diff --git a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index e0cfbed2c9..86503c42e8 100644
--- a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -29,21 +29,32 @@ To help make it easier to deploy settings to restrict connections from Windows 1
We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com.
-## What's new in Windows 10, version 1607 and Windows Server 2016
+## What's new in Windows 10, version 1703
-Here's a list of changes that were made to this article for Windows 10, version 1607 and Windows Server 2016:
+Here's a list of changes that were made to this article for Windows 10, version 1703:
-- Added instructions on how to turn off speech recognition and speech synthesis model updates in [14.5 Speech, inking, & typing](#bkmk-priv-speech).
-- Added instructions on how to turn off flip ahead with an Internet Explorer Group Policy.
-- Added a section on how to turn off automatic root updates to stop updating the certificate trust list in [1. Certificate trust lists](#certificate-trust-lists).
-- Added a new setting in [25. Windows Update](#bkmk-wu).
-- Changed the NCSI URL in [11. Network Connection Status Indicator](#bkmk-ncsi).
-- Added a section on how to turn off features that depend on Microsoft Account cloud authentication service [10. Microsoft Account](#bkmk-microsoft-account).
+- Added an MDM policy for Font streaming.
+- Added an MDM policy for Network Connection Status Indicator.
+- Added an MDM policy for the Micosoft Account Sign-In Assistant.
+- Added instructions for removing the Sticky Notes app.
+- Added registry paths for some Group Policies
+- Added the Find My Device section
+- Added the Tasks section
+- Added the App Diagnostics section
- Added the following Group Policies:
- - Turn off unsolicited network traffic on the Offline Maps settings page
- - Turn off all Windows spotlight features
+ - Prevent managing SmartScreen Filter
+ - Turn off Compatibility View
+ - Turn off Automatic Download and Install of updates
+ - Do not connect to any Windows Update locations
+ - Turn off access to all Windows Update features
+ - Specify Intranet Microsoft update service location
+ - Enable Windows NTP client
+ - Turn off Automatic download of the ActiveX VersionList
+ - Allow Automatic Update of Speech Data
+ - Accounts: Block Microsoft Accounts
+ - Do not use diagnostic data for tailored experiences
## Settings
@@ -52,55 +63,58 @@ The following sections list the components that make network connections to Micr
If you're running Windows 10, they will be included in the next update for the Long Term Servicing Branch.
-### Settings for Windows 10 Enterprise, version 1607
+### Settings for Windows 10 Enterprise, version 1703
-See the following table for a summary of the management settings for Windows 10 Enterprise, version 1607.
+See the following table for a summary of the management settings for Windows 10 Enterprise, version 1703.
| Setting | UI | Group Policy | MDM policy | Registry | Command line |
| - | :-: | :-: | :-: | :-: | :-: |
| [1. Certificate trust lists](#certificate-trust-lists) | |  | | | |
-| [2. Cortana and Search](#bkmk-cortana) |  |  |  | |  |
-| [3. Date & Time](#bkmk-datetime) |  | | |  | |
-| [4. Device metadata retrieval](#bkmk-devinst) | |  | | | |
-| [5. Font streaming](#font-streaming) | |  | |  | |
-| [6. Insider Preview builds](#bkmk-previewbuilds) |  |  |  | |  |
-| [7. Internet Explorer](#bkmk-ie) |  |  | | | |
-| [8. Live Tiles](#live-tiles) | |  | | | |
-| [9. Mail synchronization](#bkmk-mailsync) |  | |  | | |
-| [10. Microsoft Account](#bkmk-microsoft-account) | | | |  | |
-| [11. Microsoft Edge](#bkmk-edge) |  |  |  | |  |
-| [12. Network Connection Status Indicator](#bkmk-ncsi) | |  | | | |
-| [13. Offline maps](#bkmk-offlinemaps) |  |  | | | |
-| [14. OneDrive](#bkmk-onedrive) | |  | |  | |
-| [15. Preinstalled apps](#bkmk-preinstalledapps) |  | | | |  |
-| [16. Settings > Privacy](#bkmk-settingssection) | | | | | |
-| [16.1 General](#bkmk-general) |  |  |  |  | |
-| [16.2 Location](#bkmk-priv-location) |  |  |  | | |
-| [16.3 Camera](#bkmk-priv-camera) |  |  |  | | |
-| [16.4 Microphone](#bkmk-priv-microphone) |  |  | | | |
-| [16.5 Notifications](#bkmk-priv-notifications) |  |  | | | |
-| [16.6 Speech, inking, & typing](#bkmk-priv-speech) |  |  |  |  | |
-| [16.7 Account info](#bkmk-priv-accounts) |  |  | | | |
-| [16.8 Contacts](#bkmk-priv-contacts) |  |  | | | |
-| [16.9 Calendar](#bkmk-priv-calendar) |  |  | | | |
-| [16.10 Call history](#bkmk-priv-callhistory) |  |  | | | |
-| [16.11 Email](#bkmk-priv-email) |  |  | | | |
-| [16.12 Messaging](#bkmk-priv-messaging) |  |  | | | |
-| [16.13 Radios](#bkmk-priv-radios) |  |  | | | |
-| [16.14 Other devices](#bkmk-priv-other-devices) |  |  | |  | |
-| [16.15 Feedback & diagnostics](#bkmk-priv-feedback) |  |  |  |  | |
-| [16.16 Background apps](#bkmk-priv-background) |  | | | | |
-| [16.17 Motion](#bkmk-priv-motion) |  |  | | | |
-| [17. Software Protection Platform](#bkmk-spp) | |  |  | | |
-| [18. Sync your settings](#bkmk-syncsettings) |  |  |  | | |
-| [19. Teredo](#bkmk-teredo) | |  | | |  |
-| [20. Wi-Fi Sense](#bkmk-wifisense) |  |  | |  | |
-| [21. Windows Defender](#bkmk-defender) | |  |  |  | |
-| [22. Windows Media Player](#bkmk-wmp) |  | | | |  |
-| [23. Windows spotlight](#bkmk-spotlight) |  |  | | | |
-| [24. Windows Store](#bkmk-windowsstore) | |  | | | |
-| [25. Windows Update Delivery Optimization](#bkmk-updates) |  |  |  | | |
-| [26. Windows Update](#bkmk-wu) |  |  |  | | |
+| [2. Cortana and Search](#bkmk-cortana) |  |  |  |  |  |
+| [3. Date & Time](#bkmk-datetime) |  |  | |  | |
+| [4. Device metadata retrieval](#bkmk-devinst) | |  | |  | |
+| [5. Find My Device](#find-my-device) | |  | | | |
+| [6. Font streaming](#font-streaming) | |  | |  | |
+| [7. Insider Preview builds](#bkmk-previewbuilds) |  |  |  |  |  |
+| [8. Internet Explorer](#bkmk-ie) |  |  | |  | |
+| [9. Live Tiles](#live-tiles) | |  | |  | |
+| [10. Mail synchronization](#bkmk-mailsync) |  | |  |  | |
+| [11. Microsoft Account](#bkmk-microsoft-account) | | |  |  | |
