** button under the **Delete diagnostic data** heading. Administrators can also use the [Clear-WindowsDiagnosticData](/powershell/module/windowsdiagnosticdata/Clear-WindowsDiagnosticData) PowerShell cmdlet.
Users can delete their device-based data by opening the Windows settings app and navigating to **Diagnostic & feedback** and clicking the **Delete** button under the **Delete diagnostic data** heading. Administrators can also use the [Clear-WindowsDiagnosticData](/powershell/module/windowsdiagnosticdata/Clear-WindowsDiagnosticData) PowerShell cmdlet.
>[!Note]
>If the Windows diagnostic data processor configuration is being used, the Delete diagnostic data functionality will be disabled. IT administrators can delete diagnostic data associated with a user from the admin portal.
### 3.2 View
The [Diagnostic Data Viewer (DDV)](diagnostic-data-viewer-overview.md) provides a view into the diagnostic data being collected from a Windows 10 device. Administrators can also use the [Get-DiagnosticData](microsoft-diagnosticdataviewer.md#install-and-use-the-diagnostic-data-viewer-for-powershell) PowerShell cmdlet.
The [Diagnostic Data Viewer (DDV)](diagnostic-data-viewer-overview.md) provides a view into the diagnostic data being collected from a Windows device. Administrators can also use the [Get-DiagnosticData](microsoft-diagnosticdataviewer.md#install-and-use-the-diagnostic-data-viewer-for-powershell) PowerShell cmdlet.
>[!Note]
>If the Windows diagnostic data processor configuration is enabled, IT administrators can view the diagnostic data that is associated with a user from the admin portal.
@ -216,7 +215,7 @@ The following sections provide details about how privacy data is collected and m
### 5.1 Windows Server 2016 and newer
Windows Server follows the same mechanisms as Windows 10 for handling of personal data.
Windows Server follows the same mechanisms as Windows 10 (and newer versions) for handling of personal data.
>[!Note]
>The Windows diagnostic data processor configuration is not available for Windows Server.
@ -235,15 +234,15 @@ An administrator can configure privacy-related settings, such as choosing to onl
### 5.3 Desktop Analytics
[Desktop Analytics](/mem/configmgr/desktop-analytics/overview) is a set of solutions for Azure portal that provide you with extensive data about the state of devices in your deployment. Desktop Analytics is a separate offering from Windows 10 and is dependent on enabling a minimum set of data collection on the device to function.
[Desktop Analytics](/mem/configmgr/desktop-analytics/overview) is a set of solutions for Azure portal that provide you with extensive data about the state of devices in your deployment. Desktop Analytics is a separate offering from Windows and is dependent on enabling a minimum set of data collection on the device to function.
### 5.4 Microsoft Managed Desktop
[Microsoft Managed Desktop (MMD)](/microsoft-365/managed-desktop/service-description/) is a service that provides your users with a secure modern experience and always keeps devices up to date with the latest versions of Windows 10 Enterprise edition, Office 365 ProPlus, and Microsoft security services.
[Microsoft Managed Desktop (MMD)](/microsoft-365/managed-desktop/service-description/) is a service that provides your users with a secure modern experience and always keeps devices up to date with the latest versions of Windows Enterprise edition, Office 365 ProPlus, and Microsoft security services.
### 5.5 Update Compliance
[Update Compliance](/windows/deployment/update/update-compliance-monitor) is a service that enables organizations to monitor security, quality and feature updates for Windows 10 Professional, Education, and Enterprise editions, and view a report of device and update issues related to compliance that need attention. Update Compliance uses Windows 10 diagnostic data for all its reporting.
[Update Compliance](/windows/deployment/update/update-compliance-monitor) is a service that enables organizations to monitor security, quality and feature updates for Windows Professional, Education, and Enterprise editions, and view a report of device and update issues related to compliance that need attention. Update Compliance uses Windows diagnostic data for all its reporting.
## Additional Resources

246
windows/privacy/windows-11-endpoints-non-enterprise-editions.md Normal file
View File

