deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-16 10:53:43 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Links: Windows (2021-03)

Browse Source
This commit is contained in:
David Coulter
2021-03-25 10:07:47 -07:00
parent b820895b06
commit e967b61aa9
995 changed files with 5433 additions and 6267 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
windows/privacy/Microsoft-DiagnosticDataViewer.md
View File

@ -45,7 +45,7 @@ Using the Diagnostic Data Viewer for PowerShell requires administrative (elevate
### Install the Diagnostic Data Viewer for PowerShell
>[!IMPORTANT]
>It is recommended to visit the documentation on [Getting Started](https://docs.microsoft.com/powershell/gallery/getting-started) with PowerShell Gallery. This page provides more specific details on installing a PowerShell module.
>It is recommended to visit the documentation on [Getting Started](/powershell/gallery/getting-started) with PowerShell Gallery. This page provides more specific details on installing a PowerShell module.
To install the newest version of the Diagnostic Data Viewer PowerShell module, run the following command within an elevated PowerShell session:
```powershell
@ -105,9 +105,9 @@ The Diagnostic Data Viewer for PowerShell provides you with the following featur
- **View your diagnostic events.** Running `PS C:\> Get-DiagnosticData`, you can review your diagnostic events. These events reflect activities that occurred and were sent to Microsoft.
Each event is displayed as a PowerShell Object. By default each event shows the event name, the time when it was seen by your Windows device, whether the event is [Basic](https://docs.microsoft.com/windows/privacy/configure-windows-diagnostic-data-in-your-organization), its [diagnostic event category](#view-diagnostic-event-categories), and a detailed JSON view of the information it contains, which shows the event exactly as it was when sent to Microsoft. Microsoft uses this info to continually improve the Windows operating system.
Each event is displayed as a PowerShell Object. By default each event shows the event name, the time when it was seen by your Windows device, whether the event is [Basic](./configure-windows-diagnostic-data-in-your-organization.md), its [diagnostic event category](#view-diagnostic-event-categories), and a detailed JSON view of the information it contains, which shows the event exactly as it was when sent to Microsoft. Microsoft uses this info to continually improve the Windows operating system.
- <a id="view-diagnostic-event-categories" />**View diagnostic event categories.** Each event shows the diagnostic event categories that it belongs to. These categories define how events are used by Microsoft. The categories are shown as numeric identifiers. For more information about these categories, see [Windows Diagnostic Data](https://docs.microsoft.com/windows/privacy/windows-diagnostic-data).
- <a id="view-diagnostic-event-categories" />**View diagnostic event categories.** Each event shows the diagnostic event categories that it belongs to. These categories define how events are used by Microsoft. The categories are shown as numeric identifiers. For more information about these categories, see [Windows Diagnostic Data](./windows-diagnostic-data.md).
To view the diagnostic category represented by each numeric identifier and what the category means, you can run the command:
@ -185,4 +185,4 @@ When resetting the size of your data history to a lower value, be sure to turn o
## Related Links
- [Module in PowerShell Gallery](https://www.powershellgallery.com/packages/Microsoft.DiagnosticDataViewer)
- [Documentation for Diagnostic Data Viewer for PowerShell](https://docs.microsoft.com/powershell/module/microsoft.diagnosticdataviewer/?view=win10-ps)
- [Documentation for Diagnostic Data Viewer for PowerShell](/powershell/module/microsoft.diagnosticdataviewer/?view=win10-ps)

6
windows/privacy/changes-to-windows-diagnostic-data-collection.md
View File

@ -62,7 +62,7 @@ Additionally, you will see the following policy changes in an upcoming release o
A final set of changes includes two new policies that can help you fine-tune diagnostic data collection within your organization. These policies let you limit the amount of optional diagnostic data thats sent back to Microsoft.
- The **Limit dump collection** policy is a new policy that can be used to limit the types of [crash dumps](https://docs.microsoft.com/windows/win32/dxtecharts/crash-dump-analysis) that can be sent back to Microsoft. If this policy is enabled, Windows Error Reporting will send only kernel mini dumps and user mode triage dumps.
- The **Limit dump collection** policy is a new policy that can be used to limit the types of [crash dumps](/windows/win32/dxtecharts/crash-dump-analysis) that can be sent back to Microsoft. If this policy is enabled, Windows Error Reporting will send only kernel mini dumps and user mode triage dumps.
- Group Policy: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > **Limit Dump Collection**
- MDM policy: System/LimitDumpCollection
- The **Limit diagnostic log collection** policy is another new policy that limits the number of diagnostic logs that are sent back to Microsoft. If this policy is enabled, diagnostic logs are not sent back to Microsoft.
@ -87,5 +87,5 @@ With the Enhanced diagnostic data level being split out into new policies, we're
Customers who use services that depend on Windows diagnostic data, such as Microsoft Managed Desktop or Desktop Analytics, may be impacted by the behavioral changes when they are released. These services will be updated to address these changes and guidance will be published on how to configure them properly.
The following provides information on the current configurations:
- [Microsoft Managed Desktop](https://aka.ms/mmd-diagnostic-data-level)
- [Desktop Analytics](https://docs.microsoft.com/mem/configmgr/desktop-analytics/overview)
- [Microsoft Managed Desktop](/microsoft-365/managed-desktop/service-description/device-policies#windows-diagnostic-data)
- [Desktop Analytics](/mem/configmgr/desktop-analytics/overview)

22
windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
View File

@ -67,7 +67,7 @@ Depending on the diagnostic data settings on the device, diagnostic data can be
- Diagnostic logs for additional troubleshooting, also managed by the Connected User Experience and Telemetry component.
- Crash reporting and crash dumps, managed by [Windows Error Reporting](https://docs.microsoft.com/windows/win32/wer/windows-error-reporting).
- Crash reporting and crash dumps, managed by [Windows Error Reporting](/windows/win32/wer/windows-error-reporting).
Later in this document we provide further details about how to control whats collected and what data can be included in these different types of diagnostic data.
@ -82,9 +82,9 @@ The following table lists the endpoints related to how you can manage the collec
| Windows service | Endpoint |
| - | - |
|Connected User Experiences and Telemetry | v10.events.data.microsoft.com <br></br> v10c.events.data.microsoft.com <br></br> v10.vortex-win.data.microsoft.com |
| [Windows Error Reporting](https://docs.microsoft.com/windows/win32/wer/windows-error-reporting) | watson.telemetry.microsoft.com <br></br> watson.microsoft.com <br></br> umwatsonc.telemetry.microsoft.com <br></br> umwatsonc.events.data.microsoft.com <br></br> *-umwatsonc.events.data.microsoft.com <br></br> ceuswatcab01.blob.core.windows.net <br></br> ceuswatcab02.blob.core.windows.net <br></br> eaus2watcab01.blob.core.windows.net <br></br> eaus2watcab02.blob.core.windows.net <br></br> weus2watcab01.blob.core.windows.net <br></br> weus2watcab02.blob.core.windows.net |
| [Windows Error Reporting](/windows/win32/wer/windows-error-reporting) | watson.telemetry.microsoft.com <br></br> watson.microsoft.com <br></br> umwatsonc.telemetry.microsoft.com <br></br> umwatsonc.events.data.microsoft.com <br></br> *-umwatsonc.events.data.microsoft.com <br></br> ceuswatcab01.blob.core.windows.net <br></br> ceuswatcab02.blob.core.windows.net <br></br> eaus2watcab01.blob.core.windows.net <br></br> eaus2watcab02.blob.core.windows.net <br></br> weus2watcab01.blob.core.windows.net <br></br> weus2watcab02.blob.core.windows.net |
|Authentication | login.live.com <br></br> <br></br> IMPORTANT: This endpoint is used for device authentication. We do not recommend disabling this endpoint.|
| [Online Crash Analysis](https://docs.microsoft.com/windows/win32/dxtecharts/crash-dump-analysis) | oca.telemetry.microsoft.com <br></br> oca.microsoft.com <br></br> kmwatsonc.telemetry.microsoft.com <br></br> *-kmwatsonc.telemetry.microsoft.com |
| [Online Crash Analysis](/windows/win32/dxtecharts/crash-dump-analysis) | oca.telemetry.microsoft.com <br></br> oca.microsoft.com <br></br> kmwatsonc.telemetry.microsoft.com <br></br> *-kmwatsonc.telemetry.microsoft.com |
|Settings | settings-win.data.microsoft.com <br></br> <br></br> IMPORTANT: This endpoint is used to remotely configure diagnostics-related settings and data collection. For example, we use the settings endpoint to remotely block an event from being sent back to Microsoft. We do not recommend disabling this endpoint. This endpoint does not upload Windows diagnostic data |
### Data access
@ -110,7 +110,7 @@ Heres a summary of the types of data that is included with each setting:
| --- | --- | --- | --- | --- |
| **Diagnostic data events** | No Windows diagnostic data sent. | Minimum data required to keep the device secure, up to date, and performing as expected. | Additional data about the websites you browse, how Windows and apps are used and how they perform, and device activity. The additional data helps Microsoft to fix and improve products and services for all users. | Additional data about the websites you browse, how Windows and apps are used and how they perform. This data also includes data about device activity, and enhanced error reporting that helps Microsoft to fix and improve products and services for all users.|
| **Crash Metadata** | N/A | Yes | Yes | Yes |
| **Crash Dumps** | N/A | No | Triage dumps only <br></br>For more information about crash dumps, see [Windows Error Reporting](https://docs.microsoft.com/windows/win32/wer/windows-error-reporting). | Full memory dumps <br></br>For more information about crash dumps, see [Windows Error Reporting](https://docs.microsoft.com/windows/win32/wer/windows-error-reporting). |
| **Crash Dumps** | N/A | No | Triage dumps only <br></br>For more information about crash dumps, see [Windows Error Reporting](/windows/win32/wer/windows-error-reporting). | Full memory dumps <br></br>For more information about crash dumps, see [Windows Error Reporting](/windows/win32/wer/windows-error-reporting). |
| **Diagnostic logs** | N/A | No | No | Yes |
| **Data collection** | N/A | 100% | Sampling applies | Sampling applies |
@ -167,7 +167,7 @@ Enhanced diagnostic data includes data about the websites you browse, how Window
- Device-specific events that are specific to certain devices, such as Surface Hub and Microsoft HoloLens. For example, Microsoft HoloLens sends Holographic Processing Unit (HPU)-related events.
- All crash dump types, except for heap dumps and full dumps. For more information about crash dumps, see [Windows Error Reporting](https://docs.microsoft.com/windows/win32/wer/windows-error-reporting).
- All crash dump types, except for heap dumps and full dumps. For more information about crash dumps, see [Windows Error Reporting](/windows/win32/wer/windows-error-reporting).
### Optional diagnostic data
@ -184,14 +184,14 @@ Optional diagnostic data, previously labeled as **Full**, includes more detailed
- Enhanced error reporting, including the memory state of the device when a system or app crash occurs (which may unintentionally contain user content, such as parts of a file you were using when the problem occurred). Crash data is never used for Tailored experiences.
>[!Note]
>Crash dumps collected in optional diagnostic data may unintentionally contain personal data, such as portions of memory from a document and a web page. For more information about crash dumps, see [Windows Error Reporting](https://docs.microsoft.com/windows/win32/wer/windows-error-reporting).
>Crash dumps collected in optional diagnostic data may unintentionally contain personal data, such as portions of memory from a document and a web page. For more information about crash dumps, see [Windows Error Reporting](/windows/win32/wer/windows-error-reporting).
## Manage enterprise diagnostic data
Use the steps in this section to configure the diagnostic data settings for Windows and Windows Server in your organization.
>[!IMPORTANT]
>These diagnostic data settings only apply to components, features, and apps that are considered a part of the Windows operating system. Third-party apps and other Microsoft apps, such as Microsoft Office, that customers install may also collect and send diagnostic data using their own controls. You should work with your app vendors to understand their diagnostic data policy, and how you can opt in or opt out. For more information on how Microsoft Office uses diagnostic data, see [Overview of privacy controls for Microsoft 365 Apps for enterprise](https://docs.microsoft.com/deployoffice/privacy/overview-privacy-controls). If you would like to control Windows data collection that is not Windows diagnostic data, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
>These diagnostic data settings only apply to components, features, and apps that are considered a part of the Windows operating system. Third-party apps and other Microsoft apps, such as Microsoft Office, that customers install may also collect and send diagnostic data using their own controls. You should work with your app vendors to understand their diagnostic data policy, and how you can opt in or opt out. For more information on how Microsoft Office uses diagnostic data, see [Overview of privacy controls for Microsoft 365 Apps for enterprise](/deployoffice/privacy/overview-privacy-controls). If you would like to control Windows data collection that is not Windows diagnostic data, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
You can configure your device's diagnostic data settings using the management tools youre already using, such as Group Policy or MDM.