+| [12. Microsoft Edge](#bkmk-edge) |  |  |  |  |  |
+| [13. Network Connection Status Indicator](#bkmk-ncsi) | |  | |  | |
+| [14. Offline maps](#bkmk-offlinemaps) |  |  | |  | |
+| [15. OneDrive](#bkmk-onedrive) | |  | |  | |
+| [16. Preinstalled apps](#bkmk-preinstalledapps) |  | | | |  |
+| [17. Settings > Privacy](#bkmk-settingssection) | | | | | |
+| [17.1 General](#bkmk-general) |  |  |  |  | |
+| [17.2 Location](#bkmk-priv-location) |  |  |  |  | |
+| [17.3 Camera](#bkmk-priv-camera) |  |  |  |  | |
+| [17.4 Microphone](#bkmk-priv-microphone) |  |  | |  | |
+| [17.5 Notifications](#bkmk-priv-notifications) |  |  | |  | |
+| [17.6 Speech, inking, & typing](#bkmk-priv-speech) |  |  |  |  | |
+| [17.7 Account info](#bkmk-priv-accounts) |  |  | |  | |
+| [17.8 Contacts](#bkmk-priv-contacts) |  |  | |  | |
+| [17.9 Calendar](#bkmk-priv-calendar) |  |  | |  | |
+| [17.10 Call history](#bkmk-priv-callhistory) |  |  | |  | |
+| [17.11 Email](#bkmk-priv-email) |  |  | |  | |
+| [17.12 Messaging](#bkmk-priv-messaging) |  |  | |  | |
+| [17.13 Radios](#bkmk-priv-radios) |  |  | |  | |
+| [17.14 Other devices](#bkmk-priv-other-devices) |  |  | |  | |
+| [17.15 Feedback & diagnostics](#bkmk-priv-feedback) |  |  |  |  | |
+| [17.16 Background apps](#bkmk-priv-background) |  | | | | |
+| [17.17 Motion](#bkmk-priv-motion) |  |  | |  | |
+| [17.18 Tasks](#bkmk-priv-tasks) |  |  | |  | |
+| [17.19 App Diagnostics](#bkmk-priv-diag) |  |  | |  | |
+| [18. Software Protection Platform](#bkmk-spp) | |  |  |  | |
+| [19. Sync your settings](#bkmk-syncsettings) |  |  |  |  | |
+| [20. Teredo](#bkmk-teredo) | |  | |  |  |
+| [21. Wi-Fi Sense](#bkmk-wifisense) |  |  | |  | |
+| [22. Windows Defender](#bkmk-defender) | |  |  |  | |
+| [23. Windows Media Player](#bkmk-wmp) |  | | | |  |
+| [24. Windows spotlight](#bkmk-spotlight) |  |  | |  | |
+| [25. Windows Store](#bkmk-windowsstore) | |  | |  | |
+| [26. Windows Update Delivery Optimization](#bkmk-updates) |  |  |  |  | |
+| [27. Windows Update](#bkmk-wu) |  |  |  | | |
### Settings for Windows Server 2016 with Desktop Experience
@@ -109,24 +123,24 @@ See the following table for a summary of the management settings for Windows Ser
| Setting | UI | Group Policy | Registry | Command line |
| - | :-: | :-: | :-: | :-: |
| [1. Certificate trust lists](#certificate-trust-lists) | |  |  | |
-| [2. Cortana and Search](#bkmk-cortana) |  |  | | |
-| [3. Date & Time](#bkmk-datetime) |  | |  | |
-| [4. Device metadata retrieval](#bkmk-devinst) | |  | | |
-| [5. Font streaming](#font-streaming) | |  |  | |
-| [6. Insider Preview builds](#bkmk-previewbuilds) |  |  | | |
-| [7. Internet Explorer](#bkmk-ie) |  |  | | |
-| [8. Live Tiles](#live-tiles) | |  | | |
-| [10. Microsoft Account](#bkmk-microsoft-account) | | |  | |
-| [12. Network Connection Status Indicator](#bkmk-ncsi) | |  | | |
-| [14. OneDrive](#bkmk-onedrive) | |  | | |
-| [16. Settings > Privacy](#bkmk-settingssection) | | | | |
-| [16.1 General](#bkmk-general) |  |  |  | |
-| [17. Software Protection Platform](#bkmk-spp) | |  | | |
-| [19. Teredo](#bkmk-teredo) | |  | |  |
-| [21. Windows Defender](#bkmk-defender) | |  |  | |
-| [22. Windows Media Player](#bkmk-wmp) | | | |  |
-| [24. Windows Store](#bkmk-windowsstore) | |  | | |
-| [26. Windows Update](#bkmk-wu) | |  |  | |
+| [2. Cortana and Search](#bkmk-cortana) |  |  |  | |
+| [3. Date & Time](#bkmk-datetime) |  |  |  | |
+| [4. Device metadata retrieval](#bkmk-devinst) | |  |  | |
+| [6. Font streaming](#font-streaming) | |  |  | |
+| [7. Insider Preview builds](#bkmk-previewbuilds) |  |  |  | |
+| [8. Internet Explorer](#bkmk-ie) |  |  |  | |
+| [9. Live Tiles](#live-tiles) | |  |  | |
+| [11. Microsoft Account](#bkmk-microsoft-account) | | |  | |
+| [13. Network Connection Status Indicator](#bkmk-ncsi) | |  |  | |
+| [15. OneDrive](#bkmk-onedrive) | |  | | |
+| [17. Settings > Privacy](#bkmk-settingssection) | | | | |
+| [17.1 General](#bkmk-general) |  |  |  | |
+| [18. Software Protection Platform](#bkmk-spp) | |  |  | |
+| [20. Teredo](#bkmk-teredo) | |  |  |  |
+| [22. Windows Defender](#bkmk-defender) | |  |  | |
+| [23. Windows Media Player](#bkmk-wmp) | | | |  |
+| [25. Windows Store](#bkmk-windowsstore) | |  |  | |
+| [27. Windows Update](#bkmk-wu) | |  |  | |
### Settings for Windows Server 2016 Server Core
@@ -135,13 +149,13 @@ See the following table for a summary of the management settings for Windows Ser
| Setting | Group Policy | Registry | Command line |
| - | :-: | :-: | :-: | :-: | :-: |
| [1. Certificate trust lists](#certificate-trust-lists) |  |  | |
-| [3. Date & Time](#bkmk-datetime) | |  | |
-| [5. Font streaming](#font-streaming) |  |  | |
-| [12. Network Connection Status Indicator](#bkmk-ncsi) |  | | |
-| [17. Software Protection Platform](#bkmk-spp) |  | | |
-| [19. Teredo](#bkmk-teredo) |  | |  |
-| [21. Windows Defender](#bkmk-defender) |  |  | |
-| [26. Windows Update](#bkmk-wu) |  |  | |
+| [3. Date & Time](#bkmk-datetime) |  |  | |
+| [6. Font streaming](#font-streaming) |  |  | |
+| [13. Network Connection Status Indicator](#bkmk-ncsi) |  | | |
+| [18. Software Protection Platform](#bkmk-spp) |  | | |
+| [20. Teredo](#bkmk-teredo) |  | |  |
+| [22. Windows Defender](#bkmk-defender) |  |  | |
+| [27. Windows Update](#bkmk-wu) |  |  | |
### Settings for Windows Server 2016 Nano Server
@@ -151,8 +165,8 @@ See the following table for a summary of the management settings for Windows Ser
| - | :-: | :-: | :-: | :-: | :-: |
| [1. Certificate trust lists](#certificate-trust-lists) |  | |
| [3. Date & Time](#bkmk-datetime) |  | |
-| [19. Teredo](#bkmk-teredo) | |  |
-| [26. Windows Update](#bkmk-wu) |  | |
+| [20. Teredo](#bkmk-teredo) | |  |
+| [27. Windows Update](#bkmk-wu) |  | |
## Settings
@@ -164,6 +178,10 @@ A certificate trust list is a predefined list of items, such as a list of certif
To turn off the automatic download of an updated certificate trust list, you can turn off automatic root updates, which also includes the disallowed certificate list and the pin rules list.