@ -0,0 +1,246 @@
---
title: Windows 11 connection endpoints for non-Enterprise editions
description: Explains what Windows 11 endpoints are used in non-Enterprise editions. Specific to Windows 11.
keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.localizationpriority: high
audience: ITPro
author: gental-giant
ms.author: v-hakima
manager: robsize
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 12/17/2020
---
# Windows 11 connection endpoints for non-Enterprise editions
**Applies to**
- Windows 11
In addition to the endpoints listed for [Windows 11 Enterprise](manage-windows-11-endpoints.md), the following endpoints are available on other non-Enterprise editions of Windows 11.
The following methodology was used to derive the network endpoints:
1. Set up the latest version of Windows 11 on a test virtual machine using the default settings.
2. Leave the device(s) running idle for a week ("idle" means a user is not interacting with the system/device).
3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
4. Compile reports on traffic going to public IP addresses.
5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory.
6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here.
7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different.
8. These tests were conducted for one week. If you capture traffic for longer, you may have different results.
> [!NOTE]
> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time.
## Windows 11 Family
| **Area** | **Description** | **Protocol** | **Destination** |
|-----------|--------------- |------------- |-----------------|
| Activity Feed Service |The following endpoints are used by Activity Feed Service, which enables multiple cross-device data roaming scenarios on Windows|TLSv1.2/HTTPS/HTTP|activity.windows.com|
|Apps|The following endpoints are used for the Weather app.|TLSv1.2/HTTPS/HTTP|tile-service.weather.microsoft.com|
||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS/HTTP|evoke-windowsservices-tas.msedge.net|
||The following endpoint is used for OneNote Live Tile.|HTTPS/HTTP|cdn.onenote.net|
||Used for Spotify Live Tile|HTTPS/HTTP|spclient.wg.spotify.com|
|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available.|TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com/*|
|Cortana and Live Tiles|The following endpoints are related to Cortana and Live Tiles|TLSv1.2/HTTPS/HTTP|www.bing.com*|
|||HTTPS/HTTP|fp.msedge.net|
|||HTTPS/HTTP|k-ring.msedge.net|
|||TLSv1.2|b-ring.msedge.net|
|Device authentication|The following endpoint is used to authenticate a device.|HTTPS|login.live.com*|
|Device Directory Service|Used by Device Directory Service to keep track of user-device associations and storing metadata about the devices.|HTTPS/HTTP|cs.dds.microsoft.com|
|Device metadata|The following endpoint is used to retrieve device metadata.|TLSv1.2/HTTP|dmd.metaservices.microsoft.com|
|Diagnostic data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. <br/>If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.|TLSv1.2/HTTP|v10.events.data.microsoft.com|
||The following endpoints are used by Windows Error Reporting.|TLSv1.2/HTTPS/HTTP|watson.telemetry.microsoft.com|
|Font Streaming|The following endpoints are used to download fonts on demand.|TLSv1.2/HTTPS|fs.microsoft.com*|
|Licensing|The following endpoint is used for online activation and some app licensing.|HTTPS/HTTP|*licensing.mp.microsoft.com|
|||HTTPS|licensing.mp.microsoft.com/v7.0/licenses/content|
|Location|The following endpoints are used for location data.|TLSV1.2|inference.location.live.net|
|Maps|The following endpoints are used to check for updates to maps that have been downloaded for offline use.|HTTPS/HTTP|maps.windows.com|
|||HTTPS/HTTP|*.ssl.ak.dynamic.tiles.virtualearth.net|
|||HTTPS/HTTP|*.ssl.ak.tiles.virtualearth.net|
|||HTTPS/HTTP|dev.virtualearth.net|
|||HTTPS/HTTP|ecn.dev.virtualearth.net|
|||HTTPS/HTTP|ssl.bing.com|
|Microsoft Account|The following endpoints are used for Microsoft accounts to sign in|TLSv1.2/HTTPS/HTTP|*login.live.com|
|Microsoft Edge| This network traffic is related to the Microsoft Edge browser. The Microsoft Edge browser requires these endpoint to contact external websites.|HTTPS/HTTP|edge.activity.windows.com </br> edge.microsoft.com|
|Microsoft Edge|The following endpoint is used by Microsoft Edge Update service to check for new updates. If you disable this endpoint, Microsoft Edge wont be able to check for and apply new edge updates.|HTTPS/HTTP|msedge.api.cdp.microsoft.com|
|Microsoft Store|The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps)|TLSv1.2/HTTPS/HTTP|img-prod-cms-rt-microsoft-com.akamaized.net|
||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way.|TLSv1.2/HTTPS|*.wns.windows.com|
||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com|
||The following endpoints are used to communicate with Microsoft Store.|TLSv1.2/HTTPS/HTTP|*displaycatalog.mp.microsoft.com|
|||HTTPS|pti.store.microsoft.com|
|||HTTPS|storesdk.dsx.mp.microsoft.com|
||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com|
||The following endpoints are used get images that are used for Microsoft Store suggestions|TLSv1.2|store-images.s-microsoft.com|
|Network Connection Status Indicator (NCSI)|Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet.|TLSv1.2/HTTP|www.msftconnecttest.com*|
|Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS/HTTP|outlook.office365.com|
|||TLSv1.2/HTTPS|office.com|
|||TLSv1.2/HTTPS|blobs.officehome.msocdn.com|
|||HTTPS/HTTP|officehomeblobs.blob.core.windows.net|
|||HTTP/HTTPS|*.blob.core.windows.net|
|||TLSv1.2|self.events.data.microsoft.com|
|||HTTPS/HTTP|outlookmobile-office365-tas.msedge.net|
|||HTTP|roaming.officeapps.live.com|
|||HTTPS/HTTP|substrate.office.com|
|OneDrive|The following endpoints are related to OneDrive.|HTTPS|g.live.com|
|||TLSv1.2/HTTPS|oneclient.sfx.ms|
|||HTTPS/TLSv1.2|logincdn.msauth.net|
|||HTTPS/HTTP|windows.policies.live.net|
|||HTTPS/HTTP|api.onedrive.com|
|||HTTPS/HTTP|skydrivesync.policies.live.net|
|||HTTPS/HTTP|*storage.live.com|
|||HTTPS/HTTP|*settings.live.net|
|Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.|TLSv1.2/HTTPS/HTTP|settings.data.microsoft.com*|
|||TLSv1.2/HTTPS/HTTP|settings-win.data.microsoft.com*|
|Skype|The following endpoint is used to retrieve Skype configuration values.|TLSv1.2/HTTPS/HTTP|*.pipe.aria.microsoft.com|
|||TLSv1.2/HTTPS/HTTP|config.edge.skype.com|
|Teams|The following endpoint is used for Microsoft Teams application.|TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com|
|Microsoft Defender Antivirus|The following endpoints are used for Windows Defender when Cloud-based Protection is enabled|TLSv1.2/HTTPS|wdcp.microsoft.com </br>wdcpalt.microsoft.com|
|||HTTPS/HTTP|*.smartscreen-prod.microsoft.com|
|||TLSv1.2|definitionupdates.microsoft.com|
||The following endpoints are used for Windows Defender SmartScreen reporting and notifications.|TLSv1.2|*.smartscreen.microsoft.com|
|||TLSv1.2/HTTP|checkappexec.microsoft.com|
|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips.|TLSv1.2/HTTPS/HTTP|arc.msn.com*</br>ris.api.iris.microsoft.com|
|||HTTPS|mucp.api.account.microsoft.com|
|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers.|TLSv1.2/HTTPS/HTTP|*.prod.do.dsp.mp.microsoft.com|
|||TLSv1.2/HTTP|emdl.ws.microsoft.com|
|||TLSv1.2/HTTPS/HTTP|*.dl.delivery.mp.microsoft.com|
||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store.|TLSv1.2/HTTP|*.windowsupdate.com|
|||TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com|
||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store to help keep the device secure.|TLSv1.2/HTTPS/HTTP|*.update.microsoft.com|
||The following endpoint is used for compatibility database updates for Windows.|HTTP/HTTPS|adl.windows.com|
||The following endpoint is used for content regulation.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com|
|Xbox Live|The following endpoints are used for Xbox Live.|TLSv1.2/HTTPS/HTTP|dlassets-ssl.xboxlive.com|
|||TLSv1.2/HTTPS|da.xboxservices.com|
|||HTTPS|www.xboxab.com|
## Windows 11 Pro
| **Area** | **Description** | **Protocol** | **Destination** |
| --- | --- | --- | ---|
| Activity Feed Service |The following endpoints are used by Activity Feed Service, which enables multiple cross-device data roaming scenarios on Windows|TLSv1.2/HTTPS/HTTP|activity.windows.com|
|Apps|The following endpoints are used for the Weather app.|TLSv1.2/HTTPS/HTTP|tile-service.weather.microsoft.com|
||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS/HTTP|evoke-windowsservices-tas.msedge.net|
||The following endpoint is used for OneNote Live Tile.|HTTPS/HTTP|cdn.onenote.net|
||Used for Spotify Live Tile|HTTPS/HTTP|spclient.wg.spotify.com|
|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available.|TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com/*|
|Cortana and Live Tiles|The following endpoints are related to Cortana and Live Tiles|TLSv1.2/HTTPS/HTTP|www.bing.com*|
|Device authentication|The following endpoint is used to authenticate a device.|HTTPS|login.live.com*|
|Device metadata|The following endpoint is used to retrieve device metadata.|TLSv1.2/HTTP|dmd.metaservices.microsoft.com|
|Diagnostic data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. <br/>If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. |TLSv1.2/HTTP|v10.events.data.microsoft.com|
||The following endpoints are used by Windows Error Reporting.|TLSv1.2/HTTPS/HTTP|watson.telemetry.microsoft.com|
|Font Streaming|The following endpoints are used to download fonts on demand.|TLSv1.2/HTTPS|fs.microsoft.com*|
|Licensing|The following endpoint is used for online activation and some app licensing.|HTTPS/HTTP|*licensing.mp.microsoft.com|
|Maps|The following endpoints are used to check for updates to maps that have been downloaded for offline use.|HTTPS/HTTP|maps.windows.com|
|Microsoft Account|The following endpoints are used for Microsoft accounts to sign in. |TLSv1.2/HTTPS/HTTP|*login.live.com|
|Microsoft Edge|The following endpoint is used by Microsoft Edge Update service to check for new updates. If you disable this endpoint, Microsoft Edge wont be able to check for and apply new edge updates. |HTTPS/HTTP|msedge.api.cdp.microsoft.com|
|Microsoft Store|The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps)|TLSv1.2/HTTPS/HTTP|img-prod-cms-rt-microsoft-com.akamaized.net|
||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way.|TLSv1.2/HTTPS|*.wns.windows.com|
||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com|
||The following endpoints are used to communicate with Microsoft Store.|TLSv1.2/HTTPS/HTTP|*displaycatalog.mp.microsoft.com|
|||HTTPS|pti.store.microsoft.com|
|||HTTPS|storesdk.dsx.mp.microsoft.com|
||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com|
|Network Connection Status Indicator (NCSI)|Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet.|TLSv1.2/HTTP|www.msftconnecttest.com*|
|Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS/HTTP|outlook.office365.com|
|||TLSv1.2/HTTPS|office.com|
|||TLSv1.2/HTTPS|blobs.officehome.msocdn.com|
|||HTTPS/HTTP|officehomeblobs.blob.core.windows.net|
|||HTTP/HTTPS|*.blob.core.windows.net|
|||TLSv1.2|self.events.data.microsoft.com|
|||HTTPS/HTTP|outlookmobile-office365-tas.msedge.net|
|||TLSv1.2/HTTPS/HTTP|officeclient.microsoft.com|
|||HTTPS/HTTP|substrate.office.com|
|OneDrive|The following endpoints are related to OneDrive.|HTTPS|g.live.com|
|||TLSv1.2/HTTPS|oneclient.sfx.ms|
|||HTTPS/TLSv1.2|logincdn.msauth.net|
|||HTTPS/HTTP|windows.policies.live.net|
|||HTTPS/HTTP|*storage.live.com|
|||HTTPS/HTTP|*settings.live.net|
|Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.|TLSv1.2/HTTPS/HTTP|settings.data.microsoft.com*|
|||TLSv1.2/HTTPS/HTTP|settings-win.data.microsoft.com*|
|Skype|The following endpoint is used to retrieve Skype configuration values.|TLSv1.2/HTTPS/HTTP|*.pipe.aria.microsoft.com|
|||TLSv1.2/HTTPS/HTTP|config.edge.skype.com|
|Teams|The following endpoint is used for Microsoft Teams application.|TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com|
|Microsoft Defender Antivirus|The following endpoints are used for Windows Defender when Cloud-based Protection is enabled|TLSv1.2/HTTPS|wdcp.microsoft.com</br>wdcpalt.microsoft.com|
|||HTTPS/HTTP|*.smartscreen-prod.microsoft.com|
||The following endpoints are used for Windows Defender SmartScreen reporting and notifications.|TLSv1.2|*.smartscreen.microsoft.com|
|||TLSv1.2/HTTP|checkappexec.microsoft.com|
|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips.|TLSv1.2/HTTPS/HTTP|arc.msn.com*</br>ris.api.iris.microsoft.com|
|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers.|TLSv1.2/HTTPS/HTTP|*.prod.do.dsp.mp.microsoft.com|
|||TLSv1.2/HTTP|emdl.ws.microsoft.com|
|||TLSv1.2/HTTPS/HTTP|*.dl.delivery.mp.microsoft.com|
||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store.|TLSv1.2/HTTP|*.windowsupdate.com|
|||TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com|
||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store to help keep the device secure.|TLSv1.2/HTTPS/HTTP|*.update.microsoft.com|
||The following endpoint is used for compatibility database updates for Windows.|HTTP/HTTPS|adl.windows.com|
||The following endpoint is used for content regulation.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com|
|Xbox Live|The following endpoints are used for Xbox Live.|TLSv1.2/HTTPS/HTTP|dlassets-ssl.xboxlive.com|
|||TLSv1.2/HTTPS|da.xboxservices.com|
## Windows 11 Education
| **Area** | **Description** | **Protocol** | **Destination** |
| --- | --- | --- | ---|
| Activity Feed Service |The following endpoints are used by Activity Feed Service, which enables multiple cross-device data roaming scenarios on Windows|TLSv1.2/HTTPS/HTTP|activity.windows.com|
|Apps|The following endpoints are used for the Weather app.|TLSv1.2/HTTPS/HTTP|tile-service.weather.microsoft.com|
||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS/HTTP|evoke-windowsservices-tas.msedge.net|
||The following endpoint is used for OneNote Live Tile.|HTTPS/HTTP|cdn.onenote.net|
|Bing Search|The following endpoint is used by Microsoft Search in Bing enabling users to search across files, SharePoint sites, OneDrive content, Teams and Yammer conversations, and other shared data sources in an organization, as well as the web.|HTTPS|business.bing.com|
|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available.|TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com/*|
|Cortana and Live Tiles|The following endpoints are related to Cortana and Live Tiles|TLSv1.2/HTTPS/HTTP|www.bing.com*|
|||HTTPS/HTTP|fp.msedge.net|
|||TLSv1.2|odinvzc.azureedge.net|
|||TLSv1.2|b-ring.msedge.net|
|Device metadata|The following endpoint is used to retrieve device metadata.|TLSv1.2/HTTP|dmd.metaservices.microsoft.com|
|Diagnostic data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. <br/>If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.|TLSv1.2/HTTP|v10.events.data.microsoft.com|
||The following endpoints are used by Windows Error Reporting.|TLSv1.2/HTTPS/HTTP|watson.telemetry.microsoft.com|
|Font Streaming|The following endpoints are used to download fonts on demand.|TLSv1.2/HTTPS|fs.microsoft.com*|
|Licensing|The following endpoint is used for online activation and some app licensing.|HTTPS/HTTP|*licensing.mp.microsoft.com|
|Location|The following endpoints are used for location data.|TLSV1.2|inference.location.live.net|
|Maps|The following endpoints are used to check for updates to maps that have been downloaded for offline use.|HTTPS/HTTP|maps.windows.com|
|Microsoft Account|The following endpoints are used for Microsoft accounts to sign in|TLSv1.2/HTTPS/HTTP|*login.live.com|
|Microsoft Edge|The following endpoint is used by Microsoft Edge Update service to check for new updates. If you disable this endpoint, Microsoft Edge wont be able to check for and apply new edge updates.|HTTPS/HTTP|msedge.api.cdp.microsoft.com|
|Microsoft Store|The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps)|TLSv1.2/HTTPS/HTTP|img-prod-cms-rt-microsoft-com.akamaized.net|
||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way.|TLSv1.2/HTTPS|*.wns.windows.com|
||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com|
|||TLSv1.2/HTTPS/HTTP|1storecatalogrevocation.storequality.microsoft.com|
||The following endpoints are used to communicate with Microsoft Store.|TLSv1.2/HTTPS/HTTP|*displaycatalog.mp.microsoft.com|
|||HTTPS|pti.store.microsoft.com|
|||HTTPS|storesdk.dsx.mp.microsoft.com|
||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com|
|Network Connection Status Indicator (NCSI)|Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet.|TLSv1.2/HTTP|www.msftconnecttest.com*|
|Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS|office.com|
|||HTTPS/HTTP|officehomeblobs.blob.core.windows.net|
|||TLSv1.2|self.events.data.microsoft.com|
|OneDrive|The following endpoints are related to OneDrive.|HTTPS|g.live.com|
|||TLSv1.2/HTTPS|oneclient.sfx.ms|
|||HTTPS/TLSv1.2|logincdn.msauth.net|
|Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.|TLSv1.2/HTTPS/HTTP|settings.data.microsoft.com*|
|||TLSv1.2/HTTPS/HTTP|settings-win.data.microsoft.com*|
|Skype|The following endpoint is used to retrieve Skype configuration values.|TLSv1.2/HTTPS/HTTP|*.pipe.aria.microsoft.com|
|||TLSv1.2/HTTPS/HTTP|config.edge.skype.com|
|Teams|The following endpoint is used for Microsoft Teams application.|TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com|
|Microsoft Defender Antivirus|The following endpoints are used for Windows Defender when Cloud-based Protection is enabled|TLSv1.2/HTTPS|wdcp.microsoft.com</br>wdcpalt.microsoft.com|
|||HTTPS/HTTP|*.smartscreen-prod.microsoft.com|
||The following endpoints are used for Windows Defender SmartScreen reporting and notifications.|TLSv1.2|*.smartscreen.microsoft.com|
|||TLSv1.2/HTTP|checkappexec.microsoft.com|
|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips.|TLSv1.2/HTTPS/HTTP|arc.msn.com*</br>ris.api.iris.microsoft.com|
|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers.|TLSv1.2/HTTPS/HTTP|*.prod.do.dsp.mp.microsoft.com|
|||TLSv1.2/HTTP|emdl.ws.microsoft.com|
|||TLSv1.2/HTTPS/HTTP|*.dl.delivery.mp.microsoft.com|
||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store.|TLSv1.2/HTTP|*.windowsupdate.com|
|||TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com|
||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store to help keep the device secure.|TLSv1.2/HTTPS/HTTP|*.update.microsoft.com|
||The following endpoint is used for compatibility database updates for Windows.|HTTP/HTTPS|adl.windows.com|
||The following endpoint is used for content regulation.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com|
|Xbox Live|The following endpoints are used for Xbox Live.|TLSv1.2/HTTPS/HTTP|dlassets-ssl.xboxlive.com|
|||TLSv1.2/HTTPS|da.xboxservices.com|

