deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-15 10:23:37 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'refs/remotes/origin/rs1' into jdrs

Browse Source
This commit is contained in:
jdeckerMS
2016-07-27 09:44:13 -07:00
parent 21ffd08a51 c39a99b712
commit c42b3f0809
70 changed files with 1626 additions and 522 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
windows/manage/TOC.md
View File

@ -3,6 +3,7 @@
## [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md)
## [Manage corporate devices](manage-corporate-devices.md)
### [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md)
### [Manage Windows 10 and Windows Store tips, tricks, and suggestions](manage-tips-and-suggestions.md)
### [New policies for Windows 10](new-policies-for-windows-10.md)
### [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md)
### [Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md)

1
windows/manage/change-history-for-manage-and-update-windows-10.md
View File

@ -26,6 +26,7 @@ The topics in this library have been updated for Windows 10, version 1607 (also
| New or changed topic | Description |
| ---|---|
| [Manage Windows 10 and Windows Store tips, tricks, and suggestions](manage-tips-and-suggestions.md) | New |
| [Windows 10 servicing options](introduction-to-windows-10-servicing.md) | Added detailed content on servicing branches, moved from [Windows 10 servicing overview](../plan/windows-10-servicing-options.md). |

21
windows/manage/configure-windows-telemetry-in-your-organization.md
View File

@ -94,10 +94,10 @@ Windows telemetry also helps Microsoft better understand how customers use (or d
**These examples show how the use of telemetry data enables Microsoft to build or enhance features which can help organizations increase employee productivity while lowering help desk calls.**
<!--
### Insights into your own organization
Sharing information with Microsoft helps make Windows and other products better, but it can also help make your internal processes and user experiences better, as well. Microsoft is in the process of developing a set of analytics customized for your internal use. The first of these, called Windows 10 Upgrade Analytics, will be available in Summer 2016.
Sharing information with Microsoft helps make Windows and other products better, but it can also help make your internal processes and user experiences better, as well. Microsoft is in the process of developing a set of analytics customized for your internal use. The first of these, called [Windows 10 Upgrade Analytics](../deploy/manage-windows-upgrades-with-upgrade-analytics.md).
#### Windows 10 Upgrade Analytics
@ -119,7 +119,6 @@ Use Upgrade Analytics to get:
The Upgrade Analytics workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded.
-->
## How is telemetry data handled by Microsoft?
### Data collection
@ -180,7 +179,8 @@ The levels are cumulative and are illustrated in the following diagram. Also, th
The Security level gathers only the telemetry info that is required to keep Windows devices, Windows Server, and guests protected with the latest security updates. This level is only available on Windows Server 2016, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and Windos IoT Core editions.
> **Note:**  If your organization relies on Windows Update for updates, you shouldnt use the **Security** level. Because no Windows Update information is gathered at this level, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates.
> [!NOTE]
> If your organization relies on Windows Update for updates, you shouldnt use the **Security** level. Because no Windows Update information is gathered at this level, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates.
Windows Server Update Services (WSUS) and System Center Configuration Manager functionality is not affected at this level, nor is telemetry data about Windows Server features or System Center gathered.
@ -192,14 +192,15 @@ The data gathered at this level includes:
- **Malicious Software Removal Tool (MSRT)** The MSRT infection report contains information, including device info and IP address.
>**Note:**  You can turn off the MSRT infection report. No MSRT information is included if MSRT is not used. If Windows Update is turned off, MSRT will not be offered to users. For more info, see Microsoft KB article [891716](http://support.microsoft.com/kb/891716).
> [!NOTE]
> You can turn off the MSRT infection report. No MSRT information is included if MSRT is not used. If Windows Update is turned off, MSRT will not be offered to users. For more info, see Microsoft KB article [891716](http://support.microsoft.com/kb/891716).
 
- **Windows Defender/Endpoint Protection**. Windows Defender and System Center Endpoint Protection requires some information to function, including: anti-malware signatures, diagnostic information, User Account Control settings, Unified Extensible Firmware Interface (UEFI) settings, and IP address.
**Note**  
This reporting can be turned off and no information is included if a customer is using third party antimalware software, or if Windows Defender is turned off. For more info, see [Windows Defender](disconnect-your-organization-from-microsoft.md#windows-defender).
> [!NOTE]
> This reporting can be turned off and no information is included if a customer is using third party antimalware software, or if Windows Defender is turned off. For more info, see [Windows Defender](disconnect-your-organization-from-microsoft.md#windows-defender).
Microsoft recommends that Windows Update, Windows Defender, and MSRT remain enabled unless the enterprise uses alternative solutions such as Windows Server Update Services, System Center Configuration Manager, or a third party antimalware solution. Windows Update, Windows Defender, and MSRT provide core Windows functionality such as driver and OS updates, including security updates.
@ -300,7 +301,8 @@ IT pros can use various methods, including Group Policy and Mobile Device Manage
We do not recommend that you turn off telemetry in your organization as valuable functionality may be impacted, but we recognize that in some scenarios this may be required. Use the steps in this section to do so for Windows, Windows Server, and System Center.
>**Important:**  These telemetry levels only apply to Windows, Windows Server, and System Center components and apps that use the Connected User Experience and Telemetry component. Non-Windows components, such as Microsoft Office or other 3rd-party apps, may communicate with their cloud services outside of these telemetry levels. You should work with your app vendors to understand their telemetry policy, and how you can to opt in or opt out. For more information on how Microsoft Office uses telemetry, see [Overview of Office Telemetry](http://technet.microsoft.com/library/jj863580.aspx).
> [!IMPORTANT]
> These telemetry levels only apply to Windows, Windows Server, and System Center components and apps that use the Connected User Experience and Telemetry component. Non-Windows components, such as Microsoft Office or other 3rd-party apps, may communicate with their cloud services outside of these telemetry levels. You should work with your app vendors to understand their telemetry policy, and how you can to opt in or opt out. For more information on how Microsoft Office uses telemetry, see [Overview of Office Telemetry](http://technet.microsoft.com/library/jj863580.aspx).
You can turn on or turn off System Center telemetry gathering. The default is on and the data gathered at this level represents what is gathered by default when System Center telemetry is turned on. However, setting the operating system telemetry level to **Basic** will turn off System Center telemetry, even if the System Center telemetry switch is turned on.
@ -368,7 +370,8 @@ There are a few more settings that you can turn off that may send telemetry info
- Turn off **Linguistic Data Collection** in **Settings** &gt; **Privacy**. At telemetry levels **Enhanced** and **Full**, Microsoft uses Linguistic Data Collection info to improve language model features such as autocomplete, spellcheck, suggestions, input pattern recognition, and dictionary.
>**Note:**  Microsoft does not intend to gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user's device. If we determine that sensitive information has been inadvertently received, we delete the information.
> [!NOTE]
> Microsoft does not intend to gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user's device. If we determine that sensitive information has been inadvertently received, we delete the information.
## Additional resources

2
windows/manage/connect-to-remote-aadj-pc.md
View File

@ -24,7 +24,7 @@ From its release, Windows 10 has supported remote connections to PCs that are jo
## Set up
- Both PCs (local and remote) must be running Windows 10, version 1607. Remote connection to an Azure AD-joined PC that is running earlier versions of Windows 10 is not supported.
- Ensure [Remote Credential Guard](../keep-secure/remote-credential-guardmd), a new feature in Windows 10, version 1607, is turned off on the client PC.
- Ensure [Remote Credential Guard](../keep-secure/remote-credential-guard.md), a new feature in Windows 10, version 1607, is turned off on the client PC.
- On the PC that you want to connect to:
1. Open system properties for the remote PC.
2. Enable **Allow remote connections to this computer** and select **Allow connections only from computers running Remote Desktop with Network Level Authentication**.