@ -222,14 +222,14 @@ You can use Group Policy to set your organizations diagnostic data setting:
### Use MDM to manage diagnostic data collection
Use [Policy Configuration Service Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) to apply the System/AllowTelemetry MDM policy.
Use [Policy Configuration Service Provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider) to apply the System/AllowTelemetry MDM policy.
## Limit optional diagnostic data for Desktop Analytics
For more information about how to limit the diagnostic data to the minimum required by Desktop Analytics, see [Enable data sharing for Desktop Analytics](https://docs.microsoft.com/mem/configmgr/desktop-analytics/enable-data-sharing).
For more information about how to limit the diagnostic data to the minimum required by Desktop Analytics, see [Enable data sharing for Desktop Analytics](/mem/configmgr/desktop-analytics/enable-data-sharing).
## Change privacy settings on a single server
You can also change the privacy settings on a server running either the Azure Stack HCI operating system or Windows Server. For more information, see [Change privacy settings on individual servers](https://docs.microsoft.com/azure-stack/hci/manage/change-privacy-settings).
You can also change the privacy settings on a server running either the Azure Stack HCI operating system or Windows Server. For more information, see [Change privacy settings on individual servers](/azure-stack/hci/manage/change-privacy-settings).
To manage privacy settings in your enterprise as a whole, see [Manage enterprise diagnostic data](#manage-enterprise-diagnostic-data).
To manage privacy settings in your enterprise as a whole, see [Manage enterprise diagnostic data](#manage-enterprise-diagnostic-data).

8
windows/privacy/deploy-data-processor-service-windows.md
View File

@ -57,9 +57,9 @@ The following endpoints need to be reachable from devices enrolled into the data
For additional information, see the “device authentication” and “diagnostic data” sections in the endpoint articles for each respective Windows version:
[Windows 10, version 1809 endpoints](https://docs.microsoft.com/Windows/privacy/manage-Windows-1809-endpoints)
[Windows 10, version 1809 endpoints](./manage-windows-1809-endpoints.md)
[Windows 10, version 1903 endpoints](https://docs.microsoft.com/Windows/privacy/manage-Windows-1903-endpoints)
[Windows 10, version 1903 endpoints](./manage-windows-1903-endpoints.md)
### Deploying data processor service for Windows Enterprise
You can use either Group Policy or an MDM solution to deploy the data processor service for Windows Enterprise to your supported devices.
@ -68,7 +68,7 @@ In Group Policy, to enable data collection through the data processor service fo
If you wish to disable, at any time, switch the same setting to **disabled**. The default state of the above setting is **disabled**.
To use an MDM solution, such as [Microsoft Intune](https://docs.microsoft.com/intune/custom-settings-Windows-10), to deploy the data processor service for Windows Enterprise to your supported devices, use the following custom OMA-URI setting configuration:
To use an MDM solution, such as [Microsoft Intune](/intune/custom-settings-Windows-10), to deploy the data processor service for Windows Enterprise to your supported devices, use the following custom OMA-URI setting configuration:
- **Name:** System/AllowCommercialDataPipeline
- **OMA-URI:** ./Vendor/MSFT/Policy/Config/System/AllowCommercialDataPipeline
@ -88,7 +88,7 @@ To perform user-based DSRs, the data processor service for Windows Enterprise re
If your environment is cloud-only and managed in Azure, or all your devices are Azure AD joined - you dont need to take any further action.
If your environment uses on-premises Active Directory to manage identities - Azure AD Connect synchronization is required, and your environment needs to be configured for hybrid Azure AD join.
To learn more, visit [How To: Plan your hybrid Azure Active Directory join implementation](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-plan) and [Azure AD Connect sync: Understand and customize synchronization](https://docs.microsoft.com/azure/active-directory/hybrid/how-to-connect-sync-whatis).
To learn more, visit [How To: Plan your hybrid Azure Active Directory join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan) and [Azure AD Connect sync: Understand and customize synchronization](/azure/active-directory/hybrid/how-to-connect-sync-whatis).
Once you have Azure AD join or hybrid Azure AD join in place, you can learn more about executing user-based DSRs, by visiting this [page](https://review.docs.microsoft.com/microsoft-365/compliance/gdpr-dsr-windows?branch=siosulli-wps&view=o365-worldwide).

2
windows/privacy/diagnostic-data-viewer-overview.md
View File

@ -44,7 +44,7 @@ Before you can use this tool for viewing Windows diagnostic data, you must turn
Download the app from the [Microsoft Store Diagnostic Data Viewer](https://www.microsoft.com/store/p/diagnostic-data-viewer/9n8wtrrsq8f7?rtc=1) page.
> [!Important]
> It's possible that your Windows device doesn't have the Microsoft Store available (for example, Windows Server). If this is the case, see [Diagnostic Data Viewer for PowerShell](https://go.microsoft.com/fwlink/?linkid=2094264).
> It's possible that your Windows device doesn't have the Microsoft Store available (for example, Windows Server). If this is the case, see [Diagnostic Data Viewer for PowerShell](./microsoft-diagnosticdataviewer.md).
### Start the Diagnostic Data Viewer
You can start this app from the **Settings** panel.

8
windows/privacy/index.yml
View File

@ -152,7 +152,7 @@ productDirectory:
# summary: cardsummary3
# url: file1.md OR https://docs.microsoft.com/file3
# # footer (optional)
# footer: "footertext [linktext](https://docs.microsoft.com/footerfile)"
# footer: "footertext [linktext](/footerfile)"
# additionalContent section (optional)
# Card with links style
@ -164,7 +164,7 @@ additionalContent:
- title: View and manage Windows 10 connection endpoints
links:
- text: Manage Windows 10 connection endpoints
url: manage-windows-endpoints.md
url: ./manage-windows-2004-endpoints.md
- text: Manage connection endpoints for non-Enterprise editions of Windows 10
url: windows-endpoints-2004-non-enterprise-editions.md
- text: Manage connections from Windows to Microsoft services
@ -175,8 +175,8 @@ additionalContent:
- text: Windows 10 on Trust Center
url: https://www.microsoft.com/en-us/trustcenter/cloudservices/windows10
- text: GDPR on Microsoft 365 Compliance solutions
url: https://docs.microsoft.com/microsoft-365/compliance/gdpr
url: /microsoft-365/compliance/gdpr
- text: Support for GDPR Accountability on Service Trust Portal
url: https://servicetrust.microsoft.com/ViewPage/GDPRGetStarted
# footer (optional)
# footer: "footertext [linktext](https://docs.microsoft.com/footerfile)"
# footer: "footertext [linktext](/footerfile)"

142
windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
View File

@ -21,22 +21,22 @@ ms.date: 12/1/2020
- Windows 10 Enterprise 1903 version and newer
This article describes the network connections that Windows 10 components make to Microsoft and the Mobile Device Management/Configuration Service Provider (MDM/CSP) and custom Open Mobile Alliance Uniform Resource Identifier ([OMA URI](https://docs.microsoft.com/intune/custom-settings-windows-10)) policies available to IT Professionals using Microsoft Intune to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a number of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience.
This article describes the network connections that Windows 10 components make to Microsoft and the Mobile Device Management/Configuration Service Provider (MDM/CSP) and custom Open Mobile Alliance Uniform Resource Identifier ([OMA URI](/intune/custom-settings-windows-10)) policies available to IT Professionals using Microsoft Intune to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a number of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience.
>[!IMPORTANT]
>- The Allowed Traffic endpoints for an MDM configuration are here: [Allowed Traffic](#bkmk-mdm-allowedtraffic)
> - CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign.
> - There is some traffic which is specifically required for the Microsoft Intune based management of Windows 10 devices. This traffic includes Windows Notifications Service (WNS), Automatic Root Certificates Update (ARCU), and some Windows Update related traffic. The aforementioned traffic comprises the Allowed Traffic for Microsoft Intune MDM Server to manage Windows 10 devices.
>- For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device. Examples of settings that can lead to a less secure device configuration include: disabling Windows Update, disabling Automatic Root Certificates Update, and disabling Windows Defender. Accordingly, we do not recommend disabling any of these features.
>- To ensure CSPs take priority over Group Policies in case of conflicts, use the [ControlPolicyConflict](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy.
>- To ensure CSPs take priority over Group Policies in case of conflicts, use the [ControlPolicyConflict](/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy.
>- The **Get Help** and **Give us Feedback** links in Windows may no longer work after applying some or all of the MDM/CSP settings.
>[!Warning]
>If a user executes the "Reset this PC" command (Settings -> Update & Security -> Recovery) with the "Remove Everything" option the >Windows Restricted Traffic Limited Functionality settings will need to be re-applied in order re-restrict the device's egress traffic. >To do this the client must be re-enrolled to the Microsoft Intune service. Egress traffic may occur during the period prior to the re->application of the Restricted Traffic Limited Functionality settings. If the user executes a "Reset this PC" with the "Keep my files" >option the Restricted Traffic Limited Functionality settings are retained on the device, and therefore the client will remain in a >Restricted Traffic configuration during and after the "Keep my files" reset, and no re-enrollment is required.
For more information on Microsoft Intune please see [Transform IT service delivery for your modern workplace](https://www.microsoft.com/en-us/enterprise-mobility-security/microsoft-intune?rtc=1) and [Microsoft Intune documentation](https://docs.microsoft.com/intune/).
For more information on Microsoft Intune please see [Transform IT service delivery for your modern workplace](https://www.microsoft.com/en-us/enterprise-mobility-security/microsoft-intune?rtc=1) and [Microsoft Intune documentation](/intune/).
For detailed information about managing network connections to Microsoft services using Windows Settings, Group Policies and Registry settings see [Manage connections from Windows 10 operating system components to Microsoft services](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services).
For detailed information about managing network connections to Microsoft services using Windows Settings, Group Policies and Registry settings see [Manage connections from Windows 10 operating system components to Microsoft services](./manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
We are always striving to improve our documentation and welcome your feedback. You can provide feedback by sending email to **telmhelp**@**microsoft.com**.
@ -45,31 +45,31 @@ We are always striving to improve our documentation and welcome your feedback. Y
The following table lists management options for each setting.
For Windows 10, the following MDM policies are available in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
For Windows 10, the following MDM policies are available in the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider).
1. **Automatic Root Certificates Update**
1. MDM Policy: There is intentionally no MDM available for Automatic Root Certificate Update. This MDM does not exist since it would prevent the operation and management of MDM management of devices.