+> [!CAUTION]
+> By not automatically downloading the root certificates, the device might have not be able to connect to some websites.
+
+
For Windows 10, Windows Server 2016 with Desktop Experience, and Windows Server 2016 Server Core:
- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Automatic Root Certificates Update**
@@ -209,6 +227,16 @@ Find the Cortana Group Policy objects under **Computer Configuration** > **Ad
| Don't search the web or display web results in Search| Choose whether to search the web from Cortana.
Enable this policy to stop web queries and results from showing in Search. |
| Set what information is shared in Search | Control what information is shared with Bing in Search.
If you enable this policy and set it to **Anonymous info**, usage information will be shared but not search history, Microsoft Account information, or specific location. |
+You can also apply the Group Policies using the following registry keys:
+
+| Policy | Registry Path |
+|------------------------------------------------------|---------------------------------------------------------------------------------------|
+| Allow Cortana | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search!AllowCortana
REG_DWORD: 0|
+| Allow search and Cortana to use location | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search!AllowSearchToUseLocation
REG_DWORD: 0 |
+| Do not allow web search | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search!DisableWebSearch
REG_DWORD: 1 |
+| Don't search the web or display web results in Search| HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search!ConnectedSearchUseWeb
REG_DWORD: 0 |
+| Set what information is shared in Search | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search!ConnectedSearchPrivacy
REG_DWORD: 3 |
+
In Windows 10, version 1507 and Windows 10, version 1511, when you enable the **Don't search the web or display web results in Search** Group Policy, you can control the behavior of whether Cortana searches the web to display web results. However, this policy only covers whether or not web search is performed. There could still be a small amount of network traffic to Bing.com to evaluate if certain Cortana components are up-to-date or not. In order to turn off that network activity completely, you can create a Windows Firewall rule to prevent outbound traffic.
>[!IMPORTANT]
@@ -258,17 +286,47 @@ You can prevent Windows from setting the time automatically.
-or-
+- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Enable Windows NTP Server** > **Windows Time Service** > **Enable Windows NTP Client**
+
+ -or -
+
+- Create a new REG\_DWORD registry setting **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\W32time\\TimeProviders\\NtpClient!Enabled** to 0 (zero).
+
+ -or-
+
- Create a REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters\\Type** with a value of **NoSync**.
### 4. Device metadata retrieval
To prevent Windows from retrieving device metadata from the Internet, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Device Installation** > **Prevent device metadata retrieval from the Internet**.
-### 5. Font streaming
+You can also create a new REG\_DWORD registry setting **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\Device Metadata!PreventDeviceMetadataFromNetwork** to 1 (one).
+
+### 5. Find My Device
+
+To turn off Find My Device:
+
+- Turn off the feature in the UI
+
+ -or
+
+- Disable the Group Policy: **Computer Configuration** > **Administrative Template** > **Windows Components** > **Find My Device** > **Turn On/Off Find My Device**
+
+You can also create a new REG\_DWORD registry setting **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\Device Metadata!PreventDeviceMetadataFromNetwork** to 1 (one).
+
+### 6. Font streaming
Fonts that are included in Windows but that are not stored on the local device can be downloaded on demand.
-If you're running Windows 10, version 1607 or Windows Server 2016, disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **Fonts** > **Enable Font Providers**.
+If you're running Windows 10, version 1607, Windows Server 2016, or later:
+
+- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **Fonts** > **Enable Font Providers**.
+
+- In Windows 10, version 1703, you can apply the System/AllowFontProviders MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where:
+
+ - **false**. Font streaming is disabled.
+
+ - **true**. Font streaming is enabled.
If you're running Windows 10, version 1507 or Windows 10, version 1511, create a REG\_DWORD registry setting called **DisableFontProviders** in **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\FontCache\\Parameters**, with a value of 1.
@@ -276,7 +334,7 @@ If you're running Windows 10, version 1507 or Windows 10, version 1511, create a
> After you apply this policy, you must restart the device for it to take effect.
-### 6. Insider Preview builds
+### 7. Insider Preview builds
The Windows Insider Preview program lets you help shape the future of Windows, be part of the community, and get early access to releases of Windows 10.
@@ -298,6 +356,10 @@ To turn off Insider Preview builds for Windows 10:
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Toggle user control over Insider builds**.
+ -or -
+
+- Create a new REG\_DWORD registry setting **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\PreviewBuilds!AllowBuildPreview** to 0 (zero)
+
-or-
- Apply the System/AllowBuildPreview MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where:
@@ -318,7 +380,7 @@ To turn off Insider Preview builds for Windows 10:
- **2**. (default) Not configured. Users can make their devices available for download and installing preview software.
-### 7. Internet Explorer
+### 8. Internet Explorer
Use Group Policy to manage settings for Internet Explorer. You can find the Internet Explorer Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer**.
@@ -329,27 +391,61 @@ Use Group Policy to manage settings for Internet Explorer. You can find the Int
| Turn off the auto-complete feature for web addresses | Choose whether auto-complete suggests possible matches when employees are typing web address in the address bar.
Default: Disabled You can also turn this off in the UI by clearing the Internet Options > **Advanced** > **Use inline AutoComplete in the Internet Explorer Address Bar and Open Dialog** check box.|
| Disable Periodic Check for Internet Explorer software updates| Choose whether Internet Explorer periodically checks for a new version.
Default: Enabled |
| Turn off browser geolocation | Choose whether websites can request location data from Internet Explorer.
Default: Disabled|
+| Prevent managing SmartScreen filter | Choose whether employees can manage the SmartScreen Filter in Internet Explorer.
Default: Disabled |
-There are two more Group Policy objects that are used by Internet Explorer:
+Alternatively, you could use the registry to set the Group Policies.