BIN
windows/manage/images/settings-table.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 52 KiB

After

Width:  |  Height:  |  Size: 59 KiB

BIN
windows/manage/images/spotlight2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 257 KiB

BIN
windows/manage/images/twain.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 227 KiB

510
windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
View File

@ -22,9 +22,9 @@ Learn about the network connections that Windows components make to Microsoft an
If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider. You can configure telemetry at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment from the list in this article.
Some of the network connections discussed in this article can be managed in Windows 10 Mobile, Windows 10 Mobile Enterprise, and the July release of Windows 10. However, you must use Windows 10 Enterprise, version 1511 or Windows 10 Education, version 1511 to manage them all.
Some of the network connections discussed in this article can be managed in Windows 10 Mobile, Windows 10 Mobile Enterprise, Windows 10, version 1507, and Windows 10, version 1511. However, you must use Windows 10 Enterprise, version 1607 or Windows 10 Education, version 1607 to manage them all.
In Windows 10 Enterprise, version 1511 or Windows 10 Education, version 1511, you can configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all other connections to Microsoft services as described in this article to prevent Windows from sending any data to Microsoft. We strongly recommend against this, as this data helps us deliver a secure, reliable, and more delightful personalized experience.
You can configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all other connections to Microsoft services as described in this article to prevent Windows from sending any data to Microsoft. We strongly recommend against this, as this data helps us deliver a secure, reliable, and more delightful personalized experience.
We are always working on improving Windows 10 for our customers. We invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows 10 work better for your organization.
@ -32,224 +32,164 @@ Here's what's covered in this article:
- [Info management settings](#bkmk-othersettings)
- [1. Cortana](#bkmk-cortana)
- [1. Certificate trust lists](#certificate-trust-lists)
- [1.1 Cortana Group Policies](#bkmk-cortana-gp)
- [2. Cortana](#bkmk-cortana)
- [1.2 Cortana MDM policies](#bkmk-cortana-mdm)
- [2.1 Cortana Group Policies](#bkmk-cortana-gp)
- [1.3 Cortana Windows Provisioning](#bkmk-cortana-prov)
- [2.2 Cortana MDM policies](#bkmk-cortana-mdm)
- [2. Date & Time](#bkmk-datetime)
- [2.3 Cortana Windows Provisioning](#bkmk-cortana-prov)
- [3. Device metadata retrieval](#bkmk-devinst)
- [3. Date & Time](#bkmk-datetime)
- [4. Font streaming](#font-streaming)
- [4. Device metadata retrieval](#bkmk-devinst)
- [5. Insider Preview builds](#bkmk-previewbuilds)
- [5. Font streaming](#font-streaming)
- [6. Internet Explorer](#bkmk-ie)
- [6. Insider Preview builds](#bkmk-previewbuilds)
- [6.1 Internet Explorer Group Policies](#bkmk-ie-gp)
- [7. Internet Explorer](#bkmk-ie)
- [6.2 ActiveX control blocking](#bkmk-ie-activex)
- [7.1 Internet Explorer Group Policies](#bkmk-ie-gp)
- [7. Live Tiles](#live-tiles)
- [7.2 ActiveX control blocking](#bkmk-ie-activex)
- [8. Live Tiles](#live-tiles)
- [8. Mail synchronization](#bkmk-mailsync)
- [9. Mail synchronization](#bkmk-mailsync)
- [9. Microsoft Edge](#bkmk-edge)
- [10. Microsoft Edge](#bkmk-edge)
- [9.1 Microsoft Edge Group Policies](#bkmk-edgegp)
- [10.1 Microsoft Edge Group Policies](#bkmk-edgegp)
- [9.2 Microsoft Edge MDM policies](#bkmk-edge-mdm)
- [10.2 Microsoft Edge MDM policies](#bkmk-edge-mdm)
- [9.3 Microsoft Edge Windows Provisioning](#bkmk-edge-prov)
- [10.3 Microsoft Edge Windows Provisioning](#bkmk-edge-prov)
- [10. Network Connection Status Indicator](#bkmk-ncsi)
- [11. Network Connection Status Indicator](#bkmk-ncsi)
- [11. Offline maps](#bkmk-offlinemaps)
- [12. Offline maps](#bkmk-offlinemaps)
- [12. OneDrive](#bkmk-onedrive)
- [13. OneDrive](#bkmk-onedrive)
- [13. Preinstalled apps](#bkmk-preinstalledapps)
- [14. Preinstalled apps](#bkmk-preinstalledapps)
- [14. Settings &gt; Privacy](#bkmk-settingssection)
- [15. Settings &gt; Privacy](#bkmk-settingssection)
- [14.1 General](#bkmk-priv-general)
- [15.1 General](#bkmk-priv-general)
- [14.2 Location](#bkmk-priv-location)
- [15.2 Location](#bkmk-priv-location)
- [14.3 Camera](#bkmk-priv-camera)
- [15.3 Camera](#bkmk-priv-camera)
- [14.4 Microphone](#bkmk-priv-microphone)
- [15.4 Microphone](#bkmk-priv-microphone)
- [14.5 Speech, inking, & typing](#bkmk-priv-speech)
- [15.5 Notifications](#bkmk-priv-notifications)
- [14.6 Account info](#bkmk-priv-accounts)
- [15.6 Speech, inking, & typing](#bkmk-priv-speech)
- [14.7 Contacts](#bkmk-priv-contacts)
- [15.7 Account info](#bkmk-priv-accounts)
- [14.8 Calendar](#bkmk-priv-calendar)
- [15.8 Contacts](#bkmk-priv-contacts)
- [14.9 Call history](#bkmk-priv-callhistory)
- [15.9 Calendar](#bkmk-priv-calendar)
- [14.10 Email](#bkmk-priv-email)
- [15.10 Call history](#bkmk-priv-callhistory)
- [14.11 Messaging](#bkmk-priv-messaging)
- [15.11 Email](#bkmk-priv-email)
- [14.12 Radios](#bkmk-priv-radios)
- [15.12 Messaging](#bkmk-priv-messaging)
- [14.13 Other devices](#bkmk-priv-other-devices)
- [15.13 Radios](#bkmk-priv-radios)
- [14.14 Feedback & diagnostics](#bkmk-priv-feedback)
- [15.14 Other devices](#bkmk-priv-other-devices)
- [14.15 Background apps](#bkmk-priv-background)
- [15.15 Feedback & diagnostics](#bkmk-priv-feedback)
- [15. Software Protection Platform](#bkmk-spp)
- [15.16 Background apps](#bkmk-priv-background)
- [16. Sync your settings](#bkmk-syncsettings)
- [16. Software Protection Platform](#bkmk-spp)
- [17. Teredo](#bkmk-teredo)
- [17. Sync your settings](#bkmk-syncsettings)
- [18. Wi-Fi Sense](#bkmk-wifisense)
- [18. Teredo](#bkmk-teredo)
- [19. Windows Defender](#bkmk-defender)
- [19. Wi-Fi Sense](#bkmk-wifisense)
- [20. Windows Media Player](#bkmk-wmp)
- [20. Windows Defender](#bkmk-defender)
- [21. Windows spotlight](#bkmk-spotlight)
- [21. Windows Media Player](#bkmk-wmp)
- [22. Windows Store](#bkmk-windowsstore)
- [22. Windows spotlight](#bkmk-spotlight)
- [23. Windows Update Delivery Optimization](#bkmk-updates)
- [23. Windows Store](#bkmk-windowsstore)
- [23.1 Settings &gt; Update & security](#bkmk-wudo-ui)
- [24. Windows Update Delivery Optimization](#bkmk-updates)
- [23.2 Delivery Optimization Group Policies](#bkmk-wudo-gp)
- [24.1 Settings &gt; Update & security](#bkmk-wudo-ui)
- [23.3 Delivery Optimization MDM policies](#bkmk-wudo-mdm)
- [24.2 Delivery Optimization Group Policies](#bkmk-wudo-gp)
- [23.4 Delivery Optimization Windows Provisioning](#bkmk-wudo-prov)
- [24.3 Delivery Optimization MDM policies](#bkmk-wudo-mdm)
- [24. Windows Update](#bkmk-wu)
- [24.4 Delivery Optimization Windows Provisioning](#bkmk-wudo-prov)
## What's new in Windows 10, version 1511
- [25. Windows Update](#bkmk-wu)
## What's new in Windows 10, version 1607
Here's a list of changes that were made to this article for Windows 10, version 1511:
Here's a list of changes that were made to this article for Windows 10, version 1607:
- Added the following new sections:
- Added instructions on how to turn off speech recognition and speech synthesis model updates in [14.5 Speech, inking, & typing](#bkmk-priv-speech).
- Added instructions on how to turn off flip ahead with an Internet Explorer Group Policy.
- Added a section on how to turn off automatic root updates to stop updating the certificate trust list in [1. Certificate trust lists](#certificate-trust-lists).
- Added a new setting in [25. Windows Update](#bkmk-wu).
- Changed the NCSI URL in [11. Network Connection Status Indicator](#bkmk-ncsi).
- [Mail synchronization](#bkmk-mailsync)
- Added the following Group Policies:
- [Offline maps](#bkmk-offlinemaps)
- [Windows spotlight](#bkmk-spotlight)
- [Windows Store](#bkmk-windowsstore)
- Added the following Group Policies:
- Open a new tab with an empty tab
- Configure corporate Home pages
- Let Windows apps access location
- Let Windows apps access the camera
- Let Windows apps access the microphone
- Let Windows apps access account information
- Let Windows apps access contacts
- Let Windows apps access the calendar
- Let Windows apps access messaging
- Let Windows apps control radios
- Let Windows apps access trusted devices
- Do not show feedback notifications
- Turn off Automatic Download and Update of Map Data
