mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-16 19:03:46 +00:00
Merged PR 12677: Updates for zero exhaust
This commit is contained in:
Dani Halfin 📬🔨
@ -18,6 +18,7 @@ ms.date: 06/05/2018
|
|||||||
|
|
||||||
- Windows 10 Enterprise, version 1607 and newer
|
- Windows 10 Enterprise, version 1607 and newer
|
||||||
- Windows Server 2016
|
- Windows Server 2016
|
||||||
|
- Windows Server 2019
|
||||||
|
|
||||||
If you're looking for content on what each diagnostic data level means and how to configure it in your organization, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md).
|
If you're looking for content on what each diagnostic data level means and how to configure it in your organization, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md).
|
||||||
|
|
||||||
@ -43,6 +44,12 @@ Note that **Get Help** and **Give us Feedback** links no longer work after the W
|
|||||||
|
|
||||||
We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com.
|
We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com.
|
||||||
|
|
||||||
|
## What's new in Windows 10, version 1809 Enterprise edition
|
||||||
|
|
||||||
|
Here's a list of changes that were made to this article for Windows 10, version 1809:
|
||||||
|
|
||||||
|
- Added a policy to disable Windows Defender SmartScreen
|
||||||
|
|
||||||
## What's new in Windows 10, version 1803 Enterprise edition
|
## What's new in Windows 10, version 1803 Enterprise edition
|
||||||
|
|
||||||
Here's a list of changes that were made to this article for Windows 10, version 1803:
|
Here's a list of changes that were made to this article for Windows 10, version 1803:
|
||||||
@ -99,19 +106,19 @@ The following table lists management options for each setting, beginning with Wi
|
|||||||
|
|
||||||
| Setting | UI | Group Policy | MDM policy | Registry | Command line |
|
| Setting | UI | Group Policy | MDM policy | Registry | Command line |
|
||||||
| - | :-: | :-: | :-: | :-: | :-: |
|
| - | :-: | :-: | :-: | :-: | :-: |
|
||||||
| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | |  | | | |
|
| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | |  | |  | |
|
||||||
| [2. Cortana and Search](#bkmk-cortana) |  |  |  |  | |
|
| [2. Cortana and Search](#bkmk-cortana) |  |  |  |  | |
|
||||||
| [3. Date & Time](#bkmk-datetime) |  |  | |  | |
|
| [3. Date & Time](#bkmk-datetime) |  |  | |  | |
|
||||||
| [4. Device metadata retrieval](#bkmk-devinst) | |  | |  | |
|
| [4. Device metadata retrieval](#bkmk-devinst) | |  |  |  | |
|
||||||
| [5. Find My Device](#find-my-device) | |  | | | |
|
| [5. Find My Device](#find-my-device) |  |  | |  | |
|
||||||
| [6. Font streaming](#font-streaming) | |  | |  | |
|
| [6. Font streaming](#font-streaming) | |  |  |  | |
|
||||||
| [7. Insider Preview builds](#bkmk-previewbuilds) |  |  |  |  | |
|
| [7. Insider Preview builds](#bkmk-previewbuilds) |  |  |  |  | |
|
||||||
| [8. Internet Explorer](#bkmk-ie) |  |  | |  | |
|
| [8. Internet Explorer](#bkmk-ie) |  |  | |  | |
|
||||||
| [9. Live Tiles](#live-tiles) | |  | |  | |
|
| [9. Live Tiles](#live-tiles) | |  | |  | |