1. **Cortana and Search**
1. MDM Policy: [Experience/AllowCortana](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowcortana). Choose whether to let Cortana install and run on the device. **Set to 0 (zero)**
1. MDM Policy: [Search/AllowSearchToUseLocation](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-search#search-allowsearchtouselocation). Choose whether Cortana and Search can provide location-aware search results. **Set to 0 (zero)**
1. MDM Policy: [Experience/AllowCortana](/windows/client-management/mdm/policy-csp-experience#experience-allowcortana). Choose whether to let Cortana install and run on the device. **Set to 0 (zero)**
1. MDM Policy: [Search/AllowSearchToUseLocation](/windows/client-management/mdm/policy-csp-search#search-allowsearchtouselocation). Choose whether Cortana and Search can provide location-aware search results. **Set to 0 (zero)**
1. **Date & Time**
1. MDM Policy: [Settings/AllowDateTime](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-settings#settings-allowdatetime). Allows the user to change date and time settings. **Set to 0 (zero)**
1. MDM Policy: [Settings/AllowDateTime](/windows/client-management/mdm/policy-csp-settings#settings-allowdatetime). Allows the user to change date and time settings. **Set to 0 (zero)**
1. **Device metadata retrieval**
1. MDM Policy: [DeviceInstallation/PreventDeviceMetadataFromNetwork](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventdevicemetadatafromnetwork). Choose whether to prevent Windows from retrieving device metadata from the Internet. **Set to Enabled**
1. MDM Policy: [DeviceInstallation/PreventDeviceMetadataFromNetwork](/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventdevicemetadatafromnetwork). Choose whether to prevent Windows from retrieving device metadata from the Internet. **Set to Enabled**
1. **Find My Device**
1. MDM Policy: [Experience/AllowFindMyDevice](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowfindmydevice). This policy turns on Find My Device. **Set to 0 (zero)**
1. MDM Policy: [Experience/AllowFindMyDevice](/windows/client-management/mdm/policy-csp-experience#experience-allowfindmydevice). This policy turns on Find My Device. **Set to 0 (zero)**
1. **Font streaming**
1. MDM Policy: [System/AllowFontProviders](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-allowfontproviders). Setting that determines whether Windows is allowed to download fonts and font catalog data from an online font provider. **Set to 0 (zero)**
1. MDM Policy: [System/AllowFontProviders](/windows/client-management/mdm/policy-csp-system#system-allowfontproviders). Setting that determines whether Windows is allowed to download fonts and font catalog data from an online font provider. **Set to 0 (zero)**
1. **Insider Preview builds**
1. MDM Policy: [System/AllowBuildPreview](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-allowbuildpreview). This policy setting determines whether users can access the Insider build controls in the Advanced Options for Windows Update. **Set to 0 (zero)**
1. MDM Policy: [System/AllowBuildPreview](/windows/client-management/mdm/policy-csp-system#system-allowbuildpreview). This policy setting determines whether users can access the Insider build controls in the Advanced Options for Windows Update. **Set to 0 (zero)**
1. **Internet Explorer** The following Microsoft Internet Explorer MDM policies are available in the [Internet Explorer CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-internetexplorer)
1. MDM Policy: [InternetExplorer/AllowSuggestedSites](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-internetexplorer#internetexplorer-allowsuggestedsites). Recommends websites based on the users browsing activity. **Set to Disabled**
1. **Internet Explorer** The following Microsoft Internet Explorer MDM policies are available in the [Internet Explorer CSP](/windows/client-management/mdm/policy-csp-internetexplorer)
1. MDM Policy: [InternetExplorer/AllowSuggestedSites](/windows/client-management/mdm/policy-csp-internetexplorer#internetexplorer-allowsuggestedsites). Recommends websites based on the users browsing activity. **Set to Disabled**
1. MDM Policy: [InternetExplorer/PreventManagingSmartScreenFilter]( https://docs.microsoft.com/windows/client-management/mdm/policy-csp-internetexplorer#internetexplorer-preventmanagingsmartscreenfilter). Prevents the user from managing Windows Defender SmartScreen, which warns the user if the website being visited is known for fraudulent attempts to gather personal information through "phishing," or is known to host malware. **Set to String** with Value:
1. **\<enabled/>\<data id=”IE9SafetyFilterOptions” value=”1”/>**
1. MDM Policy: [InternetExplorer/DisableFlipAheadFeature]( https://docs.microsoft.com/windows/client-management/mdm/policy-csp-internetexplorer#internetexplorer-disableflipaheadfeature). Determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of a website. **Set to Enabled**
@ -79,84 +79,84 @@ For Windows 10, the following MDM policies are available in the [Policy CSP](htt
1. **\<enabled/>\<data id=”FirstRunOptions” value=”1”/>**
1. **Live Tiles**
1. MDM Policy: [Notifications/DisallowTileNotification](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-notifications). This policy setting turns off tile notifications. If you enable this policy setting applications and system features will not be able to update their tiles and tile badges in the Start screen. **Integer value 1**
1. MDM Policy: [Notifications/DisallowTileNotification](/windows/client-management/mdm/policy-csp-notifications). This policy setting turns off tile notifications. If you enable this policy setting applications and system features will not be able to update their tiles and tile badges in the Start screen. **Integer value 1**
1. **Mail synchronization**
1. MDM Policy: [Accounts/AllowMicrosoftAccountConnection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-accounts#accounts-allowmicrosoftaccountconnection). Specifies whether the user is allowed to use an MSA account for non-email related connection authentication and services. **Set to 0 (zero)**
1. MDM Policy: [Accounts/AllowMicrosoftAccountConnection](/windows/client-management/mdm/policy-csp-accounts#accounts-allowmicrosoftaccountconnection). Specifies whether the user is allowed to use an MSA account for non-email related connection authentication and services. **Set to 0 (zero)**
1. **Microsoft Account**
1. MDM Policy: [Accounts/AllowMicrosoftAccountSignInAssistant](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-accounts#accounts-allowmicrosoftaccountsigninassistant). Disable the Microsoft Account Sign-In Assistant. **Set to 0 (zero)**
1. MDM Policy: [Accounts/AllowMicrosoftAccountSignInAssistant](/windows/client-management/mdm/policy-csp-accounts#accounts-allowmicrosoftaccountsigninassistant). Disable the Microsoft Account Sign-In Assistant. **Set to 0 (zero)**
1. **Microsoft Edge** The following Microsoft Edge MDM policies are available in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). For a complete list of the Microsoft Edge policies, see [Available policies for Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/available-policies).
1. MDM Policy: [Browser/AllowAutoFill](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowautofill). Choose whether employees can use autofill on websites. **Set to 0 (zero)**
1. MDM Policy: [Browser/AllowDoNotTrack](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowdonottrack). Choose whether employees can send Do Not Track headers. **Set to 0 (zero)**
1. MDM Policy: [Browser/AllowMicrosoftCompatbilityList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowmicrosoftcompatibilitylist). Specify the Microsoft compatibility list in Microsoft Edge. **Set to 0 (zero)**
1. MDM Policy: [Browser/AllowPasswordManager](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowpasswordmanager). Choose whether employees can save passwords locally on their devices. **Set to 0 (zero)**
1. MDM Policy: [Browser/AllowSearchSuggestionsinAddressBar](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsearchsuggestionsinaddressbar). Choose whether the Address Bar shows search suggestions. **Set to 0 (zero)**
1. MDM Policy: [Browser/AllowSmartScreen](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen). Choose whether Windows Defender SmartScreen is turned on or off. **Set to 0 (zero)**
1. **Microsoft Edge** The following Microsoft Edge MDM policies are available in the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider). For a complete list of the Microsoft Edge policies, see [Available policies for Microsoft Edge](/microsoft-edge/deploy/available-policies).
1. MDM Policy: [Browser/AllowAutoFill](/windows/client-management/mdm/policy-csp-browser#browser-allowautofill). Choose whether employees can use autofill on websites. **Set to 0 (zero)**
1. MDM Policy: [Browser/AllowDoNotTrack](/windows/client-management/mdm/policy-csp-browser#browser-allowdonottrack). Choose whether employees can send Do Not Track headers. **Set to 0 (zero)**
1. MDM Policy: [Browser/AllowMicrosoftCompatbilityList](/windows/client-management/mdm/policy-csp-browser#browser-allowmicrosoftcompatibilitylist). Specify the Microsoft compatibility list in Microsoft Edge. **Set to 0 (zero)**
1. MDM Policy: [Browser/AllowPasswordManager](/windows/client-management/mdm/policy-csp-browser#browser-allowpasswordmanager). Choose whether employees can save passwords locally on their devices. **Set to 0 (zero)**
1. MDM Policy: [Browser/AllowSearchSuggestionsinAddressBar](/windows/client-management/mdm/policy-csp-browser#browser-allowsearchsuggestionsinaddressbar). Choose whether the Address Bar shows search suggestions. **Set to 0 (zero)**
1. MDM Policy: [Browser/AllowSmartScreen](/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen). Choose whether Windows Defender SmartScreen is turned on or off. **Set to 0 (zero)**
1. **Network Connection Status Indicator**
1. [Connectivity/DisallowNetworkConnectivityActiveTests](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-connectivity#connectivity-disallownetworkconnectivityactivetests). Note: After you apply this policy you must restart the device for the policy setting to take effect. **Set to 1 (one)**
1. [Connectivity/DisallowNetworkConnectivityActiveTests](/windows/client-management/mdm/policy-csp-connectivity#connectivity-disallownetworkconnectivityactivetests). Note: After you apply this policy you must restart the device for the policy setting to take effect. **Set to 1 (one)**
1. **Offline maps**
1. MDM Policy: [AllowOfflineMapsDownloadOverMeteredConnection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-maps). Allows the download and update of map data over metered connections. <br /> **Set to 0 (zero)**
1. MDM Policy: [EnableOfflineMapsAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-maps#maps-enableofflinemapsautoupdate). Disables the automatic download and update of map data. **Set to 0 (zero)**
1. MDM Policy: [AllowOfflineMapsDownloadOverMeteredConnection](/windows/client-management/mdm/policy-csp-maps). Allows the download and update of map data over metered connections. <br /> **Set to 0 (zero)**
1. MDM Policy: [EnableOfflineMapsAutoUpdate](/windows/client-management/mdm/policy-csp-maps#maps-enableofflinemapsautoupdate). Disables the automatic download and update of map data. **Set to 0 (zero)**
1. **OneDrive**
1. MDM Policy: [DisableOneDriveFileSync](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-disableonedrivefilesync). Allows IT Admins to prevent apps and features from working with files on OneDrive. **Set to 1 (one)**
1. MDM Policy: [DisableOneDriveFileSync](/windows/client-management/mdm/policy-csp-system#system-disableonedrivefilesync). Allows IT Admins to prevent apps and features from working with files on OneDrive. **Set to 1 (one)**
1. Ingest the ADMX - To get the latest OneDrive ADMX file you need an up-to-date Windows 10 client. The ADMX files are located under the following path: %LocalAppData%\Microsoft\OneDrive\ there's a folder with the current OneDrive build (e.g. "18.162.0812.0001"). There is a folder named "adm" which contains the admx and adml policy definition files.
1. MDM Policy: Prevent Network Traffic before User SignIn. **PreventNetworkTrafficPreUserSignIn**. The OMA-URI value is: **./Device/Vendor/MSFT/Policy/Config/OneDriveNGSC\~Policy\~OneDriveNGSC/PreventNetworkTrafficPreUserSignIn**, Data type: **String**, Value: **\<enabled/>**
1. **Privacy settings** Except for the Feedback & Diagnostics page, these settings must be configured for every user account that signs into the PC.