- Force a specific default lock screen image
- Added the AllowLinguisticDataCollection MDM policy.
- Added steps in the [Cortana](#bkmk-cortana) section on how to disable outbound traffic using Windows Firewall.
- Changed the Windows Update section to apply system-wide settings, and not just per user.
- Turn off unsolicited network traffic on the Offline Maps settings page
- Turn off all Windows spotlight features
## <a href="" id="bkmk-othersettings"></a>Info management settings
This section lists the components that make network connections to Microsoft services automatically. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all of these connections. We strongly recommend against this, as this data helps us deliver a secure, reliable, and more delightful personalized experience.
The settings in this section assume you are using Windows 10, version 1511 (currently available in the Current Branch and Current Branch for Business). They will also be included in the next update for the Long Term Servicing Branch.
- [1. Cortana](#bkmk-cortana)
- [2. Date & Time](#bkmk-datetime)
- [3. Device metadata retrieval](#bkmk-devinst)
- [4. Font streaming](#font-streaming)
- [5. Insider Preview builds](#bkmk-previewbuilds)
- [6. Internet Explorer](#bkmk-ie)
- [7. Live Tiles](#live-tiles)
- [8. Mail synchronization](#bkmk-mailsync)
- [9. Microsoft Edge](#bkmk-edge)
- [10. Network Connection Status Indicator](#bkmk-ncsi)
- [11. Offline maps](#bkmk-offlinemaps)
- [12. OneDrive](#bkmk-onedrive)
- [13. Preinstalled apps](#bkmk-preinstalledapps)
- [14. Settings &gt; Privacy](#bkmk-settingssection)
- [15. Software Protection Platform](#bkmk-spp)
- [16. Sync your settings](#bkmk-syncsettings)
- [17. Teredo](#bkmk-teredo)
- [18. Wi-Fi Sense](#bkmk-wifisense)
- [19. Windows Defender](#bkmk-defender)
- [20. Windows Media Player](#bkmk-wmp)
- [21. Windows spotlight](#bkmk-spotlight)
- [22. Windows Store](#bkmk-windowsstore)
- [23. Windows Update Delivery Optimization](#bkmk-updates)
- [24. Windows Update](#bkmk-wu)
The settings in this section assume you are using Windows 10, version 1607. They will also be included in the next update for the Long Term Servicing Branch.
See the following table for a summary of the management settings. For more info, see its corresponding section.
![Management settings table](images/settings-table.png)
### <a href="" id="bkmk-cortana"></a>1. Cortana
### <a href="" id="certificate-trust-lists"></a>1. Certificate trust lists
A certificate trust list is a predefined list of items, such as a list of certificate hashes or a list of file name, that are signed by a trusted entity. Windows automatically downloads an updated certificate trust list when it is available.
To turn off the automatic download of an updated certificate trust list, you can turn off automatic root updates, which also includes the disallowed certificate list and the pin rules list.
- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Automatic Root Certificates Update**
-or-
- Create a REG\_DWORD registry setting called **DisableRootAutoUpdate** in **HKEY\_LOCAL\_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\DisableRootAutoUpdate**, with a value of 1.
After that, do the following in a Group Policy:
1. Navigate to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Public Key Policies**.
2. Double-click **Certificate Path Validation Settings**.
3. On the **Network Retrieval** tab, select the **Define these policy settings** check box.
4. Clear the **Automatically update certificates in the Microsoft Root Certificate Program (recommended)** check box, and then click **OK**.
### <a href="" id="bkmk-cortana"></a>2. Cortana
Use either Group Policy or MDM policies to manage settings for Cortana. For more info, see [Cortana, Search, and privacy: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=730683).
### <a href="" id="bkmk-cortana-gp"></a>1.1 Cortana Group Policies
### <a href="" id="bkmk-cortana-gp"></a>2.1 Cortana Group Policies
Find the Cortana Group Policy objects under **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Search**.
@ -261,7 +201,10 @@ Find the Cortana Group Policy objects under **Computer Configuration** &gt; **Ad
| Don't search the web or display web results in Search| Choose whether to search the web from Cortana. |
| Set what information is shared in Search | Control what information is shared with Bing in Search. |
When you enable the **Don't search the web or display web results in Search** Group Policy, you can control the behavior of whether Cortana searches the web to display web results. However, this policy only covers whether or not web search is performed. There could still be a small amount of network traffic to Bing.com to evaluate if certain Cortana components are up-to-date or not. In order to turn off that network activity completely, you can create a Windows Firewall rule to prevent outbound traffic.
In Windows 10, version 1507 and Windows 10, version 1511, When you enable the **Don't search the web or display web results in Search** Group Policy, you can control the behavior of whether Cortana searches the web to display web results. However, this policy only covers whether or not web search is performed. There could still be a small amount of network traffic to Bing.com to evaluate if certain Cortana components are up-to-date or not. In order to turn off that network activity completely, you can create a Windows Firewall rule to prevent outbound traffic.
>[!IMPORTANT]
>These steps are not required for devices running Windows 10, version 1607.
1. Expand **Computer Configuration** &gt; **Windows Settings** &gt; **Security Settings** &gt; **Windows Firewall with Advanced Security** &gt; **Windows Firewall with Advanced Security - &lt;LDAP name&gt;**, and then click **Outbound Rules**.
@ -287,9 +230,9 @@ When you enable the **Don't search the web or display web results in Search** Gr
- For **Remote port**, choose **All ports**.
> **Note:** If your organization tests network traffic, you should not use Fiddler to test Windows Firewall settings. Fiddler is a network proxy and Windows Firewall does not block proxy traffic. You should use a network traffic analyzer, such as WireShark or Message Analyzer.
If your organization tests network traffic, you should not use Fiddler to test Windows Firewall settings. Fiddler is a network proxy and Windows Firewall does not block proxy traffic. You should use a network traffic analyzer, such as WireShark or Message Analyzer.
### <a href="" id="bkmk-cortana-mdm"></a>1.2 Cortana MDM policies
### <a href="" id="bkmk-cortana-mdm"></a>2.2 Cortana MDM policies
The following Cortana MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
@ -298,11 +241,11 @@ The following Cortana MDM policies are available in the [Policy CSP](http://msdn
| Experience/AllowCortana | Choose whether to let Cortana install and run on the device. |
| Search/AllowSearchToUseLocation | Choose whether Cortana and Search can provide location-aware search results. <br /> Default: Allowed|
### <a href="" id="bkmk-cortana-prov"></a>1.3 Cortana Windows Provisioning
### <a href="" id="bkmk-cortana-prov"></a>2.3 Cortana Windows Provisioning
To use Windows Imaging and Configuration Designer (ICD) to create a provisioning package with the settings for these policies, go to **Runtime settings** &gt; **Policies** to find **Experience** &gt; **AllowCortana** and **Search** &gt; **AllowSearchToUseLocation**.
### <a href="" id="bkmk-datetime"></a>2. Date & Time
### <a href="" id="bkmk-datetime"></a>3. Date & Time
You can prevent Windows from setting the time automatically.
@ -312,19 +255,20 @@ You can prevent Windows from setting the time automatically.
- Create a REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters\\Type** with a value of **NoSync**.
### <a href="" id="bkmk-devinst"></a>3. Device metadata retrieval
### <a href="" id="bkmk-devinst"></a>4. Device metadata retrieval
To prevent Windows from retrieving device metadata from the Internet, apply the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **System** &gt; **Device Installation** &gt; **Prevent device metadata retrieval from the Internet**.
### <a href="" id="font-streaming"></a>4. Font streaming
### <a href="" id="font-streaming"></a>5. Font streaming
Starting with Windows 10, fonts that are included in Windows but that are not stored on the local device can be downloaded on demand.