|
||||||
| [10. Mail synchronization](#bkmk-mailsync) |  | |  |  | |
|
| [10. Mail synchronization](#bkmk-mailsync) |  | |  |  | |
|
||||||
| [11. Microsoft Account](#bkmk-microsoft-account) | |  |  |  | |
|
| [11. Microsoft Account](#bkmk-microsoft-account) | |  |  |  | |
|
||||||
| [12. Microsoft Edge](#bkmk-edge) |  |  |  |  | |
|
| [12. Microsoft Edge](#bkmk-edge) |  |  |  |  | |
|
||||||
| [13. Network Connection Status Indicator](#bkmk-ncsi) | |  | |  | |
|
| [13. Network Connection Status Indicator](#bkmk-ncsi) | |  |  |  | |
|
||||||
| [14. Offline maps](#bkmk-offlinemaps) |  |  | |  | |
|
| [14. Offline maps](#bkmk-offlinemaps) |  |  | |  | |
|
||||||
| [15. OneDrive](#bkmk-onedrive) | |  | |  | |
|
| [15. OneDrive](#bkmk-onedrive) | |  | |  | |
|
||||||
| [16. Preinstalled apps](#bkmk-preinstalledapps) |  | | | |  |
|
| [16. Preinstalled apps](#bkmk-preinstalledapps) |  | | | |  |
|
||||||
@ -142,6 +149,7 @@ The following table lists management options for each setting, beginning with Wi
|
|||||||
| [21. Teredo](#bkmk-teredo) | |  | |  |  |
|
| [21. Teredo](#bkmk-teredo) | |  | |  |  |
|
||||||
| [22. Wi-Fi Sense](#bkmk-wifisense) |  |  | |  | |
|
| [22. Wi-Fi Sense](#bkmk-wifisense) |  |  | |  | |
|
||||||
| [23. Windows Defender](#bkmk-defender) | |  |  |  | |
|
| [23. Windows Defender](#bkmk-defender) | |  |  |  | |
|
||||||
|
| [23.1 Windows Defender Smartscreen](#bkmk-defender-smartscreen) | |  |  |  | |
|
||||||
| [24. Windows Media Player](#bkmk-wmp) |  | | | |  |
|
| [24. Windows Media Player](#bkmk-wmp) |  | | | |  |
|
||||||
| [25. Windows Spotlight](#bkmk-spotlight) |  |  |  |  | |
|
| [25. Windows Spotlight](#bkmk-spotlight) |  |  |  |  | |
|
||||||
| [26. Microsoft Store](#bkmk-windowsstore) | |  | |  | |
|
| [26. Microsoft Store](#bkmk-windowsstore) | |  | |  | |
|
||||||
@ -202,6 +210,63 @@ See the following table for a summary of the management settings for Windows Ser
|
|||||||
| [21. Teredo](#bkmk-teredo) | |  |
|
| [21. Teredo](#bkmk-teredo) | |  |
|
||||||
| [28. Windows Update](#bkmk-wu) |  | |
|
| [28. Windows Update](#bkmk-wu) |  | |
|
||||||
|
|
||||||
|
### Settings for Windows Server 2019
|
||||||
|
|
||||||
|
See the following table for a summary of the management settings for Windows Server 2019.
|
||||||
|
|
||||||
|
| Setting | UI | Group Policy | MDM policy | Registry | Command line |
|
||||||
|
| - | :-: | :-: | :-: | :-: | :-: |
|
||||||
|
| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | |  | |  | |
|
||||||
|
| [2. Cortana and Search](#bkmk-cortana) |  |  |  |  | |
|
||||||
|
| [3. Date & Time](#bkmk-datetime) |  |  | |  | |
|
||||||
|
| [4. Device metadata retrieval](#bkmk-devinst) | |  |  |  | |
|
||||||
|
| [5. Find My Device](#find-my-device) |  |  | |  | |
|
||||||
|
| [6. Font streaming](#font-streaming) | |  |  |  | |
|
||||||
|
| [7. Insider Preview builds](#bkmk-previewbuilds) |  |  |  |  | |
|
||||||
|
| [8. Internet Explorer](#bkmk-ie) |  |  | |  | |
|
||||||
|
| [9. Live Tiles](#live-tiles) | |  | |  | |
|
||||||
|
| [10. Mail synchronization](#bkmk-mailsync) |  | |  |  | |