42
windows/privacy/windows-diagnostic-data.md
View File

@ -1,5 +1,5 @@
---
title: Windows 10, version 1709 and newer optional diagnostic data (Windows 10)
title: Windows 10, version 1709 and Windows 11 and later optional diagnostic data (Windows 10)
description: Use this article to learn about the types of optional diagnostic data that is collected.
keywords: privacy,Windows 10
ms.prod: w10
@ -15,9 +15,10 @@ ms.topic: article
ms.reviewer:
---
# Windows 10, version 1709 and newer optional diagnostic data
# Windows 10, version 1709 and later and Windows 11 optional diagnostic data
Applies to:
- Windows 11
- Windows 10, version 20H2
- Windows 10, version 2004
- Windows 10, version 1909
@ -26,7 +27,7 @@ Applies to:
- Windows 10, version 1803
- Windows 10, version 1709
Microsoft uses Windows diagnostic data to keep Windows secure and up-to-date, troubleshoot problems, and make product improvements. For users who have turned on "Tailored experiences", it can also be used to offer you personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs. This article describes all types of diagnostic data collected by Windows at the Full level (inclusive of data collected at Basic), with comprehensive examples of data we collect per each type. For additional, detailed technical descriptions of Basic data items, see [Windows 10, version 20H2 required diagnostic events and fields](/windows/configuration/basic-level-windows-diagnostic-events-and-fields).
Microsoft uses Windows diagnostic data to keep Windows secure and up-to-date, troubleshoot problems, and make product improvements. For users who have turned on "Tailored experiences", it can also be used to offer you personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs. This article describes all types of optional diagnostic data collected by Windows, with comprehensive examples of data we collect per each type. For additional, detailed technical descriptions of Basic data items, see [Windows 11 required diagnostic events and fields](/windows/privacy/required-windows-11-diagnostic-events-and-fields).
In addition, this article provides references to equivalent definitions for the data types and examples from [ISO/IEC 19944-1:2020 Information technology - Cloud computing - Cloud services and devices: Data flow, data categories, and data use](https://www.iso.org/standard/79573.html). Each data type also has a Data Use statement, for diagnostics and for Tailored experiences on the device, using the terms as defined by the standard. These Data Use statements define the purposes for which Microsoft processes each type of Windows diagnostic data, using a uniform set of definitions referenced at the end of this document and based on the ISO standard. Reference to the ISO standard provides additional clarity about the information collected, and allows easy comparison with other services or guidance that also references the standard.
@ -44,7 +45,7 @@ The data covered in this article is grouped into the following types:
Most diagnostic events contain a header of common data. In each example, the info in parentheses provides the equivalent definition for ISO/IEC 19944-1:2020.
**Data Use for Common data extensions**
Header data supports the use of data associated with all diagnostic events. Therefore, Common data is used to [provide](#provide) Windows 10, and may be used to [improve](#improve), [personalize](#personalize), [recommend](#recommend), [offer](#offer), or [promote](#promote) Microsoft and third-party products and services, depending on the uses described in the **Data Use** statements for each data category.
Header data supports the use of data associated with all diagnostic events. Therefore, Common data is used to [provide](#provide) Windows 10 and Windows 11, and may be used to [improve](#improve), [personalize](#personalize), [recommend](#recommend), [offer](#offer), or [promote](#promote) Microsoft and third-party products and services, depending on the uses described in the **Data Use** statements for each data category.
### Data Description for Common data extensions type
@ -52,7 +53,7 @@ Header data supports the use of data associated with all diagnostic events. Ther
Information that is added to most diagnostic events, if relevant and available:
- Diagnostic level - Basic or Full, Sample level - for sampled data, what sample level is this device opted into (8.2.3.2.4 Observed Usage of the Service Capability)
- Diagnostic level - Required or Optional, Sample level - for sampled data, what sample level is this device opted into (8.2.3.2.4 Observed Usage of the Service Capability)
- Operating system name, version, build, and locale (8.2.3.2.2 Telemetry data)
- Event collection time (8.2.3.2.2 Telemetry data)
- User ID - a unique identifier associated with the user's Microsoft Account (if one is used) or local account. The user's Microsoft Account identifier is not collected from devices configured to send Basic - diagnostic data (8.2.5 Account data)
@ -71,7 +72,7 @@ This type of data includes details about the device, its configuration and conne
### Data Use for Device, Connectivity, and Configuration data
**For Diagnostics:**<br>
[Pseudonymized](#pseudo) Device, Connectivity, and Configuration data from Windows 10 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and related Microsoft products and services. For example:
[Pseudonymized](#pseudo) Device, Connectivity, and Configuration data from Windows 10 and Windows 11 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and Windows 11 and related Microsoft products and services. For example:
- Device, Connectivity, and Configuration data is used to understand the unique device characteristics that can contribute to an error experienced on the device, to identify patterns, and to more quickly resolve problems that impact devices with unique hardware, capabilities, or settings. For example:
@ -81,10 +82,10 @@ This type of data includes details about the device, its configuration and conne
- Data about device properties, such as the operating system version and available memory, is used to determine whether the device is due to, and able to, receive a Windows update.
- Data about device peripherals is used to determine whether a device has installed drivers that might be negatively impacted by a Windows update.
- Data about which devices, peripherals, and settings are most-used by customers, is used to prioritize Windows 10 improvements to determine the greatest positive impact to the most Windows 10 users.
- Data about which devices, peripherals, and settings are most-used by customers, is used to prioritize Windows 10 and Windows 11 improvements to determine the greatest positive impact to the most Windows 10 and Windows 11 users.
**With (optional) Tailored experiences:**<br>
If a user has enabled Tailored experiences on the device, [Pseudonymized](#pseudo) Device, Connectivity, and Configuration data from Windows 10 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 users. Also, if a user has enabled Tailored experiences on the device, [Pseudonymized](#pseudo) Device, Connectivity, and Configuration data from Windows 10 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 users. For example:
If a user has enabled Tailored experiences on the device, [Pseudonymized](#pseudo) Device, Connectivity, and Configuration data from Windows 10 and Windows 11 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 and Windows 11 users. Also, if a user has enabled Tailored experiences on the device, [Pseudonymized](#pseudo) Device, Connectivity, and Configuration data from Windows 10 and Windows 11 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 and Windows 11users. For example:
- Data about device properties and capabilities is used to provide tips about how to use or configure the device to get the best performance and user experience.
@ -183,17 +184,17 @@ This type of data includes details about the usage of the device, operating syst
### Data Use for Product and Service Usage data
**For Diagnostics:**<br>
[Pseudonymized](#pseudo) Product and Service Usage data from Windows 10 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and related Microsoft product and services. For example:
[Pseudonymized](#pseudo) Product and Service Usage data from Windows 10 and Windows 11 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and Windows 11 and related Microsoft product and services. For example:
- Data about the specific apps that are in-use when an error occurs is used to troubleshoot and repair issues with Windows features and Microsoft apps.
- Data about the specific apps that are most-used by customers, is used to prioritize Windows 10 improvements to determine the greatest positive impact to the most Windows 10 users.
- Data about the specific apps that are in-use when an error occurs is used to troubleshoot and repair issues with Windows features and Microsoft apps.
- Data about the specific apps that are most-used by customers, is used to prioritize Windows 10 and Windows 11 improvements to determine the greatest positive impact to the most Windows 10 and Windows 11 users.
- Data about whether devices have Suggestions turned off from the **Settings Phone** screen is to improve the Suggestions feature.
- Data about whether a user canceled the authentication process in their browser is used to help troubleshoot issues with and improve the authentication process.
- Data about when and what feature invoked Cortana is used to prioritize efforts for improvement and innovation in Cortana.
- Data about when a context menu in the photo app is closed is used to troubleshoot and improve the photo app.
**With (optional) Tailored experiences:**<br>
If a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Product and Service Usage data from Windows 10 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 users. Also, if a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Product and Service Usage data from Windows 10 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 users. For example:
If a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Product and Service Usage data from Windows 10 and Windows 11 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 and Windows 11 users. Also, if a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Product and Service Usage data from Windows 10 and Windows 11 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 and Windows 11 users. For example:
- If data shows that a user has not used a particular feature of Windows, we might recommend that the user try that feature.
- Data about which apps are most-used on a device is used to provide recommendations for similar or complementary (Microsoft or third-party) apps. These apps might be free or paid.
@ -247,7 +248,7 @@ This type of data includes details about the health of the device, operating sys
### Data Use for Product and Service Performance data
**For Diagnostics:**<br>
[Pseudonymized](#pseudo) Product and Service Performance data from Windows 10 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and related Microsoft product and services. For example:
[Pseudonymized](#pseudo) Product and Service Performance data from Windows 10 and Windows 11 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and Windows 11 and related Microsoft product and services. For example:
- Data about the reliability of content that appears in the [Windows Spotlight](/windows/configuration/windows-spotlight) (rotating lock screen images) is used for Windows Spotlight reliability investigations.
- Timing data about how quickly Cortana responds to voice commands is used to improve Cortana listening performance.
@ -255,7 +256,7 @@ This type of data includes details about the health of the device, operating sys
- Data about when an Application Window fails to appear is used to investigate issues with Application Window reliability and performance.
**With (optional) Tailored experiences:**<br>
If a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Product and Service Performance data from Windows 10 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 users. Also, if a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Product and Service Performance data from Windows 10 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 users.
If a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Product and Service Performance data from Windows 10 and Windows 11 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 and Windows 11 users. Also, if a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Product and Service Performance data from Windows 10 and Windows 11 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 and Windows 11 users.
- Data about battery performance on a device may be used to recommend settings changes that can improve battery performance.
- If data shows a device is running low on file storage, we may recommend Windows-compatible cloud storage solutions to free up space.
@ -360,7 +361,7 @@ This type of data includes software installation and update information on the d
### Data Use for Software Setup and Inventory data
**For Diagnostics:**<br>
[Pseudonymized](#pseudo) Software Setup and Inventory data from Windows 10 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and related Microsoft product and services. For example:
[Pseudonymized](#pseudo) Software Setup and Inventory data from Windows 10 and Windows 11 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and Windows 11 and related Microsoft product and services. For example:
- Data about the specific drivers that are installed on a device is used to understand whether there are any hardware or driver compatibility issues that should block or delay a Windows update.
- Data about when a download starts and finishes on a device is used to understand and address download problems.
@ -368,7 +369,7 @@ This type of data includes software installation and update information on the d
- Data about the antimalware installed on a device is used to understand malware transmissions vectors.
**With (optional) Tailored experiences:**<br>
If a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Software Setup and Inventory data from Windows 10 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 users. Also, if a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Software Setup and Inventory data from Windows 10 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 users. For example:
If a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Software Setup and Inventory data from Windows 10 and Windows 11 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 and Windows 11 users. Also, if a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Software Setup and Inventory data from Windows 10 and Windows 11 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 and Windows 11 users. For example:
- Data about the specific apps that are installed on a device is used to provide recommendations for similar or complementary apps in the Microsoft Store.
@ -402,7 +403,7 @@ This type of data includes details about web browsing in the Microsoft browsers.
### Data Use for Browsing History data
**For Diagnostics:**<br>
[Pseudonymized](#pseudo) Browsing History data from Windows 10 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and related Microsoft product and services. For example:
[Pseudonymized](#pseudo) Browsing History data from Windows 10 and Windows 11 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and Windows 11 and related Microsoft product and services. For example:
- Data about when the **Block Content** dialog box has been shown is used for investigations of blocked content.
- Data about potentially abusive or malicious domains is used to make updates to Microsoft Edge and Windows Defender SmartScreen to warn users about the domain.
@ -411,7 +412,7 @@ This type of data includes details about web browsing in the Microsoft browsers.
- Data about when a default **Home** page is changed by a user is used to measure which default **Home** pages are the most popular and how often users change the default **Home** page.
**With (optional) Tailored experiences:**<br>
If a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Browsing History data from Windows 10 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 users. Also, if a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Browsing History data from Windows 10 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 users. For example:
If a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Browsing History data from Windows 10 and Windows 11 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 and Windows 11 users. Also, if a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Browsing History data from Windows 10 and Windows 11 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 and Windows 11 users. For example:
- We might recommend that a user download a compatible app from the Microsoft Store if they have browsed to the related website. For example, if a user uses the Facebook website, we may recommend the Facebook app.
@ -434,13 +435,13 @@ This type of data gathers details about the voice, inking, and typing input feat
### Data Use for Inking, Typing, and Speech Utterance data
**For Diagnostics:**<br>
[Anonymized](#anon) Inking, Typing, and Speech Utterance data from Windows 10 is used by Microsoft to [improve](#improve) natural language capabilities in Microsoft products and services. For example:
[Anonymized](#anon) Inking, Typing, and Speech Utterance data from Windows 10 and Windows 11 is used by Microsoft to [improve](#improve) natural language capabilities in Microsoft products and services. For example:
- Data about words marked as spelling mistakes and replaced with another word from the context menu is used to improve the spelling feature.
- Data about alternate words shown and selected by the user after right-clicking is used to improve the word recommendation feature.
- Data about autocorrected words that were restored back to the original word by the user is used to improve the autocorrect feature.
- Data about whether Narrator detected and recognized a touch gesture is used to improve touch gesture recognition.
- Data about handwriting samples sent from the Handwriting Panel is used to help Microsoft improve handwriting recognition.
- Data about handwriting samples sent from the Handwriting Panel is used to help Microsoft improve handwriting recognition.
**With (optional) Tailored experiences:**
@ -455,7 +456,6 @@ This type of data gathers details about the voice, inking, and typing input feat
- Palm Touch x,y coordinates
- Input latency, missed pen signals, number of frames, strokes, first frame commit time, and sample rate
- Ink strokes written, text before and after the ink insertion point, recognized text entered, input language - processed to remove identifiers, sequencing information, and other data (such as email addresses and - numeric values), which could be used to reconstruct the original content or associate the input to the user
- Text input from Windows 10 Mobile on-screen keyboards, except from password fields and private sessions - processed to remove identifiers, sequencing information, and other data (such as email addresses and numeric values), which could be used to reconstruct the original content or associate the input to the user
- Text of speech recognition results - result codes and recognized text
- Language and model of the recognizer and the System Speech language
- App ID using speech features