To turn off font streaming, create a REG\_DWORD registry setting called **DisableFontProviders** in **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\FontCache\\Parameters**, with a value of 1.
> **Note:** This may change in future versions of Windows.
> [!NOTE]
> This may change in future versions of Windows.
### <a href="" id="bkmk-previewbuilds"></a>5. Insider Preview builds
### <a href="" id="bkmk-previewbuilds"></a>6. Insider Preview builds
To turn off Insider Preview builds if you're running a released version of Windows 10. If you're running a preview version of Windows 10, you must roll back to a released version before you can turn off Insider Preview builds.
@ -354,11 +298,11 @@ To turn off Insider Preview builds if you're running a released version of Windo
- **2**. (default) Not configured. Users can make their devices available for download and installing preview software.
### <a href="" id="bkmk-ie"></a>6. Internet Explorer
### <a href="" id="bkmk-ie"></a>7. Internet Explorer
Use Group Policy to manage settings for Internet Explorer.
### <a href="" id="bkmk-ie-gp"></a>6.1 Internet Explorer Group Policies
### <a href="" id="bkmk-ie-gp"></a>7.1 Internet Explorer Group Policies
Find the Internet Explorer Group Policy objects under **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Internet Explorer**.
@ -370,19 +314,26 @@ Find the Internet Explorer Group Policy objects under **Computer Configuration**
| Disable Periodic Check for Internet Explorer software updates| Choose whether Internet Explorer periodically checks for a new version. <br /> Default: Enabled |
| Turn off browser geolocation | Choose whether websites can request location data from Internet Explorer. <br /> Default: Disabled|
### <a href="" id="bkmk-ie-activex"></a>6.2 ActiveX control blocking
There are two more Group Policy objects that are used by Internet Explorer:
| Path | Policy | Description |
| - | - | - |
| **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Internet Control Panel** > **Advanced Page** | Turn off the flip ahead with page prediction feature | Choose whether an employee can swipe across a screen or click forward to go to the next pre-loaded page of a website. <br /> Default: Enabled |
| **Computer Configuration** > **Administrative Templates** > **Windows Components** > **RSS Feeds** | Turn off background synchronization for feeds and Web Slices | Choose whether to have background synchronization for feeds and Web Slices. <br /> Default: Enabled |
### <a href="" id="bkmk-ie-activex"></a>7.2 ActiveX control blocking
ActiveX control blocking periodically downloads a new list of out-of-date ActiveX controls that should be blocked. You can turn this off by changing the REG\_DWORD registry setting **HKEY\_CURRENT\_USER\\Software\\Microsoft\\Internet Explorer\\VersionManager\\DownloadVersionList** to 0 (zero).
For more info, see [Out-of-date ActiveX control blocking](http://technet.microsoft.com/library/dn761713.aspx).
### <a href="" id="live-tiles"></a>7. Live Tiles
### <a href="" id="live-tiles"></a>8. Live Tiles
To turn off Live Tiles:
- Apply the Group Policy: **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Notifications** > **Turn Off notifications network usage**
### <a href="" id="bkmk-mailsync"></a>8. Mail synchronization
### <a href="" id="bkmk-mailsync"></a>9. Mail synchronization
To turn off mail synchronization for Microsoft Accounts that are configured on a device:
@ -400,15 +351,29 @@ To turn off the Windows Mail app:
- Apply the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Windows Mail** &gt; **Turn off Windows Mail application**
### <a href="" id="bkmk-edge"></a>9. Microsoft Edge
### <a href="" id="bkmk-edge"></a>10. Microsoft Edge
Use either Group Policy or MDM policies to manage settings for Microsoft Edge. For more info, see [Microsoft Edge and privacy: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=730682).
### <a href="" id="bkmk-edgegp"></a>9.1 Microsoft Edge Group Policies
### <a href="" id="bkmk-edgegp"></a>10.1 Microsoft Edge Group Policies
Find the Microsoft Edge Group Policy objects under **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Microsoft Edge**.
> **Note:** The Microsoft Edge Group Policy names were changed in Windows 10, version 1511. The table below reflects those changes.
> [!NOTE]
> The Microsoft Edge Group Policy names were changed in Windows 10, version 1607. The table below reflects those changes.
| Policy | Description |
|------------------------------------------------------|-----------------------------------------------------------------------------------------------------|
| Configure autofill | Choose whether employees can use autofill on websites. <br /> Default: Enabled |
| Configure Do Not Track | Choose whether employees can send Do Not Track headers.<br /> Default: Disabled |
| Configure password manager | Choose whether employees can save passwords locally on their devices. <br /> Default: Enabled |
| Configure search suggestions in Address bar | Choose whether the address bar shows search suggestions. <br /> Default: Enabled |
| Configure SmartScreen Filter | Choose whether SmartScreen is turned on or off. <br /> Default: Enabled |
| Allow web content on New Tab page | Choose whether a new tab page appears. <br /> Default: Enabled |
| Configure Home pages | Choose the corporate Home page for domain-joined devices. <br /> Set this to **about:blank** |
The Windows 10, version 1511 Microsoft Edge Group Policy names are:
| Policy | Description |
|------------------------------------------------------|-----------------------------------------------------------------------------------------------------|
@ -420,7 +385,7 @@ Find the Microsoft Edge Group Policy objects under **Computer Configuration** &g
| Open a new tab with an empty tab | Choose whether a new tab page appears. <br /> Default: Enabled |
| Configure corporate Home pages | Choose the corporate Home page for domain-joined devices. <br /> Set this to **about:blank** |
### <a href="" id="bkmk-edge-mdm"></a>9.2 Microsoft Edge MDM policies
### <a href="" id="bkmk-edge-mdm"></a>10.2 Microsoft Edge MDM policies
The following Microsoft Edge MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
@ -432,35 +397,42 @@ The following Microsoft Edge MDM policies are available in the [Policy CSP](http
| Browser/AllowSearchSuggestionsinAddressBar | Choose whether the address bar shows search suggestions.. <br /> Default: Allowed |
| Browser/AllowSmartScreen | Choose whether SmartScreen is turned on or off. <br /> Default: Allowed |
### <a href="" id="bkmk-edge-prov"></a>9.3 Microsoft Edge Windows Provisioning
### <a href="" id="bkmk-edge-prov"></a>10.3 Microsoft Edge Windows Provisioning
Use Windows ICD to create a provisioning package with the settings for these policies, go to **Runtime settings** &gt; **Policies**.
For a complete list of the Microsoft Edge policies, see [Available policies for Microsoft Edge](http://technet.microsoft.com/library/mt270204.aspx).
### <a href="" id="bkmk-ncsi"></a>10. Network Connection Status Indicator
### <a href="" id="bkmk-ncsi"></a>11. Network Connection Status Indicator
Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to http://www.msftncsi.com to determine if the device can communicate with the Internet. For more info about NCIS, see [The Network Connection Status Icon](http://blogs.technet.com/b/networking/archive/2012/12/20/the-network-connection-status-icon.aspx).
Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to http://www.msftconnecttest.com/connecttest.txt to determine if the device can communicate with the Internet. For more info about NCIS, see [The Network Connection Status Icon](http://blogs.technet.com/b/networking/archive/2012/12/20/the-network-connection-status-icon.aspx).
In versions of Windows 10 prior to Windows 10, version 1607, the URL was http://www.msftncsi.com.
You can turn off NCSI through Group Policy:
- Enable the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **System** &gt; **Internet Communication Management** &gt; **Internet Communication Settings** &gt; **Turn off Windows Network Connectivity Status Indicator active tests**
> **Note** After you apply this policy, you must restart the device for the policy setting to take effect.
> [!NOTE]
> After you apply this policy, you must restart the device for the policy setting to take effect.
### <a href="" id="bkmk-offlinemaps"></a>11. Offline maps
### <a href="" id="bkmk-offlinemaps"></a>12. Offline maps
You can turn off the ability to download and update offline maps.