1. General - [TextInput/AllowLinguisticDataCollection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-textinput#textinput-allowlinguisticdatacollection). This policy setting controls the ability to send inking and typing data to Microsoft. **Set to 0 (zero)**
1. Location - [System/AllowLocation](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-allowlocation). Specifies whether to allow app access to the Location service. **Set to 0 (zero)**
1. Camera - [Camera/AllowCamera](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-camera#camera-allowcamera). Disables or enables the camera. **Set to 0 (zero)**
1. Microphone - [Privacy/LetAppsAccessMicrophone](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmicrophone). Specifies whether Windows apps can access the microphone. **Set to 2 (two)**
1. Notifications - [Privacy/LetAppsAccessNotifications](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessnotifications). Specifies whether Windows apps can access notifications. **Set to 2 (two)**
1. General - [TextInput/AllowLinguisticDataCollection](/windows/client-management/mdm/policy-csp-textinput#textinput-allowlinguisticdatacollection). This policy setting controls the ability to send inking and typing data to Microsoft. **Set to 0 (zero)**
1. Location - [System/AllowLocation](/windows/client-management/mdm/policy-csp-system#system-allowlocation). Specifies whether to allow app access to the Location service. **Set to 0 (zero)**
1. Camera - [Camera/AllowCamera](/windows/client-management/mdm/policy-csp-camera#camera-allowcamera). Disables or enables the camera. **Set to 0 (zero)**
1. Microphone - [Privacy/LetAppsAccessMicrophone](/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmicrophone). Specifies whether Windows apps can access the microphone. **Set to 2 (two)**
1. Notifications - [Privacy/LetAppsAccessNotifications](/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessnotifications). Specifies whether Windows apps can access notifications. **Set to 2 (two)**
1. Notifications - [Settings/AllowOnlineTips]( https://docs.microsoft.com/windows/client-management/mdm/policy-csp-settings#settings-allowonlinetips). Enables or disables the retrieval of online tips and help for the Settings app. **Integer value 0**
1. Speech, Inking, & Typing - [Privacy/AllowInputPersonalization](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-allowinputpersonalization). This policy specifies whether users on the device have the option to enable online speech recognition. **Set to 0 (zero)**
1. Speech, Inking, & Typing - [TextInput/AllowLinguisticDataCollection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-textinput#textinput-allowlinguisticdatacollection). This policy setting controls the ability to send inking and typing data to Microsoft **Set to 0 (zero)**
1. Account info - [Privacy/LetAppsAccessAccountInfo](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessaccountinfo). Specifies whether Windows apps can access account information. **Set to 2 (two)**
1. Contacts - [Privacy/LetAppsAccessContacts](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesscontacts). Specifies whether Windows apps can access contacts. **Set to 2 (two)**
1. Calendar - [Privacy/LetAppsAccessCalendar](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesscalendar). Specifies whether Windows apps can access the calendar. **Set to 2 (two)**
1. Call history - [Privacy/LetAppsAccessCallHistory](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesscallhistory). Specifies whether Windows apps can access account information. **Set to 2 (two)**
1. Email - [Privacy/LetAppsAccessEmail](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessemail). Specifies whether Windows apps can access email. **Set to 2 (two)**
1. Messaging - [Privacy/LetAppsAccessMessaging](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmessaging). Specifies whether Windows apps can read or send messages (text or MMS). **Set to 2 (two)**
1. Phone calls - [Privacy/LetAppsAccessPhone](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessphone). Specifies whether Windows apps can make phone calls. **Set to 2 (two)**
1. Radios - [Privacy/LetAppsAccessRadios](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessradios). Specifies whether Windows apps have access to control radios. **Set to 2 (two)**
1. Other devices - [Privacy/LetAppsSyncWithDevices](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappssyncwithdevices). Specifies whether Windows apps can sync with devices. **Set to 2 (two)**
1. Other devices - [Privacy/LetAppsAccessTrustedDevices](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesstrusteddevices). Specifies whether Windows apps can access trusted devices. **Set to 2 (two)**
1. Feedback & diagnostics - [System/AllowTelemetry](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-allowtelemetry). Allow the device to send diagnostic and usage telemetry data, such as Watson. **Set to 0 (zero)**
1. Feedback & diagnostics - [Experience/DoNotShowFeedbackNotifications](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-donotshowfeedbacknotifications). Prevents devices from showing feedback questions from Microsoft. **Set to 1 (one)**
1. Background apps - [Privacy/LetAppsRunInBackground](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsruninbackground). Specifies whether Windows apps can run in the background. **Set to 2 (two)**
1. Motion - [Privacy/LetAppsAccessMotion](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmotion). Specifies whether Windows apps can access motion data. **Set to 2 (two)**
1. Tasks - [Privacy/LetAppsAccessTasks](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesstasks). Turn off the ability to choose which apps have access to tasks. **Set to 2 (two)**
1. App Diagnostics - [Privacy/LetAppsGetDiagnosticInfo](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsgetdiagnosticinfo). Force allow, force deny or give user control of apps that can get diagnostic information about other running apps. **Set to 2 (two)**
1. **Software Protection Platform** - [Licensing/DisallowKMSClientOnlineAVSValidation](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-licensing#licensing-disallowkmsclientonlineavsvalidation). Opt out of sending KMS client activation data to Microsoft automatically. **Set to 1 (one)**
1. **Storage Health** - [Storage/AllowDiskHealthModelUpdates](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-storage#storage-allowdiskhealthmodelupdates). Allows disk health model updates. **Set to 0 (zero)**
1. **Sync your settings** - [Experience/AllowSyncMySettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowsyncmysettings). Control whether your settings are synchronized. **Set to 0 (zero)**
1. Speech, Inking, & Typing - [Privacy/AllowInputPersonalization](/windows/client-management/mdm/policy-csp-privacy#privacy-allowinputpersonalization). This policy specifies whether users on the device have the option to enable online speech recognition. **Set to 0 (zero)**
1. Speech, Inking, & Typing - [TextInput/AllowLinguisticDataCollection](/windows/client-management/mdm/policy-csp-textinput#textinput-allowlinguisticdatacollection). This policy setting controls the ability to send inking and typing data to Microsoft **Set to 0 (zero)**
1. Account info - [Privacy/LetAppsAccessAccountInfo](/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessaccountinfo). Specifies whether Windows apps can access account information. **Set to 2 (two)**
1. Contacts - [Privacy/LetAppsAccessContacts](/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesscontacts). Specifies whether Windows apps can access contacts. **Set to 2 (two)**
1. Calendar - [Privacy/LetAppsAccessCalendar](/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesscalendar). Specifies whether Windows apps can access the calendar. **Set to 2 (two)**
1. Call history - [Privacy/LetAppsAccessCallHistory](/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesscallhistory). Specifies whether Windows apps can access account information. **Set to 2 (two)**
1. Email - [Privacy/LetAppsAccessEmail](/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessemail). Specifies whether Windows apps can access email. **Set to 2 (two)**
1. Messaging - [Privacy/LetAppsAccessMessaging](/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmessaging). Specifies whether Windows apps can read or send messages (text or MMS). **Set to 2 (two)**
1. Phone calls - [Privacy/LetAppsAccessPhone](/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessphone). Specifies whether Windows apps can make phone calls. **Set to 2 (two)**
1. Radios - [Privacy/LetAppsAccessRadios](/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessradios). Specifies whether Windows apps have access to control radios. **Set to 2 (two)**
1. Other devices - [Privacy/LetAppsSyncWithDevices](/windows/client-management/mdm/policy-csp-privacy#privacy-letappssyncwithdevices). Specifies whether Windows apps can sync with devices. **Set to 2 (two)**
1. Other devices - [Privacy/LetAppsAccessTrustedDevices](/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesstrusteddevices). Specifies whether Windows apps can access trusted devices. **Set to 2 (two)**
1. Feedback & diagnostics - [System/AllowTelemetry](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry). Allow the device to send diagnostic and usage telemetry data, such as Watson. **Set to 0 (zero)**
1. Feedback & diagnostics - [Experience/DoNotShowFeedbackNotifications](/windows/client-management/mdm/policy-csp-experience#experience-donotshowfeedbacknotifications). Prevents devices from showing feedback questions from Microsoft. **Set to 1 (one)**
1. Background apps - [Privacy/LetAppsRunInBackground](/windows/client-management/mdm/policy-csp-privacy#privacy-letappsruninbackground). Specifies whether Windows apps can run in the background. **Set to 2 (two)**
1. Motion - [Privacy/LetAppsAccessMotion](/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmotion). Specifies whether Windows apps can access motion data. **Set to 2 (two)**
1. Tasks - [Privacy/LetAppsAccessTasks](/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesstasks). Turn off the ability to choose which apps have access to tasks. **Set to 2 (two)**
1. App Diagnostics - [Privacy/LetAppsGetDiagnosticInfo](/windows/client-management/mdm/policy-csp-privacy#privacy-letappsgetdiagnosticinfo). Force allow, force deny or give user control of apps that can get diagnostic information about other running apps. **Set to 2 (two)**
1. **Software Protection Platform** - [Licensing/DisallowKMSClientOnlineAVSValidation](/windows/client-management/mdm/policy-csp-licensing#licensing-disallowkmsclientonlineavsvalidation). Opt out of sending KMS client activation data to Microsoft automatically. **Set to 1 (one)**
1. **Storage Health** - [Storage/AllowDiskHealthModelUpdates](/windows/client-management/mdm/policy-csp-storage#storage-allowdiskhealthmodelupdates). Allows disk health model updates. **Set to 0 (zero)**
1. **Sync your settings** - [Experience/AllowSyncMySettings](/windows/client-management/mdm/policy-csp-experience#experience-allowsyncmysettings). Control whether your settings are synchronized. **Set to 0 (zero)**
1. **Teredo** - No MDM needed. Teredo is **Off by default**. Delivery Optimization (DO) can turn on Teredo, but DO itself is turned Off via MDM.
1. **Wi-Fi Sense** - No MDM needed. Wi-Fi Sense is no longer available from Windows 10 version 1803 and newer.
1. **Windows Defender**
1. [Defender/AllowCloudProtection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-allowcloudprotection). Disconnect from the Microsoft Antimalware Protection Service. **Set to 0 (zero)**
1. [Defender/SubmitSamplesConsent](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-submitsamplesconsent). Stop sending file samples back to Microsoft. **Set to 2 (two)**
1. [Defender/EnableSmartScreenInShell](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings#mdm-settings). Turns off SmartScreen in Windows for app and file execution. **Set to 0 (zero)**
1. Windows Defender SmartScreen - [Browser/AllowSmartScreen](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen). Disable Windows Defender SmartScreen. **Set to 0 (zero)**
1. Windows Defender SmartScreen EnableAppInstallControl - [SmartScreen/EnableAppInstallControl](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-smartscreen#smartscreen-enableappinstallcontrol). Controls whether users are allowed to install apps from places other than the Microsoft Store. **Set to 0 (zero)**
1. Windows Defender Potentially Unwanted Applications(PUA) Protection - [Defender/PUAProtection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-puaprotection). Specifies the level of detection for potentially unwanted applications (PUAs). **Set to 1 (one)**
1. [Defender/SignatureUpdateFallbackOrder](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm). Allows you to define the order in which different definition update sources should be contacted. The OMA-URI for this is: **./Vendor/MSFT/Policy/Config/Defender/SignatureUpdateFallbackOrder**, Data type: **String**, Value: **FileShares**
1. **Windows Spotlight** - [Experience/AllowWindowsSpotlight](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowwindowsspotlight). Disable Windows Spotlight. **Set to 0 (zero)**
1. [Defender/AllowCloudProtection](/windows/client-management/mdm/policy-csp-defender#defender-allowcloudprotection). Disconnect from the Microsoft Antimalware Protection Service. **Set to 0 (zero)**
1. [Defender/SubmitSamplesConsent](/windows/client-management/mdm/policy-csp-defender#defender-submitsamplesconsent). Stop sending file samples back to Microsoft. **Set to 2 (two)**
1. [Defender/EnableSmartScreenInShell](/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings#mdm-settings). Turns off SmartScreen in Windows for app and file execution. **Set to 0 (zero)**
1. Windows Defender SmartScreen - [Browser/AllowSmartScreen](/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen). Disable Windows Defender SmartScreen. **Set to 0 (zero)**
1. Windows Defender SmartScreen EnableAppInstallControl - [SmartScreen/EnableAppInstallControl](/windows/client-management/mdm/policy-csp-smartscreen#smartscreen-enableappinstallcontrol). Controls whether users are allowed to install apps from places other than the Microsoft Store. **Set to 0 (zero)**
1. Windows Defender Potentially Unwanted Applications(PUA) Protection - [Defender/PUAProtection](/windows/client-management/mdm/policy-csp-defender#defender-puaprotection). Specifies the level of detection for potentially unwanted applications (PUAs). **Set to 1 (one)**
1. [Defender/SignatureUpdateFallbackOrder](). Allows you to define the order in which different definition update sources should be contacted. The OMA-URI for this is: **./Vendor/MSFT/Policy/Config/Defender/SignatureUpdateFallbackOrder**, Data type: **String**, Value: **FileShares**
1. **Windows Spotlight** - [Experience/AllowWindowsSpotlight](/windows/client-management/mdm/policy-csp-experience#experience-allowwindowsspotlight). Disable Windows Spotlight. **Set to 0 (zero)**
1. **Microsoft Store**
1. [ApplicationManagement/DisableStoreOriginatedApps](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-disablestoreoriginatedapps). Boolean value that disables the launch of all apps from Microsoft Store that came pre-installed or were downloaded. **Set to 1 (one)**
1. [ApplicationManagement/AllowAppStoreAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-allowappstoreautoupdate). Specifies whether automatic update of apps from Microsoft Store are allowed. **Set to 0 (zero)**
1. **Apps for websites** - [ApplicationDefaults/EnableAppUriHandlers](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-applicationdefaults#applicationdefaults-enableappurihandlers). This policy setting determines whether Windows supports web-to-app linking with app URI handlers. **Set to 0 (zero)**
1. **Windows Update Delivery Optimization** - The following Delivery Optimization MDM policies are available in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
1. [DeliveryOptimization/DODownloadMode](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization#deliveryoptimization-dodownloadmode). Lets you choose where Delivery Optimization gets or sends updates and apps. **Set to 99 (ninety-nine)**
1. [ApplicationManagement/DisableStoreOriginatedApps](/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-disablestoreoriginatedapps). Boolean value that disables the launch of all apps from Microsoft Store that came pre-installed or were downloaded. **Set to 1 (one)**
1. [ApplicationManagement/AllowAppStoreAutoUpdate](/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-allowappstoreautoupdate). Specifies whether automatic update of apps from Microsoft Store are allowed. **Set to 0 (zero)**
1. **Apps for websites** - [ApplicationDefaults/EnableAppUriHandlers](/windows/client-management/mdm/policy-csp-applicationdefaults#applicationdefaults-enableappurihandlers). This policy setting determines whether Windows supports web-to-app linking with app URI handlers. **Set to 0 (zero)**
1. **Windows Update Delivery Optimization** - The following Delivery Optimization MDM policies are available in the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider).