260
windows/privacy/windows-endpoints-21H1-non-enterprise-editions.md Normal file
View File

@ -0,0 +1,260 @@
---
title: Windows 10, version 21H1, connection endpoints for non-Enterprise editions
description: Explains what Windows 10 endpoints are used in non-Enterprise editions. Specific to Windows 10, version 21H1.
keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.localizationpriority: high
audience: ITPro
author: gental-giant
ms.author: v-hakima
manager: robsize
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 12/17/2020
---
# Windows 10, version 21H1, connection endpoints for non-Enterprise editions
**Applies to**
- Windows 10 Home, version 21H1
- Windows 10 Professional, version 21H1
- Windows 10 Education, version 21H1
In addition to the endpoints listed for [Windows 10 Enterprise](manage-windows-21H1-endpoints.md), the following endpoints are available on other non-Enterprise editions of Windows 10, version 21H1.
The following methodology was used to derive the network endpoints:
1. Set up the latest version of Windows 10 on a test virtual machine using the default settings.
2. Leave the device(s) running idle for a week ("idle" means a user is not interacting with the system/device).
3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
4. Compile reports on traffic going to public IP addresses.
5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory.
6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here.
7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different.
8. These tests were conducted for one week. If you capture traffic for longer, you may have different results.
> [!NOTE]
> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time.
## Windows 10 Family
| **Area** | **Description** | **Protocol** | **Destination** |
|-----------|--------------- |------------- |-----------------|
| Activity Feed Service |The following endpoints are used by Activity Feed Service, which enables multiple cross-device data roaming scenarios on Windows|TLSv1.2/HTTPS/HTTP|activity.windows.com|
|Apps|The following endpoints are used for the Weather app.|TLSv1.2/HTTPS/HTTP|tile-service.weather.microsoft.com|
||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS/HTTP|evoke-windowsservices-tas.msedge.net|
||The following endpoint is used for OneNote Live Tile.|HTTPS/HTTP|cdn.onenote.net|
||Used for Spotify Live Tile|HTTPS/HTTP|spclient.wg.spotify.com|
|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available.|TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com/*|
|Cortana and Live Tiles|The following endpoints are related to Cortana and Live Tiles|TLSv1.2/HTTPS/HTTP|www.bing.com*|
|||HTTPS/HTTP|fp.msedge.net|
|||HTTPS/HTTP|k-ring.msedge.net|
|||TLSv1.2|b-ring.msedge.net|
|Device authentication|The following endpoint is used to authenticate a device.|HTTPS|login.live.com*|
|Device Directory Service|Used by Device Directory Service to keep track of user-device associations and storing metadata about the devices.|HTTPS/HTTP|cs.dds.microsoft.com|
|Device metadata|The following endpoint is used to retrieve device metadata.|TLSv1.2/HTTP|dmd.metaservices.microsoft.com|
|Diagnostic data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. <br/>If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.|TLSv1.2/HTTP|v10.events.data.microsoft.com|
||The following endpoints are used by Windows Error Reporting.|TLSv1.2/HTTPS/HTTP|watson.telemetry.microsoft.com|
|Font Streaming|The following endpoints are used to download fonts on demand.|TLSv1.2/HTTPS|fs.microsoft.com*|
|Licensing|The following endpoint is used for online activation and some app licensing.|HTTPS/HTTP|*licensing.mp.microsoft.com|
|||HTTPS|licensing.mp.microsoft.com/v7.0/licenses/content|
|Location|The following endpoints are used for location data.|TLSV1.2|inference.location.live.net|
|Maps|The following endpoints are used to check for updates to maps that have been downloaded for offline use.|HTTPS/HTTP|maps.windows.com|
|||HTTPS/HTTP|*.ssl.ak.dynamic.tiles.virtualearth.net|
|||HTTPS/HTTP|*.ssl.ak.tiles.virtualearth.net|
|||HTTPS/HTTP|dev.virtualearth.net|
|||HTTPS/HTTP|ecn.dev.virtualearth.net|
|||HTTPS/HTTP|ssl.bing.com|
|Microsoft Account|The following endpoints are used for Microsoft accounts to sign in|TLSv1.2/HTTPS/HTTP|*login.live.com|
|Microsoft Edge|The following endpoints are used for Microsoft Edge Browser Services.|HTTPS/HTTP|edge.activity.windows.com|
|||HTTPS/HTTP|edge.microsoft.com|
||The following endpoint is used by Microsoft Edge Update service to check for new updates.|HTTPS/HTTP|msedge.api.cdp.microsoft.com|
|Microsoft forward link redirection|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer|HTTP|go.microsoft.com/fwlink/|
|||TLSv1.2/HTTPS/HTTP|go.microsoft.com|
|Microsoft Store|The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps)|TLSv1.2/HTTPS/HTTP|img-prod-cms-rt-microsoft-com.akamaized.net|
||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way.|TLSv1.2/HTTPS|*.wns.windows.com|
||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com|
||The following endpoints are used to communicate with Microsoft Store.|TLSv1.2/HTTPS/HTTP|*displaycatalog.mp.microsoft.com|
|||HTTPS|pti.store.microsoft.com|
|||HTTPS|storesdk.dsx.mp.microsoft.com|
||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com|
||The following endpoints are used get images that are used for Microsoft Store suggestions|TLSv1.2|store-images.s-microsoft.com|
|Network Connection Status Indicator (NCSI)|Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet.|TLSv1.2/HTTP|www.msftconnecttest.com*|
|Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS/HTTP|outlook.office365.com|
|||TLSv1.2/HTTPS|office.com|
|||TLSv1.2/HTTPS|blobs.officehome.msocdn.com|
|||HTTPS/HTTP|officehomeblobs.blob.core.windows.net|
|||HTTP/HTTPS|*.blob.core.windows.net|
|||TLSv1.2|self.events.data.microsoft.com|
|||HTTPS/HTTP|outlookmobile-office365-tas.msedge.net|
|||HTTP|roaming.officeapps.live.com|
|||HTTPS/HTTP|substrate.office.com|
|OneDrive|The following endpoints are related to OneDrive.|HTTPS|g.live.com|
|||TLSv1.2/HTTPS|oneclient.sfx.ms|
|||HTTPS/TLSv1.2|logincdn.msauth.net|
|||HTTPS/HTTP|windows.policies.live.net|
|||HTTPS/HTTP|api.onedrive.com|
|||HTTPS/HTTP|skydrivesync.policies.live.net|
|||HTTPS/HTTP|*storage.live.com|
|||HTTPS/HTTP|*settings.live.net|
|Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.|TLSv1.2/HTTPS/HTTP|settings.data.microsoft.com*|
|||TLSv1.2/HTTPS/HTTP|settings-win.data.microsoft.com*|
|Skype|The following endpoint is used to retrieve Skype configuration values.|TLSv1.2/HTTPS/HTTP|*.pipe.aria.microsoft.com|
|||TLSv1.2/HTTPS/HTTP|config.edge.skype.com|
|Teams|The following endpoint is used for Microsoft Teams application.|TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com|
|Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled|TLSv1.2/HTTPS|wdcp.microsoft.com|
||||wdcpalt.microsoft.com|
|||HTTPS/HTTP|*.smartscreen-prod.microsoft.com|
|||TLSv1.2|definitionupdates.microsoft.com|
||The following endpoints are used for Windows Defender SmartScreen reporting and notifications.|TLSv1.2|*.smartscreen.microsoft.com|
|||TLSv1.2/HTTP|checkappexec.microsoft.com|
|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips.|TLSv1.2/HTTPS/HTTP|arc.msn.com*|
|||TLSv1.2/HTTPS/HTTP|ris.api.iris.microsoft.com|
|||HTTPS|mucp.api.account.microsoft.com|
|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers.|TLSv1.2/HTTPS/HTTP|*.prod.do.dsp.mp.microsoft.com|
|||TLSv1.2/HTTP|emdl.ws.microsoft.com|
|||TLSv1.2/HTTPS/HTTP|*.dl.delivery.mp.microsoft.com|
||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store.|TLSv1.2/HTTP|*.windowsupdate.com|
|||TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com|
||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store to help keep the device secure.|TLSv1.2/HTTPS/HTTP|*.update.microsoft.com|
||The following endpoint is used for compatibility database updates for Windows.|HTTP/HTTPS|adl.windows.com|
||The following endpoint is used for content regulation.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com|
|Xbox Live|The following endpoints are used for Xbox Live.|
|||TLSv1.2/HTTPS/HTTP|dlassets-ssl.xboxlive.com|
|||TLSv1.2/HTTPS|da.xboxservices.com|
|||HTTPS|www.xboxab.com|
|
## Windows 10 Pro
| **Area** | **Description** | **Protocol** | **Destination** |
| --- | --- | --- | ---|
| Activity Feed Service |The following endpoints are used by Activity Feed Service, which enables multiple cross-device data roaming scenarios on Windows|TLSv1.2/HTTPS/HTTP|activity.windows.com|
|Apps|The following endpoints are used for the Weather app.|TLSv1.2/HTTPS/HTTP|tile-service.weather.microsoft.com|
||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS/HTTP|evoke-windowsservices-tas.msedge.net|
||The following endpoint is used for OneNote Live Tile.|HTTPS/HTTP|cdn.onenote.net|
||Used for Spotify Live Tile|HTTPS/HTTP|spclient.wg.spotify.com|
|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available.|TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com/*|
|Cortana and Live Tiles|The following endpoints are related to Cortana and Live Tiles|TLSv1.2/HTTPS/HTTP|www.bing.com*|
|Device authentication|The following endpoint is used to authenticate a device.|HTTPS|login.live.com*|
|Device metadata|The following endpoint is used to retrieve device metadata.|TLSv1.2/HTTP|dmd.metaservices.microsoft.com|
|Diagnostic data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. <br/>If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.|TLSv1.2/HTTP|v10.events.data.microsoft.com|