- Apply the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Maps** &gt; **Turn off Automatic Download and Update of Map Data**
### <a href="" id="bkmk-onedrive"></a>12. OneDrive
-and-
- In Windows 10, version 1607 and later, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off unsolicited network traffic on the Offline Maps settings page**
### <a href="" id="bkmk-onedrive"></a>13. OneDrive
To turn off OneDrive in your organization:
- Apply the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **OneDrive** &gt; **Prevent the usage of OneDrive for file storage**
### <a href="" id="bkmk-preinstalledapps"></a>13. Preinstalled apps
### <a href="" id="bkmk-preinstalledapps"></a>14. Preinstalled apps
Some preinstalled apps get content before they are opened to ensure a great experience. You can remove these using the steps in this section.
@ -572,47 +544,50 @@ To remove the Get Skype app:
Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.SkypeApp | Remove-AppxPackage**
### <a href="" id="bkmk-settingssection"></a>14. Settings &gt; Privacy
### <a href="" id="bkmk-settingssection"></a>15. Settings &gt; Privacy
Use Settings &gt; Privacy to configure some settings that may be important to your organization. Except for the Feedback & Diagnostics page, these settings must be configured for every user account that signs into the PC.
- [14.1 General](#bkmk-general)
- [15.1 General](#bkmk-general)
- [14.2 Location](#bkmk-priv-location)
- [15.2 Location](#bkmk-priv-location)
- [14.3 Camera](#bkmk-priv-camera)
- [15.3 Camera](#bkmk-priv-camera)
- [14.4 Microphone](#bkmk-priv-microphone)
- [15.4 Microphone](#bkmk-priv-microphone)
- [14.5 Speech, inking, & typing](#bkmk-priv-speech)
- [15.5 Notifications](#bkmk-priv-notifications)
- [14.6 Account info](#bkmk-priv-accounts)
- [15.6 Speech, inking, & typing](#bkmk-priv-speech)
- [14.7 Contacts](#bkmk-priv-contacts)
- [15.7 Account info](#bkmk-priv-accounts)
- [14.8 Calendar](#bkmk-priv-calendar)
- [15.8 Contacts](#bkmk-priv-contacts)
- [14.9 Call history](#bkmk-priv-callhistory)
- [15.9 Calendar](#bkmk-priv-calendar)
- [14.10 Email](#bkmk-priv-email)
- [15.10 Call history](#bkmk-priv-callhistory)
- [14.11 Messaging](#bkmk-priv-messaging)
- [15.11 Email](#bkmk-priv-email)
- [14.12 Radios](#bkmk-priv-radios)
- [15.12 Messaging](#bkmk-priv-messaging)
- [14.13 Other devices](#bkmk-priv-other-devices)
- [15.13 Radios](#bkmk-priv-radios)
- [14.14 Feedback & diagnostics](#bkmk-priv-feedback)
- [15.14 Other devices](#bkmk-priv-other-devices)
- [14.15 Background apps](#bkmk-priv-background)
- [15.15 Feedback & diagnostics](#bkmk-priv-feedback)
### <a href="" id="bkmk-general"></a>14.1 General
- [15.16 Background apps](#bkmk-priv-background)
### <a href="" id="bkmk-general"></a>15.1 General
**General** includes options that don't fall into other areas.
To turn off **Let apps use my advertising ID for experiences across apps (turning this off will reset your ID)**:
> **Note:** When you turn this feature off in the UI, it turns off the advertising ID, not just resets it.
> [!NOTE]
> When you turn this feature off in the UI, it turns off the advertising ID, not just resets it.
- Turn off the feature in the UI.
@ -648,11 +623,12 @@ To turn off **Turn on SmartScreen Filter to check web content (URLs) that Window
-or-
- Create a REG\_DWORD registry setting called **Enabled** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppHost\\EnableWebContentEvaluation**, with a value of 0 (zero).
- Create a REG\_DWORD registry setting called **EnableWebContentEvaluation** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppHost**, with a value of 0 (zero).
To turn off **Send Microsoft info about how I write to help us improve typing and writing in the future**:
> **Note: ** If the telemetry level is set to either **Basic** or **Security**, this is turned off automatically.
> [!NOTE]
> If the telemetry level is set to either **Basic** or **Security**, this is turned off automatically.
@ -674,7 +650,15 @@ To turn off **Let websites provide locally relevant content by accessing my lang
- Create a new REG\_DWORD registry setting called **HttpAcceptLanguageOptOut** in **HKEY\_CURRENT\_USER\\Control Panel\\International\\User Profile**, with a value of 1.
### <a href="" id="bkmk-priv-location"></a>14.2 Location
To turn off **Let apps on my other devices open apps and continue experiences on this devices**:
- Turn off the feature in the UI.
To turn off **Let apps on my other devices use Bluetooth to open apps and continue experiences on this device**:
- Turn off the feature in the UI.
### <a href="" id="bkmk-priv-location"></a>15.2 Location
In the **Location** area, you choose whether devices have access to location-specific sensors and which apps have access to the device's location.
@ -696,8 +680,8 @@ To turn off **Location for this device**:
- **2**. Turned on and the employee can't turn it off.
**Note**
You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](http://msdn.microsoft.com/library/dn905224.aspx).
> [!NOTE]
> You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](http://msdn.microsoft.com/library/dn905224.aspx).
-or-
@ -725,7 +709,7 @@ To turn off **Choose apps that can use your location**:
- Turn off each app using the UI.
### <a href="" id="bkmk-priv-camera"></a>14.3 Camera
### <a href="" id="bkmk-priv-camera"></a>15.3 Camera
In the **Camera** area, you can choose which apps can access a device's camera.
@ -747,8 +731,8 @@ To turn off **Let apps use my camera**:
- **1**. Apps can use the camera.
**Note**
You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](http://msdn.microsoft.com/library/dn905224.aspx).
> [!NOTE]
> You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](http://msdn.microsoft.com/library/dn905224.aspx).
-or-
@ -762,7 +746,7 @@ To turn off **Choose apps that can use your camera**:
- Turn off the feature in the UI for each app.
### <a href="" id="bkmk-priv-microphone"></a>14.4 Microphone
### <a href="" id="bkmk-priv-microphone"></a>15.4 Microphone
In the **Microphone** area, you can choose which apps can access a device's microphone.
@ -780,13 +764,26 @@ To turn off **Choose apps that can use your microphone**:
- Turn off the feature in the UI for each app.
### <a href="" id="bkmk-priv-speech"></a>14.5 Speech, inking, & typing
### <a href="" id="bkmk-priv-notifications"></a>15.5 Notifications
In the **Notifications** area, you can choose which apps have access to notifications.
To turn off **Let apps access my notifications**:
- Turn off the feature in the UI.
-or-
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access my notifications**
- Set the **Select a setting** box to **Force Deny**.
### <a href="" id="bkmk-priv-speech"></a>15.6 Speech, inking, & typing
In the **Speech, Inking, & Typing** area, you can let Windows and Cortana better understand your employee's voice and written input by sampling their voice and writing, and by comparing verbal and written input to contact names and calendar entrees.
> **Note:** For more info on how to disable Cortana in your enterprise, see [Cortana](#bkmk-cortana) in this article.
> [!NOTE]
> For more info on how to disable Cortana in your enterprise, see [Cortana](#bkmk-cortana) in this article.
To turn off the functionality:
@ -802,9 +799,21 @@ To turn off the functionality:
-and-
Create a REG\_DWORD registry setting called **HarvestContacts** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\InputPersonalization\\TrainedDataStore**, with a value of 0 (zero).
- Create a REG\_DWORD registry setting called **HarvestContacts** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\InputPersonalization\\TrainedDataStore**, with a value of 0 (zero).
### <a href="" id="bkmk-priv-accounts"></a>14.6 Account info
If you're running at least Windows 10, version 1607, you can turn off updates to the speech recognition and speech synthesis models:
Apply the Speech/AllowSpeechModelUpdate MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962(v=vs.85).aspx#Speech_AllowSpeechModelUpdate), where:
- **0** (default). Not allowed.
- **1**. Allowed.
-or-
- Create a REG\_DWORD registry setting called **AllowSpeechModelUpdate** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\Current\\Device\\Speech**, with a value of 0 (zero).
### <a href="" id="bkmk-priv-accounts"></a>15.7 Account info
In the **Account Info** area, you can choose which apps can access your name, picture, and other account info.
@ -822,7 +831,7 @@ To turn off **Choose the apps that can access your account info**:
- Turn off the feature in the UI for each app.