+
+| Policy | Registry path |
+|------------------------------------------------------|-----------------------------------------------------------------------------------------------------|
+| Turn on Suggested Sites| HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Suggested Sites!Enabled
REG_DWORD: 0|
+| Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\AllowServicePoweredQSA
REG_DWORD: 0|
+| Turn off the auto-complete feature for web addresses | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Explorer\\AutoComplete!AutoSuggest
REG_SZ: **No** |
+| Disable Periodic Check for Internet Explorer software updates| HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Infodelivery\\Restrictions!NoUpdateCheck
REG_DWORD: 1 |
+| Turn off browser geolocation | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Geolocation!PolicyDisableGeolocation
REG_DWORD: 1 |
+| Prevent managing SmartScreen filter | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\ Internet Explorer\\PhishingFilter!EnabledV9
REG_DWORD: 0 |
+
+There are three more Group Policy objects that are used by Internet Explorer:
| Path | Policy | Description |
| - | - | - |
+| **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Compatibility View** > **Turn off Compatibility View** | Choose whether employees can configure Compatibility View. | Choose whether an employee can swipe across a screen or click forward to go to the next pre-loaded page of a website.
Default: Disabled |
| **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Internet Control Panel** > **Advanced Page** | Turn off the flip ahead with page prediction feature | Choose whether an employee can swipe across a screen or click forward to go to the next pre-loaded page of a website.
Default: Enabled |
| **Computer Configuration** > **Administrative Templates** > **Windows Components** > **RSS Feeds** | Turn off background synchronization for feeds and Web Slices | Choose whether to have background synchronization for feeds and Web Slices.
Default: Enabled |
-### 7.1 ActiveX control blocking
+You can also use registry entries to set these Group Policies.
-ActiveX control blocking periodically downloads a new list of out-of-date ActiveX controls that should be blocked. You can turn this off by changing the REG\_DWORD registry setting **HKEY\_CURRENT\_USER\\Software\\Microsoft\\Internet Explorer\\VersionManager\\DownloadVersionList** to 0 (zero).
+| Policy | Registry path |
+|------------------------------------------------------|-----------------------------------------------------------------------------------------------------|
+| Choose whether employees can configure Compatibility View. | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\BrowserEmulation!MSCompatibilityMode
REG_DWORD: 0|
+| Turn off the flip ahead with page prediction feature | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\FlipAhead!Enabled
REG_DWORD: 0|
+| Turn off background synchronization for feeds and Web Slices | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Feeds!BackgroundSyncStatus
DWORD:0 |
+
+
+### 8.1 ActiveX control blocking
+
+ActiveX control blocking periodically downloads a new list of out-of-date ActiveX controls that should be blocked.
+
+You can turn this off by:
+
+- Apply the Group Policy: **User Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Security Features** > **Add-on Management** > **Turn off Automatic download of the ActiveX VersionList**
+
+ -or -
+
+- Changing the REG\_DWORD registry setting **HKEY\_CURRENT\_USER\\Software\\Microsoft\\Internet Explorer\\VersionManager\\DownloadVersionList** to 0 (zero).
For more info, see [Out-of-date ActiveX control blocking](http://technet.microsoft.com/library/dn761713.aspx).
-### 8. Live Tiles
+### 9. Live Tiles
To turn off Live Tiles:
- Apply the Group Policy: **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Notifications** > **Turn Off notifications network usage**
-### 9. Mail synchronization
+ -or-
+
+- Create a REG\_DWORD registry setting called **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\CurrentVersion\\PushNotifications!NoCloudApplicationNotification**, with a value of 1 (one).
+
+### 10. Mail synchronization
To turn off mail synchronization for Microsoft Accounts that are configured on a device:
@@ -367,31 +463,37 @@ To turn off the Windows Mail app:
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Mail** > **Turn off Windows Mail application**
-### 10. Microsoft Account
+ -or-
+
+- Create a REG\_DWORD registry setting called **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows Mail!ManualLaunchAllowed**, with a value of 0 (zero).
+
+### 11. Microsoft Account
To prevent communication to the Microsoft Account cloud authentication service. Many apps and system components that depend on Microsoft Account authentication may lose functionality. Some of them could be in unexpected ways.
-- Change the **Start** REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\wlidsvc** to 4.
+- Apply the Group Policy: **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** > **Security Options** > **Accounts: Block Microsoft Accounts** and set it to **Users can't add Microsoft accounts**.
+
+To disable the Microsoft Account Sign-In Assistant:
+
+- Apply the Accounts/AllowMicrosoftAccountSignInAssistant MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is turned off and 1 is turned on.
-### 11. Microsoft Edge
+### 12. Microsoft Edge
Use either Group Policy or MDM policies to manage settings for Microsoft Edge. For more info, see [Microsoft Edge and privacy: FAQ](https://go.microsoft.com/fwlink/p/?LinkId=730682).
-### 11.1 Microsoft Edge Group Policies
+### 12.1 Microsoft Edge Group Policies
Find the Microsoft Edge Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge**.
-> [!NOTE]
-> The Microsoft Edge Group Policy names were changed in Windows 10, version 1607. The table below reflects those changes.
| Policy | Description |
|------------------------------------------------------|-----------------------------------------------------------------------------------------------------|
-| Configure autofill | Choose whether employees can use autofill on websites.
Default: Enabled |
+| Configure Autofill | Choose whether employees can use autofill on websites.
Default: Enabled |
| Configure Do Not Track | Choose whether employees can send Do Not Track headers.
Default: Disabled |
-| Configure password manager | Choose whether employees can save passwords locally on their devices.
Default: Enabled |
+| Configure Password Manager | Choose whether employees can save passwords locally on their devices.
Default: Enabled |
| Configure search suggestions in Address bar | Choose whether the address bar shows search suggestions.
Default: Enabled |
-| Configure SmartScreen Filter | Choose whether SmartScreen is turned on or off.
Default: Enabled |
+| Configure Windows Defender SmartScreen Filter (Windows 10, version 1703)
Configure SmartScreen Filter (Windows Server 2016) | Choose whether Windows Defender SmartScreen is turned on or off.
Default: Enabled |
| Allow web content on New Tab page | Choose whether a new tab page appears.
Default: Enabled |
| Configure Home pages | Choose the corporate Home page for domain-joined devices.
Set this to **about:blank** |
@@ -408,7 +510,20 @@ The Windows 10, version 1511 Microsoft Edge Group Policy names are:
| Open a new tab with an empty tab | Choose whether a new tab page appears.
Default: Enabled |
| Configure corporate Home pages | Choose the corporate Home page for domain-joined devices.
Set this to **about:blank** |
-### 11.2 Microsoft Edge MDM policies
+Alternatively, you can configure the Microsoft Group Policies using the following registry entries:
+
+| Policy | Registry path |
+| - | - |
+| Configure Autofill | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main!Use FormSuggest
REG_SZ: **about:blank** |
+| Configure Do Not Track | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main!DoNotTrack
REG_DWORD: 1 |
+| Configure Password Manager | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main!FormSuggest Passwords
REG_SZ: **no** |
+| Configure search suggestions in Address bar | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\SearchScopes!ShowSearchSuggestionsGlobal
REG_DWORD: 0|
+| Configure Windows Defender SmartScreen Filter (Windows 10, version 1703) | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\PhishingFilter!EnabledV9
REG_DWORD: 0 |
+| Allow web content on New Tab page | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\SearchScopes!AllowWebContentOnNewTabPage
REG_DWORD: 0 |
+| Configure corporate Home pages | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\ServiceUI!ProvisionedHomePages
REG_DWORD: 0|
+
+
+### 12.2 Microsoft Edge MDM policies
The following Microsoft Edge MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
@@ -423,36 +538,54 @@ The following Microsoft Edge MDM policies are available in the [Policy CSP](http
For a complete list of the Microsoft Edge policies, see [Available policies for Microsoft Edge](http://technet.microsoft.com/library/mt270204.aspx).