||The following endpoints are used by Windows Error Reporting.|TLSv1.2/HTTPS/HTTP|watson.telemetry.microsoft.com|
|Font Streaming|The following endpoints are used to download fonts on demand.|TLSv1.2/HTTPS|fs.microsoft.com*|
|Licensing|The following endpoint is used for online activation and some app licensing.|HTTPS/HTTP|*licensing.mp.microsoft.com|
|Maps|The following endpoints are used to check for updates to maps that have been downloaded for offline use.|HTTPS/HTTP|maps.windows.com|
|Microsoft Account|The following endpoints are used for Microsoft accounts to sign in|TLSv1.2/HTTPS/HTTP|*login.live.com|
|Microsoft Edge|The following endpoint is used by Microsoft Edge Update service to check for new updates.|HTTPS/HTTP|msedge.api.cdp.microsoft.com|
|Microsoft forward link redirection|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer|TLSv1.2/HTTPS/HTTP|go.microsoft.com|
|Microsoft Store|The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps)|TLSv1.2/HTTPS/HTTP|img-prod-cms-rt-microsoft-com.akamaized.net|
||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way.|TLSv1.2/HTTPS|*.wns.windows.com|
||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com|
||The following endpoints are used to communicate with Microsoft Store.|TLSv1.2/HTTPS/HTTP|*displaycatalog.mp.microsoft.com|
|||HTTPS|pti.store.microsoft.com|
|||HTTPS|storesdk.dsx.mp.microsoft.com|
||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com|
|Network Connection Status Indicator (NCSI)|Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet.|TLSv1.2/HTTP|www.msftconnecttest.com*|
|Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS/HTTP|outlook.office365.com|
|||TLSv1.2/HTTPS|office.com|
|||TLSv1.2/HTTPS|blobs.officehome.msocdn.com|
|||HTTPS/HTTP|officehomeblobs.blob.core.windows.net|
|||HTTP/HTTPS|*.blob.core.windows.net|
|||TLSv1.2|self.events.data.microsoft.com|
|||HTTPS/HTTP|outlookmobile-office365-tas.msedge.net|
|||TLSv1.2/HTTPS/HTTP|officeclient.microsoft.com|
|||HTTPS/HTTP|substrate.office.com|
|OneDrive|The following endpoints are related to OneDrive.|HTTPS|g.live.com|
|||TLSv1.2/HTTPS|oneclient.sfx.ms|
|||HTTPS/TLSv1.2|logincdn.msauth.net|
|||HTTPS/HTTP|windows.policies.live.net|
|||HTTPS/HTTP|*storage.live.com|
|||HTTPS/HTTP|*settings.live.net|
|Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.|TLSv1.2/HTTPS/HTTP|settings.data.microsoft.com*|
|||TLSv1.2/HTTPS/HTTP|settings-win.data.microsoft.com*|
|Skype|The following endpoint is used to retrieve Skype configuration values.|TLSv1.2/HTTPS/HTTP|*.pipe.aria.microsoft.com|
|||TLSv1.2/HTTPS/HTTP|config.edge.skype.com|
|Teams|The following endpoint is used for Microsoft Teams application.|TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com|
|Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled|TLSv1.2/HTTPS|wdcp.microsoft.com|
||||wdcpalt.microsoft.com|
|||HTTPS/HTTP|*.smartscreen-prod.microsoft.com|
||The following endpoints are used for Windows Defender SmartScreen reporting and notifications.|TLSv1.2|*.smartscreen.microsoft.com|
|||TLSv1.2/HTTP|checkappexec.microsoft.com|
|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips.|TLSv1.2/HTTPS/HTTP|arc.msn.com*|
|||TLSv1.2/HTTPS/HTTP|ris.api.iris.microsoft.com|
|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers.|TLSv1.2/HTTPS/HTTP|*.prod.do.dsp.mp.microsoft.com|
|||TLSv1.2/HTTP|emdl.ws.microsoft.com|
|||TLSv1.2/HTTPS/HTTP|*.dl.delivery.mp.microsoft.com|
||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store.|TLSv1.2/HTTP|*.windowsupdate.com|
|||TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com|
||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store to help keep the device secure.|TLSv1.2/HTTPS/HTTP|*.update.microsoft.com|
||The following endpoint is used for compatibility database updates for Windows.|HTTP/HTTPS|adl.windows.com|
||The following endpoint is used for content regulation.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com|
|Xbox Live|The following endpoints are used for Xbox Live.|
|||TLSv1.2/HTTPS/HTTP|dlassets-ssl.xboxlive.com|
|||TLSv1.2/HTTPS|da.xboxservices.com|
|
## Windows 10 Education
| **Area** | **Description** | **Protocol** | **Destination** |
| --- | --- | --- | ---|
| Activity Feed Service |The following endpoints are used by Activity Feed Service, which enables multiple cross-device data roaming scenarios on Windows|TLSv1.2/HTTPS/HTTP|activity.windows.com|
|Apps|The following endpoints are used for the Weather app.|TLSv1.2/HTTPS/HTTP|tile-service.weather.microsoft.com|
||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS/HTTP|evoke-windowsservices-tas.msedge.net|
||The following endpoint is used for OneNote Live Tile.|HTTPS/HTTP|cdn.onenote.net|
|Bing Search|The following endpoint is used by Microsoft Search in Bing enabling users to search across files, SharePoint sites, OneDrive content, Teams and Yammer conversations, and other shared data sources in an organization, as well as the web.|HTTPS|business.bing.com|
|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available.|TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com/*|
|Cortana and Live Tiles|The following endpoints are related to Cortana and Live Tiles|TLSv1.2/HTTPS/HTTP|www.bing.com*|
|||HTTPS/HTTP|fp.msedge.net|
|||TLSv1.2|odinvzc.azureedge.net|
|||TLSv1.2|b-ring.msedge.net|
|Device metadata|The following endpoint is used to retrieve device metadata.|TLSv1.2/HTTP|dmd.metaservices.microsoft.com|
|Diagnostic data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. <br/>If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.|TLSv1.2/HTTP|v10.events.data.microsoft.com|
||The following endpoints are used by Windows Error Reporting.|TLSv1.2/HTTPS/HTTP|watson.telemetry.microsoft.com|
|Font Streaming|The following endpoints are used to download fonts on demand.|TLSv1.2/HTTPS|fs.microsoft.com*|
|Licensing|The following endpoint is used for online activation and some app licensing.|HTTPS/HTTP|*licensing.mp.microsoft.com|
|Location|The following endpoints are used for location data.|TLSV1.2|inference.location.live.net|
|Maps|The following endpoints are used to check for updates to maps that have been downloaded for offline use.|HTTPS/HTTP|maps.windows.com|
|Microsoft Account|The following endpoints are used for Microsoft accounts to sign in|TLSv1.2/HTTPS/HTTP|*login.live.com|
|Microsoft Edge|The following endpoint is used by Microsoft Edge Update service to check for new updates.|HTTPS/HTTP|msedge.api.cdp.microsoft.com|
|Microsoft forward link redirection|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer|TLSv1.2/HTTPS/HTTP|go.microsoft.com|
|Microsoft Store|The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps)|TLSv1.2/HTTPS/HTTP|img-prod-cms-rt-microsoft-com.akamaized.net|
||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way.|TLSv1.2/HTTPS|*.wns.windows.com|
||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com|
|||TLSv1.2/HTTPS/HTTP|1storecatalogrevocation.storequality.microsoft.com|
||The following endpoints are used to communicate with Microsoft Store.|TLSv1.2/HTTPS/HTTP|*displaycatalog.mp.microsoft.com|
|||HTTPS|pti.store.microsoft.com|
|||HTTPS|storesdk.dsx.mp.microsoft.com|
||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com|
|Network Connection Status Indicator (NCSI)|Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet.|TLSv1.2/HTTP|www.msftconnecttest.com*|
|Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS|office.com|
|||HTTPS/HTTP|officehomeblobs.blob.core.windows.net|
|||TLSv1.2|self.events.data.microsoft.com|
|OneDrive|The following endpoints are related to OneDrive.|HTTPS|g.live.com|
|||TLSv1.2/HTTPS|oneclient.sfx.ms|
|||HTTPS/TLSv1.2|logincdn.msauth.net|
|Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.|TLSv1.2/HTTPS/HTTP|settings.data.microsoft.com*|
|||TLSv1.2/HTTPS/HTTP|settings-win.data.microsoft.com*|
|Skype|The following endpoint is used to retrieve Skype configuration values.|TLSv1.2/HTTPS/HTTP|*.pipe.aria.microsoft.com|
|||TLSv1.2/HTTPS/HTTP|config.edge.skype.com|
|Teams|The following endpoint is used for Microsoft Teams application.|TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com|
|Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled|TLSv1.2/HTTPS|wdcp.microsoft.com|
||||wdcpalt.microsoft.com|
|||HTTPS/HTTP|*.smartscreen-prod.microsoft.com|
||The following endpoints are used for Windows Defender SmartScreen reporting and notifications.|TLSv1.2|*.smartscreen.microsoft.com|
|||TLSv1.2/HTTP|checkappexec.microsoft.com|
|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips.|TLSv1.2/HTTPS/HTTP|arc.msn.com*|
|||TLSv1.2/HTTPS/HTTP|ris.api.iris.microsoft.com|
|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers.|TLSv1.2/HTTPS/HTTP|*.prod.do.dsp.mp.microsoft.com|
|||TLSv1.2/HTTP|emdl.ws.microsoft.com|
|||TLSv1.2/HTTPS/HTTP|*.dl.delivery.mp.microsoft.com|
||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store.|TLSv1.2/HTTP|*.windowsupdate.com|
|||TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com|
||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store to help keep the device secure.|TLSv1.2/HTTPS/HTTP|*.update.microsoft.com|
||The following endpoint is used for compatibility database updates for Windows.|HTTP/HTTPS|adl.windows.com|
||The following endpoint is used for content regulation.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com|
|Xbox Live|The following endpoints are used for Xbox Live.|
|||TLSv1.2/HTTPS/HTTP|dlassets-ssl.xboxlive.com|
|||TLSv1.2/HTTPS|da.xboxservices.com|