1. [DeliveryOptimization/DODownloadMode](/windows/client-management/mdm/policy-csp-deliveryoptimization#deliveryoptimization-dodownloadmode). Lets you choose where Delivery Optimization gets or sends updates and apps. **Set to 99 (ninety-nine)**
1. **Windows Update**
1. [Update/AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate). Control automatic updates. **Set to 5 (five)**
1. Windows Update Allow Update Service - [Update/AllowUpdateService](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowupdateservice). Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store. **Set to 0 (zero)**
1. Windows Update Service URL - [Update/UpdateServiceUrl](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-updateserviceurl). Allows the device to check for updates from a WSUS server instead of Microsoft Update. **Set to String** with the Value:
1. [Update/AllowAutoUpdate](/windows/client-management/mdm/policy-csp-update#update-allowautoupdate). Control automatic updates. **Set to 5 (five)**
1. Windows Update Allow Update Service - [Update/AllowUpdateService](/windows/client-management/mdm/policy-csp-update#update-allowupdateservice). Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store. **Set to 0 (zero)**
1. Windows Update Service URL - [Update/UpdateServiceUrl](/windows/client-management/mdm/policy-csp-update#update-updateserviceurl). Allows the device to check for updates from a WSUS server instead of Microsoft Update. **Set to String** with the Value:
1. **\<Replace>\<CmdID>$CmdID$</CmdID>\<Item>\<Meta>\<Format>chr</Format>\<Type>text/plain</Type>\</Meta>\<Target> \<LocURI>./Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl</LocURI>\</Target>\<Data>http://abcd-srv:8530</Data>\</Item>\</Replace>**
### <a href="" id="bkmk-mdm-allowedtraffic"></a> Allowed traffic for Microsoft Intune / MDM configurations
@ -174,4 +174,4 @@ For Windows 10, the following MDM policies are available in the [Policy CSP](htt
|ocsp.digicert.com/*|
|r.manage.microsoft.com|
|tile-service.weather.microsoft.com|
|settings-win.data.microsoft.com|
|settings-win.data.microsoft.com|

18
windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
View File

@ -42,7 +42,7 @@ Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline]
> - To restrict a device effectively (first time or subsequently), it is recommended to apply the Restricted Traffic Limited Functionality Baseline settings package in offline mode.
> - During update or upgrade of Windows, egress traffic may occur.
To use Microsoft Intune cloud based device management for restricting traffic please refer to the [Manage connections from Windows 10 operating system components to Microsoft services using Microsoft Intune MDM Server](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm)
To use Microsoft Intune cloud based device management for restricting traffic please refer to the [Manage connections from Windows 10 operating system components to Microsoft services using Microsoft Intune MDM Server](./manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm.md)
We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting **telmhelp**@**microsoft.com**.
@ -227,7 +227,7 @@ Use the following sections for more information about how to configure each sett
### <a href="" id="automatic-root-certificates-update"></a>1. Automatic Root Certificates Update
The Automatic Root Certificates Update component is designed to automatically check the list of trusted authorities on Windows Update to see if an update is available.
For more information, see [Automatic Root Certificates Update Configuration](https://technet.microsoft.com/library/cc733922.aspx).
For more information, see [Automatic Root Certificates Update Configuration](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc733922(v=ws.10)).
Although not recommended, you can turn off Automatic Root Certificates Update, which also prevents updates to the disallowed certificate list and the pin rules list.
> [!CAUTION]
@ -495,7 +495,7 @@ You can turn this off by:
- Changing the REG_DWORD registry setting **HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\VersionManager\\DownloadVersionList** to **0 (zero)**.
For more info, see [Out-of-date ActiveX control blocking](https://technet.microsoft.com/library/dn761713.aspx).
For more info, see [Out-of-date ActiveX control blocking](/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking).
### <a href="" id="bkmk-licmgr"></a>9. License Manager
@ -544,7 +544,7 @@ To turn off the Windows Mail app:
### <a href="" id="bkmk-microsoft-account"></a>12. Microsoft Account
Use the below setting to prevent communication to the Microsoft Account cloud authentication service. Many apps and system components that depend on Microsoft Account authentication may lose functionality. Some of them could be in unexpected ways. For example, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See [Feature updates are not being offered while other updates are](https://docs.microsoft.com/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are).
Use the below setting to prevent communication to the Microsoft Account cloud authentication service. Many apps and system components that depend on Microsoft Account authentication may lose functionality. Some of them could be in unexpected ways. For example, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See [Feature updates are not being offered while other updates are](/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are).
To disable the Microsoft Account Sign-In Assistant:
@ -553,7 +553,7 @@ To disable the Microsoft Account Sign-In Assistant:
### <a href="" id="bkmk-edge"></a>13. Microsoft Edge
Use Group Policies to manage settings for Microsoft Edge. For more info, see [Microsoft Edge and privacy: FAQ](https://go.microsoft.com/fwlink/p/?LinkId=730682) and [Configure Microsoft Edge policy settings on Windows](https://docs.microsoft.com/DeployEdge/configure-microsoft-edge).
Use Group Policies to manage settings for Microsoft Edge. For more info, see [Microsoft Edge and privacy: FAQ](https://go.microsoft.com/fwlink/p/?LinkId=730682) and [Configure Microsoft Edge policy settings on Windows](/DeployEdge/configure-microsoft-edge).
### <a href="" id="bkmk-edgegp"></a>13.1 Microsoft Edge Group Policies
@ -590,7 +590,7 @@ Alternatively, you can configure the following Registry keys as described:
| Choose whether employees can configure Compatibility View. | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\BrowserEmulation<br/>REG_DWORD: MSCompatibilityMode <br />Value: **0**|
For a complete list of the Microsoft Edge policies, see [Available policies for Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/available-policies).
For a complete list of the Microsoft Edge policies, see [Available policies for Microsoft Edge](/microsoft-edge/deploy/available-policies).
### <a href="" id="bkmk-ncsi"></a>14. Network Connection Status Indicator
@ -1557,7 +1557,7 @@ To turn off Messaging cloud sync:
### <a href="" id="bkmk-teredo"></a>22. Teredo
You can disable Teredo by using Group Policy or by using the netsh.exe command. For more info on Teredo, see [Internet Protocol Version 6, Teredo, and Related Technologies](https://technet.microsoft.com/library/cc722030.aspx).
You can disable Teredo by using Group Policy or by using the netsh.exe command. For more info on Teredo, see [Internet Protocol Version 6, Teredo, and Related Technologies](/previous-versions/windows/it-pro/windows-vista/cc722030(v=ws.10)).
>[!NOTE]
>If you disable Teredo, some XBOX gaming features and Delivery Optimization (with Group or Internet peering) will not work.
@ -1838,7 +1838,7 @@ You can find the Delivery Optimization Group Policy objects under **Computer Con
| Max Upload Bandwidth | Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity. <br /> The default value is 0, which means unlimited possible bandwidth.|
For a comprehensive list of Delivery Optimization Policies, see [Delivery Optimization Reference](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization-reference).
For a comprehensive list of Delivery Optimization Policies, see [Delivery Optimization Reference](/windows/deployment/update/waas-delivery-optimization-reference).
### <a href="" id="bkmk-wudo-mdm"></a>28.3 Delivery Optimization
@ -1918,4 +1918,4 @@ For China releases of Windows 10 there is one additional Regkey to be set to pre
|www.microsoft.com/pkiops/*|
To learn more, see [Device update management](https://msdn.microsoft.com/library/windows/hardware/dn957432.aspx) and [Configure Automatic Updates by using Group Policy](https://technet.microsoft.com/library/cc720539.aspx).
To learn more, see [Device update management](/windows/client-management/mdm/device-update-management) and [Configure Automatic Updates by using Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc720539(v=ws.10)).

2
windows/privacy/manage-windows-1709-endpoints.md
View File

@ -456,4 +456,4 @@ To view endpoints for non-Enterprise Windows 10 editions, see:
## Related links
- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US)
- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/intune-endpoints)
- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)

2
windows/privacy/manage-windows-1803-endpoints.md
View File

@ -461,4 +461,4 @@ To view endpoints for non-Enterprise Windows 10 editions, see:
## Related links
- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US)
- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/intune-endpoints)
- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)

4
windows/privacy/manage-windows-1809-endpoints.md
View File

@ -399,7 +399,7 @@ The following endpoint is used to retrieve Skype configuration values. To turn o
## Windows Defender
The following endpoint is used for Windows Defender when Cloud-based Protection is enabled.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), the device will not use Cloud-based Protection. For a detailed list of Microsoft Defender Antivirus cloud service connections, see [Allow connections to the Microsoft Defender Antivirus cloud service](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus#allow-connections-to-the-microsoft-defender-antivirus-cloud-service).
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), the device will not use Cloud-based Protection. For a detailed list of Microsoft Defender Antivirus cloud service connections, see [Allow connections to the Microsoft Defender Antivirus cloud service](/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus#allow-connections-to-the-microsoft-defender-antivirus-cloud-service).