|
||||||
|
| [11. Microsoft Account](#bkmk-microsoft-account) | |  |  |  | |
|
||||||
|
| [12. Microsoft Edge](#bkmk-edge) |  |  |  |  | |
|
||||||
|
| [13. Network Connection Status Indicator](#bkmk-ncsi) | |  |  |  | |
|
||||||
|
| [14. Offline maps](#bkmk-offlinemaps) |  |  | |  | |
|
||||||
|
| [15. OneDrive](#bkmk-onedrive) | |  | |  | |
|
||||||
|
| [16. Preinstalled apps](#bkmk-preinstalledapps) |  | | | |  |
|
||||||
|
| [17. Settings > Privacy](#bkmk-settingssection) | | | | | |
|
||||||
|
| [17.1 General](#bkmk-general) |  |  |  |  | |
|
||||||
|
| [17.2 Location](#bkmk-priv-location) |  |  |  |  | |
|
||||||
|
| [17.3 Camera](#bkmk-priv-camera) |  |  |  |  | |
|
||||||
|
| [17.4 Microphone](#bkmk-priv-microphone) |  |  |  |  | |
|
||||||
|
| [17.5 Notifications](#bkmk-priv-notifications) |  |  | |  | |
|
||||||
|
| [17.6 Speech, inking, & typing](#bkmk-priv-speech) |  |  |  |  | |
|
||||||
|
| [17.7 Account info](#bkmk-priv-accounts) |  |  |  |  | |
|
||||||
|
| [17.8 Contacts](#bkmk-priv-contacts) |  |  |  |  | |
|
||||||
|
| [17.9 Calendar](#bkmk-priv-calendar) |  |  |  |  | |
|
||||||
|
| [17.10 Call history](#bkmk-priv-callhistory) |  |  |  |  | |
|
||||||
|
| [17.11 Email](#bkmk-priv-email) |  |  |  |  | |
|
||||||
|
| [17.12 Messaging](#bkmk-priv-messaging) |  |  |  |  | |
|
||||||
|
| [17.13 Phone calls](#bkmk-priv-phone-calls) |  |  |  |  | |
|
||||||
|
| [17.14 Radios](#bkmk-priv-radios) |  |  |  |  | |
|
||||||
|
| [17.15 Other devices](#bkmk-priv-other-devices) |  |  |  |  | |
|
||||||
|
| [17.16 Feedback & diagnostics](#bkmk-priv-feedback) |  |  |  |  | |
|
||||||
|
| [17.17 Background apps](#bkmk-priv-background) |  |  |  | | |
|
||||||
|
| [17.18 Motion](#bkmk-priv-motion) |  |  |  |  | |
|
||||||
|
| [17.19 Tasks](#bkmk-priv-tasks) |  |  |  |  | |
|
||||||
|
| [17.20 App Diagnostics](#bkmk-priv-diag) |  |  |  |  | |
|
||||||
|
| [18. Software Protection Platform](#bkmk-spp) | |  |  |  | |
|
||||||
|
| [19. Storage Health](#bkmk-storage-health) | |  | | | |
|
||||||
|
| [20. Sync your settings](#bkmk-syncsettings) |  |  |  |  | |
|
||||||
|
| [21. Teredo](#bkmk-teredo) | |  | |  |  |
|
||||||
|
| [22. Wi-Fi Sense](#bkmk-wifisense) |  |  | |  | |
|
||||||
|
| [23. Windows Defender](#bkmk-defender) | |  |  |  | |
|
||||||
|
| [23.1 Windows Defender Smartscreen](#bkmk-defender-smartscreen) | |  |  |  | |
|
||||||
|
| [24. Windows Media Player](#bkmk-wmp) |  | | | |  |
|
||||||
|
| [25. Windows Spotlight](#bkmk-spotlight) |  |  |  |  | |
|
||||||
|
| [26. Microsoft Store](#bkmk-windowsstore) | |  | |  | |
|
||||||
|
| [26.1 Apps for websites](#bkmk-apps-for-websites) | |  | | |
|
||||||
|
| [27. Windows Update Delivery Optimization](#bkmk-updates) |  |  |  |  | |
|
||||||
|
| [28. Windows Update](#bkmk-wu) |  |  |  | | |
|
||||||
|
|
||||||
## How to configure each setting
|
## How to configure each setting
|
||||||
|
|
||||||
Use the following sections for more information about how to configure each setting.
|
Use the following sections for more information about how to configure each setting.