2
windows/security/index.yml
View File

@ -1,7 +1,7 @@
### YamlMime:Landing
title: Windows security # < 60 chars
summary: Windows is a Zero Trust-ready operating system that provides security from chip to cloud. # < 160 chars
summary: Built with Zero Trust principles at the core to safeguard data and access anywhere, keeping you protected and productive. # < 160 chars
metadata:
title: Windows security # Required; page title displayed in search results. Include the brand. < 60 chars.

3
windows/security/threat-protection/intelligence/criteria.md
View File

@ -13,6 +13,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/04/2021
search.appverid: met150
ms.technology: mde
---
@ -174,7 +175,7 @@ Microsoft uses specific categories and the category definitions to classify soft
* **Torrent software (Enterprise only):** Software that is used to create or download torrents or other files specifically used with peer-to-peer file-sharing technologies.
* **Cryptomining software:** Software that uses your device resources to mine cryptocurrencies.
* **Cryptomining software (Enterprise only):** Software that uses your device resources to mine cryptocurrencies.
* **Bundling software:** Software that offers to install other software that is not developed by the same entity or not required for the software to run. Also, software that offers to install other software that qualifies as PUA based on the criteria outlined in this document.

4
windows/whats-new/TOC.yml
View File

@ -3,8 +3,8 @@
- name: Windows 11
expanded: true
items:
- name: Windows 11 overview
href: windows-11.md
- name: What's new in Windows 11
href: windows-11-whats-new.md
- name: Windows 11 requirements
href: windows-11-requirements.md
- name: Plan for Windows 11

BIN
windows/whats-new/images/windows-11-whats-new/windows-11-snap-layouts.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 3.3 KiB

BIN
windows/whats-new/images/windows-11-whats-new/windows-11-taskbar-microsoft-teams.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 10 KiB

BIN
windows/whats-new/images/windows-11-whats-new/windows-11-taskbar-virtual-desktops.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 75 KiB

BIN
windows/whats-new/images/windows-11-whats-new/windows-11-taskbar-widgets.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 10 KiB

BIN
windows/whats-new/images/windows-11-whats-new/windows-11-taskbar.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 11 KiB

BIN
windows/whats-new/images/windows-11-whats-new/windows-terminal-app.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 9.9 KiB

4
windows/whats-new/index.yml
View File

@ -27,8 +27,8 @@ landingContent:
linkLists:
- linkListType: overview
links:
- text: Windows 11 overview
url: windows-11.md
- text: What's new
url: windows-11-whats-new.md
- text: Windows 11 requirements
url: windows-11-requirements.md
- text: Plan for Windows 11

2
windows/whats-new/windows-11-prepare.md
View File

@ -54,7 +54,7 @@ The tools that you use for core workloads during Windows 10 deployments can stil
- If you use Microsoft Intune and have a Microsoft 365 E3 license, you will be able to use [feature update deployments](/mem/intune/protect/windows-10-feature-updates) to easily update devices from one release of Windows 10 to another, or to upgrade Windows 10 devices to Windows 11. You can also continue using the same update experience controls to manage Windows 10 and Windows 11. If you arent ready to move to Windows 11, keep the feature update version set at the version you are currently on. When you are ready to start upgrading devices, change the feature update deployment setting to specify Windows 11.
> [!NOTE]
> Endpoints managed by Windows Update for Business will not automatically upgrade to Windows 11 unless an administrator explicllty configures a **Target Version** using the [TargetReleaseVersion](/windows/client-management/mdm/policy-csp-update#update-targetreleaseversion) setting using a Windows CSP, a [feature update profile](/mem/intune/protect/windows-10-feature-updates) in Intune, or the [Select target Feature Update version setting](/windows/deployment/update/waas-wufb-group-policy#i-want-to-stay-on-a-specific-version) in a group policy.
> Endpoints managed by Windows Update for Business will not automatically upgrade to Windows 11 unless an administrator explicitly configures a **Target Version** using the [TargetReleaseVersion](/windows/client-management/mdm/policy-csp-update#update-targetreleaseversion) setting using a Windows CSP, a [feature update profile](/mem/intune/protect/windows-10-feature-updates) in Intune, or the [Select target Feature Update version setting](/windows/deployment/update/waas-wufb-group-policy#i-want-to-stay-on-a-specific-version) in a group policy.
## Cloud-based management

22
windows/whats-new/windows-11-requirements.md
View File

@ -2,7 +2,7 @@
title: Windows 11 requirements
description: Hardware requirements to deploy Windows 11
ms.reviewer:
manager: laurawi
manager: dougeby
ms.audience: itpro
author: greg-lindsay
ms.author: greglin
@ -21,7 +21,7 @@ ms.custom: seo-marvel-apr2020
- Windows 11
This article lists the system requirements for Windows 11. Windows 11 is also supported on a virtual machine (VM).
This article lists the system requirements for Windows 11. Windows 11 is also [supported on a virtual machine (VM)](#virtual-machine-support).
## Hardware requirements
@ -80,6 +80,22 @@ Some features in Windows 11 have requirements beyond those listed above. See the
- **Windows Projection**: requires a display adapter that supports Windows Display Driver Model (WDDM) 2.0 and a Wi-Fi adapter that supports Wi-Fi Direct.
- **Xbox app**: requires an Xbox Live account, which is not available in all regions. Please go to the Xbox Live Countries and Regions page for the most up-to-date information on availability. Some features in the Xbox app will require an active [Xbox Game Pass](https://www.xbox.com/xbox-game-pass) subscription.
## Virtual machine support
The following configuration requirements apply to VMs running Windows 11.
- Generation: 2<b> \*</b>
- Storage: 64 GB or greater
- Security: Secure Boot capable, virtual TPM enabled
- Memory: 4 GB or greater
- Processor: 2 or more virtual processors
The VM host CPU must also meet Windows 11 [processor requirements](/windows-hardware/design/minimum/windows-processor-requirements).
<b>\*</b> In-place upgrade of existing generation 1 VMs to Windows 11 is not possible.
> [!NOTE]
> Procedures to configure required VM settings depend on the VM host type. For VM hosts running Hyper-V, virtualization (VT-x, VT-d) must be enabled in BIOS. Virtual TPM 2.0 is emulated in the guest VM independent of the Hyper-V host TPM presence or version.
## Next steps
@ -89,5 +105,5 @@ Some features in Windows 11 have requirements beyond those listed above. See the
## See also
[Windows minimum hardware requirements](/windows-hardware/design/minimum/minimum-hardware-requirements-overview)<br>
[Windows 11 overview](windows-11.md)
[What's new in Windows 11 overview](windows-11-whats-new.md)