-### 12. Network Connection Status Indicator
+### 13. Network Connection Status Indicator
Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to http://www.msftconnecttest.com/connecttest.txt to determine if the device can communicate with the Internet. For more info about NCSI, see [The Network Connection Status Icon](http://blogs.technet.com/b/networking/archive/2012/12/20/the-network-connection-status-icon.aspx).
In versions of Windows 10 prior to Windows 10, version 1607 and Windows Server 2016, the URL was http://www.msftncsi.com.
-You can turn off NCSI through Group Policy:
+You can turn off NCSI by doing one of the following:
- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Windows Network Connectivity Status Indicator active tests**
+- In Windows 10, version 1703 and later, apply the Connectivity/DisallowNetworkConnectivityActiveTests MDM policy.
+
> [!NOTE]
> After you apply this policy, you must restart the device for the policy setting to take effect.
-### 13. Offline maps
+-or-
+
+- Create a REG\_DWORD registry setting called **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\NetworkConnectivityStatusIndicator!NoActiveProbe**, with a value of 0 (zero).
+
+### 14. Offline maps
You can turn off the ability to download and update offline maps.
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off Automatic Download and Update of Map Data**
+ -or-
+
+- Create a REG\_DWORD registry setting called **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\Maps!AutoDownloadAndUpdateMapData**, with a value of 0 (zero).
+
-and-
- In Windows 10, version 1607 and later, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off unsolicited network traffic on the Offline Maps settings page**
-### 14. OneDrive
+ -or-
+
+- Create a REG\_DWORD registry setting called **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\Maps!AllowUntriggeredNetworkTrafficOnSettingsPage**, with a value of 0 (zero).
+
+### 15. OneDrive
To turn off OneDrive in your organization:
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **OneDrive** > **Prevent the usage of OneDrive for file storage**
-### 15. Preinstalled apps
+ -or-
+
+- Create a REG\_DWORD registry setting called **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\OneDrive!DisableFileSyncNGSC**, with a value of 1 (one).
+
+### 16. Preinstalled apps
Some preinstalled apps get content before they are opened to ensure a great experience. You can remove these using the steps in this section.
@@ -564,48 +697,99 @@ To remove the Get Skype app:
Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.SkypeApp | Remove-AppxPackage**
-### 16. Settings > Privacy
+To remove the Sticky notes app:
+
+- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.MicrosoftStickyNotes"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
+
+ -and-
+
+ Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.MicrosoftStickyNotes | Remove-AppxPackage**
+
+### 17. Settings > Privacy
Use Settings > Privacy to configure some settings that may be important to your organization. Except for the Feedback & Diagnostics page, these settings must be configured for every user account that signs into the PC.
-- [16.1 General](#bkmk-general)
+- [17.1 General](#bkmk-general)
-- [16.2 Location](#bkmk-priv-location)
+- [17.2 Location](#bkmk-priv-location)
-- [16.3 Camera](#bkmk-priv-camera)
+- [17.3 Camera](#bkmk-priv-camera)
-- [16.4 Microphone](#bkmk-priv-microphone)
+- [17.4 Microphone](#bkmk-priv-microphone)
-- [16.5 Notifications](#bkmk-priv-notifications)
+- [17.5 Notifications](#bkmk-priv-notifications)
-- [16.6 Speech, inking, & typing](#bkmk-priv-speech)
+- [17.6 Speech, inking, & typing](#bkmk-priv-speech)
-- [16.7 Account info](#bkmk-priv-accounts)
+- [17.7 Account info](#bkmk-priv-accounts)
-- [16.8 Contacts](#bkmk-priv-contacts)
+- [17.8 Contacts](#bkmk-priv-contacts)
-- [16.9 Calendar](#bkmk-priv-calendar)
+- [17.9 Calendar](#bkmk-priv-calendar)
-- [16.10 Call history](#bkmk-priv-callhistory)
+- [17.10 Call history](#bkmk-priv-callhistory)
-- [16.11 Email](#bkmk-priv-email)
+- [17.11 Email](#bkmk-priv-email)
-- [16.12 Messaging](#bkmk-priv-messaging)
+- [17.12 Messaging](#bkmk-priv-messaging)
-- [16.13 Radios](#bkmk-priv-radios)
+- [17.13 Radios](#bkmk-priv-radios)
-- [16.14 Other devices](#bkmk-priv-other-devices)
+- [17.14 Other devices](#bkmk-priv-other-devices)
-- [16.15 Feedback & diagnostics](#bkmk-priv-feedback)
+- [17.15 Feedback & diagnostics](#bkmk-priv-feedback)
-- [16.16 Background apps](#bkmk-priv-background)
+- [17.16 Background apps](#bkmk-priv-background)
-- [16.17 Motion](#bkmk-priv-motion)
+- [17.17 Motion](#bkmk-priv-motion)
-### 16.1 General
+- [17.18 Tasks](#bkmk-priv-tasks)
+
+- [17.19 App Diagnostics](#bkmk-priv-diag)
+
+### 17.1 General
**General** includes options that don't fall into other areas.
+#### Windows 10, version 1703 options
+
+To turn off **Let apps use advertising ID to make ads more interesting to you based on your app usage (turning this off will reset your ID)**:
+
+> [!NOTE]
+> When you turn this feature off in the UI, it turns off the advertising ID, not just resets it.
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **User Profiles** > **Turn off the advertising ID**.
+
+ -or-
+
+- Create a REG\_DWORD registry setting called **Enabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AdvertisingInfo**, with a value of 0 (zero).
+
+ -or-
+
+- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AdvertisingInfo!DisabledByGroupPolicy**, with a value of 1 (one).
+
+To turn off **Let websites provide locally relevant content by accessing my language list**:
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Create a new REG\_DWORD registry setting called **HttpAcceptLanguageOptOut** in **HKEY\_CURRENT\_USER\\Control Panel\\International\\User Profile**, with a value of 1.
+
+To turn off **Let Windows track app launches to improve Start and search results**:
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Create a REG_DWORD registry setting called **Start_TrackProgs** with value of 0 (zero) in **HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced**
+
+#### Windows Server 2016 and Windows 10, version 1607 and earlier options
+
To turn off **Let apps use my advertising ID for experiences across apps (turning this off will reset your ID)**:
> [!NOTE]
@@ -621,15 +805,21 @@ To turn off **Let apps use my advertising ID for experiences across apps (turnin
- Create a REG\_DWORD registry setting called **Enabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AdvertisingInfo**, with a value of 0 (zero).
+ -or-
+
+- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AdvertisingInfo!DisabledByGroupPolicy**, with a value of 1 (one).
+
To turn off **Turn on SmartScreen Filter to check web content (URLs) that Windows Store apps use**:
- Turn off the feature in the UI.