### <a href="" id="bkmk-priv-contacts"></a>14.7 Contacts
### <a href="" id="bkmk-priv-contacts"></a>15.8 Contacts
In the **Contacts** area, you can choose which apps can access an employee's contacts list.
@ -836,7 +845,7 @@ To turn off **Choose apps that can access contacts**:
- Set the **Select a setting** box to **Force Deny**.
### <a href="" id="bkmk-priv-calendar"></a>14.8 Calendar
### <a href="" id="bkmk-priv-calendar"></a>15.9 Calendar
In the **Calendar** area, you can choose which apps have access to an employee's calendar.
@ -854,7 +863,7 @@ To turn off **Choose apps that can access calendar**:
- Turn off the feature in the UI for each app.
### <a href="" id="bkmk-priv-callhistory"></a>14.9 Call history
### <a href="" id="bkmk-priv-callhistory"></a>15.10 Call history
In the **Call history** area, you can choose which apps have access to an employee's call history.
@ -868,7 +877,7 @@ To turn off **Let apps access my call history**:
- Set the **Select a setting** box to **Force Deny**.
### <a href="" id="bkmk-priv-email"></a>14.10 Email
### <a href="" id="bkmk-priv-email"></a>15.11 Email
In the **Email** area, you can choose which apps have can access and send email.
@ -882,7 +891,7 @@ To turn off **Let apps access and send email**:
- Set the **Select a setting** box to **Force Deny**.
### <a href="" id="bkmk-priv-messaging"></a>14.11 Messaging
### <a href="" id="bkmk-priv-messaging"></a>15.12 Messaging
In the **Messaging** area, you can choose which apps can read or send messages.
@ -900,7 +909,7 @@ To turn off **Choose apps that can read or send messages**:
- Turn off the feature in the UI for each app.
### <a href="" id="bkmk-priv-radios"></a>14.12 Radios
### <a href="" id="bkmk-priv-radios"></a>15.13 Radios
In the **Radios** area, you can choose which apps can turn a device's radio on or off.
@ -918,7 +927,7 @@ To turn off **Choose apps that can control radios**:
- Turn off the feature in the UI for each app.
### <a href="" id="bkmk-priv-other-devices"></a>14.13 Other devices
### <a href="" id="bkmk-priv-other-devices"></a>15.14 Other devices
In the **Other Devices** area, you can choose whether devices that aren't paired to PCs, such as an Xbox One, can share and sync info.
@ -936,14 +945,14 @@ To turn off **Let your apps use your trusted devices (hardware you've already co
- Set the **Select a setting** box to **Force Deny**.
### <a href="" id="bkmk-priv-feedback"></a>14.14 Feedback & diagnostics
### <a href="" id="bkmk-priv-feedback"></a>15.15 Feedback & diagnostics
In the **Feedback & Diagnostics** area, you can choose how often you're asked for feedback and how much diagnostic and usage information is sent to Microsoft.
To change how frequently **Windows should ask for my feedback**:
**Note**
Feedback frequency only applies to user-generated feedback, not diagnostic and usage data sent from the device.
> [!NOTE]
> Feedback frequency only applies to user-generated feedback, not diagnostic and usage data sent from the device.
@ -977,7 +986,8 @@ To change the level of diagnostic and usage data sent when you **Send your devic
- To change from **Enhanced**, use the drop-down list in the UI. The other levels are **Basic** and **Full**.
> **Note:** You can't use the UI to change the telemetry level to **Security**.
> [!NOTE]
> You can't use the UI to change the telemetry level to **Security**.
@ -1009,7 +1019,7 @@ To change the level of diagnostic and usage data sent when you **Send your devic
- **3**. Maps to the **Full** level.
### <a href="" id="bkmk-priv-background"></a>14.15 Background apps
### <a href="" id="bkmk-priv-background"></a>15.16 Background apps
In the **Background Apps** area, you can choose which apps can run in the background.
@ -1017,7 +1027,7 @@ To turn off **Let apps run in the background**:
- Turn off the feature in the UI for each app.
### <a href="" id="bkmk-spp"></a>15. Software Protection Platform
### <a href="" id="bkmk-spp"></a>16. Software Protection Platform
Enterprise customers can manage their Windows activation status with volume licensing using an on-premise Key Management Server. You can opt out of sending KMS client activation data to Microsoft automatically by applying the following Group Policy:
@ -1025,7 +1035,7 @@ Enterprise customers can manage their Windows activation status with volume lice
The Windows activation status will be valid for a rolling period of 180 days with weekly activation status checks to the KMS.
### <a href="" id="bkmk-syncsettings"></a>16. Sync your settings
### <a href="" id="bkmk-syncsettings"></a>17. Sync your settings
You can control if your settings are synchronized:
@ -1051,13 +1061,13 @@ To turn off Messaging cloud sync:
- Create a REG\_DWORD registry setting called **CloudServiceSyncEnabled** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Messaging**, with a value of 0 (zero).
### <a href="" id="bkmk-teredo"></a>17. Teredo
### <a href="" id="bkmk-teredo"></a>18. Teredo
You can disable Teredo by using the netsh.exe command. For more info on Teredo, see [Internet Protocol Version 6, Teredo, and Related Technologies](http://technet.microsoft.com/library/cc722030.aspx).
- From an elevated command prompt, run **netsh interface teredo set state disabled**
### <a href="" id="bkmk-wifisense"></a>18. Wi-Fi Sense
### <a href="" id="bkmk-wifisense"></a>19. Wi-Fi Sense
Wi-Fi Sense automatically connects devices to known hotspots and to the wireless networks the persons contacts have shared with them.
@ -1083,7 +1093,7 @@ To turn off **Connect to suggested open hotspots** and **Connect to networks sha
When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings screen, but theyre non-functional and they cant be controlled by the employee.
### <a href="" id="bkmk-defender"></a>19. Windows Defender
### <a href="" id="bkmk-defender"></a>20. Windows Defender
You can disconnect from the Microsoft Antimalware Protection Service.
@ -1127,11 +1137,15 @@ You can stop downloading definition updates:
-and-
- Enable the Group Policy **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Windows Defender** &gt; **Signature Updates** &gt; **Define file shares for downloading definition updates** and set it to nothing.
- Disable the Group Policy **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Windows Defender** &gt; **Signature Updates** &gt; **Define file shares for downloading definition updates** and set it to nothing.
You can stop Enhanced Notifications:
- Turn off the feature in the UI.
You can also use the registry to turn off Malicious Software Reporting Tool telemetry by setting the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\MRT\\DontReportInfectionInformation** to 1.
### <a href="" id="bkmk-wmp"></a>20. Windows Media Player
### <a href="" id="bkmk-wmp"></a>21. Windows Media Player
To remove Windows Media Player:
@ -1141,9 +1155,15 @@ To remove Windows Media Player:
- Run the following DISM command from an elevated command prompt: **dism /online /Disable-Feature /FeatureName:WindowsMediaPlayer**
### <a href="" id="bkmk-spotlight"></a>21. Windows spotlight
### <a href="" id="bkmk-spotlight"></a>22. Windows spotlight
Windows spotlight provides different background images and text on the lock screen. You can control it by using the user interface or through Group Policy.
Windows spotlight provides features such as different background images and text on the lock screen, suggested apps, Microsoft account notifications, and Windows tips. You can control it by using the user interface or through Group Policy.
If you're running Windows 10, version 1607 or later, you only need to enable the following Group Policy:
- **User Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off all Windows spotlight features**
If you're not running Windows 10, version 1607 or later, you can use the other options in this section.
- Configure the following in **Settings**:
@ -1162,7 +1182,8 @@ Windows spotlight provides different background images and text on the lock scre
- Set the **Turn off fun facts, tips, tricks, and more on lock screen** check box.
**Note** This will only take effect if the policy is applied before the first logon. If you cannot apply the **Force a specific default lock screen image** policy before the first logon to the device, you can apply this policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Control Panel** &gt; **Personalization** &gt; **Do not display the lock screen**.
> [!NOTE]