210
windows/whats-new/windows-11-whats-new.md Normal file
View File

@ -0,0 +1,210 @@
---
title: Windows 11, what's new and overview for administrators
description: Learn more about what's new in Windows 11. Read about see the features IT professionals and administrators should know about Windows 11, including security, using apps, the new desktop, and deploying and servicing PCs.
ms.reviewer:
manager: dougeby
ms.audience: itpro
author: MandiOhlinger
ms.author: mandia
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: medium
audience: itpro
ms.topic: article
ms.custom:
---
# What's new in Windows 11
**Applies to**:
- Windows 11
Windows 11 is the next client operating system, and includes features that organizations should know. Windows 11 is built on the same foundation as Windows 10. If you use Windows 10, then Windows 11 is a natural transition and update to what you know, and what you're familiar with.
It offers innovations focused on enhancing end-user productivity, and is designed to support today's hybrid work environment.
Your investments in update and device management are carried forward. For example, many of the same apps and tools can be used in Windows 11. Many of the same security settings and policies can be applied to Windows 11 devices, including PCs. You can use Windows Autopilot with a zero touch deployment to enroll your Windows devices in Microsoft Endpoint Manager. You can also use newer features, such as Azure Virtual Desktop and Windows 365 on your Windows 11 devices.
This article lists what's new, and some of the features & improvements. For more information on what's new for OEMs, see [What's new in manufacturing, customization, and design](/windows-hardware/get-started/what-s-new-in-windows).
## Security and scanning
The security and privacy features in Windows 11 are similar to Windows 10. Security for your devices starts with the hardware, and includes OS security, application security, and user & identity security. There are features available in the Windows OS to help in these areas. This section describes some of these features. For a more comprehensive view, including zero trust, see [Windows security](/windows/security/).
- The **Windows Security** app is built into the OS. This app is an easy-to-use interface, and combines commonly used security features. For example, your get access to virus & threat protection, firewall & network protection, account protection, and more.
For more information, see [the Windows Security app](/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center).
- **Security baselines** includes security settings that already configured, and ready to be deployed to your devices. If you don't know where to start, or it's too time consuming to go through all the settings, then you should look at Security Baselines.
For more information, see [Windows security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines).
- **Microsoft Defender Antivirus** is built into Windows, and helps protect devices using next-generation security. When used with Microsoft Defender for Endpoint, your organization gets strong endpoint protection, and advanced endpoint protection & response. If your devices are managed with Endpoint Manager, you can create policies based on threat levels found in Microsoft Defender for Endpoint.
For more information, see:
- [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)
- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint)
- [Enforce compliance for Microsoft Defender for Endpoint](/mem/intune/protect/advanced-threat-protection)
- The Application Security features help prevent unwanted or malicious code from running, isolate untrusted websites & untrusted Office files, protect against phishing or malware websites, and more.
For more information, see [Windows application security](/windows/security/apps).
- **Windows Hello for Business** helps protect users and identities. It replaces passwords, and uses a PIN or biometric that stays locally on the device. Device manufacturers are including more secure hardware features, such as IR cameras and TPM chips. These features are used with Windows Hello for Business to help protect user identities on your organization devices.
As an admin, going passwordless help secures user identities. The Windows OS, Azure AD, and Endpoint Manager work together to remove passwords, create more secure policies, and help enforce compliance.
For more information, see:
- [Windows Hello for Business Overview](/windows/security/identity-protection/hello-for-business/hello-overview)
- [Trusted Platform Module Technology Overview](/windows/security/information-protection/tpm/trusted-platform-module-overview)
- [Integrate Windows Hello for Business with Endpoint Manager](/mem/intune/protect/windows-hello)
For more information on the security features you can configure, manage, and enforce using Endpoint Manager, see [Protect data and devices with Microsoft Endpoint Manager](/mem/intune/protect/device-protect).
## Easier access to new services, and services you already use
- **Windows 365** is a desktop operating system that's also a cloud service. From another internet-connected device, including Android and macOS devices, you can run Windows 365, just like a virtual machine.
For more information, see [What is Windows 365 Enterprise?](/windows-365/overview).
- **Microsoft Teams** is included with the OS, and is automatically available on the taskbar. Users select the chat icon, sign in with their personal Microsoft account, and start a call:
:::image type="content" source="./images/windows-11-whats-new/windows-11-taskbar-microsoft-teams.png" alt-text="On the Windows 11 taskbar, select the camera chat icon to start a Microsoft Teams call.":::
This version of Microsoft Teams is for personal accounts. For organization accounts, such as `user@contoso.com`, you can deploy the Microsoft Teams app using MDM policy, such as Endpoint Manager. For more information, see:
- [Get started with Microsoft Endpoint Manager](/mem/endpoint-manager-getting-started)
- [Add Microsoft 365 apps to Windows 10 devices with Microsoft Intune](/mem/intune/apps/apps-add-office365)
- [Install Microsoft Teams using Microsoft Endpoint Configuration Manager](/microsoftteams/msi-deployment)
Users can manage preinstalled apps using the **Settings** app > **Apps** > **Apps & Features**. Admins can [create a policy that pins apps, or removes the default pinned apps from the Taskbar](/windows/configuration/customize-taskbar-windows-11).
- **Power Automate for desktop** is included with the OS. Your users can create flows with this low-code app to help them with everyday tasks. For example, users can create flows that save a message to OneNote, notify a team when there's a new Forms response, get notified when a file is added to SharePoint, and more.
For more information, see [Getting started with Power Automate in Windows 11](/power-automate/desktop-flows/getting-started-windows-11).
Users can manage preinstalled apps using the **Settings** app > **Apps** > **Apps & Features**.
## Customize the desktop experience
- **Snap Layouts, Snap Groups**: When you open an app, hover your mouse over the minimize/maximize option. When you do, you can select a different layout for the app:
:::image type="content" source="./images/windows-11-whats-new/windows-11-snap-layouts.png" alt-text="In Windows 11, use the minimize or maximize button on an app to see the available snap layouts.":::
This feature allows users to customize the sizes of apps on their desktop. And, when you add other apps to the layout, the snapped layout stays in place.
When you add your apps in a Snap Layout, that layout is saved in a Snap Group. In the taskbar, when you hover over an app in an existing snap layout, it shows all the apps in that layout. This feature is the Snap Group. You can select the group, and the apps are opened in the same layout. As you add more Snap Groups, you can switch between them just by selecting the Snap Group.
Users can manage some snap features using the **Settings** app > **System** > **Multitasking**. For more information on the end-user experience, see [Snap your windows](https://support.microsoft.com/windows/snap-your-windows-885a9b1e-a983-a3b1-16cd-c531795e6241).
You can also add Snap Layouts to apps your organization creates. For more information, see [Support snap layouts for desktop apps on Windows 11](/windows/apps/desktop/modernize/apply-snap-layout-menu).
- **Start menu**: The Start menu includes some apps that are pinned by default. You can customize the Start menu layout by pinning (and unpinning) the apps you want. For example, you can pin commonly used apps in your organization, such as Outlook, Microsoft Teams, apps your organization creates, and more.
Using policy, you can deploy your customized Start menu layout to devices in your organization. For more information, see [Customize the Start menu layout on Windows 11](/windows/configuration/customize-start-menu-layout-windows-11).
Users can manage some Start menu features using the **Settings** app > **Personalization**. For more information on the end-user experience, see [See what's on the Start menu](https://support.microsoft.com/windows/see-what-s-on-the-start-menu-a8ccb400-ad49-962b-d2b1-93f453785a13).
- **Taskbar**: You can also pin (and unpin) apps on the Taskbar. For example, you can pin commonly used apps in your organization, such as Outlook, Microsoft Teams, apps your organization creates, and more.
Using policy, you can deploy your customized Taskbar to devices in your organization. For more information, see [Customize the Taskbar on Windows 11](/windows/configuration/customize-taskbar-windows-11).
Users can manage some Taskbar features using the **Settings** app > **Personalization**. For more information on the end-user experience, see:
- [Customize the taskbar notification area](https://support.microsoft.com/windows/customize-the-taskbar-notification-area-e159e8d2-9ac5-b2bd-61c5-bb63c1d437c3)
- [Pin apps and folders to the desktop or taskbar](https://support.microsoft.com/windows/pin-apps-and-folders-to-the-desktop-or-taskbar-f3c749fb-e298-4cf1-adda-7fd635df6bb0)
- **Widgets**: Widgets are available on the Taskbar. It includes a personalized feed that could be weather, calendar, stock prices, news, and more:
:::image type="content" source="./images/windows-11-whats-new/windows-11-taskbar-widgets.png" alt-text="On the Windows 11 taskbar, select the widgets icon to open and see the available widgets.":::
You can enable/disable this feature using the `Computer Configuration\Administrative Templates\Windows Components\widgets` Group Policy. You can also deploy a customized Taskbar to devices in your organization. For more information, see [Customize the Taskbar on Windows 11](/windows/configuration/customize-taskbar-windows-11).
For information on the end-user experience, see [Stay up to date with widgets](https://support.microsoft.com/windows/stay-up-to-date-with-widgets-7ba79aaa-dac6-4687-b460-ad16a06be6e4).
- **Virtual desktops**: On the Taskbar, you can select the Desktops icon to create a new desktop:
:::image type="content" source="./images/windows-11-whats-new/windows-11-taskbar-virtual-desktops.png" alt-text="On the Windows 11 taskbar, select the desktop icon to create many virtual desktops.":::
Use the desktop to open different apps depending on what you're doing. For example, you can create a Travel desktop that includes web sites and apps that are focused on travel.
Using policy, you can deploy a customized Taskbar to devices in your organization. For more information, see [Customize the Taskbar on Windows 11](/windows/configuration/customize-taskbar-windows-11).
Users can manage some desktop features using **Settings** app > **System** > **Multitasking**. For more information on the end-user experience, see [Multiple desktops in Windows](https://support.microsoft.com/windows/multiple-desktops-in-windows-11-36f52e38-5b4a-557b-2ff9-e1a60c976434).
## Use your same apps, improved
- Your Windows 10 apps will also work on Windows 11. **[App Assure](https://www.microsoft.com/fasttrack/microsoft-365/app-assure)** is also available if there are some issues.
You can continue to use **MSIX packages** for your UWP, Win32, WPF, and WinForm desktop application files. Continue to use **Windows Package Manager** to install Windows apps. Use **Azure Virtual desktop with MSIX app attach** to virtualize desktops and apps. For more information on these features, see [Overview of apps on Windows client devices](/windows/application-management/apps-in-windows-10).
In the **Settings** app > **Apps**, users can manage some of the app settings. For example, they can get apps anywhere, but let the user know if there's a comparable app in the Microsoft Store. They can also choose which apps start when they sign in.
Using an MDM provider, like Endpoint Manager, you can create policies that also manage some app settings. For a list of settings, see [App Store in Endpoint Manager](/mem/intune/configuration/device-restrictions-windows-10#app-store).
- If you manage devices using Endpoint Manager, then you might be familiar with the **Company Portal app**. Starting with Windows 11, the Company Portal is your private app repository for your organization apps. For more information, see [Private app repository in Windows 11](/windows/application-management/private-app-repository-mdm-company-portal-windows-11).
For public and retail apps, continue using the Microsoft Store.
- **Windows Terminal app**: This app is included with the OS. On previous Windows versions, it's a separate download in the Microsoft Store. For more information, see [What is Windows Terminal?](/windows/terminal/).
This app combines Windows PowerShell, a command prompt, and Azure Cloud Shell all within the same terminal window. You don't need to open separate apps to use these command-line applications. It has tabs. And when you open a new tab, you can choose your command-line application:
:::image type="content" source="./images/windows-11-whats-new/windows-terminal-app.png" alt-text="On Windows 11, open the Windows Terminal app to use Windows PowerShell, the command prompt, or Azure Cloud Shell to run commands.":::
If users or groups in your organization do a lot with Windows PowerShell or the command prompt, then use policy to add the Windows Terminal app to the [Start menu layout](/windows/configuration/customize-start-menu-layout-windows-11) or the [Taskbar](/windows/configuration/customize-taskbar-windows-11).
Users can also search for the Terminal app, right-select the app, and pin the app to the Start menu and taskbar.
- The **Microsoft Store** has a new look, and includes more public and retail apps. For more information on the end-user experience, see:
- [Get updates for apps and games in Microsoft Store](https://support.microsoft.com/account-billing/get-updates-for-apps-and-games-in-microsoft-store-a1fe19c0-532d-ec47-7035-d1c5a1dd464f)
- [How to open Microsoft Store on Windows](https://support.microsoft.com/account-billing/how-to-open-microsoft-store-on-windows-10-e080b85a-7c9e-46a7-8d8b-3e9a42e32de6)
- The **Microsoft Edge** browser is included with the OS, and is the default browser. Internet Explorer (IE) isn't available in Windows 11. In Microsoft Edge, you can use IE Mode if a website needs Internet Explorer. Open Microsoft Edge, and enter `edge://settings/defaultBrowser` in the URL.
To save system resources, Microsoft Edge uses sleeping tabs. Users can configure these settings, and more, in `edge://settings/system`.
Using Group Policy or an MDM provider, such as Endpoint Manager, you can configure some Microsoft Edge settings. For more information, see [Microsoft Edge - Policies](/deployedge/microsoft-edge-policies) and [Configure Microsoft Edge policy settings](/mem/intune/configuration/administrative-templates-configure-edge).
## Deployment and servicing
- **Install Windows 11**: The same methods you use to install Windows 10 can also be used to install Windows 11. For example, you can deploy Windows to your devices using Windows Autopilot, Microsoft Deployment Toolkit (MDT), Configuration Manager, and more. Windows 11 will be delivered as an upgrade to eligible devices running Windows 10.
For more information on getting started, see [Windows client deployment resources and documentation](/windows/deployment/) and [Plan for Windows 11](windows-11-plan.md).
For more information on the end-user experience, see [Ways to install Windows 11](https://support.microsoft.com/windows/e0edbbfb-cfc5-4011-868b-2ce77ac7c70e).
- **Windows Autopilot**: If you're purchasing new devices, you can use Windows Autopilot to set up and pre-configure the devices. When users get the device, they sign in with their organization account (`user@contoso.com`). In the background, Autopilot gets them ready for use, and deploys any apps or policies you set. You can also use Windows Autopilot to reset, repurpose, and recover devices. Autopilot offers zero touch deployment for admins.
If you have a global or remote workforce, then Autopilot might be the right option to install the OS, and get it ready for use. For more information, see [Overview of Windows Autopilot](/mem/autopilot/windows-autopilot).
- **Microsoft Endpoint Manager** is a mobile application management (MAM) and mobile device management (MDM) provider. It helps manage devices, and manage apps on devices in your organization. You configure policies, and then deploy these policies to users and groups. You can create and deploy policies that install apps, configure device features, enforce PIN requirements, block compromised devices, and more.
If you currently use Group Policy to manage your Windows 10 devices, you can also use Group Policy to manage Windows 11 devices. In Endpoint Manager, there are [administrative templates](/mem/intune/configuration/administrative-templates-windows) and the [settings catalog](/mem/intune/configuration/settings-catalog) that include many of the same policies. [Group Policy analytics](/mem/intune/configuration/group-policy-analytics) analyze your on-premises group policy objects.
- **Windows Updates and Delivery optimization** helps manage updates, and manage features on your devices. Starting with Windows 11, the OS feature updates are installed annually. For more information on servicing channels, and what they are, see [Servicing channels](/windows/deployment/update/waas-overview#servicing-channels).
Like Windows 10, Windows 11 will receive monthly quality updates.
You have options to install updates on your Windows devices, including Endpoint Manager, Group Policy, Windows Server Update Services (WSUS), and more. For more information, see [Assign devices to servicing channels](/windows/deployment/update/waas-servicing-channels-windows-10-updates).
Some updates are large, and use bandwidth. Delivery optimization helps reduce bandwidth consumption. It shares the work of downloading the update packages with multiple devices in your deployment. Windows 11 updates are smaller, as they only pull down source files that are different. You can create policies that configure delivery optimization settings. For example, set the maximum upload and download bandwidth, set caching sizes, and more.
For more information, see [Delivery Optimization for Windows updates](/windows/deployment/update/waas-delivery-optimization).
For more information on the end-user experience, see:
- [Installation & updates](https://support.microsoft.com/office/installation-updates-2f9c1819-310d-48a7-ac12-25191269903c#PickTab=Windows_11)
- [Manage updates in Windows](https://support.microsoft.com/windows/manage-updates-in-windows-643e9ea7-3cf6-7da6-a25c-95d4f7f099fe)
## Next steps
- [Windows 11 requirements](windows-11-requirements.md)
- [Plan for Windows 11](windows-11-plan.md)
- [Prepare for Windows 11](windows-11-prepare.md)
- [Windows release health](https://aka.ms/windowsreleasehealth)