| Source process | Protocol | Destination |
|:--------------:|:--------:|:------------|
@ -497,4 +497,4 @@ To view endpoints for non-Enterprise Windows 10 editions, see:
## Related links
- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US)
- [Network endpoints for Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/intune-endpoints)
- [Network endpoints for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)

4
windows/privacy/manage-windows-1903-endpoints.md
View File

@ -187,6 +187,4 @@ To view endpoints for non-Enterprise Windows 10 editions, see:
## Related links
- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US)
- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/intune-endpoints)
- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)

2
windows/privacy/manage-windows-1909-endpoints.md
View File

@ -137,4 +137,4 @@ To view endpoints for non-Enterprise Windows 10 editions, see:
## Related links
- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US)
- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/intune-endpoints)
- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)

2
windows/privacy/manage-windows-2004-endpoints.md
View File

@ -138,4 +138,4 @@ To view endpoints for non-Enterprise Windows 10 editions, see:
## Related links
- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US)
- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/intune-endpoints)
- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)

2
windows/privacy/manage-windows-20H2-endpoints.md
View File

@ -156,4 +156,4 @@ To view endpoints for non-Enterprise Windows 10 editions, see:
## Related links
- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US)
- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/intune-endpoints)
- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)

44
windows/privacy/windows-10-and-privacy-compliance.md
View File

@ -49,7 +49,7 @@ The following table provides an overview of the Windows 10 privacy settings pres
| Feature/Setting | Description | Supporting Content | Privacy Statement |
| --- | --- | --- | --- |
| Diagnostic Data | <p>Microsoft uses diagnostic data to keep Windows secure, up to date, troubleshoot problems, and make product improvements. Regardless of what choices you make for diagnostic data collection, the device will be just as secure and will operate normally. This data is collected by Microsoft and stored with one or more unique identifiers that can help us recognize an individual user on an individual device and understand the device's service issues and use patterns.</p><p>Diagnostic data is categorized into the following:<ul><li>**Required diagnostic data**<br />Previously known as basic diagnostic data, required diagnostic data includes information about your device, its settings, capabilities, and whether it is performing properly, whether a device is ready for an update, and whether there are factors that may impede the ability to receive updates, such as low battery, limited disk space, or connectivity through a paid network. You can find out what is collected with required diagnostic data [here](https://docs.microsoft.com/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004).</li><li>**Optional diagnostic data**<br />Previously known as full diagnostic data, optional diagnostic data includes more detailed information about your device and its settings, capabilities, and device health. When you choose to send optional diagnostic data, required diagnostic data will always be included. You can find out the types of optional diagnostic data collected [here](https://docs.microsoft.com/windows/privacy/windows-diagnostic-data).</li></ul></p> | [Learn more](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy)<br /><br />[Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#maindiagnosticsmodule) |
| Diagnostic Data | <p>Microsoft uses diagnostic data to keep Windows secure, up to date, troubleshoot problems, and make product improvements. Regardless of what choices you make for diagnostic data collection, the device will be just as secure and will operate normally. This data is collected by Microsoft and stored with one or more unique identifiers that can help us recognize an individual user on an individual device and understand the device's service issues and use patterns.</p><p>Diagnostic data is categorized into the following:<ul><li>**Required diagnostic data**<br />Previously known as basic diagnostic data, required diagnostic data includes information about your device, its settings, capabilities, and whether it is performing properly, whether a device is ready for an update, and whether there are factors that may impede the ability to receive updates, such as low battery, limited disk space, or connectivity through a paid network. You can find out what is collected with required diagnostic data [here](./required-windows-diagnostic-data-events-and-fields-2004.md).</li><li>**Optional diagnostic data**<br />Previously known as full diagnostic data, optional diagnostic data includes more detailed information about your device and its settings, capabilities, and device health. When you choose to send optional diagnostic data, required diagnostic data will always be included. You can find out the types of optional diagnostic data collected [here](./windows-diagnostic-data.md).</li></ul></p> | [Learn more](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy)<br /><br />[Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#maindiagnosticsmodule) |
| Inking and typing diagnostics | Microsoft collects optional inking and typing diagnostic data to improve the language recognition and suggestion capabilities of apps and services running on Windows. | [Learn more](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#maindiagnosticsmodule) |
| Speech | Use your voice for dictation and to talk to Cortana and other apps that use Windows cloud-based speech recognition. Microsoft collects voice data to help improve speech services. | [Learn more](https://support.microsoft.com/help/4468250/windows-10-speech-voice-activation-inking-typing-privacy) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#mainspeechinkingtypingmodule) |
| Location | Get location-based experiences like directions and weather. Let Windows and apps request your location and allow Microsoft to use your location data to improve location services. | [Learn more](https://support.microsoft.com/help/4468240/windows-10-location-service-and-privacy) |[Privacy Statement](https://privacy.microsoft.com/privacystatement#mainlocationservicesmotionsensingmodule) |
@ -57,7 +57,7 @@ The following table provides an overview of the Windows 10 privacy settings pres
| Tailored Experiences | Let Microsoft offer you tailored experiences based on the diagnostic data you choose to send. Tailored experiences include personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs. | [Learn more](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#maindiagnosticsmodule) |
| Advertising Id | Apps can use advertising ID to provide more personalized advertising in accordance with the privacy policy of the app provider. | [Learn more](https://support.microsoft.com/help/4459081/windows-10-general-privacy-settings) | [Privacy statement](https://support.microsoft.com/help/4459081/windows-10-general-privacy-settings) |
| Activity History/Timeline Cloud Sync | If you want Windows Timeline and other Windows features to help you continue what you were doing, even when you switch devices, send Microsoft your activity history, which includes info about websites you browse and how you use apps and services. | [Learn more](https://support.microsoft.com/help/4468227/windows-10-activity-history-and-your-privacy-microsoft-privacy) | [Privacy statement](https://privacy.microsoft.com/privacystatement#mainactivityhistorymodule) |
| Cortana | <p>Cortana is Microsofts personal digital assistant, which helps busy people get things done, even while theyre at work. Cortana on Windows is available in [certain regions and languages](https://support.microsoft.com/help/4026948/cortanas-regions-and-languages). Cortana learns from certain data about the user, such as location, searches, calendar, contacts, voice input, speech patterns, email, content and communication history from text messages. In Microsoft Edge, Cortana uses browsing history. The user is in control of how much data is shared.<br /><br />Cortana has powerful configuration options, specifically optimized for a business. By signing in with an Azure Active Directory (Azure AD) account, enterprise users can give Cortana access to their enterprise/work identity, while getting all the functionality Cortana provides to them outside of work.</p> | [Learn more](https://support.microsoft.com/help/4468233/cortana-and-privacy-microsoft-privacy)<br /><br />[Cortana integration in your business or enterprise](https://docs.microsoft.com/windows/configuration/cortana-at-work/cortana-at-work-overview) | [Privacy statement](https://privacy.microsoft.com/privacystatement#maincortanamodule) |
| Cortana | <p>Cortana is Microsofts personal digital assistant, which helps busy people get things done, even while theyre at work. Cortana on Windows is available in [certain regions and languages](https://support.microsoft.com/help/4026948/cortanas-regions-and-languages). Cortana learns from certain data about the user, such as location, searches, calendar, contacts, voice input, speech patterns, email, content and communication history from text messages. In Microsoft Edge, Cortana uses browsing history. The user is in control of how much data is shared.<br /><br />Cortana has powerful configuration options, specifically optimized for a business. By signing in with an Azure Active Directory (Azure AD) account, enterprise users can give Cortana access to their enterprise/work identity, while getting all the functionality Cortana provides to them outside of work.</p> | [Learn more](https://support.microsoft.com/help/4468233/cortana-and-privacy-microsoft-privacy)<br /><br />[Cortana integration in your business or enterprise](/windows/configuration/cortana-at-work/cortana-at-work-overview) | [Privacy statement](https://privacy.microsoft.com/privacystatement#maincortanamodule) |
### 1.2 Data collection monitoring
@ -85,15 +85,15 @@ The following table provides an overview of the privacy settings discussed earli
| Feature/Setting | GP/MDM Documentation | Default State if the Setup experience is suppressed | State to stop/minimize data collection |
|---|---|---|---|
| [Speech](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-speech) | Group Policy:<br />**Computer Configuration** > **Control Panel** > **Regional and Language Options** > **Allow users to enable online speech recognition services**<br /><br />MDM: [Privacy/AllowInputPersonalization](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-allowinputpersonalization) | Off | Off |
| [Location](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location) | Group Policy:<br />**Computer Configuration** > **Windows Components** > **App Privacy** > **Let Windows apps access location**<br /><br />MDM: [Privacy/LetAppsAccessLocation](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-allowinputpersonalization) | Off (Windows 10, version 1903 and later) | Off |
| [Find my device](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#find-my-device) | Group Policy:<br />**Computer Configuration** > **Windows Components** > **Find My Device** > **Turn On/Off Find My Device**<br /><br />MDM: [Experience/AllFindMyDevice](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowfindmydevice) | Off | Off |
| [Diagnostic Data](configure-windows-diagnostic-data-in-your-organization.md#manage-enterprise-diagnostic-data) | Group Policy:<br />**Computer Configuration** > **Windows Components** > **Data Collection and Preview Builds** > **Allow Telemetry**<br /><br />MDM: [System/AllowTelemetry](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) | Desktop editions:<br />Required diagnostic data (Windows 10, version 1903 and later)<br /><br />Server editions:<br />Required diagnostic data | Security and block endpoints |
| [Inking and typing diagnostics](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-ink) | Group Policy:<br />**Computer Configuration** > **Windows Components** > **Text Input** > **Improve inking and typing recognition**<br /><br />MDM: [TextInput/AllowLinguisticDataCollection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-textinput#textinput-allowlinguisticdatacollection) | Off (Windows 10, version 1809 and later) | Off |
| Tailored Experiences | Group Policy:<br />**User Configuration** > **Windows Components** > **Cloud Content** > **Do not use diagnostic data for tailored experiences**<br /><br />MDM: [Experience/AllowTailoredExperiencesWithDiagnosticData](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowtailoredexperienceswithdiagnosticdata) | Off | Off |
| Advertising ID | Group Policy:<br />**Computer Configuration** > **System** > **User Profile** > **Turn off the advertising Id**<br /><br />MDM: [Privacy/DisableAdvertisingId](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-disableadvertisingid) | Off | Off |
| Activity History/Timeline Cloud Sync | Group Policy:<br />**Computer Configuration** > **System** > **OS Policies** > **Allow upload of User Activities**<br /><br />MDM: [Privacy/EnableActivityFeed](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-enableactivityfeed) | Off | Off |
| [Cortana](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#2-cortana-and-search) | Group Policy:<br />**Computer Configuration** > **Windows Components** > **Search** > **Allow Cortana**<br /><br />MDM: [Experience/AllowCortana](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowcortana) | Off | Off |
| [Speech](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-speech) | Group Policy:<br />**Computer Configuration** > **Control Panel** > **Regional and Language Options** > **Allow users to enable online speech recognition services**<br /><br />MDM: [Privacy/AllowInputPersonalization](/windows/client-management/mdm/policy-csp-privacy#privacy-allowinputpersonalization) | Off | Off |
| [Location](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location) | Group Policy:<br />**Computer Configuration** > **Windows Components** > **App Privacy** > **Let Windows apps access location**<br /><br />MDM: [Privacy/LetAppsAccessLocation](/windows/client-management/mdm/policy-csp-privacy#privacy-allowinputpersonalization) | Off (Windows 10, version 1903 and later) | Off |
| [Find my device](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#find-my-device) | Group Policy:<br />**Computer Configuration** > **Windows Components** > **Find My Device** > **Turn On/Off Find My Device**<br /><br />MDM: [Experience/AllFindMyDevice](/windows/client-management/mdm/policy-csp-experience#experience-allowfindmydevice) | Off | Off |
| [Diagnostic Data](configure-windows-diagnostic-data-in-your-organization.md#manage-enterprise-diagnostic-data) | Group Policy:<br />**Computer Configuration** > **Windows Components** > **Data Collection and Preview Builds** > **Allow Telemetry**<br /><br />MDM: [System/AllowTelemetry](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) | Desktop editions:<br />Required diagnostic data (Windows 10, version 1903 and later)<br /><br />Server editions:<br />Required diagnostic data | Security and block endpoints |
| [Inking and typing diagnostics](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-ink) | Group Policy:<br />**Computer Configuration** > **Windows Components** > **Text Input** > **Improve inking and typing recognition**<br /><br />MDM: [TextInput/AllowLinguisticDataCollection](/windows/client-management/mdm/policy-csp-textinput#textinput-allowlinguisticdatacollection) | Off (Windows 10, version 1809 and later) | Off |
| Tailored Experiences | Group Policy:<br />**User Configuration** > **Windows Components** > **Cloud Content** > **Do not use diagnostic data for tailored experiences**<br /><br />MDM: [Experience/AllowTailoredExperiencesWithDiagnosticData](/windows/client-management/mdm/policy-csp-experience#experience-allowtailoredexperienceswithdiagnosticdata) | Off | Off |
| Advertising ID | Group Policy:<br />**Computer Configuration** > **System** > **User Profile** > **Turn off the advertising Id**<br /><br />MDM: [Privacy/DisableAdvertisingId](/windows/client-management/mdm/policy-csp-privacy#privacy-disableadvertisingid) | Off | Off |
| Activity History/Timeline Cloud Sync | Group Policy:<br />**Computer Configuration** > **System** > **OS Policies** > **Allow upload of User Activities**<br /><br />MDM: [Privacy/EnableActivityFeed](/windows/client-management/mdm/policy-csp-privacy#privacy-enableactivityfeed) | Off | Off |
| [Cortana](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#2-cortana-and-search) | Group Policy:<br />**Computer Configuration** > **Windows Components** > **Search** > **Allow Cortana**<br /><br />MDM: [Experience/AllowCortana](/windows/client-management/mdm/policy-csp-experience#experience-allowcortana) | Off | Off |
### 2.3 Guidance for configuration options
@ -103,7 +103,7 @@ This section provides general details and links to more detailed information, as
Windows deployment can be configured using several different methods that provide an administrator with options for control, including how a device is set up, which options are enabled by default, and what the user is able to change on the device after they log on.
If you want the ability to fully control and apply restrictions on data being sent back to Microsoft, you can use [Configuration Manager](https://docs.microsoft.com/mem/configmgr/) as a deployment solution. Configuration Manager can be used to deploy a customized boot image using a variety of [deployment methods](https://docs.microsoft.com/mem/configmgr/osd/get-started/prepare-for-operating-system-deployment). You can further restrict any Configuration Manager-specific diagnostic data from being sent back to Microsoft by turning off this setting as outlined in the instructions [here](https://docs.microsoft.com/mem/configmgr/core/plan-design/diagnostics/frequently-asked-questions).
If you want the ability to fully control and apply restrictions on data being sent back to Microsoft, you can use [Configuration Manager](/mem/configmgr/) as a deployment solution. Configuration Manager can be used to deploy a customized boot image using a variety of [deployment methods](/mem/configmgr/osd/get-started/prepare-for-operating-system-deployment). You can further restrict any Configuration Manager-specific diagnostic data from being sent back to Microsoft by turning off this setting as outlined in the instructions [here](/mem/configmgr/core/plan-design/diagnostics/frequently-asked-questions).
Alternatively, your administrators can also choose to use Windows Autopilot. Autopilot lessens the overall burden of deployment while allowing administrators to fully customize the out-of-box experience. However, since Windows Autopilot is a cloud-based solution, administrators should be aware that a minimal set of device identifiers are sent back to Microsoft during initial device boot up. This device-specific information is used to identify the device so that it can receive the administrator-configured Autopilot profile and policies.
@ -121,11 +121,11 @@ For more details, see [Manage connections from Windows operating system componen
Some Windows components, apps, and related services transfer data to Microsoft network endpoints. An administrator may want to block these endpoints for their organization to meet their specific compliance objectives.
[Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md) provides a list of endpoints for the latest Windows 10 release, along with descriptions of any functionality that would be impacted by restricting data collection. Details for additional Windows versions can be found on the [Windows Privacy site](https://docs.microsoft.com/windows/privacy/) under the **Manage Windows 10 connection endpoints** section of the left-hand navigation menu.
[Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md) provides a list of endpoints for the latest Windows 10 release, along with descriptions of any functionality that would be impacted by restricting data collection. Details for additional Windows versions can be found on the [Windows Privacy site](./index.yml) under the **Manage Windows 10 connection endpoints** section of the left-hand navigation menu.
#### _2.3.4 Limited functionality baseline_
An organization may want to further minimize the amount of data sent back to Microsoft or shared with Microsoft apps by managing the connections and configuring additional settings on their devices. Similar to [Windows security baselines](https://docs.microsoft.com/windows/security/threat-protection/windows-security-baselines), Microsoft has released a limited functionality baseline focused on configuring settings to minimize the data sent back to Microsoft. However, the functionality of the device could be impacted by applying these settings. The [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) article provides details on how to apply the baseline, along with the full list of settings covered in the baseline and the functionality that would be impacted. Administrators that dont want to apply the baseline can still find details on how to configure each setting individually to find the right balance between data sharing and impact to functionality for their organization.
An organization may want to further minimize the amount of data sent back to Microsoft or shared with Microsoft apps by managing the connections and configuring additional settings on their devices. Similar to [Windows security baselines](/windows/security/threat-protection/windows-security-baselines), Microsoft has released a limited functionality baseline focused on configuring settings to minimize the data sent back to Microsoft. However, the functionality of the device could be impacted by applying these settings. The [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) article provides details on how to apply the baseline, along with the full list of settings covered in the baseline and the functionality that would be impacted. Administrators that dont want to apply the baseline can still find details on how to configure each setting individually to find the right balance between data sharing and impact to functionality for their organization.
>[!IMPORTANT]
>We recommend that you fully test any modifications to these settings before deploying them in your organization.
@ -140,7 +140,7 @@ Windows 10, version 1803 and newer allows users to change their diagnostic data
#### _2.3.7 Diagnostic data: Managing device-based data delete_
Windows 10, version 1809 and newer allows a user to delete diagnostic data collected from their device by using **Settings** > **Privacy** > **Diagnostic & feedback** and clicking the **Delete** button under the **Delete diagnostic data** heading. An administrator can also delete diagnostic data for a device using the [Clear-WindowsDiagnosticData](https://docs.microsoft.com/powershell/module/windowsdiagnosticdata/Clear-WindowsDiagnosticData?view=win10-ps) PowerShell cmdlet.
Windows 10, version 1809 and newer allows a user to delete diagnostic data collected from their device by using **Settings** > **Privacy** > **Diagnostic & feedback** and clicking the **Delete** button under the **Delete diagnostic data** heading. An administrator can also delete diagnostic data for a device using the [Clear-WindowsDiagnosticData](/powershell/module/windowsdiagnosticdata/Clear-WindowsDiagnosticData?view=win10-ps) PowerShell cmdlet.
An administrator can disable a users ability to delete their devices diagnostic data by setting the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Disable deleting diagnostic data** or the MDM policy `DisableDeviceDelete`.
@ -151,7 +151,7 @@ This section discusses the different methods Microsoft provides for users and ad
### 3.1 Delete
Users can delete their device-based data by going to **Settings** > **Privacy** > **Diagnostic & feedback** and clicking the **Delete** button under the **Delete diagnostic data** heading. Administrators can also use the [Clear-WindowsDiagnosticData](https://docs.microsoft.com/powershell/module/windowsdiagnosticdata/Clear-WindowsDiagnosticData?view=win10-ps) PowerShell cmdlet.
Users can delete their device-based data by going to **Settings** > **Privacy** > **Diagnostic & feedback** and clicking the **Delete** button under the **Delete diagnostic data** heading. Administrators can also use the [Clear-WindowsDiagnosticData](/powershell/module/windowsdiagnosticdata/Clear-WindowsDiagnosticData?view=win10-ps) PowerShell cmdlet.
### 3.2 View
@ -183,28 +183,28 @@ Windows Server follows the same mechanisms as Windows 10 for handling of persona
### 5.2 Surface Hub
[Surface Hub](https://docs.microsoft.com/surface-hub/) is a shared device used within an organization. The device identifier collected as part of diagnostic data is not connected to a user. To delete the Windows diagnostic data sent to Microsoft for Surface Hub, you can use the Surface Hub Delete Diagnostic Data tool available in the Microsoft Store
[Surface Hub](/surface-hub/) is a shared device used within an organization. The device identifier collected as part of diagnostic data is not connected to a user. To delete the Windows diagnostic data sent to Microsoft for Surface Hub, you can use the Surface Hub Delete Diagnostic Data tool available in the Microsoft Store
>[!IMPORTANT]
>Apps and services that run on Windows but are not considered part of Windows will manage data collection using their own controls. Please contact the publisher for further guidance on how to control the data collection and transmission of these apps and services.
An administrator can configure privacy-related settings, such as choosing to only send required diagnostic data. Surface Hub does not support Group Policy for centralized management. However, administrators can use MDM to apply these settings to Surface Hub. For more information about Surface Hub and MDM, see [Manage settings with an MDM provider (Surface Hub)](https://docs.microsoft.com/surface-hub/manage-settings-with-mdm-for-surface-hub).
An administrator can configure privacy-related settings, such as choosing to only send required diagnostic data. Surface Hub does not support Group Policy for centralized management. However, administrators can use MDM to apply these settings to Surface Hub. For more information about Surface Hub and MDM, see [Manage settings with an MDM provider (Surface Hub)](/surface-hub/manage-settings-with-mdm-for-surface-hub).
### 5.3 Desktop Analytics
[Desktop Analytics](https://docs.microsoft.com/mem/configmgr/desktop-analytics/overview) is a set of solutions for Azure Portal that provide you with extensive data about the state of devices in your deployment. Desktop Analytics is a separate offering from Windows 10 and is dependent on enabling a minimum set of data collection on the device to function.
[Desktop Analytics](/mem/configmgr/desktop-analytics/overview) is a set of solutions for Azure Portal that provide you with extensive data about the state of devices in your deployment. Desktop Analytics is a separate offering from Windows 10 and is dependent on enabling a minimum set of data collection on the device to function.
### 5.4 Microsoft Managed Desktop
[Microsoft Managed Desktop (MMD)](https://docs.microsoft.com/microsoft-365/managed-desktop/service-description/?view=o365-worldwide) is a service that provides your users with a secure modern experience and always keeps devices up to date with the latest versions of Windows 10 Enterprise edition, Office 365 ProPlus, and Microsoft security services.
[Microsoft Managed Desktop (MMD)](/microsoft-365/managed-desktop/service-description/?view=o365-worldwide) is a service that provides your users with a secure modern experience and always keeps devices up to date with the latest versions of Windows 10 Enterprise edition, Office 365 ProPlus, and Microsoft security services.
## Additional Resources
* [Microsoft Trust Center: GDPR Overview](https://www.microsoft.com/trust-center/privacy/gdpr-overview)
* [Microsoft Trust Center: Privacy at Microsoft](https://www.microsoft.com/trust-center/privacy)
* [Windows IT Pro Docs](https://docs.microsoft.com/windows/#pivot=it-pro)
* [Windows IT Pro Docs](/windows/#pivot=it-pro)
* [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement)
* [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
* [Privacy at Microsoft](https://privacy.microsoft.com/privacy-report)
* [Changes to Windows diagnostic data](changes-to-windows-diagnostic-data-collection.md)
* [Microsoft Service Trust Portal](https://servicetrust.microsoft.com/)
* [Microsoft Service Trust Portal](https://servicetrust.microsoft.com/)

8
windows/privacy/windows-diagnostic-data-1703.md
View File

@ -21,7 +21,7 @@ ms.reviewer:
**Applies to:**
- Windows 10, version 1703
Microsoft collects Windows diagnostic data to keep Windows up-to-date, secure, and operating properly. It also helps us improve Windows and, for users who have turned on “tailored experiences”, can be used to provide more relevant tips and recommendations to tailor Microsoft products to the users needs. This article describes all types diagnostic data collected by Windows at the Full diagnostic data level (inclusive of data collected at Basic), with comprehensive examples of data we collect per each type. For additional, detailed technical descriptions of Basic data items, see [Windows 10, version 1709 Basic level diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709) and [Windows 10, version 1703 Basic level diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703).
Microsoft collects Windows diagnostic data to keep Windows up-to-date, secure, and operating properly. It also helps us improve Windows and, for users who have turned on “tailored experiences”, can be used to provide more relevant tips and recommendations to tailor Microsoft products to the users needs. This article describes all types diagnostic data collected by Windows at the Full diagnostic data level (inclusive of data collected at Basic), with comprehensive examples of data we collect per each type. For additional, detailed technical descriptions of Basic data items, see [Windows 10, version 1709 Basic level diagnostic events and fields](./basic-level-windows-diagnostic-events-and-fields-1709.md) and [Windows 10, version 1703 Basic level diagnostic events and fields](./basic-level-windows-diagnostic-events-and-fields-1703.md).
