mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-15 10:23:37 +00:00
Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@ -1,5 +1,5 @@
---
title: Manage connections from Windows operating system components to Microsoft services (Windows 10)
title: Manage connections from Windows 10 operating system components to Microsoft services
description: If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider.
ms.assetid: ACCEB0DD-BC6F-41B1-B359-140B242183D9
ms.reviewer:
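Review bot: the new front-matter title narrows the article to "Windows 10 operating system components", but the Applies-to list further down in this same commit still includes Windows Server 2016 and Windows Server 2019, so the title now disagrees with the stated scope; either keep "Windows" in the title or trim the Applies-to list in the same change. The `ms.reviewer:` field is still left empty.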
@ -14,7 +14,7 @@ ms.author: dansimp
manager: dansimp
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 8/21/2019
ms.date: 8/23/2019
---
# Manage connections from Windows operating system components to Microsoft services
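Review bot: the H1 "# Manage connections from Windows operating system components to Microsoft services" still carries the old wording while the front-matter title in this commit became "Manage connections from Windows 10 operating system components to Microsoft services"; update the heading (or revert the title) so the rendered page heading and the browser title match. Only `ms.date` moves from 8/21/2019 to 8/23/2019 in this hunk, so the heading fix fits naturally in the same change.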
@ -25,23 +25,22 @@ ms.date: 8/21/2019
- Windows Server 2016
- Windows Server 2019
This article describes the network connections that Windows 10 components make to Microsoft and the Windows Settings, Group Policies and Registry settings available to IT Professionals to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, there are a range of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article.
This article describes the egress network connections that Windows 10 components make to Microsoft services, and it also provides the Windows settings, Group Policies and Registry settings available to IT Professionals to help manage those connections. If you would like to minimize the connections made from Windows 10 to Microsoft services, or custom configure certain Windows components to prevent egress network connections, there are several settings described in this article which you need to consider for your specific needs. For example, using the instructions in this article you could configure diagnostic data to the lowest level and individually evaluate each of the other connections Windows 10 makes to Microsoft services.
Note: CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic is currently allowed traffic and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign.
Note: CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) egress traffic is currently allowed traffic and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities and there are others such as DigiCert, Google, Symantec, Thawte, and VeriSign.
Note: For security reasons, it is important to take care in deciding which settings to configure as many of them will result in a less secure device. Examples of settings that can lead to a less secure device configuration are: disabling Windows Update, disabling Automatic Root Certificates Update, and disabling Windows Defender. We do not recommended disabling any of these features.
For security reasons, it is important to carefully decide which settings to configure since several important settings will result in a less secure device. Examples of these settings are: Windows Update, Automatic Root Certificates Update, and Windows Defender. We do not recommended disabling any of these features as they help Microsoft deliver a secure, reliable, and more delightful personalized experience.
You can configure diagnostic data to the Security/Basic level, turn off Windows Defender diagnostic data and MSRT reporting, and turn off all other connections to Microsoft network endpoints as described in this article to reduce the amount of data sent from Windows 10 to Microsoft. There are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists, which is why we **strongly** recommend against disabling these settings. This data helps us deliver a secure, reliable, and more delightful personalized experience.
However, if you still wish to quickly configure all of the settings covered in this article you can do so by running the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887) script on devices in your organization. This is an automated script to help IT Professionals apply all the settings easily and accurately. **Before running the script ensure that Windows 10 and Windows Defender are fully up to date**. Failure to do so may result in errors or unexpected behavior. Here are a few important deployment notes in the event you decide to run the Windows Restricted Traffic Limited Functionality Baseline script:
• You should not extract this package to the windows\system32 folder because it will not apply correctly
• It is recommended that you restart the device after making configuration changes to it.
• **Get Help** and **Give us Feedback** links no longer work after the Windows Restricted Traffic Limited Functionality Baseline has been applied.
To deploy the complete list of settings below to restrict connections from Windows 10 to Microsoft, you can apply the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887) when running as an Admin user, but **before application please ensure that Windows and Windows Defender are fully up to date**. Failure to do so may result in errors. Running the Windows Restricted Traffic Limited Functionality Baseline on devices in your organization will allow you to quickly configure all of the settings covered in this document. However, some of the settings reduce the functionality and security configuration of your device and are therefore not recommended. Make sure you've chosen the right settings configuration for your environment before applying. You should not extract this package to the windows\system32 folder because it will not apply correctly.
To use Microsoft Intune cloud based device management for restricting traffic please refer to the [Manage connections from Windows operating system components to Microsoft services using MDM](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm).
Applying the Windows Restricted Traffic Limited Functionality Baseline is the same as applying each setting covered in this article. It is recommended that you restart a device after making configuration changes to it. Note that **Get Help** and **Give us Feedback** links no longer work after the Windows Restricted Traffic Limited Functionality Baseline is applied.
We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting **telmhelp@microsoft.com**.
To use Microsoft InTune cloud based device management for restricting traffic please refer to the [Manage connections from Windows operating system components to Microsoft services using MDM](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm).
We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com.
The "Allowed Traffic" endpoints for are listed here: [Allowed Traffic](#bkmk-allowedtraffic)
The "Allowed Traffic" endpoints are listed at the bottom of this article. To jump to that section click: [Allowed Traffic](#bkmk-allowedtraffic)
## <a href="" id="bkmk-othersettings"></a>Management options for each setting
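Review bot: "We do not recommended disabling any of these features" survives in both versions of the security note; it should read "We do not recommend disabling". The rewritten note also drops the word that made its examples meaningful: "Examples of these settings are: Windows Update, Automatic Root Certificates Update, and Windows Defender" reads as if those features themselves weaken the device, whereas the earlier wording "disabling Windows Update, disabling Automatic Root Certificates Update, and disabling Windows Defender" attributes the risk to turning them off; keep "disabling" there. The three deployment notes use "•" bullets, which Markdown does not render as a list; use "-" as the Applies-to list does, and end "because it will not apply correctly" with a period. "Microsoft InTune" should be "Microsoft Intune" wherever it remains, and the two renderings of the feedback address (bold and plain) should be made consistent.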
@ -259,7 +258,7 @@ On Windows Server 2016 Nano Server:
- Create the registry path **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\AuthRoot** and then add a REG_DWORD registry setting, named **DisableRootAutoUpdate**, with a value of 1.
>[!NOTE]
>CRL and OCSP network traffic is currently whitelisted and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of them, but there are many others, such as DigiCert, Thawte, Google, Symantec, and VeriSign.
>CRL and OCSP network traffic is currently Allowed Traffic and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of them, but there are many others, such as DigiCert, Thawte, Google, Symantec, and VeriSign.
### <a href="" id="bkmk-cortana"></a>2. Cortana and Search
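Review bot: "Allowed Traffic" is used here as the defined term for the endpoint list, so link it to the section the rest of the article points at, [Allowed Traffic](#bkmk-allowedtraffic), rather than leaving capitalised plain text; the top-of-article note changed in this same commit spells it "allowed traffic" in lower case, so pick one form. Since setting **DisableRootAutoUpdate** to 1 turns off Automatic Root Certificates Update, which the article's own security note names as a setting that leaves the device less secure, consider repeating that caveat beside the registry instruction rather than only at the top of the article.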
@ -389,7 +388,7 @@ Windows Insider Preview builds only apply to Windows 10 and are not available fo
> [!NOTE]
> If you upgrade a device that is configured to minimize connections from Windows to Microsoft services (that is, a device configured for zero exhaust) to a Windows Insider Preview build, the Feedback & Diagnostic setting will automatically be set to **Full**. Although the diagnostic data level may initially appear as **Basic**, a few hours after the UI is refreshed or the machine is rebooted, the setting will become **Full**.
> If you upgrade a device that is configured to minimize connections from Windows to Microsoft services (that is, a device configured for Restricted Traffic) to a Windows Insider Preview build, the Feedback & Diagnostic setting will automatically be set to **Full**. Although the diagnostic data level may initially appear as **Basic**, a few hours after the UI is refreshed or the machine is rebooted, the setting will become **Full**.
To turn off Insider Preview builds for a released version of Windows 10:
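Review bot: "a device configured for Restricted Traffic" introduces a capitalised term the article never defines; elsewhere the text names the script "Windows Restricted Traffic Limited Functionality Baseline", so write "a device configured with the Windows Restricted Traffic Limited Functionality Baseline" or use lower case. The substance of the note deserves to stay prominent: upgrading such a device to an Insider Preview build silently raises diagnostic data to **Full**, and the UI may still show **Basic** for some hours, so administrators should re-verify the setting after the upgrade rather than trusting the initial display.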