92
windows/whats-new/windows-11.md
View File

@ -1,92 +0,0 @@
---
title: Windows 11 overview
description: Overview of Windows 11
ms.reviewer:
manager: laurawi
ms.audience: itpro
author: greg-lindsay
ms.author: greglin
ms.prod: w11
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: medium
audience: itpro
ms.topic: article
ms.custom: seo-marvel-apr2020
---
# Windows 11 overview
**Applies to**
- Windows 11
This article provides an introduction to Windows 11, and answers some frequently asked questions.
Also see the following articles to learn more about Windows 11:
- [Windows 11 requirements](windows-11-requirements.md): Requirements to deploy Windows 11.
- [Plan for Windows 11](windows-11-plan.md): Information to help you plan for Windows 11 in your organization.
- [Prepare for Windows 11](windows-11-prepare.md): Procedures to ensure readiness to deploy Windows 11.
## Introduction
Windows 11 is the next evolution of Windows; it is the most significant update to the Windows operating system since Windows 10. It offers many innovations focused on enhancing end-user productivity in a fresh experience that is flexible and fluid. Windows 11 is designed to support today's hybrid work environment, and intended to be the most reliable, secure, connected, and performant Windows operating system ever.
Windows 11 is built on the same foundation as Windows 10, so the investments you have made in tools for update and device management are carried forward. Windows 11 also sustains the application compatibility promise made with Windows 10, supplemented by programs like App Assure. For Microsoft 365 customers seeking further assistance, FastTrack will continue to be available to support your efforts to adopt Windows 11.
## How to get Windows 11
Windows 11 will be delivered as an upgrade to eligible devices running Windows 10, beginning on October 5, 2021. Windows 11 will also be available on eligible new devices.
For administrators managing devices on behalf of their organization, Windows 11 will be available through the same, familiar channels that you use today for Windows 10 feature updates. You will be able to use existing deployment and management tools, such as Windows Update for Business, Microsoft Endpoint Manager, and Windows Autopilot. For more information, see [Plan for Windows 11](windows-11-plan.md).
For devices that are not managed by an organization, the Windows 11 upgrade will be offered to eligible Windows 10 devices through Windows Update using Microsoft's intelligent rollout process to ensure a smooth upgrade experience.
For more information about device eligibility, see [Windows 11 requirements](windows-11-requirements.md).
If you are interested in testing Windows 11 before general availability, you can join the [Windows Insider Program](https://insider.windows.com) or [Windows Insider Program for Business](https://insider.windows.com/for-business). You can also preview Windows 11 by enabling pre-release Windows 10 feature updates in [Microsoft Endpoint Configuration Manager](/mem/configmgr/core/servers/manage/pre-release-features) or [Windows Server Update Services](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/publishing-pre-release-windows-10-feature-updates-to-wsus/ba-p/845054) (WSUS).
If you are an administrator, you can manage installations of Windows 11 Insider Preview Builds across multiple devices in your organization using Group Policy, MDM solutions such as Intune, Configuration Manager, or [Windows Server Update Services](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/publishing-pre-release-windows-10-feature-updates-to-wsus/ba-p/845054) (WSUS). For more information, see [Manage Insider Preview builds across your organization](/windows-insider/business/manage-builds).
## Before you begin
The following sections provide a quick summary of licensing, compatibility, management, and servicing considerations to help you get started with Windows 11.
#### Licensing
There are no unique licensing requirements for Windows 11 beyond what is required for Windows 10 devices.
Microsoft 365 licenses that include Windows 10 licenses will permit you to run Windows 11 on supported devices. If you have a volume license, it will equally cover Windows 11 and Windows 10 devices before and after upgrade.
#### Compatibility
Most accessories and associated drivers that work with Windows 10 are expected to work with Windows 11. Check with your accessory manufacturer for specific details.
Windows 11 preserves the application compatibility promise made with Windows 10, and does not require changes to existing support processes or tooling to sustain the currency of applications and devices. Microsoft 365 customers can continue to use programs such as App Assure and FastTrack to support IT efforts to adopt and maintain Windows 11. For more information, see [Application compatibility](windows-11-plan.md#application-compatibility).
#### Familiar processes
Windows 11 is built on the same foundation as Windows 10. Typically, you can use the same tools and solutions you use today to deploy, manage, and secure Windows 11. Your current management tools and processes will also work to manage monthly quality updates for both Windows 10 and Windows 11.
> [!IMPORTANT]
> Check with the providers of any non-Microsoft security and management solutions that you use to ensure compatibility with Windows 11, particularly those providing security or data loss prevention capabilities.
For more information, see [Prepare for Windows 11](windows-11-prepare.md).
#### Servicing Windows 11
Like Windows 10, Windows 11 will receive monthly quality updates. However, it will have a new feature update cadence. Windows 11 feature updates will be released once per year.
When Windows 11 reaches general availability, important servicing-related announcements and information about known issues and safeguard holds can be found on the [Windows release health](https://aka.ms/windowsreleasehealth) hub. Monthly release notes will also be available from a consolidated Windows 11 update history page at that time. For more information, see [Servicing and support](windows-11-plan.md#servicing-and-support).
## Next steps
[Windows 11 requirements](windows-11-requirements.md)<br>
[Plan for Windows 11](windows-11-plan.md)<br>
[Prepare for Windows 11](windows-11-prepare.md)
## Also see
[What's new in Windows 11](/windows-hardware/get-started/what-s-new-in-windows)<br>
[Windows 11: The Optimization and Performance Improvements](https://www.youtube.com/watch?v=oIYHRRTCVy4)