> This will only take effect if the policy is applied before the first logon. If you cannot apply the **Force a specific default lock screen image** policy before the first logon to the device, you can apply this policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Control Panel** &gt; **Personalization** &gt; **Do not display the lock screen**.
@ -1170,15 +1191,15 @@ Windows spotlight provides different background images and text on the lock scre
- **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Cloud Content** &gt; **Turn off Microsoft consumer experiences**.
For more info, see [Windows spotlight on the lock screen](../whats-new/windows-spotlight.md).
For more info, see [Manage user experiences in Windows 10, version 1607](../manage/manage-user-experiences-windows-10.md).
### <a href="" id="bkmk-windowsstore"></a>22. Windows Store
### <a href="" id="bkmk-windowsstore"></a>23. Windows Store
You can turn off the ability to launch apps from the Windows Store that were preinstalled or downloaded. This will also turn off automatic app updates, and the Windows Store will be disabled.
- Apply the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Store** &gt; **Disable all apps from Windows Store**.
### <a href="" id="bkmk-updates"></a>23. Windows Update Delivery Optimization
### <a href="" id="bkmk-updates"></a>24. Windows Update Delivery Optimization
Windows Update Delivery Optimization lets you get Windows updates and Windows Store apps from sources in addition to Microsoft, which not only helps when you have a limited or unreliable Internet connection, but can also help you reduce the amount of bandwidth needed to keep all of your organization's PCs up-to-date. If you have Delivery Optimization turned on, PCs on your network may send and receive updates and apps to other PCs on your local network, if you choose, or to PCs on the Internet.
@ -1186,38 +1207,40 @@ By default, PCs running Windows 10 Enterprise and Windows 10 Education will only
Use the UI, Group Policy, MDM policies, or Windows Provisioning to set up Delivery Optimization.
### <a href="" id="bkmk-wudo-ui"></a>23.1 Settings &gt; Update & security
In Windows 10, version 1607, you can stop network traffic related to Windows Update Delivery Optimization by setting **Download Mode** to **Simple** (99) or **Bypass** (100), as described below.
### <a href="" id="bkmk-wudo-ui"></a>24.1 Settings &gt; Update & security
You can set up Delivery Optimization from the **Settings** UI.
- Go to **Settings** &gt; **Update & security** &gt; **Windows Update** &gt; **Advanced options** &gt; **Choose how updates are delivered**.
### <a href="" id="bkmk-wudo-gp"></a>23.2 Delivery Optimization Group Policies
### <a href="" id="bkmk-wudo-gp"></a>24.2 Delivery Optimization Group Policies
You can find the Delivery Optimization Group Policy objects under **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Delivery Optimization**.
| Policy | Description |
|---------------------------|-----------------------------------------------------------------------------------------------------|
| Download Mode | Lets you choose where Delivery Optimization gets or sends updates and apps, including <ul><li><p><strong>None</strong>. Turns off Delivery Optimization.</p></li><li><p><strong>Group</strong>. Gets or sends updates and apps to PCs on the same local network domain.</p></li><li><p><strong>Internet</strong>. Gets or sends updates and apps to PCs on the Internet.</p></li><li><p><strong>LAN</strong>. Gets or sends updates and apps to PCs on the same NAT only.</p></li></ul>|
| Group ID | Lets you provide a Group ID that limits which PCs can share apps and updates. <br /> ** Note** This ID must be a GUID.|
| Download Mode | Lets you choose where Delivery Optimization gets or sends updates and apps, including <ul><li><p><strong>None</strong>. Turns off Delivery Optimization.</p></li><li><p><strong>Group</strong>. Gets or sends updates and apps to PCs on the same local network domain.</p></li><li><p><strong>Internet</strong>. Gets or sends updates and apps to PCs on the Internet.</p></li><li><p><strong>LAN</strong>. Gets or sends updates and apps to PCs on the same NAT only.</p></li><li><p><strong>Simple</strong>. Simple download mode with no peering.</p></li><li><p><strong>Bypass</strong>. Use BITS instead of Windows Update Delivery Optimization.</p></li></ul>|
| Group ID | Lets you provide a Group ID that limits which PCs can share apps and updates. <br /> **Note:** This ID must be a GUID.|
| Max Cache Age | Lets you specify the maximum time (in seconds) that a file is held in the Delivery Optimization cache. <br /> The default value is 259200 seconds (3 days).|
| Max Cache Size | Lets you specify the maximum cache size as a percentage of disk size. <br /> The default value is 20, which represents 20% of the disk.|
| Max Upload Bandwidth | Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity. <br /> The default value is 0, which means unlimited possible bandwidth.|
### <a href="" id="bkmk-wudo-mdm"></a>23.3 Delivery Optimization MDM policies
### <a href="" id="bkmk-wudo-mdm"></a>24.3 Delivery Optimization MDM policies
The following Delivery Optimization MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
| Policy | Description |
|---------------------------|-----------------------------------------------------------------------------------------------------|
| DeliveryOptimization/DODownloadMode | Lets you choose where Delivery Optimization gets or sends updates and apps, including <ul><li><p><strong>0</strong>. Turns off Delivery Optimization.</p></li><li><p><strong>1</strong>. Gets or sends updates and apps to PCs on the same NAT only.</p></li><li><p><strong>2</strong>. Gets or sends updates and apps to PCs on the same local network domain.</p></li><li><p><strong>3</strong>. Gets or sends updates and apps to PCs on the Internet.</p></li></ul>|
| DeliveryOptimization/DODownloadMode | Lets you choose where Delivery Optimization gets or sends updates and apps, including <ul><li><p><strong>0</strong>. Turns off Delivery Optimization.</p></li><li><p><strong>1</strong>. Gets or sends updates and apps to PCs on the same NAT only.</p></li><li><p><strong>2</strong>. Gets or sends updates and apps to PCs on the same local network domain.</p></li><li><p><strong>3</strong>. Gets or sends updates and apps to PCs on the Internet.</p></li><li><p><strong>99</strong>. Simple download mode with no peering.</p></li><li><p><strong>100</strong>. Use BITS instead of Windows Update Delivery Optimization.</p></li></ul>|
| DeliveryOptimization/DOGroupID | Lets you provide a Group ID that limits which PCs can share apps and updates. <br /> **Note** This ID must be a GUID.|
| DeliveryOptimization/DOMaxCacheAge | Lets you specify the maximum time (in seconds) that a file is held in the Delivery Optimization cache. <br /> The default value is 259200 seconds (3 days).|
| DeliveryOptimization/DOMaxCacheSize | Lets you specify the maximum cache size as a percentage of disk size. <br /> The default value is 20, which represents 20% of the disk.|
| DeliveryOptimization/DOMaxUploadBandwidth | Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity. <br /> The default value is 0, which means unlimited possible bandwidth.|
### <a href="" id="bkmk-wudo-prov"></a>23.4 Delivery Optimization Windows Provisioning
### <a href="" id="bkmk-wudo-prov"></a>24.4 Delivery Optimization Windows Provisioning
If you don't have an MDM server in your enterprise, you can use Windows Provisioning to configure the Delivery Optimization policies
@ -1233,7 +1256,7 @@ Use Windows ICD, included with the [Windows Assessment and Deployment Kit (Windo
For more info about Delivery Optimization in general, see [Windows Update Delivery Optimization: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=730684).
### <a href="" id="bkmk-wu"></a>24. Windows Update
### <a href="" id="bkmk-wu"></a>25. Windows Update
You can turn off Windows Update by setting the following registry entries:
@ -1243,6 +1266,11 @@ You can turn off Windows Update by setting the following registry entries:
- Add a REG\_DWORD value called **DisableWindowsUpdateAccess** to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and set the value to 1.
-and-
- Add a REG\_DWORD value called **UseWUServer** to **HKEY\_LOCAL\_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU** and set the value to 1.
You can turn off automatic updates by doing one of the following. This is not recommended.
- Add a REG\_DWORD value called **AutoDownload** to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\WindowsStore\\WindowsUpdate** and set the value to 5.