-or-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge** > **Configure SmartScreen Filter**.
+- In Windows Server 2016, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge** > **Configure SmartScreen Filter**.
+ In Windows 10, version 1703, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge** > **Configure Windows Defender SmartScreen Filter**.
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **File Explorer** > **Configure Windows SmartScreen**.
+ In Windows Server 2016, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **File Explorer** > **Configure Windows SmartScreen**.
+ In Windows 10, version 1703 , apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **File Explorer** > **Configure Windows Defender SmartScreen**.
-or-
@@ -647,6 +837,10 @@ To turn off **Turn on SmartScreen Filter to check web content (URLs) that Window
- Create a REG\_DWORD registry setting called **EnableWebContentEvaluation** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppHost**, with a value of 0 (zero).
+ -or-
+
+- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\System!EnableSmartScreen**, with a value of 0 (zero).
+
To turn off **Send Microsoft info about how I write to help us improve typing and writing in the future**:
> [!NOTE]
@@ -680,11 +874,16 @@ To turn off **Let apps on my other devices open apps and continue experiences on
- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Group Policy** > **Continue experiences on this device**.
+ -or-
+
+- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\System!EnableCdp**, with a value of 0 (zero).
+
To turn off **Let apps on my other devices use Bluetooth to open apps and continue experiences on this device**:
- Turn off the feature in the UI.
-### 16.2 Location
+
+### 17.2 Location
In the **Location** area, you choose whether devices have access to location-specific sensors and which apps have access to the device's location.
@@ -696,6 +895,10 @@ To turn off **Location for this device**:
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Location and Sensors** > **Turn off location**.
+ -or-
+
+- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessLocation**, with a value of 2 (two).
+
-or-
- Apply the System/AllowLocation MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
@@ -725,6 +928,10 @@ To turn off **Location**:
- Set the **Select a setting** box to **Force Deny**.
+ -or-
+
+- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\LocationAndSensors!DisableLocation**, with a value of 1 (one).
+
-or-
To turn off **Location history**:
@@ -735,7 +942,7 @@ To turn off **Choose apps that can use your location**:
- Turn off each app using the UI.
-### 16.3 Camera
+### 17.3 Camera
In the **Camera** area, you can choose which apps can access a device's camera.
@@ -749,6 +956,10 @@ To turn off **Let apps use my camera**:
- Set the **Select a setting** box to **Force Deny**.
+ -or-
+
+- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessCamera**, with a value of 2 (two).
+
-or-
- Apply the Camera/AllowCamera MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
@@ -772,7 +983,7 @@ To turn off **Choose apps that can use your camera**:
- Turn off the feature in the UI for each app.
-### 16.4 Microphone
+### 17.4 Microphone
In the **Microphone** area, you can choose which apps can access a device's microphone.
@@ -786,11 +997,15 @@ To turn off **Let apps use my microphone**:
- Set the **Select a setting** box to **Force Deny**.
+ -or-
+
+- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessMicrophone**, with a value of 2 (two)
+
To turn off **Choose apps that can use your microphone**:
- Turn off the feature in the UI for each app.
-### 16.5 Notifications
+### 17.5 Notifications
In the **Notifications** area, you can choose which apps have access to notifications.
@@ -800,11 +1015,15 @@ To turn off **Let apps access my notifications**:
-or-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access my notifications**
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access notifications**
- Set the **Select a setting** box to **Force Deny**.
-### 16.6 Speech, inking, & typing
+ -or-
+
+- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessNotifications**, with a value of 2 (two)
+
+### 17.6 Speech, inking, & typing
In the **Speech, Inking, & Typing** area, you can let Windows and Cortana better understand your employee's voice and written input by sampling their voice and writing, and by comparing verbal and written input to contact names and calendar entrees.
@@ -819,6 +1038,10 @@ To turn off the functionality:
- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Regional and Language Options** > **Handwriting personalization** > **Turn off automatic learning**
+ -or-
+
+- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\InputPersonalization!RestrictImplicitInkCollection**, with a value of 1 (one).
+
-or-
- Create a REG\_DWORD registry setting called **AcceptedPrivacyPolicy** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Personalization\\Settings**, with a value of 0 (zero).
@@ -827,6 +1050,9 @@ To turn off the functionality:
- Create a REG\_DWORD registry setting called **HarvestContacts** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\InputPersonalization\\TrainedDataStore**, with a value of 0 (zero).
+If you're running at least Windows 10, version 1703, you can turn off updates to the speech recognition and speech synthesis models:
+
+- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Speech** > **Allow automatically update of Speech Data**
If you're running at least Windows 10, version 1607, you can turn off updates to the speech recognition and speech synthesis models:
@@ -839,7 +1065,7 @@ Apply the Speech/AllowSpeechModelUpdate MDM policy from the [Policy CSP](https:/
- Create a REG\_DWORD registry setting called **ModelDownloadAllowed** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Preferences**, with a value of 0 (zero).
-### 16.7 Account info
+### 17.7 Account info
In the **Account Info** area, you can choose which apps can access your name, picture, and other account info.
@@ -852,12 +1078,16 @@ To turn off **Let apps access my name, picture, and other account info**:
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access account information**
- Set the **Select a setting** box to **Force Deny**.
+
+ -or-
+
+- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessContacts**, with a value of 2 (two).
To turn off **Choose the apps that can access your account info**:
- Turn off the feature in the UI for each app.
-### 16.8 Contacts
+### 17.8 Contacts
In the **Contacts** area, you can choose which apps can access an employee's contacts list.
@@ -871,7 +1101,7 @@ To turn off **Choose apps that can access contacts**:
- Set the **Select a setting** box to **Force Deny**.
-### 16.9 Calendar
+### 17.9 Calendar
In the **Calendar** area, you can choose which apps have access to an employee's calendar.
@@ -885,11 +1115,15 @@ To turn off **Let apps access my calendar**:
- Set the **Select a setting** box to **Force Deny**.
+ -or-
+
+- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessCalendar**, with a value of 2 (two).
+
To turn off **Choose apps that can access calendar**:
- Turn off the feature in the UI for each app.
-### 16.10 Call history
+### 17.10 Call history
In the **Call history** area, you can choose which apps have access to an employee's call history.
@@ -903,7 +1137,11 @@ To turn off **Let apps access my call history**:
- Set the **Select a setting** box to **Force Deny**.
-### 16.11 Email
+ -or-
+
+- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessCallHistory**, with a value of 2 (two).
+
+### 17.11 Email
In the **Email** area, you can choose which apps have can access and send email.
@@ -917,7 +1155,11 @@ To turn off **Let apps access and send email**:
- Set the **Select a setting** box to **Force Deny**.
-### 16.12 Messaging
+ -or-
+
+- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessEmail**, with a value of 2 (two).
+
+### 17.12 Messaging
In the **Messaging** area, you can choose which apps can read or send messages.
@@ -931,11 +1173,15 @@ To turn off **Let apps read or send messages (text or MMS)**:
- Set the **Select a setting** box to **Force Deny**.
+ -or-
+
+- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessMessaging**, with a value of 2 (two).
+
To turn off **Choose apps that can read or send messages**:
- Turn off the feature in the UI for each app.