|
||||||
@ -336,9 +401,17 @@ After that, configure the following:
|
|||||||
|
|
||||||
### <a href="" id="bkmk-devinst"></a>4. Device metadata retrieval
|
### <a href="" id="bkmk-devinst"></a>4. Device metadata retrieval
|
||||||
|
|
||||||
To prevent Windows from retrieving device metadata from the Internet, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Device Installation** > **Prevent device metadata retrieval from the Internet**.
|
To prevent Windows from retrieving device metadata from the Internet:
|
||||||
|
|
||||||
You can also create a new REG\_DWORD registry setting named **PreventDeviceMetadataFromNetwork** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Device Metadata** and set it to 1 (one).
|
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Device Installation** > **Prevent device metadata retrieval from the Internet**.
|
||||||
|
|
||||||
|
-or -
|
||||||
|
|
||||||
|
- Create a new REG\_DWORD registry setting named **PreventDeviceMetadataFromNetwork** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Device Metadata** and set it to 1 (one).
|
||||||
|
|
||||||
|
-or -
|
||||||
|
|
||||||
|
- Apply the DeviceInstallation/PreventDeviceMetadataFromNetwork MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventdevicemetadatafromnetwork).
|
||||||
|
|
||||||
### <a href="" id="find-my-device"></a>5. Find My Device
|
### <a href="" id="find-my-device"></a>5. Find My Device
|
||||||
|
|
||||||
@ -608,7 +681,7 @@ You can turn off NCSI by doing one of the following:
|
|||||||
|
|
||||||
- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Windows Network Connectivity Status Indicator active tests**
|
- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Windows Network Connectivity Status Indicator active tests**
|
||||||
|
|
||||||
- In Windows 10, version 1703 and later, apply the Connectivity/DisallowNetworkConnectivityActiveTests MDM policy.
|
- In Windows 10, version 1703 and later, apply the Connectivity/DisallowNetworkConnectivityActiveTests MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-connectivity#connectivity-disallownetworkconnectivityactivetests) with a value of 1.
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> After you apply this policy, you must restart the device for the policy setting to take effect.
|
> After you apply this policy, you must restart the device for the policy setting to take effect.
|
||||||
@ -879,31 +952,13 @@ To turn off **Turn on SmartScreen Filter to check web content (URLs) that Micros
|
|||||||
|
|
||||||
-or-
|
-or-
|
||||||
|
|
||||||
- In Windows Server 2016, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge** > **Configure SmartScreen Filter**.
|
|
||||||
In Windows 10, version 1703, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge** > **Configure Windows Defender SmartScreen Filter**.
|
|
||||||
|
|
||||||
In Windows Server 2016, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **File Explorer** > **Configure Windows SmartScreen**.
|
|
||||||
In Windows 10, version 1703 , apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **File Explorer** > **Configure Windows Defender SmartScreen**.
|
|
||||||
|
|
||||||
-or-
|
|
||||||
|
|
||||||
- Apply the Browser/AllowSmartScreen MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is turned off and 1 is turned on.
|
|
||||||
|
|
||||||
-or-
|
|
||||||
|
|
||||||
- Create a provisioning package, using:
|
- Create a provisioning package, using:
|
||||||
|
- For Internet Explorer: **Runtime settings > Policies > Browser > AllowSmartScreen**
|
||||||
- For Internet Explorer: **Runtime settings** > **Policies** > **Browser** > **AllowSmartScreen**
|
- For Microsoft Edge: **Runtime settings > Policies > MicrosoftEdge > AllowSmartScreen**
|
||||||
|
|
||||||
- For Microsoft Edge: **Runtime settings** > **Policies** > **MicrosoftEdge** > **AllowSmartScreen**
|
|
||||||
|
|
||||||
-or-
|
-or-
|
||||||
|
|
||||||
- Create a REG\_DWORD registry setting named **EnableWebContentEvaluation** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppHost** with a value of 0 (zero).
|
- Create a REG_DWORD registry setting named **EnableWebContentEvaluation** in **HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost** with a value of 0 (zero).