The data covered in this article is grouped into the following categories:
@ -42,7 +42,7 @@ Most diagnostic events contain a header of common data:
| Category Name | Examples |
| - | - |
| Common Data | Information that is added to most diagnostic events, if relevant and available:<br><ul><li>OS name, version, build, and [locale](https://msdn.microsoft.com/library/windows/desktop/dd318716.aspx)</li><li>User ID - a unique identifier associated with the user's Microsoft Account (if one is used) or local account. The user's Microsoft Account identifier is not collected from devices configured to send Basic diagnostic data</li><li>Xbox UserID</li><li>Environment from which the event was logged - Application ID of app or component that logged the event, Session GUID. Used to track events over a given period of time such the period an app is running or between boots of the OS.</li><li>The diagnostic event name, Event ID, [ETW](https://msdn.microsoft.com/library/windows/desktop/bb968803.aspx) opcode, version, schema signature, keywords, and flags</li><li>HTTP header information, including the IP address. This IP address is the source address thats provided by the network packet header and received by the diagnostics ingestion service.</li><li>Various IDs that are used to correlate and sequence related events together.</li><li>Device ID. This ID is not the user provided device name, but an ID that is unique for that device.</li><li>Device class - Desktop, Server, or Mobile</li><li>Event collection time</li><li>Diagnostic level - Basic or Full, Sample level - for sampled data, what sample level is this device opted into</li></ul> |
| Common Data | Information that is added to most diagnostic events, if relevant and available:<br><ul><li>OS name, version, build, and [locale](/windows/win32/intl/locales-and-languages)</li><li>User ID - a unique identifier associated with the user's Microsoft Account (if one is used) or local account. The user's Microsoft Account identifier is not collected from devices configured to send Basic diagnostic data</li><li>Xbox UserID</li><li>Environment from which the event was logged - Application ID of app or component that logged the event, Session GUID. Used to track events over a given period of time such the period an app is running or between boots of the OS.</li><li>The diagnostic event name, Event ID, [ETW](/windows/win32/etw/event-tracing-portal) opcode, version, schema signature, keywords, and flags</li><li>HTTP header information, including the IP address. This IP address is the source address thats provided by the network packet header and received by the diagnostics ingestion service.</li><li>Various IDs that are used to correlate and sequence related events together.</li><li>Device ID. This ID is not the user provided device name, but an ID that is unique for that device.</li><li>Device class - Desktop, Server, or Mobile</li><li>Event collection time</li><li>Diagnostic level - Basic or Full, Sample level - for sampled data, what sample level is this device opted into</li></ul> |
## Device, Connectivity, and Configuration data
@ -53,7 +53,7 @@ This type of data includes details about the device, its configuration and conne
| Device properties | Information about the OS and device hardware, such as:<br><ul><li> OS - version name, Edition</li><li>Installation type, subscription status, and genuine OS status</li><li>Processor architecture, speed, number of cores, manufacturer, and model</li><li>OEM details - manufacturer, model, and serial number<li>Device identifier and Xbox serial number</li><li>Firmware/BIOS - type, manufacturer, model, and version</li><li>Memory - total memory, video memory, speed, and how much memory is available after the device has reserved memory</li><li>Storage - total capacity and disk type</li><li>Battery - charge capacity and InstantOn support</li><li>Hardware chassis type, color, and form factor</li><li>Is this machine a virtual machine?</li></ul> |
| Device capabilities | Information about the specific device capabilities such as:<br/><ul><li>Camera - whether the device has a front facing, a rear facing camera, or both.</li><li>Touch screen - does the device include a touch screen? If so, how many hardware touch points are supported?</li><li>Processor capabilities - CompareExchange128, LahfSahf, NX, PrefetchW, and SSE2</li><li>Trusted Platform Module (TPM) whether present and what version</li><li>Virtualization hardware - whether an IOMMU is present, SLAT support, is virtualization enabled in the firmware</li><li>Voice whether voice interaction is supported and the number of active microphones</li><li>Number of displays, resolutions, DPI</li><li>Wireless capabilities</li><li>OEM or platform face detection</li><li>OEM or platform video stabilization and quality level set</li><li>Advanced Camera Capture mode (HDR vs. LowLight), OEM vs. platform implementation, HDR probability, and Low Light probability</li></ul> |
| Device preferences and settings | Information about the device settings and user preferences such as:<br><ul><li>User Settings System, Device, Network &amp; Internet, Personalization, Cortana, Apps, Accounts, Time &amp; Language, Gaming, Ease of Access, Privacy, Update &amp; Security</li><li>User-provided device name</li><li>Whether device is domain-joined, or cloud-domain joined (that is, part of a company-managed network)</li><li>Hashed representation of the domain name</li><li>MDM (mobile device management) enrollment settings and status</li><li>BitLocker, Secure Boot, encryption settings, and status</li><li>Windows Update settings and status</li><li>Developer Unlock settings and status</li><li>Default app choices</li><li>Default browser choice</li><li>Default language settings for app, input, keyboard, speech, and display</li><li>App store update settings</li><li>Enterprise OrganizationID, Commercial ID</li></ul> |
| Device peripherals | Information about the device peripherals such as:<br><ul><li>Peripheral name, device model, class, manufacturer, and description</li><li>Peripheral device state, install state, and checksum</li><li>Driver name, package name, version, and manufacturer</li><li>HWID - A hardware vendor defined ID to match a device to a driver [INF file](https://msdn.microsoft.com/windows/hardware/drivers/install/hardware-ids)</li><li>Driver state, problem code, and checksum</li><li>Whether driver is kernel mode, signed, and image size</li></ul> |
| Device peripherals | Information about the device peripherals such as:<br><ul><li>Peripheral name, device model, class, manufacturer, and description</li><li>Peripheral device state, install state, and checksum</li><li>Driver name, package name, version, and manufacturer</li><li>HWID - A hardware vendor defined ID to match a device to a driver [INF file](/windows-hardware/drivers/install/hardware-ids)</li><li>Driver state, problem code, and checksum</li><li>Whether driver is kernel mode, signed, and image size</li></ul> |
| Device network info | Information about the device network configuration such as:<br><ul><li>Network system capabilities</li><li>Local or Internet connectivity status</li><li>Proxy, gateway, DHCP, DNS details, and addresses</li><li>Paid or free network</li><li>Wireless driver is emulated or not</li><li>Access point mode capable</li><li>Access point manufacturer, model, and MAC address</li><li>WDI Version</li><li>Name of networking driver service</li><li>Wi-Fi Direct details</li><li>Wi-Fi device hardware ID and manufacturer</li><li>Wi-Fi scan attempt counts and item counts</li><li>Mac randomization is supported/enabled or not</li><li>Number of spatial streams and channel frequencies supported</li><li>Manual or Auto Connect enabled</li><li>Time and result of each connection attempt</li><li>Airplane mode status and attempts</li><li>Interface description provided by the manufacturer</li><li>Data transfer rates</li><li>Cipher algorithm</li><li>Mobile Equipment ID (IMEI) and Mobile Country Code (MCCO)</li><li>Mobile operator and service provider name</li><li>Available SSIDs and BSSIDs</li><li>IP Address type - IPv4 or IPv6</li><li>Signal Quality percentage and changes</li><li>Hotspot presence detection and success rate</li><li>TCP connection performance</li><li>Miracast device names</li><li>Hashed IP address</li></ul>
## Product and Service Usage data
@ -107,4 +107,4 @@ This type of data gathers details about the voice, inking, and typing input feat
| Category Name | Description and Examples |
| - | - |
| Voice, inking, and typing | Information about voice, inking, and typing features such as:<br><ul><li>Type of pen used (highlighter, ball point, pencil), pen color, stroke height and width, and how long it is used</li><li>Pen gestures (click, double-click, pan, zoom, rotate)</li><li>Palm Touch x,y coordinates</li><li>Input latency, missed pen signals, number of frames, strokes, first frame commit time, sample rate</li><li>Ink strokes written, text before and after the ink insertion point, recognized text entered, Input language - processed to remove identifiers, sequencing information, and other data (such as email addresses and numeric values) which could be used to reconstruct the original content or associate the input to the user.</li><li>Text input from Windows Mobile on-screen keyboards except from password fields and private sessions - processed to remove identifiers, sequencing information, and other data (such as email addresses, and numeric values) which could be used to reconstruct the original content or associate the input to the user.</li><li>Text of speech recognition results - result codes and recognized text</li><li>Language and model of the recognizer, System Speech language</li><li>App ID using speech features</li><li>Whether user is known to be a child</li><li>Confidence and Success/Failure of speech recognition</li></ul> |
| Voice, inking, and typing | Information about voice, inking, and typing features such as:<br><ul><li>Type of pen used (highlighter, ball point, pencil), pen color, stroke height and width, and how long it is used</li><li>Pen gestures (click, double-click, pan, zoom, rotate)</li><li>Palm Touch x,y coordinates</li><li>Input latency, missed pen signals, number of frames, strokes, first frame commit time, sample rate</li><li>Ink strokes written, text before and after the ink insertion point, recognized text entered, Input language - processed to remove identifiers, sequencing information, and other data (such as email addresses and numeric values) which could be used to reconstruct the original content or associate the input to the user.</li><li>Text input from Windows Mobile on-screen keyboards except from password fields and private sessions - processed to remove identifiers, sequencing information, and other data (such as email addresses, and numeric values) which could be used to reconstruct the original content or associate the input to the user.</li><li>Text of speech recognition results - result codes and recognized text</li><li>Language and model of the recognizer, System Speech language</li><li>App ID using speech features</li><li>Whether user is known to be a child</li><li>Confidence and Success/Failure of speech recognition</li></ul> |

8
windows/privacy/windows-diagnostic-data.md
View File

@ -26,7 +26,7 @@ Applies to:
- Windows 10, version 1803
- Windows 10, version 1709
Microsoft uses Windows diagnostic data to keep Windows secure and up-to-date, troubleshoot problems, and make product improvements. For users who have turned on "Tailored experiences", it can also be used to offer you personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs. This article describes all types of diagnostic data collected by Windows at the Full level (inclusive of data collected at Basic), with comprehensive examples of data we collect per each type. For additional, detailed technical descriptions of Basic data items, see [Windows 10, version 20H2 required diagnostic events and fields](https://docs.microsoft.com/windows/configuration/basic-level-windows-diagnostic-events-and-fields).
Microsoft uses Windows diagnostic data to keep Windows secure and up-to-date, troubleshoot problems, and make product improvements. For users who have turned on "Tailored experiences", it can also be used to offer you personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs. This article describes all types of diagnostic data collected by Windows at the Full level (inclusive of data collected at Basic), with comprehensive examples of data we collect per each type. For additional, detailed technical descriptions of Basic data items, see [Windows 10, version 20H2 required diagnostic events and fields](/windows/configuration/basic-level-windows-diagnostic-events-and-fields).
In addition, this article provides references to equivalent definitions for the data types and examples from [ISO/IEC 19944:2017 Information technology - Cloud computing - Cloud services and devices: Data flow, data categories, and data use](https://www.iso.org/standard/66674.html). Each data type also has a Data Use statement, for diagnostics and for Tailored experiences on the device, using the terms as defined by the standard. These Data Use statements define the purposes for which Microsoft processes each type of Windows diagnostic data, using a uniform set of definitions referenced at the end of this document and based on the ISO standard. Reference to the ISO standard provides additional clarity about the information collected, and allows easy comparison with other services or guidance that also references the standard.
@ -141,7 +141,7 @@ If a user has enabled Tailored experiences on the device, [Pseudonymized](#pseud
- Peripheral name, device model, class, manufacturer, and description
- Peripheral device state, install state, and checksum
- Driver name, package name, version, and manufacturer
- HWID - A hardware vendor-defined ID to match a device to a driver [INF file](https://docs.microsoft.com/windows-hardware/drivers/install/hardware-ids)
- HWID - A hardware vendor-defined ID to match a device to a driver [INF file](/windows-hardware/drivers/install/hardware-ids)
- Driver state, problem code, and checksum
- Whether driver is kernel mode, signed, and image size
@ -249,7 +249,7 @@ This type of data includes details about the health of the device, operating sys
**For Diagnostics:**<br>
[Pseudonymized](#pseudo) Product and Service Performance data from Windows 10 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and related Microsoft product and services. For example:
- Data about the reliability of content that appears in the [Windows Spotlight](https://docs.microsoft.com/windows/configuration/windows-spotlight) (rotating lock screen images) is used for Windows Spotlight reliability investigations.
- Data about the reliability of content that appears in the [Windows Spotlight](/windows/configuration/windows-spotlight) (rotating lock screen images) is used for Windows Spotlight reliability investigations.
- Timing data about how quickly Cortana responds to voice commands is used to improve Cortana listening performance.
- Timing data about how quickly the facial recognition feature starts up and finishes is used to improve facial recognition performance.
- Data about when an Application Window fails to appear is used to investigate issues with Application Window reliability and performance.
@ -512,4 +512,4 @@ Here are the data identification qualifiers and the ISO/IEC 19944:2017 reference
- **<a name="pseudo">Pseudonymized Data</a>** 8.3.3 Pseudonymized data. Microsoft usage notes are as defined.
- **<a name="anon">Anonymized Data</a>** 8.3.5 Anonymized data. Microsoft usage notes are as defined.
- **<a name="aggregate">Aggregated Data</a>** 8.3.6 Aggregated data. Microsoft usage notes are as defined.
- **<a name="aggregate">Aggregated Data</a>** 8.3.6 Aggregated data. Microsoft usage notes are as defined.

4
windows/privacy/windows-endpoints-1709-non-enterprise-editions.md
View File

@ -23,7 +23,7 @@ ms.reviewer:
- Windows 10 Professional, version 1709
- Windows 10 Education, version 1709
In addition to the endpoints listed for [Windows 10 Enterprise](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services), the following endpoints are available on other editions of Windows 10, version 1709.
In addition to the endpoints listed for [Windows 10 Enterprise](./manage-connections-from-windows-operating-system-components-to-microsoft-services.md), the following endpoints are available on other editions of Windows 10, version 1709.
We used the following methodology to derive these network endpoints:
@ -292,4 +292,4 @@ We used the following methodology to derive these network endpoints:
| wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. |
| wdcp.microsoft.akadns.net | TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled. |
| www.bing.com | HTTPS | Used for updates for Cortana, apps, and Live Tiles. |
| www.bing.com | HTTPS | Used for updates for Cortana, apps, and Live Tiles. |

4
windows/privacy/windows-endpoints-1803-non-enterprise-editions.md
View File

@ -23,7 +23,7 @@ ms.reviewer:
- Windows 10 Professional, version 1803
- Windows 10 Education, version 1803
In addition to the endpoints listed for [Windows 10 Enterprise](https://docs.microsoft.com/windows/privacy/manage-windows-1803-endpoints ), the following endpoints are available on other editions of Windows 10, version 1803.
In addition to the endpoints listed for [Windows 10 Enterprise](./manage-windows-1803-endpoints.md), the following endpoints are available on other editions of Windows 10, version 1803.
We used the following methodology to derive these network endpoints:
@ -162,4 +162,4 @@ We used the following methodology to derive these network endpoints:
| vip5.afdorigin-prod-ch02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic. |
| watson.telemetry.microsoft.com/Telemetry.Request | HTTPS | Used by Windows Error Reporting. |
| wd-prod-cp-us-west-3-fe.westus.cloudapp.azure.com | HTTPS | Azure front end traffic |
| www.bing.com/* | HTTPS | Used for updates for Cortana, apps, and Live Tiles. |
| www.bing.com/* | HTTPS | Used for updates for Cortana, apps, and Live Tiles. |