-### 16.13 Radios
+### 17.13 Radios
In the **Radios** area, you can choose which apps can turn a device's radio on or off.
@@ -948,12 +1194,17 @@ To turn off **Let apps control radios**:
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps control radios**
- Set the **Select a setting** box to **Force Deny**.
+
+ -or-
+
+- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessRadios**, with a value of 2 (two).
+
To turn off **Choose apps that can control radios**:
- Turn off the feature in the UI for each app.
-### 16.14 Other devices
+### 17.14 Other devices
In the **Other Devices** area, you can choose whether devices that aren't paired to PCs, such as an Xbox One, can share and sync info.
@@ -965,6 +1216,10 @@ To turn off **Let apps automatically share and sync info with wireless devices t
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps sync with devices**
+ -or-
+
+- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsSyncWithDevices**, with a value of 2 (two).
+
To turn off **Let your apps use your trusted devices (hardware you've already connected, or comes with your PC, tablet, or phone)**:
- Turn off the feature in the UI.
@@ -975,7 +1230,7 @@ To turn off **Let your apps use your trusted devices (hardware you've already co
- Set the **Select a setting** box to **Force Deny**.
-### 16.15 Feedback & diagnostics
+### 17.15 Feedback & diagnostics
In the **Feedback & Diagnostics** area, you can choose how often you're asked for feedback and how much diagnostic and usage information is sent to Microsoft.
@@ -994,6 +1249,10 @@ To change how frequently **Windows should ask for my feedback**:
-or-
+- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\DataCollection!DoNotShowFeedbackNotifications**, with a value of 1 (one).
+
+ -or-
+
- Create the registry keys (REG\_DWORD type):
- HKEY\_CURRENT\_USER\\Software\\Microsoft\\Siuf\\Rules\\PeriodInNanoSeconds
@@ -1014,12 +1273,7 @@ To change how frequently **Windows should ask for my feedback**:
To change the level of diagnostic and usage data sent when you **Send your device data to Microsoft**:
-- To change from **Enhanced**, use the drop-down list in the UI. The other levels are **Basic** and **Full**.
-
- > [!NOTE]
- > You can't use the UI to change the telemetry level to **Security**.
-
-
+- Click either the **Basic** or **Full** options.
-or-
@@ -1027,6 +1281,10 @@ To change the level of diagnostic and usage data sent when you **Send your devic
-or-
+- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\DataCollection!AllowTelemetry**, with a value of 0 (zero).
+
+ -or-
+
- Apply the System/AllowTelemetry MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
- **0**. Maps to the **Security** level.
@@ -1049,17 +1307,29 @@ To change the level of diagnostic and usage data sent when you **Send your devic
- **3**. Maps to the **Full** level.
-### 16.16 Background apps
+To turn off tailored experiences with relevant tips and recommendations by using your diagnostics data:
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Apply the Group Policy: **User Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not use diagnostic data for tailored experiences**
+
+### 17.16 Background apps
In the **Background Apps** area, you can choose which apps can run in the background.
To turn off **Let apps run in the background**:
- Turn off the feature in the UI for each app.
+
+ -or-
+
+- Apply the Group Policy (only applicable for Windows 10, version 1703): **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps run in the background**
- Set the **Select a setting** box to **Force Deny**.
-### 16.17 Motion
+### 17.17 Motion
In the **Motion** area, you can choose which apps have access to your motion data.
@@ -1071,25 +1341,63 @@ To turn off **Let Windows and your apps use your motion data and collect motion
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access motion**
-### 17. Software Protection Platform
+ -or-
+
+- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessMotion**, with a value of 2 (two).
+
+### 17.18 Tasks
+
+In the **Tasks** area, you can choose which apps have access to your tasks.
+
+To turn this off:
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access Tasks**
+
+ - Set the **Select a setting** box to **Force Deny**.
+
+### 17.19 App Diagnostics
+
+In the **App diagnostics** area, you can choose which apps have access to your diagnostic information.
+
+To turn this off:
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access dignostic information about other apps**
+
+### 18. Software Protection Platform
Enterprise customers can manage their Windows activation status with volume licensing using an on-premise Key Management Server. You can opt out of sending KMS client activation data to Microsoft automatically by doing one of the following:
For Windows 10:
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client AVS Validation**
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Validation**
-or-
+- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessContacts**, with a value of 2 (two).
+
+ -or-
+
- Apply the Licensing/DisallowKMSClientOnlineAVSValidation MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is disabled (default) and 1 is enabled.
For Windows Server 2016 with Desktop Experience or Windows Server 2016 Server Core:
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client AVS Validation**
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Validation**
+
+ -or-
+
+- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform!NoGenTicket**, with a value of 1 (one).
The Windows activation status will be valid for a rolling period of 180 days with weekly activation status checks to the KMS.
-### 18. Sync your settings
+### 19. Sync your settings
You can control if your settings are synchronized:
@@ -1101,6 +1409,10 @@ You can control if your settings are synchronized:
-or-
+- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\SettingSync!DisableSettingSync**, with a value of 2 (two) and **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\SettingSync!DisableSettingSyncUserOverride**, with a value of 1 (one).
+
+ -or-
+
- Apply the Experience/AllowSyncMySettings MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is not allowed and 1 is allowed.
-or-
@@ -1115,7 +1427,7 @@ To turn off Messaging cloud sync:
- Create a REG\_DWORD registry setting called **CloudServiceSyncEnabled** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Messaging**, with a value of 0 (zero).
-### 19. Teredo
+### 20. Teredo
You can disable Teredo by using Group Policy or by using the netsh.exe command. For more info on Teredo, see [Internet Protocol Version 6, Teredo, and Related Technologies](http://technet.microsoft.com/library/cc722030.aspx).
@@ -1126,9 +1438,13 @@ You can disable Teredo by using Group Policy or by using the netsh.exe command.
-or-
+- Create a new REG\_SZ registry setting called in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\TCPIP\\v6Transition!Teredo_State**, with a value of **Disabled**.
+
+ -or-
+
- From an elevated command prompt, run **netsh interface teredo set state disabled**
-### 20. Wi-Fi Sense
+### 21. Wi-Fi Sense
Wi-Fi Sense automatically connects devices to known hotspots and to the wireless networks the person’s contacts have shared with them.
@@ -1154,11 +1470,15 @@ To turn off **Connect to suggested open hotspots** and **Connect to networks sha
When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings screen, but they’re non-functional and they can’t be controlled by the employee.
-### 21. Windows Defender
+### 22. Windows Defender
You can disconnect from the Microsoft Antimalware Protection Service.
-- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **MAPS** > **Join Microsoft MAPS**
+- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **MAPS** > **Join Microsoft MAPS**
+
+ -or-
+
+- Delete the registry setting **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\Updates!DefinitionUpdateFileSharesSources**.
-or-
@@ -1172,9 +1492,11 @@ You can disconnect from the Microsoft Antimalware Protection Service.
From an elevated Windows PowerShell prompt, run **set-mppreference -Mapsreporting 0**
+
+
You can stop sending file samples back to Microsoft.
-- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **MAPS** > **Send file samples when further analysis is required** to **Always Prompt** or **Never Send**.
+- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **MAPS** > **Send file samples when further analysis is required** to **Always Prompt** or **Never Send**.
-or-
@@ -1194,11 +1516,15 @@ You can stop sending file samples back to Microsoft.
You can stop downloading definition updates:
-- Enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **Signature Updates** > **Define the order of sources for downloading definition updates** and set it to **FileShares**.
+- Enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **Signature Updates** > **Define the order of sources for downloading definition updates** and set it to **FileShares**.
-and-
-- Disable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **Signature Updates** > **Define file shares for downloading definition updates** and set it to nothing.
+- Disable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **Signature Updates** > **Define file shares for downloading definition updates** and set it to nothing.
+
+ -or-
+
+- Create a new REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\Updates!FallbackOrder**, with a value of **FileShares**.
For Windows 10 only, you can stop Enhanced Notifications:
@@ -1206,7 +1532,7 @@ For Windows 10 only, you can stop Enhanced Notifications:
You can also use the registry to turn off Malicious Software Reporting Tool telemetry by setting the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\MRT\\DontReportInfectionInformation** to 1.
-### 22. Windows Media Player
+### 23. Windows Media Player
To remove Windows Media Player on Windows 10:
@@ -1220,7 +1546,7 @@ To remove Windows Media Player on Windows Server 2016:
- Run the following DISM command from an elevated command prompt: **dism /online /Disable-Feature /FeatureName:WindowsMediaPlayer**
-### 23. Windows spotlight
+### 24. Windows spotlight
Windows spotlight provides features such as different background images and text on the lock screen, suggested apps, Microsoft account notifications, and Windows tips. You can control it by using the user interface or through Group Policy.
@@ -1228,6 +1554,10 @@ If you're running Windows 10, version 1607 or later, you only need to enable the
- **User Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off all Windows spotlight features**
+ -or-
+
+ - Create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent!DisableWindowsSpotlightFeatures**, with a value of 1 (one).
+
If you're not running Windows 10, version 1607 or later, you can use the other options in this section.
- Configure the following in **Settings**:
@@ -1251,23 +1581,42 @@ If you're not running Windows 10, version 1607 or later, you can use the other o
- Set the **Turn off fun facts, tips, tricks, and more on lock screen** check box.
> [!NOTE]
- > This will only take effect if the policy is applied before the first logon. If you cannot apply the **Force a specific default lock screen image** policy before the first logon to the device, you can apply this policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Do not display the lock screen**.
+ > This will only take effect if the policy is applied before the first logon. If you cannot apply the **Force a specific default lock screen image** policy before the first logon to the device, you can apply this policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Do not display the lock screen**. Alternatively, you can create a new REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization!LockScreenImage**, with a value of **C:\\windows\\web\\screen\\lockscreen.jpg** and create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization!LockScreenOverlaysDisabled**, with a value of 1 (one).
+
-
+ - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not show Windows tips**.
- - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not show Windows Tips**.
+ -or-
+
+ - Create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent!DisableSoftLanding**, with a value of 1 (one).
- **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off Microsoft consumer experiences**.
+ -or-
+
+ - Create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent!DisableWindowsConsumerFeatures**, with a value of 1 (one).
+
For more info, see [Windows Spotlight on the lock screen](../configure/windows-spotlight.md).
-### 24. Windows Store
+### 25. Windows Store
You can turn off the ability to launch apps from the Windows Store that were preinstalled or downloaded. This will also turn off automatic app updates, and the Windows Store will be disabled. On Windows Server 2016, this will block Windows Store calls from Universal Windows Apps.
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Disable all apps from Windows Store**.
-### 25. Windows Update Delivery Optimization
+ -or-
+
+ - Create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsStore!DisableStoreApps**, with a value of 1 (one).
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Turn off Automatic Download and Install of updates**.
+
+ -or-
+
+ - Create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsStore!AutoDownload**, with a value of 2 (two).
+
+Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Group Policy** > **Configure web-to-app linking with URI handlers**
+
+### 26. Windows Update Delivery Optimization
Windows Update Delivery Optimization lets you get Windows updates and Windows Store apps from sources in addition to Microsoft, which not only helps when you have a limited or unreliable Internet connection, but can also help you reduce the amount of bandwidth needed to keep all of your organization's PCs up-to-date. If you have Delivery Optimization turned on, PCs on your network may send and receive updates and apps to other PCs on your local network, if you choose, or to PCs on the Internet.
@@ -1277,13 +1626,13 @@ Use the UI, Group Policy, MDM policies, or Windows Provisioning to set up Delive
In Windows 10, version 1607, you can stop network traffic related to Windows Update Delivery Optimization by setting **Download Mode** to **Simple** (99) or **Bypass** (100), as described below.
-### 25.1 Settings > Update & security
+### 26.1 Settings > Update & security
You can set up Delivery Optimization from the **Settings** UI.
- Go to **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Choose how updates are delivered**.
-### 25.2 Delivery Optimization Group Policies
+### 26.2 Delivery Optimization Group Policies
You can find the Delivery Optimization Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Delivery Optimization**.
@@ -1295,7 +1644,9 @@ You can find the Delivery Optimization Group Policy objects under **Computer Con
| Max Cache Size | Lets you specify the maximum cache size as a percentage of disk size.
The default value is 20, which represents 20% of the disk.|
| Max Upload Bandwidth | Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity.
The default value is 0, which means unlimited possible bandwidth.|
-### 25.3 Delivery Optimization MDM policies
+You can also set the **Download Mode** policy by creating a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeliveryOptimization!DODownloadMode**, with a value of 100 (one hundred).
+
+### 26.3 Delivery Optimization MDM policies
The following Delivery Optimization MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
@@ -1308,7 +1659,7 @@ The following Delivery Optimization MDM policies are available in the [Policy CS
| DeliveryOptimization/DOMaxUploadBandwidth | Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity.
The default value is 0, which means unlimited possible bandwidth.|
-### 25.4 Delivery Optimization Windows Provisioning
+### 26.4 Delivery Optimization Windows Provisioning
If you don't have an MDM server in your enterprise, you can use Windows Provisioning to configure the Delivery Optimization policies
@@ -1324,7 +1675,7 @@ Use Windows ICD, included with the [Windows Assessment and Deployment Kit (Windo
For more info about Delivery Optimization in general, see [Windows Update Delivery Optimization: FAQ](https://go.microsoft.com/fwlink/p/?LinkId=730684).
-### 26. Windows Update
+### 27. Windows Update
You can turn off Windows Update by setting the following registry entries:
@@ -1338,6 +1689,18 @@ You can turn off Windows Update by setting the following registry entries:
- Add a REG\_DWORD value called **UseWUServer** to **HKEY\_LOCAL\_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU** and set the value to 1.
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Do not connect to any Windows Update Internet locations**.
+
+ -and-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Intenet Communication Management** > **Internet Communication Settings** > **Turn off access to all Windows Update features**.
+
+ -and-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Specify intranet Microsoft update service location** and set the **Set the alternate download server** to "".
+
You can turn off automatic updates by doing one of the following. This is not recommended.