|
||||||
|
|
||||||
-or-
|
|
||||||
|
|
||||||
- Create a REG\_DWORD registry setting named **EnableSmartScreen** in **HKEY\_LOCAL\_MACHINE\\Sofware\\Policies\\Microsoft\\Windows\\System** with a value of 0 (zero).
|
|
||||||
|
|
||||||
To turn off **Send Microsoft info about how I write to help us improve typing and writing in the future**:
|
To turn off **Send Microsoft info about how I write to help us improve typing and writing in the future**:
|
||||||
|
|
||||||
@ -1793,6 +1848,36 @@ For Windows 10 only, you can stop Enhanced Notifications:
|
|||||||
|
|
||||||
You can also use the registry to turn off Malicious Software Reporting Tool diagnostic data by setting the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\MRT\\DontReportInfectionInformation** to 1.
|
You can also use the registry to turn off Malicious Software Reporting Tool diagnostic data by setting the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\MRT\\DontReportInfectionInformation** to 1.
|
||||||
|
|
||||||
|
### <a href="" id="bkmk-defender-smartscreen"></a>23.1 Windows Defender SmartScreen
|
||||||
|
|
||||||
|
To disable Windows Defender Smartscreen:
|
||||||
|
|
||||||
|
- In Group Policy, configure - **Computer Configuration > Administrative Templates > Windows Components > Windows Defender SmartScreen > Explorer > Configure Windows Defender SmartScreen** : **Disable**
|
||||||
|
|
||||||
|
-or-
|
||||||
|
|
||||||
|
- **Computer Configuration > Administrative Templates > Windows Components > File Explorer > Configure Windows Defender SmartScreen** : **Disable**
|
||||||
|
|
||||||
|
-and-
|
||||||
|
|
||||||
|
- **Computer Configuration > Administrative Templates > Windows Components > Windows Defender SmartScreen > Explorer > Configure app install control** : **Enable**
|
||||||
|
|
||||||
|
-or-
|
||||||
|
|
||||||
|
- Create a REG_DWORD registry setting named **EnableSmartScreen** in **HKEY_LOCAL_MACHINE\Sofware\Policies\Microsoft\Windows\System** with a value of 0 (zero).
|
||||||
|
|
||||||
|
-and-
|
||||||
|
|
||||||
|
- Create a REG_DWORD registry setting named **ConfigureAppInstallControlEnabled** in **HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen** with a value of 1.
|
||||||
|
|
||||||
|
-and-
|
||||||
|
|
||||||
|
- Create a SZ registry setting named **ConfigureAppInstallControl** in **HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen** with a value of **Anywhere**.
|
||||||
|
|
||||||
|
-or-
|
||||||
|
|
||||||
|
- Apply the Browser/AllowSmartScreen MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is turned off and 1 is turned on.
|
||||||
|
|
||||||
### <a href="" id="bkmk-wmp"></a>24. Windows Media Player
|
### <a href="" id="bkmk-wmp"></a>24. Windows Media Player
|
||||||
|
|
||||||
To remove Windows Media Player on Windows 10:
|
To remove Windows Media Player on Windows 10:
|
||||||
|
|||||||
@ -145,13 +145,9 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper
|
|||||||
|
|
||||||
## Certificates
|
## Certificates
|
||||||
|
|
||||||
The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update), but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses.
|
The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update), but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses.
|
||||||
|
|
||||||
| Source process | Protocol | Destination | Applies from Windows 10 version |
|
Additionally, it is used to download certificates that are publicly known to be fraudulent.
|
||||||
|----------------|----------|------------|----------------------------------|
|
|
||||||
| svchost | HTTP | ctldl.windowsupdate.com | 1709 |
|
|
||||||
|
|
||||||
The following endpoints are used to download certificates that are publicly known to be fraudulent.
|
|
||||||
These settings are critical for both Windows security and the overall security of the Internet.
|
These settings are critical for both Windows security and the overall security of the Internet.
|
||||||
We do not recommend blocking this endpoint.
|
We do not recommend blocking this endpoint.
|
||||||
If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.
|
If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.
|
||||||
|
|||||||
Reference in New Issue
Block a user