1
windows/manage/manage-corporate-devices.md
View File

@ -115,6 +115,7 @@ Microsoft Virtual Academy course: [System Center 2012 R2 Configuration Manager &
## Related topics
[Manage Windows 10 and Windows Store tips, tricks, and suggestions](manage-tips-and-suggestions.md)
- [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md) 
- [New policies for Windows 10](new-policies-for-windows-10.md)

63
windows/manage/manage-tips-and-suggestions.md Normal file
View File

@ -0,0 +1,63 @@
---
title: Manage Windows 10 and Windows Store tips, tricks, and suggestions (Windows 10)
description: Windows 10 provides organizations with various options to manage auser experiences to provide a consistent and predictable experience for employees.
keywords: ["device management"]
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: devices
author: jdeckerMS
---
# Manage Windows 10 and Windows Store tips, tricks, and suggestions
**Applies to**
- Windows 10
> <span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ]</span>
Since its inception, Windows 10 has included a number of user experience features that provide useful tips, tricks, and suggestions as you use Windows, we well as app suggestions from the Windows Store. These features are designed to help people get the most out of their Windows 10 experience by, for example, sharing new features, providing more details on the features they use, or sharing content available in the Windows Store. Examples of such user experiences include:
* **Windows Spotlight on the lock screen**. Daily updated images on the lock screen that can include additional facts and tips in “hotspots” that are revealed on hover.
* **Start menu app suggestions**. App suggestions in Start that recommend productivity tool or utilities from the Windows Store.
* **Additional apps on Start**. Additional apps pre-installed on the Start screen which can enhance the users experience.
* **Windows tips**. Contextual tips that appear based on specific user actions to reveal related Windows features or help users complete a scenario.
* **Microsoft account notifications**. For users who have a connected Microsoft account, toast notifications about their account like parental control notifications or subscription expiration.
Windows 10 tips, tricks, and suggestions and Windows Store suggestions can be turned on or off by users. For example, users are able to select personal photos for the lock screen as opposed to the images provided by Microsoft, or turn off tips, tricks, or suggestions as they use Windows.
Windows 10, version 1607 (also known as the Anniversary Update), provides organizations the ability to centrally manage the type of content provided by these features through Group Policy or mobile device management (MDM). The following table describes how administrators can manage suggestions and tips in Windows 10 commercial and education editions.
## Options available to manage Windows 10 tips and tricks and Windows Store suggestions
| Windows 10 edition | Disable |Show Microsoft apps only | Show Microsoft and popular third-party apps |
| --- | --- | --- | --- |
| Windows 10 Pro | No | Yes | Yes (default) |
| Windows 10 Enterprise | Yes | Yes | Yes (default) |
| Windows 10 Pro Education | Yes (default) | Yes | No (setting cannot be changed) |
| Windows 10 Education | Yes (default) | Yes | No (setting cannot be changed) |
## Related topics
- [Manage Windows 10 Start layout](windows-10-start-layout-options-and-policies.md)
- [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md)
- [Windows spotlight on the lock screen](../whats-new/windows-spotlight.md)
- [Windows 10 editions for education customers](https://technet.microsoft.com/en-us/edu/windows/windows-editions-for-education-customers)