From bd90fb73437b361fa2b1de2be3da2a38837b7615 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 22 Mar 2017 17:01:25 -0700 Subject: [PATCH 01/29] bug# 11035796 --- ...ting-system-components-to-microsoft-services.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index e0cfbed2c9..15e5b8118c 100644 --- a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -382,16 +382,14 @@ Use either Group Policy or MDM policies to manage settings for Microsoft Edge. F Find the Microsoft Edge Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge**. -> [!NOTE] -> The Microsoft Edge Group Policy names were changed in Windows 10, version 1607. The table below reflects those changes. | Policy | Description | |------------------------------------------------------|-----------------------------------------------------------------------------------------------------| -| Configure autofill | Choose whether employees can use autofill on websites.
Default: Enabled | +| Configure Autofill | Choose whether employees can use autofill on websites.
Default: Enabled | | Configure Do Not Track | Choose whether employees can send Do Not Track headers.
Default: Disabled | -| Configure password manager | Choose whether employees can save passwords locally on their devices.
Default: Enabled | +| Configure Password Manager | Choose whether employees can save passwords locally on their devices.
Default: Enabled | | Configure search suggestions in Address bar | Choose whether the address bar shows search suggestions.
Default: Enabled | -| Configure SmartScreen Filter | Choose whether SmartScreen is turned on or off.
Default: Enabled | +| Configure Windows Defender SmartScreen Filter (Windows 10, version 1703)
Configure SmartScreen Filter (Windows Server 2016) | Choose whether Windows Defender SmartScreen is turned on or off.
Default: Enabled | | Allow web content on New Tab page | Choose whether a new tab page appears.
Default: Enabled | | Configure Home pages | Choose the corporate Home page for domain-joined devices.
Set this to **about:blank** | @@ -627,9 +625,11 @@ To turn off **Turn on SmartScreen Filter to check web content (URLs) that Window -or- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge** > **Configure SmartScreen Filter**. +- In Windows Server 2016, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge** > **Configure SmartScreen Filter**. + In Windows 10, version 1703,apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge** > **Configure Windows Defender SmartScreen Filter**. - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **File Explorer** > **Configure Windows SmartScreen**. + In Windows Server 2016, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **File Explorer** > **Configure Windows SmartScreen**. + In Windows 10, version 1703 , apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **File Explorer** > **Configure Windows Defender SmartScreen**. -or- From 746c86805743639090ba7b16ea5eb61a26f12fce Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 22 Mar 2017 17:26:04 -0700 Subject: [PATCH 02/29] adding SmartScreen filter GPO --- ...g-system-components-to-microsoft-services.md | 17 ++++++----------- 1 file changed, 6 insertions(+), 11 deletions(-) diff --git a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 15e5b8118c..666e671997 100644 --- a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
+++ b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -29,21 +29,15 @@ To help make it easier to deploy settings to restrict connections from Windows 1 We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com. -## What's new in Windows 10, version 1607 and Windows Server 2016 +## What's new in Windows 10, version 1703 -Here's a list of changes that were made to this article for Windows 10, version 1607 and Windows Server 2016: +Here's a list of changes that were made to this article for Windows 10, version 1703: -- Added instructions on how to turn off speech recognition and speech synthesis model updates in [14.5 Speech, inking, & typing](#bkmk-priv-speech). -- Added instructions on how to turn off flip ahead with an Internet Explorer Group Policy. -- Added a section on how to turn off automatic root updates to stop updating the certificate trust list in [1. Certificate trust lists](#certificate-trust-lists). -- Added a new setting in [25. Windows Update](#bkmk-wu). -- Changed the NCSI URL in [11. Network Connection Status Indicator](#bkmk-ncsi). -- Added a section on how to turn off features that depend on Microsoft Account cloud authentication service [10. Microsoft Account](#bkmk-microsoft-account). +- - Added the following Group Policies: - - Turn off unsolicited network traffic on the Offline Maps settings page - - Turn off all Windows spotlight features + - Prevent managing SmartScreen Filter ## Settings @@ -52,7 +46,7 @@ The following sections list the components that make network connections to Micr If you're running Windows 10, they will be included in the next update for the Long Term Servicing Branch. -### Settings for Windows 10 Enterprise, version 1607 +### Settings for Windows 10 Enterprise, version 1703 See the following table for a summary of the management settings for Windows 10 Enterprise, version 1607. 
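Review bot: in the `@@ -52,7 +46,7 @@` hunk the heading moves to "Settings for Windows 10 Enterprise, version 1703", but the unchanged sentence directly under it still reads "See the following table for a summary of the management settings for Windows 10 Enterprise, version 1607", so the heading and its lead-in now disagree. Update that sentence in the same commit.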
@@ -329,6 +323,7 @@ Use Group Policy to manage settings for Internet Explorer. You can find the Int | Turn off the auto-complete feature for web addresses | Choose whether auto-complete suggests possible matches when employees are typing web address in the address bar.
Default: Disabled
You can also turn this off in the UI by clearing the Internet Options > **Advanced** > **Use inline AutoComplete in the Internet Explorer Address Bar and Open Dialog** check box.| | Disable Periodic Check for Internet Explorer software updates| Choose whether Internet Explorer periodically checks for a new version.
Default: Enabled | | Turn off browser geolocation | Choose whether websites can request location data from Internet Explorer.
Default: Disabled| +| Prevent managing SmartScreen filter | Choose whether employees can manage the SmartScreen Filter in Internet Explorer.
Default: Disabled | There are two more Group Policy objects that are used by Internet Explorer: From 09503b610afbe4b86fb9a84596317d3438bfde66 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 22 Mar 2017 17:35:20 -0700 Subject: [PATCH 03/29] bug# 11031857 --- ...dows-operating-system-components-to-microsoft-services.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 666e671997..cc53236858 100644 --- a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -38,6 +38,7 @@ Here's a list of changes that were made to this article for Windows 10, version - Added the following Group Policies: - Prevent managing SmartScreen Filter + - Turn off Compatibility View ## Settings @@ -329,7 +330,9 @@ There are two more Group Policy objects that are used by Internet Explorer: | Path | Policy | Description | | - | - | - | -| **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Internet Control Panel** > **Advanced Page** | Turn off the flip ahead with page prediction feature | Choose whether an employee can swipe across a screen or click forward to go to the next pre-loaded page of a website.
Default: Enabled | +| **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Compatibility View** > **Turn off Compatibility View** | Choose whether employees can configure Compatibility View. | Choose whether an employee can swipe across a screen or click forward to go to the next pre-loaded page of a website.
Default: Disabled | +| **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Internet Control Panel** > **Advanced Page** | Turn off the flip ahead with page prediction feature | Choose whether +an employee can swipe across a screen or click forward to go to the next pre-loaded page of a website.
Default: Enabled | | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **RSS Feeds** | Turn off background synchronization for feeds and Web Slices | Choose whether to have background synchronization for feeds and Web Slices.
Default: Enabled | ### 7.1 ActiveX control blocking From a75ebac9ea6cc4d3655a040f943598111e2fc1b4 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 22 Mar 2017 17:40:09 -0700 Subject: [PATCH 04/29] bug# 10765050 --- ...rating-system-components-to-microsoft-services.md | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index cc53236858..bc9040bd73 100644 --- a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -33,7 +33,7 @@ We are always striving to improve our documentation and welcome your feedback. Y Here's a list of changes that were made to this article for Windows 10, version 1703: -- +- Added an MDM policy for Font streaming. - Added the following Group Policies: 
@@ -263,7 +263,15 @@ To prevent Windows from retrieving device metadata from the Internet, apply the Fonts that are included in Windows but that are not stored on the local device can be downloaded on demand. -If you're running Windows 10, version 1607 or Windows Server 2016, disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **Fonts** > **Enable Font Providers**. +If you're running Windows 10, version 1607, Windows Server 2016, or later: + +- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **Fonts** > **Enable Font Providers**. + +- In Windows 10, version 1703, you can apply the System/AllowFontProviders MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where: + + - **false**. Font streaming is disabled. + + - **true**. Font streaming is enabled. If you're running Windows 10, version 1507 or Windows 10, version 1511, create a REG\_DWORD registry setting called **DisableFontProviders** in **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\FontCache\\Parameters**, with a value of 1. From 4c524b4eea46aaad3101c11389cf96d82735289d Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 22 Mar 2017 17:45:18 -0700 Subject: [PATCH 05/29] bug# 10757353 --- ...dows-operating-system-components-to-microsoft-services.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index bc9040bd73..03954a19f8 100644 --- a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
@@ -34,6 +34,7 @@ We are always striving to improve our documentation and welcome your feedback. Y Here's a list of changes that were made to this article for Windows 10, version 1703: - Added an MDM policy for Font streaming. +- Added an MDM policy for Network Connection Status Indicator. - Added the following Group Policies: @@ -433,10 +434,12 @@ Network Connection Status Indicator (NCSI) detects Internet connectivity and cor In versions of Windows 10 prior to Windows 10, version 1607 and Windows Server 2016, the URL was http://www.msftncsi.com. -You can turn off NCSI through Group Policy: +You can turn off NCSI by doing one of the following: - Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Windows Network Connectivity Status Indicator active tests** +- In Windows 10, version 1703 and later, apply the Connectivity/DisallowNetworkConnectivityActiveTests MDM policy. + > [!NOTE] > After you apply this policy, you must restart the device for the policy setting to take effect. From f8d8bf23304e2e7be09740fdf132a711d964dd63 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 22 Mar 2017 17:49:43 -0700 Subject: [PATCH 06/29] bug# 10756556 --- ...ws-operating-system-components-to-microsoft-services.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 03954a19f8..16ed4bfac9 100644 --- a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
@@ -35,6 +35,7 @@ Here's a list of changes that were made to this article for Windows 10, version - Added an MDM policy for Font streaming. - Added an MDM policy for Network Connection Status Indicator. +- Added an MDM policy for the Micosoft Account Sign-In Assistant. - Added the following Group Policies: @@ -50,7 +51,7 @@ If you're running Windows 10, they will be included in the next update for the L ### Settings for Windows 10 Enterprise, version 1703 -See the following table for a summary of the management settings for Windows 10 Enterprise, version 1607. +See the following table for a summary of the management settings for Windows 10 Enterprise, version 1703. | Setting | UI | Group Policy | MDM policy | Registry | Command line | | - | :-: | :-: | :-: | :-: | :-: | @@ -380,6 +381,10 @@ To prevent communication to the Microsoft Account cloud authentication service. - Change the **Start** REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\wlidsvc** to 4. +To disable the Microsoft Account Sign-In Assistant: + +- Apply the Accounts/AllowMicrosoftAccountSignInAssistant MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is turned off and 1 is turned on. + ### 11. Microsoft Edge From 9db3448347b79594b7089f3b8eeee63a5bc59050 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 22 Mar 2017 17:51:41 -0700 Subject: [PATCH 07/29] bug# 10756556 --- ...windows-operating-system-components-to-microsoft-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 16ed4bfac9..5635ee830d 100644 --- a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
+++ b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -64,7 +64,7 @@ See the following table for a summary of the management settings for Windows 10 | [7. Internet Explorer](#bkmk-ie) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | | [8. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | | | | | [9. Mail synchronization](#bkmk-mailsync) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | | -| [10. Microsoft Account](#bkmk-microsoft-account) | | | | ![Check mark](images/checkmark.png) | | +| [10. Microsoft Account](#bkmk-microsoft-account) | | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [11. Microsoft Edge](#bkmk-edge) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | [12. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | | | | | [13. Offline maps](#bkmk-offlinemaps) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | From a2bb7cebbfb0e53395ea56473fab44917fd1a10a Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 22 Mar 2017 18:32:23 -0700 Subject: [PATCH 08/29] bug# 10214974 --- ...system-components-to-microsoft-services.md | 34 ++++++++++++++++--- 1 file changed, 30 insertions(+), 4 deletions(-) diff --git a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 5635ee830d..4638350b80 100644 --- a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
@@ -41,6 +41,12 @@ Here's a list of changes that were made to this article for Windows 10, version - Prevent managing SmartScreen Filter - Turn off Compatibility View + - Turn off Automatic Download and Install of updates + - Do not connect to any Windows Update locations + - Turn off access to all Windows Update features + - Specify Intranet Microsoft update service location + - Enable Windows NTP client + - Turn off Automatic download of the ActiveX VersionList ## Settings @@ -57,7 +63,7 @@ See the following table for a summary of the management settings for Windows 10 | - | :-: | :-: | :-: | :-: | :-: | | [1. Certificate trust lists](#certificate-trust-lists) | | ![Check mark](images/checkmark.png) | | | | | [2. Cortana and Search](#bkmk-cortana) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | -| [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | | | ![Check mark](images/checkmark.png) | | +| [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | | [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | | | | | [5. Font streaming](#font-streaming) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | | [6. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | 
@@ -107,7 +113,7 @@ See the following table for a summary of the management settings for Windows Ser | - | :-: | :-: | :-: | :-: | | [1. Certificate trust lists](#certificate-trust-lists) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [2. Cortana and Search](#bkmk-cortana) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | -| [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | | | | [5. Font streaming](#font-streaming) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [6. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | @@ -132,7 +138,7 @@ See the following table for a summary of the management settings for Windows Ser | Setting | Group Policy | Registry | Command line | | - | :-: | :-: | :-: | :-: | :-: | | [1. Certificate trust lists](#certificate-trust-lists) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [3. Date & Time](#bkmk-datetime) | | ![Check mark](images/checkmark.png) | | +| [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [5. Font streaming](#font-streaming) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [12. Network Connection Status Indicator](#bkmk-ncsi) | ![Check mark](images/checkmark.png) | | | | [17. Software Protection Platform](#bkmk-spp) | ![Check mark](images/checkmark.png) | | | 
@@ -255,6 +261,10 @@ You can prevent Windows from setting the time automatically. -or- +- Disable the Group Policy: **System\\Windows Time Service\\Time Providers!!Enable Windows NTP Client** + + -or- + - Create a REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters\\Type** with a value of **NoSync**. ### 4. Device metadata retrieval @@ -347,7 +357,15 @@ an employee can swipe across a screen or click forward to go to the next pre-loa ### 7.1 ActiveX control blocking -ActiveX control blocking periodically downloads a new list of out-of-date ActiveX controls that should be blocked. You can turn this off by changing the REG\_DWORD registry setting **HKEY\_CURRENT\_USER\\Software\\Microsoft\\Internet Explorer\\VersionManager\\DownloadVersionList** to 0 (zero). +ActiveX control blocking periodically downloads a new list of out-of-date ActiveX controls that should be blocked. + +You can turn this off by: + +- Apply the Group Policy: **User Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Security Features** > **Add-on Management** > **Turn off Automatic download of the ActiveX VersionList** + + - or - + +- Changing the REG\_DWORD registry setting **HKEY\_CURRENT\_USER\\Software\\Microsoft\\Internet Explorer\\VersionManager\\DownloadVersionList** to 0 (zero). For more info, see [Out-of-date ActiveX control blocking](http://technet.microsoft.com/library/dn761713.aspx). 
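Review bot: the new list under "You can turn this off by:" in the `@@ -347,7 +357,15 @@` hunk is not parallel. The first item starts "Apply the Group Policy" while the second starts "Changing the REG\_DWORD registry setting", and the separator is written `- or -` where the other hunks in this series use `-or-`. Suggest the lead-in "You can turn this off by doing one of the following:", both items in the imperative ("Apply ...", "Change ..."), and the separator as `-or-`.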
@@ -1281,6 +1299,8 @@ You can turn off the ability to launch apps from the Windows Store that were pre - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Disable all apps from Windows Store**. +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Turn off Automatic Download and Install of updates**. + ### 25. Windows Update Delivery Optimization Windows Update Delivery Optimization lets you get Windows updates and Windows Store apps from sources in addition to Microsoft, which not only helps when you have a limited or unreliable Internet connection, but can also help you reduce the amount of bandwidth needed to keep all of your organization's PCs up-to-date. If you have Delivery Optimization turned on, PCs on your network may send and receive updates and apps to other PCs on your local network, if you choose, or to PCs on the Internet. 
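Review bot: the added bullet in the `@@ -1281,6 +1299,8 @@` hunk follows "Disable all apps from Windows Store" with no `-or-` or `-and-` between them, so a reader cannot tell whether the two policies are alternatives or must both be applied. It also sits under a lead-in about launching apps from the Windows Store, while "Turn off Automatic Download and Install of updates" by its name concerns app updates; give it its own one-line introduction that says what it turns off.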
@@ -1352,6 +1372,12 @@ You can turn off Windows Update by setting the following registry entries: - Add a REG\_DWORD value called **UseWUServer** to **HKEY\_LOCAL\_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU** and set the value to 1. +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Do not connect to any Windows Update Internet locations**. + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Intenet Communication Management** > **Internet Communication Settings** > **Turn off access to all Windows Update features**. + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Specify intranet Microsoft update service location** and set the **Set the alternate download server** to **,**. + You can turn off automatic updates by doing one of the following. This is not recommended. From 3f0929ac5c2ccd3e92c988f036005b0b6def9bd3 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 23 Mar 2017 13:07:57 -0700 Subject: [PATCH 09/29] instructions for removing the sticky notes app --- ...-operating-system-components-to-microsoft-services.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 4638350b80..2c1ec4f7f4 100644 --- a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
@@ -36,6 +36,7 @@ Here's a list of changes that were made to this article for Windows 10, version - Added an MDM policy for Font streaming. - Added an MDM policy for Network Connection Status Indicator. - Added an MDM policy for the Micosoft Account Sign-In Assistant. +- Added instructions for removing the Sticky Notes app. - Added the following Group Policies: @@ -594,6 +595,14 @@ To remove the Get Skype app: Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.SkypeApp | Remove-AppxPackage** +To remove the Sticky notes app: + +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.MicrosoftStickyNotes"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** + + -and- + + Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.MicrosoftStickyNotes | Remove-AppxPackage** + ### 16. Settings > Privacy Use Settings > Privacy to configure some settings that may be important to your organization. Except for the Feedback & Diagnostics page, these settings must be configured for every user account that signs into the PC. From cba4504cc7825c8e1d52f6fcf52a2c1bcd950537 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 23 Mar 2017 13:12:51 -0700 Subject: [PATCH 10/29] bug# 10866362 --- ...s-operating-system-components-to-microsoft-services.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 2c1ec4f7f4..a97f65a67b 100644 
--- a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -1199,7 +1199,7 @@ When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings scr You can disconnect from the Microsoft Antimalware Protection Service. -- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **MAPS** > **Join Microsoft MAPS** +- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **MAPS** > **Join Microsoft MAPS** -or- @@ -1215,7 +1215,7 @@ You can disconnect from the Microsoft Antimalware Protection Service. You can stop sending file samples back to Microsoft. -- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **MAPS** > **Send file samples when further analysis is required** to **Always Prompt** or **Never Send**. +- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **MAPS** > **Send file samples when further analysis is required** to **Always Prompt** or **Never Send**. -or- 
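Review bot: the policy path in the `@@ -1199,7 +1199,7 @@` and `@@ -1215,7 +1215,7 @@` hunks now reads **Windows Defender Antivirus** for every release the article covers. PATCH 01/29 split the SmartScreen policy names by release (Windows Server 2016 versus Windows 10, version 1703); say here which releases use the new node name, and list the previous **Windows Defender** path beside it if earlier releases still show it.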
@@ -1235,11 +1235,11 @@ You can stop sending file samples back to Microsoft. You can stop downloading definition updates: -- Enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **Signature Updates** > **Define the order of sources for downloading definition updates** and set it to **FileShares**. +- Enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **Signature Updates** > **Define the order of sources for downloading definition updates** and set it to **FileShares**. -and- -- Disable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **Signature Updates** > **Define file shares for downloading definition updates** and set it to nothing. +- Disable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **Signature Updates** > **Define file shares for downloading definition updates** and set it to nothing. For Windows 10 only, you can stop Enhanced Notifications: From 05ee300ff5a0fcc4e29086f8dc3cf60e87f43bf8 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 23 Mar 2017 13:15:53 -0700 Subject: [PATCH 11/29] bug# 10215399 --- ...s-operating-system-components-to-microsoft-services.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index a97f65a67b..45d81242ad 100644 --- a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
@@ -841,7 +841,7 @@ To turn off **Let apps access my notifications**: -or- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access my notifications** +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access notifications** - Set the **Select a setting** box to **Force Deny**. @@ -1118,7 +1118,7 @@ Enterprise customers can manage their Windows activation status with volume lice For Windows 10: -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client AVS Validation** +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Validation** -or- @@ -1126,7 +1126,7 @@ For Windows 10: For Windows Server 2016 with Desktop Experience or Windows Server 2016 Server Core: -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client AVS Validation** +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Validation** The Windows activation status will be valid for a rolling period of 180 days with weekly activation status checks to the KMS. 
@@ -1296,7 +1296,7 @@ If you're not running Windows 10, version 1607 or later, you can use the other o - - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not show Windows Tips**. + - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not show Windows tips**. - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off Microsoft consumer experiences**. From b5160a9312019882eea05df0dc62686dd3f49869 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 23 Mar 2017 13:19:59 -0700 Subject: [PATCH 12/29] bug# 10980994 --- ...ndows-operating-system-components-to-microsoft-services.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 45d81242ad..8b1a5ec6d4 100644 --- a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -48,6 +48,7 @@ Here's a list of changes that were made to this article for Windows 10, version - Specify Intranet Microsoft update service location - Enable Windows NTP client - Turn off Automatic download of the ActiveX VersionList + - Allow Automatic Update of Speech Data ## Settings 
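Review bot: The policy name added to the changelog list in the `@@ -48,6 +48,7` hunk, "Allow Automatic Update of Speech Data", does not match the name this patch uses in its `@@ -868,6 +869,9` hunk, which writes it as "Allow automatically update of Speech Data". Use the exact string shown in the Group Policy editor in both places so that an administrator searching for the policy finds it.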
@@ -868,6 +869,9 @@ To turn off the functionality: - Create a REG\_DWORD registry setting called **HarvestContacts** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\InputPersonalization\\TrainedDataStore**, with a value of 0 (zero). +If you're running at least Windows 10, version 1703, you can turn off updates to the speech recognition and speech synthesis models: + +- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Speech** > **Allow automatically update of Speech Data** If you're running at least Windows 10, version 1607, you can turn off updates to the speech recognition and speech synthesis models: From 0db2f63916184463183aa93f8cdaf83b6425e823 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 23 Mar 2017 13:28:29 -0700 Subject: [PATCH 13/29] bug# 10980531 --- ...system-components-to-microsoft-services.md | 33 ++++++++++++++++++- 1 file changed, 32 insertions(+), 1 deletion(-) diff --git a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 8b1a5ec6d4..bcb8b27a83 100644 --- a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
@@ -646,6 +646,37 @@ Use Settings > Privacy to configure some settings that may be important to yo **General** includes options that don't fall into other areas. +#### Windows 10, version 1703 options + +To turn off **Let apps use advertising ID to make ads more interesting to you based on your app usage (turning this off will reset your ID)**: + +> [!NOTE] +> When you turn this feature off in the UI, it turns off the advertising ID, not just resets it. + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **User Profiles** > **Turn off the advertising ID**. + + -or- + +- Create a REG\_DWORD registry setting called **Enabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AdvertisingInfo**, with a value of 0 (zero). + +To turn off **Let websites provide locally relevant content by access my language list**: + +- Turn off the feature in the UI. + +To turn off **Let Windows track app launches to improve Start and search results**: + +- Turn off the feature in the UI. + + -or- + +- Create a REG_DWORD registry setting called **Start_TrackProgs** with value of 0 (zero) in **HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced** + +#### Windows Server 2016 and Windows 10, version 1607 and earlier options + To turn off **Let apps use my advertising ID for experiences across apps (turning this off will reset your ID)**: > [!NOTE] 
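Review bot: The last added bullet, for **Start_TrackProgs**, leaves its underscores and backslashes unescaped (`REG_DWORD`, `HKEY_CURRENT_USER\SOFTWARE\...`), while the **Enabled** bullet earlier in this hunk escapes them (`REG\_DWORD`, `HKEY\_LOCAL\_MACHINE\\SOFTWARE\\...`). Escape it the same way so the value name and key path render literally, and end it with a period like the other bullets. Also in this hunk, the heading "Let websites provide locally relevant content by access my language list" should read "by accessing", and that setting lists only the UI option, which is worth calling out for administrators who need a setting they can enforce centrally.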
@@ -668,7 +699,7 @@ To turn off **Turn on SmartScreen Filter to check web content (URLs) that Window -or- - In Windows Server 2016, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge** > **Configure SmartScreen Filter**. - In Windows 10, version 1703,apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge** > **Configure Windows Defender SmartScreen Filter**. + In Windows 10, version 1703, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge** > **Configure Windows Defender SmartScreen Filter**. In Windows Server 2016, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **File Explorer** > **Configure Windows SmartScreen**. In Windows 10, version 1703 , apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **File Explorer** > **Configure Windows Defender SmartScreen**. From d2f5bb171b78b9c7f3b35f18808e8c8a6815f1dd Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 23 Mar 2017 15:58:42 -0700 Subject: [PATCH 14/29] bug# 10215117 --- ...system-components-to-microsoft-services.md | 288 +++++++++++++++--- 1 file changed, 251 insertions(+), 37 deletions(-) diff --git a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index bcb8b27a83..495075dd53 100644 --- a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
@@ -37,6 +37,7 @@ Here's a list of changes that were made to this article for Windows 10, version - Added an MDM policy for Network Connection Status Indicator. - Added an MDM policy for the Micosoft Account Sign-In Assistant. - Added instructions for removing the Sticky Notes app. +- Added registry paths for some Group Policies - Added the following Group Policies: 
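Review bot: The added changelog entry "Added registry paths for some Group Policies" has no trailing period, unlike the entries above it, and "some" does not tell a reader which sections changed. Add the period and either name the affected sections or point to the summary table, whose Registry column records them.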
@@ -64,47 +65,47 @@ See the following table for a summary of the management settings for Windows 10 | Setting | UI | Group Policy | MDM policy | Registry | Command line | | - | :-: | :-: | :-: | :-: | :-: | | [1. Certificate trust lists](#certificate-trust-lists) | | ![Check mark](images/checkmark.png) | | | | -| [2. Cortana and Search](#bkmk-cortana) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | +| [2. Cortana and Search](#bkmk-cortana) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -| [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | | | | +| [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | | [5. Font streaming](#font-streaming) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -| [6. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | -| [7. Internet Explorer](#bkmk-ie) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | -| [8. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | | | | -| [9. Mail synchronization](#bkmk-mailsync) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | | +| [6. 
Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [7. Internet Explorer](#bkmk-ie) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [8. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [9. Mail synchronization](#bkmk-mailsync) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [10. Microsoft Account](#bkmk-microsoft-account) | | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [11. Microsoft Edge](#bkmk-edge) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | -| [12. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | | | | -| [13. Offline maps](#bkmk-offlinemaps) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | +| [11. Microsoft Edge](#bkmk-edge) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [12. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [13. Offline maps](#bkmk-offlinemaps) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | | [14. OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | | [15. 
Preinstalled apps](#bkmk-preinstalledapps) | ![Check mark](images/checkmark.png) | | | | ![Check mark](images/checkmark.png) | | [16. Settings > Privacy](#bkmk-settingssection) | | | | | | |     [16.1 General](#bkmk-general) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -|     [16.2 Location](#bkmk-priv-location) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | -|     [16.3 Camera](#bkmk-priv-camera) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | -|     [16.4 Microphone](#bkmk-priv-microphone) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | -|     [16.5 Notifications](#bkmk-priv-notifications) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | +|     [16.2 Location](#bkmk-priv-location) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [16.3 Camera](#bkmk-priv-camera) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [16.4 Microphone](#bkmk-priv-microphone) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +|     [16.5 Notifications](#bkmk-priv-notifications) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | |     [16.6 Speech, inking, & typing](#bkmk-priv-speech) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -|     [16.7 Account info](#bkmk-priv-accounts) | ![Check 
mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | -|     [16.8 Contacts](#bkmk-priv-contacts) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | -|     [16.9 Calendar](#bkmk-priv-calendar) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | -|     [16.10 Call history](#bkmk-priv-callhistory) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | -|     [16.11 Email](#bkmk-priv-email) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | -|     [16.12 Messaging](#bkmk-priv-messaging) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | -|     [16.13 Radios](#bkmk-priv-radios) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | +|     [16.7 Account info](#bkmk-priv-accounts) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +|     [16.8 Contacts](#bkmk-priv-contacts) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +|     [16.9 Calendar](#bkmk-priv-calendar) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +|     [16.10 Call history](#bkmk-priv-callhistory) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +|     [16.11 Email](#bkmk-priv-email) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +|     [16.12 Messaging](#bkmk-priv-messaging) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +|     [16.13 Radios](#bkmk-priv-radios) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | 
|     [16.14 Other devices](#bkmk-priv-other-devices) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | |     [16.15 Feedback & diagnostics](#bkmk-priv-feedback) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | |     [16.16 Background apps](#bkmk-priv-background) | ![Check mark](images/checkmark.png) | | | | | -|     [16.17 Motion](#bkmk-priv-motion) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | -| [17. Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | -| [18. Sync your settings](#bkmk-syncsettings) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | -| [19. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | | | ![Check mark](images/checkmark.png) | +|     [16.17 Motion](#bkmk-priv-motion) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [17. Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [18. Sync your settings](#bkmk-syncsettings) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [19. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [20. Wi-Fi Sense](#bkmk-wifisense) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | | [21. 
Windows Defender](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [22. Windows Media Player](#bkmk-wmp) | ![Check mark](images/checkmark.png) | | | | ![Check mark](images/checkmark.png) | -| [23. Windows spotlight](#bkmk-spotlight) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | -| [24. Windows Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | | | | -| [25. Windows Update Delivery Optimization](#bkmk-updates) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | +| [23. Windows spotlight](#bkmk-spotlight) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [24. Windows Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [25. Windows Update Delivery Optimization](#bkmk-updates) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [26. Windows Update](#bkmk-wu) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | ### Settings for Windows Server 2016 with Desktop Experience 
@@ -114,23 +115,23 @@ See the following table for a summary of the management settings for Windows Ser | Setting | UI | Group Policy | Registry | Command line | | - | :-: | :-: | :-: | :-: | | [1. Certificate trust lists](#certificate-trust-lists) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [2. Cortana and Search](#bkmk-cortana) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | +| [2. Cortana and Search](#bkmk-cortana) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | | | +| [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [5. Font streaming](#font-streaming) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [6. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | -| [7. Internet Explorer](#bkmk-ie) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | -| [8. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | | | +| [6. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [7. Internet Explorer](#bkmk-ie) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [8. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [10. Microsoft Account](#bkmk-microsoft-account) | | | ![Check mark](images/checkmark.png) | | -| [12. 
Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | | | +| [12. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [14. OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | | | | [16. Settings > Privacy](#bkmk-settingssection) | | | | | |     [16.1 General](#bkmk-general) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [17. Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | | | -| [19. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | +| [17. Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [19. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [21. Windows Defender](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [22. Windows Media Player](#bkmk-wmp) | | | | ![Check mark](images/checkmark.png) | -| [24. Windows Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | | | +| [24. Windows Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [26. Windows Update](#bkmk-wu) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ### Settings for Windows Server 2016 Server Core @@ -214,6 +215,16 @@ Find the Cortana Group Policy objects under **Computer Configuration** > **Ad | Don't search the web or display web results in Search| Choose whether to search the web from Cortana.

Enable this policy to stop web queries and results from showing in Search. | | Set what information is shared in Search | Control what information is shared with Bing in Search.

If you enable this policy and set it to **Anonymous info**, usage information will be shared but not search history, Microsoft Account information, or specific location. | +You can also apply the Group Policies using the following registry keys: + +| Policy | Registry Path | +|------------------------------------------------------|---------------------------------------------------------------------------------------| +| Allow Cortana | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search!AllowCortana
REG_DWORD: 0| +| Allow search and Cortana to use location | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search!AllowSearchToUseLocation
REG_DWORD: 0 | +| Do not allow web search | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search!ConnectedSearchPrivacy
REG_DWORD: 3 | +| Don't search the web or display web results in Search| HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search!ConnectedSearchUseWeb
REG_DWORD: 0 | +| Set what information is shared in Search | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search!DisableWebSearch
REG_DWORD: 1 | + In Windows 10, version 1507 and Windows 10, version 1511, when you enable the **Don't search the web or display web results in Search** Group Policy, you can control the behavior of whether Cortana searches the web to display web results. However, this policy only covers whether or not web search is performed. There could still be a small amount of network traffic to Bing.com to evaluate if certain Cortana components are up-to-date or not. In order to turn off that network activity completely, you can create a Windows Firewall rule to prevent outbound traffic. >[!IMPORTANT] @@ -265,6 +276,10 @@ You can prevent Windows from setting the time automatically. - Disable the Group Policy: **System\\Windows Time Service\\Time Providers!!Enable Windows NTP Client** + - or - + +- Create a new REG\_DWORD registry setting **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\W32time\\TimeProviders\\NtpClient!Enabled** to 0 (zero). + -or- - Create a REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters\\Type** with a value of **NoSync**. @@ -273,6 +288,8 @@ You can prevent Windows from setting the time automatically. To prevent Windows from retrieving device metadata from the Internet, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Device Installation** > **Prevent device metadata retrieval from the Internet**. +You can also create a new REG\_DWORD registry setting **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\Device Metadata!PreventDeviceMetadataFromNetwork** to 1 (one). + ### 5. Font streaming Fonts that are included in Windows but that are not stored on the local device can be downloaded on demand. 
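Review bot: In the `@@ -214,6 +215,16` hunk, two rows of the new Cortana registry table appear swapped: "Do not allow web search" is paired with `ConnectedSearchPrivacy` (REG_DWORD: 3) and "Set what information is shared in Search" with `DisableWebSearch` (REG_DWORD: 1). Going by the value names, `DisableWebSearch` belongs to "Do not allow web search" and `ConnectedSearchPrivacy` to "Set what information is shared in Search". Check each row's value name and data against the policy template before merging, since an administrator copying this table would set the wrong value and still see web search traffic.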
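Review bot: In the `@@ -265,6 +276,10` and `@@ -273,6 +288,8` hunks, the new registry paths start at `HKEY_LOCAL_MACHINE\Policies\Microsoft\...`, while the Cortana table added earlier in this patch uses `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\...`. Policy-backed values live under the `SOFTWARE\Policies` branch, so a value created at the path as written would not sit where the component reads it, and the connection would stay enabled while looking configured. Add the missing `SOFTWARE` segment here and in the other hunks of this patch that use the same prefix. The separator is also written "- or -" in the first of these hunks where the rest of the file uses "-or-".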
@@ -315,6 +332,10 @@ To turn off Insider Preview builds for Windows 10: - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Toggle user control over Insider builds**. + - or - + +- Create a new REG\_DWORD registry setting **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\PreviewBuilds!AllowBuildPreview** to 0 (zero) + -or- - Apply the System/AllowBuildPreview MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where: @@ -348,6 +369,17 @@ Use Group Policy to manage settings for Internet Explorer. You can find the Int | Turn off browser geolocation | Choose whether websites can request location data from Internet Explorer.
Default: Disabled| | Prevent managing SmartScreen filter | Choose whether employees can manage the SmartScreen Filter in Internet Explorer.
Default: Disabled | +Alternatively, you could use the registry to set the Group Policies. + +| Policy | Registry path | +|------------------------------------------------------|-----------------------------------------------------------------------------------------------------| +| Turn on Suggested Sites| HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Suggested Sites!Enabled
REG_DWORD: 0| +| Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\AllowServicePoweredQSA
REG_DWORD: 0| +| Turn off the auto-complete feature for web addresses | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Explorer\\AutoComplete!AutoSuggest
REG_SZ: **No** | +| Disable Periodic Check for Internet Explorer software updates| HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Infodelivery\\Restrictions!NoUpdateCheck
REG_DWORD: 1 | +| Turn off browser geolocation | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Geolocation!PolicyDisableGeolocation
REG_DWORD: 1 | +| Prevent managing SmartScreen filter | Choose whether employees can manage the SmartScreen Filter in Internet Explorer.
Default: Disabled | + There are two more Group Policy objects that are used by Internet Explorer: | Path | Policy | Description | @@ -357,6 +389,15 @@ There are two more Group Policy objects that are used by Internet Explorer: an employee can swipe across a screen or click forward to go to the next pre-loaded page of a website.
Default: Enabled | | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **RSS Feeds** | Turn off background synchronization for feeds and Web Slices | Choose whether to have background synchronization for feeds and Web Slices.
Default: Enabled | +You can also use registry entries to set these Group Policies. + +| Policy | Registry path | +|------------------------------------------------------|-----------------------------------------------------------------------------------------------------| +| Choose whether employees can configure Compatibility View. | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Feeds!BackgroundSyncStatus
REG_DWORD: 0| +| Turn off the flip ahead with page prediction feature | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\FlipAhead!Enabled
REG_DWORD: 0| + +AllowServicePoweredQSA + ### 7.1 ActiveX control blocking ActiveX control blocking periodically downloads a new list of out-of-date ActiveX controls that should be blocked. @@ -377,6 +418,10 @@ To turn off Live Tiles: - Apply the Group Policy: **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Notifications** > **Turn Off notifications network usage** + -or- + +- Create a REG\_DWORD registry setting called **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\CurrentVersion\\PushNotifications!NoCloudApplicationNotification**, with a value of 1 (one). + ### 9. Mail synchronization To turn off mail synchronization for Microsoft Accounts that are configured on a device: @@ -395,6 +440,10 @@ To turn off the Windows Mail app: - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Mail** > **Turn off Windows Mail application** + -or- + +- Create a REG\_DWORD registry setting called **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows Mail!ManualLaunchAllowed**, with a value of 0 (zero). + ### 10. Microsoft Account To prevent communication to the Microsoft Account cloud authentication service. Many apps and system components that depend on Microsoft Account authentication may lose functionality. Some of them could be in unexpected ways. @@ -438,6 +487,19 @@ The Windows 10, version 1511 Microsoft Edge Group Policy names are: | Open a new tab with an empty tab | Choose whether a new tab page appears.
Default: Enabled | | Configure corporate Home pages | Choose the corporate Home page for domain-joined devices.
Set this to **about:blank** | +Alternatively, you can configure the Microsoft Group Policies using the following registry entries: + +| Policy | Registry path | +| - | - | +| Configure Autofill | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main!FormSuggest Passwords
REG_SZ: **about:blank** | +| Configure Do Not Track | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main!DoNotTrack
REG_DWORD: 1 | +| Configure Password Manager | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main!FormSuggest Passwords
REG_SZ: **no** | +| Configure search suggestions in Address bar | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main!Use FormSuggest
REG_SZ: **no**| +| Configure Windows Defender SmartScreen Filter (Windows 10, version 1703) | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\PhishingFilter!EnabledV9
REG_DWORD: 0 | +| Allow web content on New Tab page | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\SearchScopes!AllowWebContentOnNewTabPage
REG_DWORD: 0 | +| Configure corporate Home pages | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\ServiceUI!ProvisionedHomePages
REG_DWORD: 0| + + ### 11.2 Microsoft Edge MDM policies The following Microsoft Edge MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). 
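Review bot: In the `@@ -348,6 +369,17` hunk, the last row of the new Internet Explorer registry table, "Prevent managing SmartScreen filter", repeats the policy description ("Choose whether employees can manage the SmartScreen Filter in Internet Explorer. Default: Disabled") instead of giving a registry path and value. Supply the key, value name and data, or drop the row. The "Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar" row also ends its path in `\AllowServicePoweredQSA` without the `!` that separates key from value name in the other rows.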
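Review bot: In the `@@ -357,6 +389,15` hunk, the first row of the second registry table uses what reads like a description, "Choose whether employees can configure Compatibility View.", as the policy name and pairs it with `Feeds!BackgroundSyncStatus`, which by its key and value name belongs to "Turn off background synchronization for feeds and Web Slices" from the table just above. Rename the row to that policy, and remove the stray line "AllowServicePoweredQSA" added after the table.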
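Review bot: In the `@@ -438,6 +487,19` hunk, several rows of the Microsoft Edge registry table do not match their policies: "Configure Autofill" and "Configure Password Manager" both point at `Main!FormSuggest Passwords`, the Autofill row carries the data **about:blank**, "Configure search suggestions in Address bar" points at `Main!Use FormSuggest`, and "Configure corporate Home pages" is given REG_DWORD: 0 although the policy table above says to set it to **about:blank**. Recheck every row's key, value name, type and data. The lead-in should also say "Microsoft Edge Group Policies" rather than "Microsoft Group Policies".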
@@ -468,22 +530,38 @@ You can turn off NCSI by doing one of the following: > [!NOTE] > After you apply this policy, you must restart the device for the policy setting to take effect. + -or- + +- Create a REG\_DWORD registry setting called **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\NetworkConnectivityStatusIndicator!NoActiveProbe**, with a value of 0 (zero). + ### 13. Offline maps You can turn off the ability to download and update offline maps. - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off Automatic Download and Update of Map Data** + -or- + +- Create a REG\_DWORD registry setting called **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\Maps!AutoDownloadAndUpdateMapData**, with a value of 0 (zero). + -and- - In Windows 10, version 1607 and later, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off unsolicited network traffic on the Offline Maps settings page** + -or- + +- Create a REG\_DWORD registry setting called **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\Maps!AllowUntriggeredNetworkTrafficOnSettingsPage**, with a value of 0 (zero). + ### 14. OneDrive To turn off OneDrive in your organization: - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **OneDrive** > **Prevent the usage of OneDrive for file storage** + -or- + +- Create a REG\_DWORD registry setting called **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\OneDrive!DisableFileSyncNGSC**, with a value of 1 (one). + ### 15. Preinstalled apps Some preinstalled apps get content before they are opened to ensure a great experience. You can remove these using the steps in this section. 
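Review bot: The NCSI bullet in this hunk sets `NoActiveProbe` to 0 (zero), whereas the other negatively named values this patch adds are set to 1 (one) to turn a feature off (`NoCloudApplicationNotification`, and `DisableFileSyncNGSC` in this same hunk), so a zero here reads as leaving the active probe on. Confirm the data against the policy this bullet mirrors and change it to 1 if that is what the policy writes. It would also help to state whether the restart mentioned in the note above applies to the registry route.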
@@ -663,10 +741,18 @@ To turn off **Let apps use advertising ID to make ads more interesting to you ba - Create a REG\_DWORD registry setting called **Enabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AdvertisingInfo**, with a value of 0 (zero). -To turn off **Let websites provide locally relevant content by access my language list**: + -or- + +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AdvertisingInfo!DisabledByGroupPolicy**, with a value of 1 (one). + +To turn off **Let websites provide locally relevant content by accessing my language list**: - Turn off the feature in the UI. + -or- + +- Create a new REG\_DWORD registry setting called **HttpAcceptLanguageOptOut** in **HKEY\_CURRENT\_USER\\Control Panel\\International\\User Profile**, with a value of 1. + To turn off **Let Windows track app launches to improve Start and search results**: - Turn off the feature in the UI. @@ -692,6 +778,10 @@ To turn off **Let apps use my advertising ID for experiences across apps (turnin - Create a REG\_DWORD registry setting called **Enabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AdvertisingInfo**, with a value of 0 (zero). + -or- + +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AdvertisingInfo!DisabledByGroupPolicy**, with a value of 1 (one). + To turn off **Turn on SmartScreen Filter to check web content (URLs) that Windows Store apps use**: - Turn off the feature in the UI. 
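Review bot: Both **DisabledByGroupPolicy** additions in these hunks give the key as HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AdvertisingInfo, with no SOFTWARE segment, while the unchanged step directly above uses HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AdvertisingInfo and later additions in this series (Teredo, CloudContent, WindowsStore) use HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies. An admin who copies the path as written ends up with a key outside the location the other steps use. The same prefix appears in most of the registry steps this change adds, so one pass over all of them is worthwhile. The key!value notation also differs from the neighbouring "called **Enabled** in" wording; pick one form.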
@@ -720,6 +810,10 @@ To turn off **Turn on SmartScreen Filter to check web content (URLs) that Window - Create a REG\_DWORD registry setting called **EnableWebContentEvaluation** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppHost**, with a value of 0 (zero). + -or- + +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\System!EnableSmartScreen**, with a value of 0 (zero). + To turn off **Send Microsoft info about how I write to help us improve typing and writing in the future**: > [!NOTE] @@ -753,6 +847,10 @@ To turn off **Let apps on my other devices open apps and continue experiences on - Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Group Policy** > **Continue experiences on this device**. + -or- + +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\System!EnableCdp**, with a value of 0 (zero). + To turn off **Let apps on my other devices use Bluetooth to open apps and continue experiences on this device**: - Turn off the feature in the UI. @@ -769,6 +867,10 @@ To turn off **Location for this device**: - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Location and Sensors** > **Turn off location**. + -or- + +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessLocation**, with a value of 2 (two). + -or- - Apply the System/AllowLocation MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: @@ -798,6 +900,10 @@ To turn off **Location**: - Set the **Select a setting** box to **Force Deny**. + -or- + +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\LocationAndSensors!DisableLocation**, with a value of 1 (one). + -or- To turn off **Location history**: 
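Review bot: The registry values in the two location hunks look swapped. Under **Location for this device** (@@ -769,6 +867,10 @@) the Group Policy is **Turn off location** under Location and Sensors, but the added value is AppPrivacy!LetAppsAccessLocation with a value of 2; under **Location** (@@ -798,6 +900,10 @@) the preceding step is the **Force Deny** setting, but the added value is LocationAndSensors!DisableLocation with a value of 1. Swap them so each value sits beside the policy it mirrors. The second hunk also leaves an -or- directly before **To turn off Location history**, with no option after it.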
@@ -822,6 +928,10 @@ To turn off **Let apps use my camera**: - Set the **Select a setting** box to **Force Deny**. + -or- + +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessCamera**, with a value of 2 (two). + -or- - Apply the Camera/AllowCamera MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: @@ -859,6 +969,10 @@ To turn off **Let apps use my microphone**: - Set the **Select a setting** box to **Force Deny**. + -or- + +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessMicrophone**, with a value of 2 (two) + To turn off **Choose apps that can use your microphone**: - Turn off the feature in the UI for each app. @@ -877,6 +991,10 @@ To turn off **Let apps access my notifications**: - Set the **Select a setting** box to **Force Deny**. + -or- + +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessNotifications**, with a value of 2 (two) + ### 16.6 Speech, inking, & typing In the **Speech, Inking, & Typing** area, you can let Windows and Cortana better understand your employee's voice and written input by sampling their voice and writing, and by comparing verbal and written input to contact names and calendar entrees. 
@@ -892,6 +1010,10 @@ To turn off the functionality: - Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Regional and Language Options** > **Handwriting personalization** > **Turn off automatic learning** + -or- + +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\InputPersonalization!RestrictImplicitInkCollection**, with a value of 1 (one). + -or- - Create a REG\_DWORD registry setting called **AcceptedPrivacyPolicy** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Personalization\\Settings**, with a value of 0 (zero). @@ -928,6 +1050,10 @@ To turn off **Let apps access my name, picture, and other account info**: - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access account information** - Set the **Select a setting** box to **Force Deny**. + + -or- + +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessContacts**, with a value of 2 (two). To turn off **Choose the apps that can access your account info**: @@ -961,6 +1087,10 @@ To turn off **Let apps access my calendar**: - Set the **Select a setting** box to **Force Deny**. + -or- + +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessCalendar**, with a value of 2 (two). + To turn off **Choose apps that can access calendar**: - Turn off the feature in the UI for each app. @@ -979,6 +1109,10 @@ To turn off **Let apps access my call history**: - Set the **Select a setting** box to **Force Deny**. + -or- + +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessCallHistory**, with a value of 2 (two). + ### 16.11 Email In the **Email** area, you can choose which apps have can access and send email. 
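Review bot: In the account info hunk (@@ -928,6 +1050,10 @@) the added value is AppPrivacy!LetAppsAccessContacts, which names contacts, under the step for **Let apps access my name, picture, and other account info**. That hunk and the calendar hunk also place AppPrivacy under HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows, while the call history hunk in the same group puts it under Policies\\Microsoft\\Windows. Use the value name that matches the **Let Windows apps access account information** policy, and one key path for every AppPrivacy value.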
@@ -993,6 +1127,10 @@ To turn off **Let apps access and send email**: - Set the **Select a setting** box to **Force Deny**. + -or- + +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessEmail**, with a value of 2 (two). + ### 16.12 Messaging In the **Messaging** area, you can choose which apps can read or send messages. @@ -1007,6 +1145,10 @@ To turn off **Let apps read or send messages (text or MMS)**: - Set the **Select a setting** box to **Force Deny**. + -or- + +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessMessaging**, with a value of 2 (two). + To turn off **Choose apps that can read or send messages**: - Turn off the feature in the UI for each app. @@ -1024,6 +1166,11 @@ To turn off **Let apps control radios**: - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps control radios** - Set the **Select a setting** box to **Force Deny**. + + -or- + +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessRadios**, with a value of 2 (two). + To turn off **Choose apps that can control radios**: @@ -1041,6 +1188,10 @@ To turn off **Let apps automatically share and sync info with wireless devices t - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps sync with devices** + -or- + +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsSyncWithDevices**, with a value of 2 (two). + To turn off **Let your apps use your trusted devices (hardware you've already connected, or comes with your PC, tablet, or phone)**: - Turn off the feature in the UI. 
@@ -1070,6 +1221,10 @@ To change how frequently **Windows should ask for my feedback**: -or- +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\DataCollection!DoNotShowFeedbackNotifications**, with a value of 1 (one). + + -or- + - Create the registry keys (REG\_DWORD type): - HKEY\_CURRENT\_USER\\Software\\Microsoft\\Siuf\\Rules\\PeriodInNanoSeconds @@ -1103,6 +1258,10 @@ To change the level of diagnostic and usage data sent when you **Send your devic -or- +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\DataCollection!AllowTelemetry**, with a value of 0 (zero). + + -or- + - Apply the System/AllowTelemetry MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: - **0**. Maps to the **Security** level. @@ -1147,6 +1306,10 @@ To turn off **Let Windows and your apps use your motion data and collect motion - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access motion** + -or- + +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessMotion**, with a value of 2 (two). + ### 17. Software Protection Platform Enterprise customers can manage their Windows activation status with volume licensing using an on-premise Key Management Server. You can opt out of sending KMS client activation data to Microsoft automatically by doing one of the following: 
@@ -1157,12 +1320,20 @@ For Windows 10: -or- +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessContacts**, with a value of 2 (two). + + -or- + - Apply the Licensing/DisallowKMSClientOnlineAVSValidation MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is disabled (default) and 1 is enabled. For Windows Server 2016 with Desktop Experience or Windows Server 2016 Server Core: - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Validation** + -or- + +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform!NoGenTicket**, with a value of 1 (one). + The Windows activation status will be valid for a rolling period of 180 days with weekly activation status checks to the KMS. ### 18. Sync your settings @@ -1177,6 +1348,10 @@ You can control if your settings are synchronized: -or- +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\SettingSync!DisableSettingSync**, with a value of 2 (two) and **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\SettingSync!DisableSettingSyncUserOverride**, with a value of 1 (one). + + -or- + - Apply the Experience/AllowSyncMySettings MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is not allowed and 1 is allowed. -or- 
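Review bot: The Windows 10 registry step added in the Software Protection Platform hunk (@@ -1157,12 +1320,20 @@) is AppPrivacy!LetAppsAccessContacts with a value of 2, which is the same text added under account info and does not mention KMS or the Software Protection Platform at all. The Windows Server 2016 step a few lines below it uses Software Protection Platform!NoGenTicket with a value of 1; check whether the Windows 10 step was meant to be the same. In the sync hunk, one bullet sets two values (DisableSettingSync and DisableSettingSyncUserOverride); split it into two steps or state that both are required.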
@@ -1202,6 +1377,10 @@ You can disable Teredo by using Group Policy or by using the netsh.exe command. -or- +- Create a new REG\_SZ registry setting called in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\TCPIP\\v6Transition!Teredo_State**, with a value of **Disabled**. + + -or- + - From an elevated command prompt, run **netsh interface teredo set state disabled** ### 20. Wi-Fi Sense @@ -1238,6 +1417,10 @@ You can disconnect from the Microsoft Antimalware Protection Service. -or- +- Delete the registry setting **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\Updates!DefinitionUpdateFileSharesSources**. + + -or- + - For Windows 10 only, apply the Defender/AllowClouldProtection MDM policy from the [Defender CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). -or- @@ -1248,6 +1431,8 @@ You can disconnect from the Microsoft Antimalware Protection Service. From an elevated Windows PowerShell prompt, run **set-mppreference -Mapsreporting 0** + + You can stop sending file samples back to Microsoft. - Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **MAPS** > **Send file samples when further analysis is required** to **Always Prompt** or **Never Send**. @@ -1276,6 +1461,10 @@ You can stop downloading definition updates: - Disable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **Signature Updates** > **Define file shares for downloading definition updates** and set it to nothing. + -or- + +- Create a new REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\Updates!FallbackOrder**, with a value of **FileShares**. + For Windows 10 only, you can stop Enhanced Notifications: - Turn off the feature in the UI. 
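Review bot: The Teredo step reads "Create a new REG\_SZ registry setting called in", with a stray "called" before the path; reword it to match the other steps. In both Windows Defender additions the separator before Updates is a single unescaped backslash, unlike every other separator in these paths. The step that deletes DefinitionUpdateFileSharesSources is listed under disconnecting from the Microsoft Antimalware Protection Service, but its name refers to definition update file shares, the subject of the later "stop downloading definition updates" list; check that it is in the right place. The @@ -1248,6 +1431,8 @@ hunk only adds blank lines and can be dropped.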
@@ -1304,6 +1493,10 @@ If you're running Windows 10, version 1607 or later, you only need to enable the - **User Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off all Windows spotlight features** + -or- + + - Create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent!DisableWindowsSpotlightFeatures**, with a value of 1 (one). + If you're not running Windows 10, version 1607 or later, you can use the other options in this section. - Configure the following in **Settings**: 
@@ -1329,12 +1522,23 @@ If you're not running Windows 10, version 1607 or later, you can use the other o > [!NOTE] > This will only take effect if the policy is applied before the first logon. If you cannot apply the **Force a specific default lock screen image** policy before the first logon to the device, you can apply this policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Do not display the lock screen**. + -or- + + - Create a new REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization!LockScreenImage**, with a value of **C:\\windows\\web\\screen\\lockscreen.jpg** and create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization!LockScreenOverlaysDisabled**, with a value of 1 (one). - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not show Windows tips**. + -or- + + - Create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent!DisableSoftLanding**, with a value of 1 (one). + - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off Microsoft consumer experiences**. + -or- + + - Create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent!DisableWindowsConsumerFeatures**, with a value of 1 (one). + For more info, see [Windows Spotlight on the lock screen](../configure/windows-spotlight.md). ### 24. Windows Store 
@@ -1343,8 +1547,16 @@ You can turn off the ability to launch apps from the Windows Store that were pre - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Disable all apps from Windows Store**. + -or- + + - Create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsStore!DisableStoreApps**, with a value of 1 (one). + - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Turn off Automatic Download and Install of updates**. + -or- + + - Create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsStore!AutoDownload**, with a value of 2 (two). + ### 25. Windows Update Delivery Optimization Windows Update Delivery Optimization lets you get Windows updates and Windows Store apps from sources in addition to Microsoft, which not only helps when you have a limited or unreliable Internet connection, but can also help you reduce the amount of bandwidth needed to keep all of your organization's PCs up-to-date. If you have Delivery Optimization turned on, PCs on your network may send and receive updates and apps to other PCs on your local network, if you choose, or to PCs on the Internet. @@ -1373,6 +1585,8 @@ You can find the Delivery Optimization Group Policy objects under **Computer Con | Max Cache Size | Lets you specify the maximum cache size as a percentage of disk size.
The default value is 20, which represents 20% of the disk.| | Max Upload Bandwidth | Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity.
The default value is 0, which means unlimited possible bandwidth.| +You can also set the **Download Mode** policy by creating a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeliveryOptimization!DODownloadMode**, with a value of 100 (one hundred). + ### 25.3 Delivery Optimization MDM policies The following Delivery Optimization MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). From 5f8522d31e9cdb5545305bc376dcbb0525780318 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 23 Mar 2017 16:09:04 -0700 Subject: [PATCH 15/29] bug# 9978051 --- ...indows-operating-system-components-to-microsoft-services.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 495075dd53..20b3405473 100644 --- a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -50,6 +50,7 @@ Here's a list of changes that were made to this article for Windows 10, version - Enable Windows NTP client - Turn off Automatic download of the ActiveX VersionList - Allow Automatic Update of Speech Data + - Accounts: Block Microsoft Accounts ## Settings 
@@ -448,7 +449,7 @@ To turn off the Windows Mail app: To prevent communication to the Microsoft Account cloud authentication service. Many apps and system components that depend on Microsoft Account authentication may lose functionality. Some of them could be in unexpected ways. -- Change the **Start** REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\wlidsvc** to 4. +- Apply the Group Policy: **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** > **Security Options** > **Accounts: Block Microsoft Accounts** and set it to **Users can't add Microsoft accounts**. To disable the Microsoft Account Sign-In Assistant: From d6c43a9a80f8d865966bf4d3eb4ea9c7e209c6d6 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 23 Mar 2017 16:20:14 -0700 Subject: [PATCH 16/29] bug# 10070280 --- ...ndows-operating-system-components-to-microsoft-services.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 20b3405473..5237867f1d 100644 --- a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
@@ -171,6 +171,10 @@ A certificate trust list is a predefined list of items, such as a list of certif To turn off the automatic download of an updated certificate trust list, you can turn off automatic root updates, which also includes the disallowed certificate list and the pin rules list. +> [!CAUTION] +> By not automatically downloading the root certificates, the device might have not be able to connect to some websites. + + For Windows 10, Windows Server 2016 with Desktop Experience, and Windows Server 2016 Server Core: - Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Automatic Root Certificates Update** From f4689acc4810ff963c5f47f9899f471221dec36f Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 23 Mar 2017 16:23:14 -0700 Subject: [PATCH 17/29] bug# 10980772 --- ...ows-operating-system-components-to-microsoft-services.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 5237867f1d..30855a3b17 100644 --- a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
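Review bot: The [!CAUTION] text added by the bug# 10070280 change reads "the device might have not be able to connect to some websites"; it should be "might not be able to connect". The hunk also adds two blank lines after the note where one is enough.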
@@ -1296,8 +1296,12 @@ In the **Background Apps** area, you can choose which apps can run in the backgr To turn off **Let apps run in the background**: - Turn off the feature in the UI for each app. + + -or- - - Set the **Select a setting** box to **Force Deny**. +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps run in background** + + - Set the **Select a setting** box to **Force Deny**. ### 16.17 Motion From be5a51b0bda3886fd3bdb1a45507446b45a12955 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 23 Mar 2017 16:28:43 -0700 Subject: [PATCH 18/29] bug# 10980748 --- ...ng-system-components-to-microsoft-services.md | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 30855a3b17..a6b4fc36ec 100644 --- a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -51,6 +51,7 @@ Here's a list of changes that were made to this article for Windows 10, version - Turn off Automatic download of the ActiveX VersionList - Allow Automatic Update of Speech Data - Accounts: Block Microsoft Accounts + - Do not use diagnostic data for tailored experiences ## Settings 
@@ -1250,12 +1251,7 @@ To change how frequently **Windows should ask for my feedback**: To change the level of diagnostic and usage data sent when you **Send your device data to Microsoft**: -- To change from **Enhanced**, use the drop-down list in the UI. The other levels are **Basic** and **Full**. - - > [!NOTE] - > You can't use the UI to change the telemetry level to **Security**. - - +- Click either the **Basic** or **Full** options. -or- @@ -1289,6 +1285,14 @@ To change the level of diagnostic and usage data sent when you **Send your devic - **3**. Maps to the **Full** level. +To turn off tailored experiences with relevant tips and recommendations by using your diagnostics data: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **User Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not use diagnostic data for tailored experiences** + ### 16.16 Background apps In the **Background Apps** area, you can choose which apps can run in the background. From 219065908da383f64a3c8cd2fc7f32ef22d3d9c5 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 23 Mar 2017 16:39:28 -0700 Subject: [PATCH 19/29] bug# 10980800 --- ...system-components-to-microsoft-services.md | 262 +++++++++--------- 1 file changed, 138 insertions(+), 124 deletions(-) diff --git a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index a6b4fc36ec..21b9f91a90 100644 --- a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
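Review bot: In the bug# 10980748 change, the replacement step "Click either the **Basic** or **Full** options" no longer says where to click, and the removed note that the UI can't set the **Security** level has no replacement, although the MDM values in the same section still list a Security level. Keep a sentence saying that Security is reachable only through policy. The new tailored experiences steps offer the UI and a Group Policy but no registry alternative, unlike the steps added earlier in this series.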
@@ -38,6 +38,7 @@ Here's a list of changes that were made to this article for Windows 10, version - Added an MDM policy for the Micosoft Account Sign-In Assistant. - Added instructions for removing the Sticky Notes app. - Added registry paths for some Group Policies +- Added the Find My Device section - Added the following Group Policies: 
@@ -70,45 +71,46 @@ See the following table for a summary of the management settings for Windows 10 | [2. Cortana and Search](#bkmk-cortana) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | | [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -| [5. Font streaming](#font-streaming) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -| [6. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [7. Internet Explorer](#bkmk-ie) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -| [8. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -| [9. Mail synchronization](#bkmk-mailsync) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [10. Microsoft Account](#bkmk-microsoft-account) | | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [11. Microsoft Edge](#bkmk-edge) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [12. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -| [13. 
Offline maps](#bkmk-offlinemaps) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -| [14. OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -| [15. Preinstalled apps](#bkmk-preinstalledapps) | ![Check mark](images/checkmark.png) | | | | ![Check mark](images/checkmark.png) | -| [16. Settings > Privacy](#bkmk-settingssection) | | | | | | -|     [16.1 General](#bkmk-general) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -|     [16.2 Location](#bkmk-priv-location) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -|     [16.3 Camera](#bkmk-priv-camera) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -|     [16.4 Microphone](#bkmk-priv-microphone) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -|     [16.5 Notifications](#bkmk-priv-notifications) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -|     [16.6 Speech, inking, & typing](#bkmk-priv-speech) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -|     [16.7 Account info](#bkmk-priv-accounts) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -|     [16.8 Contacts](#bkmk-priv-contacts) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -|     [16.9 Calendar](#bkmk-priv-calendar) | ![Check 
mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -|     [16.10 Call history](#bkmk-priv-callhistory) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -|     [16.11 Email](#bkmk-priv-email) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -|     [16.12 Messaging](#bkmk-priv-messaging) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -|     [16.13 Radios](#bkmk-priv-radios) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -|     [16.14 Other devices](#bkmk-priv-other-devices) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -|     [16.15 Feedback & diagnostics](#bkmk-priv-feedback) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -|     [16.16 Background apps](#bkmk-priv-background) | ![Check mark](images/checkmark.png) | | | | | -|     [16.17 Motion](#bkmk-priv-motion) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -| [17. Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [18. Sync your settings](#bkmk-syncsettings) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [19. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [20. 
Wi-Fi Sense](#bkmk-wifisense) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -| [21. Windows Defender](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [22. Windows Media Player](#bkmk-wmp) | ![Check mark](images/checkmark.png) | | | | ![Check mark](images/checkmark.png) | -| [23. Windows spotlight](#bkmk-spotlight) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -| [24. Windows Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -| [25. Windows Update Delivery Optimization](#bkmk-updates) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [26. Windows Update](#bkmk-wu) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | +| [5. Find My Device](#find-my-device) | | ![Check mark](images/checkmark.png) | | | | +| [6. Font streaming](#font-streaming) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [7. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [8. Internet Explorer](#bkmk-ie) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [9. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [10. 
Mail synchronization](#bkmk-mailsync) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [11. Microsoft Account](#bkmk-microsoft-account) | | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [12. Microsoft Edge](#bkmk-edge) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [13. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [14. Offline maps](#bkmk-offlinemaps) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [15. OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [16. Preinstalled apps](#bkmk-preinstalledapps) | ![Check mark](images/checkmark.png) | | | | ![Check mark](images/checkmark.png) | +| [17. 
Settings > Privacy](#bkmk-settingssection) | | | | | | +|     [17.1 General](#bkmk-general) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.2 Location](#bkmk-priv-location) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.3 Camera](#bkmk-priv-camera) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.4 Microphone](#bkmk-priv-microphone) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +|     [17.5 Notifications](#bkmk-priv-notifications) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +|     [17.6 Speech, inking, & typing](#bkmk-priv-speech) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.7 Account info](#bkmk-priv-accounts) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +|     [17.8 Contacts](#bkmk-priv-contacts) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +|     [17.9 Calendar](#bkmk-priv-calendar) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +|     [17.10 Call history](#bkmk-priv-callhistory) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +|     [17.11 Email](#bkmk-priv-email) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check 
mark](images/checkmark.png) | | +|     [17.12 Messaging](#bkmk-priv-messaging) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +|     [17.13 Radios](#bkmk-priv-radios) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +|     [17.14 Other devices](#bkmk-priv-other-devices) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +|     [17.15 Feedback & diagnostics](#bkmk-priv-feedback) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.16 Background apps](#bkmk-priv-background) | ![Check mark](images/checkmark.png) | | | | | +|     [17.17 Motion](#bkmk-priv-motion) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [18. Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [19. Sync your settings](#bkmk-syncsettings) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [20. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [21. Wi-Fi Sense](#bkmk-wifisense) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [22. Windows Defender](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [23. Windows Media Player](#bkmk-wmp) | ![Check mark](images/checkmark.png) | | | | ![Check mark](images/checkmark.png) | +| [24. 
Windows spotlight](#bkmk-spotlight) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [25. Windows Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [26. Windows Update Delivery Optimization](#bkmk-updates) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [27. Windows Update](#bkmk-wu) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | ### Settings for Windows Server 2016 with Desktop Experience 
@@ -120,21 +122,21 @@ See the following table for a summary of the management settings for Windows Ser | [2. Cortana and Search](#bkmk-cortana) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [5. Font streaming](#font-streaming) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [6. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [7. Internet Explorer](#bkmk-ie) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [8. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [10. Microsoft Account](#bkmk-microsoft-account) | | | ![Check mark](images/checkmark.png) | | -| [12. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [14. OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | | | -| [16. Settings > Privacy](#bkmk-settingssection) | | | | | +| [6. Font streaming](#font-streaming) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [7. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [8. Internet Explorer](#bkmk-ie) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [9. 
Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [11. Microsoft Account](#bkmk-microsoft-account) | | | ![Check mark](images/checkmark.png) | | +| [13. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [15. OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | | | +| [17. Settings > Privacy](#bkmk-settingssection) | | | | | |     [16.1 General](#bkmk-general) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [17. Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [19. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [21. Windows Defender](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [22. Windows Media Player](#bkmk-wmp) | | | | ![Check mark](images/checkmark.png) | -| [24. Windows Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [26. Windows Update](#bkmk-wu) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [18. Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [20. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [22. Windows Defender](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [23. Windows Media Player](#bkmk-wmp) | | | | ![Check mark](images/checkmark.png) | +| [25. Windows Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [27. 
Windows Update](#bkmk-wu) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ### Settings for Windows Server 2016 Server Core @@ -144,12 +146,12 @@ See the following table for a summary of the management settings for Windows Ser | - | :-: | :-: | :-: | :-: | :-: | | [1. Certificate trust lists](#certificate-trust-lists) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [5. Font streaming](#font-streaming) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [12. Network Connection Status Indicator](#bkmk-ncsi) | ![Check mark](images/checkmark.png) | | | -| [17. Software Protection Platform](#bkmk-spp) | ![Check mark](images/checkmark.png) | | | -| [19. Teredo](#bkmk-teredo) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | -| [21. Windows Defender](#bkmk-defender) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [26. Windows Update](#bkmk-wu) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [6. Font streaming](#font-streaming) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [13. Network Connection Status Indicator](#bkmk-ncsi) | ![Check mark](images/checkmark.png) | | | +| [18. Software Protection Platform](#bkmk-spp) | ![Check mark](images/checkmark.png) | | | +| [20. Teredo](#bkmk-teredo) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | +| [22. Windows Defender](#bkmk-defender) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [27. Windows Update](#bkmk-wu) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ### Settings for Windows Server 2016 Nano Server 
@@ -159,8 +161,8 @@ See the following table for a summary of the management settings for Windows Ser | - | :-: | :-: | :-: | :-: | :-: | | [1. Certificate trust lists](#certificate-trust-lists) | ![Check mark](images/checkmark.png) | | | [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | | -| [19. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | -| [26. Windows Update](#bkmk-wu) | ![Check mark](images/checkmark.png) | | +| [20. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | +| [27. Windows Update](#bkmk-wu) | ![Check mark](images/checkmark.png) | | ## Settings @@ -296,7 +298,19 @@ To prevent Windows from retrieving device metadata from the Internet, apply the You can also create a new REG\_DWORD registry setting **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\Device Metadata!PreventDeviceMetadataFromNetwork** to 1 (one). -### 5. Font streaming +### 5. Find My Device + +To turn off Find My Device: + +- Turn off the feature in the UI + + -or + +- Disable the Group Policy: **Computer Configuration** > **Administrative Template** > **Windows Components** > **Find My Device** > **Turn On/Off Find My Device** + +You can also create a new REG\_DWORD registry setting **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\Device Metadata!PreventDeviceMetadataFromNetwork** to 1 (one). + +### 6. Font streaming Fonts that are included in Windows but that are not stored on the local device can be downloaded on demand. @@ -316,7 +330,7 @@ If you're running Windows 10, version 1507 or Windows 10, version 1511, create a > After you apply this policy, you must restart the device for it to take effect. -### 6. Insider Preview builds +### 7. Insider Preview builds The Windows Insider Preview program lets you help shape the future of Windows, be part of the community, and get early access to releases of Windows 10. 
@@ -362,7 +376,7 @@ To turn off Insider Preview builds for Windows 10: - **2**. (default) Not configured. Users can make their devices available for download and installing preview software. -### 7. Internet Explorer +### 8. Internet Explorer Use Group Policy to manage settings for Internet Explorer. You can find the Internet Explorer Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer**. @@ -404,7 +418,7 @@ You can also use registry entries to set these Group Policies. AllowServicePoweredQSA -### 7.1 ActiveX control blocking +### 8.1 ActiveX control blocking ActiveX control blocking periodically downloads a new list of out-of-date ActiveX controls that should be blocked. @@ -418,7 +432,7 @@ You can turn this off by: For more info, see [Out-of-date ActiveX control blocking](http://technet.microsoft.com/library/dn761713.aspx). -### 8. Live Tiles +### 9. Live Tiles To turn off Live Tiles: @@ -428,7 +442,7 @@ To turn off Live Tiles: - Create a REG\_DWORD registry setting called **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\CurrentVersion\\PushNotifications!NoCloudApplicationNotification**, with a value of 1 (one). -### 9. Mail synchronization +### 10. Mail synchronization To turn off mail synchronization for Microsoft Accounts that are configured on a device: @@ -450,7 +464,7 @@ To turn off the Windows Mail app: - Create a REG\_DWORD registry setting called **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows Mail!ManualLaunchAllowed**, with a value of 0 (zero). -### 10. Microsoft Account +### 11. Microsoft Account To prevent communication to the Microsoft Account cloud authentication service. Many apps and system components that depend on Microsoft Account authentication may lose functionality. Some of them could be in unexpected ways. 
@@ -461,11 +475,11 @@ To disable the Microsoft Account Sign-In Assistant: - Apply the Accounts/AllowMicrosoftAccountSignInAssistant MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is turned off and 1 is turned on. -### 11. Microsoft Edge +### 12. Microsoft Edge Use either Group Policy or MDM policies to manage settings for Microsoft Edge. For more info, see [Microsoft Edge and privacy: FAQ](https://go.microsoft.com/fwlink/p/?LinkId=730682). -### 11.1 Microsoft Edge Group Policies +### 12.1 Microsoft Edge Group Policies Find the Microsoft Edge Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge**. @@ -506,7 +520,7 @@ Alternatively, you can configure the Microsoft Group Policies using the followin | Configure corporate Home pages | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\ServiceUI!ProvisionedHomePages
REG_DWORD: 0| -### 11.2 Microsoft Edge MDM policies +### 12.2 Microsoft Edge MDM policies The following Microsoft Edge MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). @@ -521,7 +535,7 @@ The following Microsoft Edge MDM policies are available in the [Policy CSP](http For a complete list of the Microsoft Edge policies, see [Available policies for Microsoft Edge](http://technet.microsoft.com/library/mt270204.aspx). -### 12. Network Connection Status Indicator +### 13. Network Connection Status Indicator Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to http://www.msftconnecttest.com/connecttest.txt to determine if the device can communicate with the Internet. For more info about NCSI, see [The Network Connection Status Icon](http://blogs.technet.com/b/networking/archive/2012/12/20/the-network-connection-status-icon.aspx). @@ -540,7 +554,7 @@ You can turn off NCSI by doing one of the following: - Create a REG\_DWORD registry setting called **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\NetworkConnectivityStatusIndicator!NoActiveProbe**, with a value of 0 (zero). -### 13. Offline maps +### 14. Offline maps You can turn off the ability to download and update offline maps. @@ -558,7 +572,7 @@ You can turn off the ability to download and update offline maps. - Create a REG\_DWORD registry setting called **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\Maps!AllowUntriggeredNetworkTrafficOnSettingsPage**, with a value of 0 (zero). -### 14. OneDrive +### 15. OneDrive To turn off OneDrive in your organization: 
@@ -568,7 +582,7 @@ To turn off OneDrive in your organization: - Create a REG\_DWORD registry setting called **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\OneDrive!DisableFileSyncNGSC**, with a value of 1 (one). -### 15. Preinstalled apps +### 16. Preinstalled apps Some preinstalled apps get content before they are opened to ensure a great experience. You can remove these using the steps in this section. 
@@ -688,45 +702,45 @@ To remove the Sticky notes app: Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.MicrosoftStickyNotes | Remove-AppxPackage** -### 16. Settings > Privacy +### 17. Settings > Privacy Use Settings > Privacy to configure some settings that may be important to your organization. Except for the Feedback & Diagnostics page, these settings must be configured for every user account that signs into the PC. -- [16.1 General](#bkmk-general) +- [17.1 General](#bkmk-general) -- [16.2 Location](#bkmk-priv-location) +- [17.2 Location](#bkmk-priv-location) -- [16.3 Camera](#bkmk-priv-camera) +- [17.3 Camera](#bkmk-priv-camera) -- [16.4 Microphone](#bkmk-priv-microphone) +- [17.4 Microphone](#bkmk-priv-microphone) -- [16.5 Notifications](#bkmk-priv-notifications) +- [17.5 Notifications](#bkmk-priv-notifications) -- [16.6 Speech, inking, & typing](#bkmk-priv-speech) +- [17.6 Speech, inking, & typing](#bkmk-priv-speech) -- [16.7 Account info](#bkmk-priv-accounts) +- [17.7 Account info](#bkmk-priv-accounts) -- [16.8 Contacts](#bkmk-priv-contacts) +- [17.8 Contacts](#bkmk-priv-contacts) -- [16.9 Calendar](#bkmk-priv-calendar) +- [17.9 Calendar](#bkmk-priv-calendar) -- [16.10 Call history](#bkmk-priv-callhistory) +- [17.10 Call history](#bkmk-priv-callhistory) -- [16.11 Email](#bkmk-priv-email) +- [17.11 Email](#bkmk-priv-email) -- [16.12 Messaging](#bkmk-priv-messaging) +- [17.12 Messaging](#bkmk-priv-messaging) -- [16.13 Radios](#bkmk-priv-radios) +- [17.13 Radios](#bkmk-priv-radios) -- [16.14 Other devices](#bkmk-priv-other-devices) +- [17.14 Other devices](#bkmk-priv-other-devices) -- [16.15 Feedback & diagnostics](#bkmk-priv-feedback) +- [17.15 Feedback & diagnostics](#bkmk-priv-feedback) -- [16.16 Background apps](#bkmk-priv-background) +- [17.16 Background apps](#bkmk-priv-background) -- [16.17 Motion](#bkmk-priv-motion) +- [17.17 Motion](#bkmk-priv-motion) -### 
16.1 General +### 17.1 General **General** includes options that don't fall into other areas. @@ -861,7 +875,7 @@ To turn off **Let apps on my other devices use Bluetooth to open apps and contin - Turn off the feature in the UI. -### 16.2 Location +### 17.2 Location In the **Location** area, you choose whether devices have access to location-specific sensors and which apps have access to the device's location. @@ -920,7 +934,7 @@ To turn off **Choose apps that can use your location**: - Turn off each app using the UI. -### 16.3 Camera +### 17.3 Camera In the **Camera** area, you can choose which apps can access a device's camera. @@ -961,7 +975,7 @@ To turn off **Choose apps that can use your camera**: - Turn off the feature in the UI for each app. -### 16.4 Microphone +### 17.4 Microphone In the **Microphone** area, you can choose which apps can access a device's microphone. @@ -983,7 +997,7 @@ To turn off **Choose apps that can use your microphone**: - Turn off the feature in the UI for each app. -### 16.5 Notifications +### 17.5 Notifications In the **Notifications** area, you can choose which apps have access to notifications. @@ -1001,7 +1015,7 @@ To turn off **Let apps access my notifications**: - Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessNotifications**, with a value of 2 (two) -### 16.6 Speech, inking, & typing +### 17.6 Speech, inking, & typing In the **Speech, Inking, & Typing** area, you can let Windows and Cortana better understand your employee's voice and written input by sampling their voice and writing, and by comparing verbal and written input to contact names and calendar entrees. 
@@ -1043,7 +1057,7 @@ Apply the Speech/AllowSpeechModelUpdate MDM policy from the [Policy CSP](https:/ - Create a REG\_DWORD registry setting called **ModelDownloadAllowed** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Preferences**, with a value of 0 (zero). -### 16.7 Account info +### 17.7 Account info In the **Account Info** area, you can choose which apps can access your name, picture, and other account info. @@ -1065,7 +1079,7 @@ To turn off **Choose the apps that can access your account info**: - Turn off the feature in the UI for each app. -### 16.8 Contacts +### 17.8 Contacts In the **Contacts** area, you can choose which apps can access an employee's contacts list. @@ -1079,7 +1093,7 @@ To turn off **Choose apps that can access contacts**: - Set the **Select a setting** box to **Force Deny**. -### 16.9 Calendar +### 17.9 Calendar In the **Calendar** area, you can choose which apps have access to an employee's calendar. @@ -1101,7 +1115,7 @@ To turn off **Choose apps that can access calendar**: - Turn off the feature in the UI for each app. -### 16.10 Call history +### 17.10 Call history In the **Call history** area, you can choose which apps have access to an employee's call history. @@ -1119,7 +1133,7 @@ To turn off **Let apps access my call history**: - Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessCallHistory**, with a value of 2 (two). -### 16.11 Email +### 17.11 Email In the **Email** area, you can choose which apps have can access and send email. @@ -1137,7 +1151,7 @@ To turn off **Let apps access and send email**: - Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessEmail**, with a value of 2 (two). -### 16.12 Messaging +### 17.12 Messaging In the **Messaging** area, you can choose which apps can read or send messages. 
@@ -1159,7 +1173,7 @@ To turn off **Choose apps that can read or send messages**: - Turn off the feature in the UI for each app. -### 16.13 Radios +### 17.13 Radios In the **Radios** area, you can choose which apps can turn a device's radio on or off. @@ -1182,7 +1196,7 @@ To turn off **Choose apps that can control radios**: - Turn off the feature in the UI for each app. -### 16.14 Other devices +### 17.14 Other devices In the **Other Devices** area, you can choose whether devices that aren't paired to PCs, such as an Xbox One, can share and sync info. @@ -1208,7 +1222,7 @@ To turn off **Let your apps use your trusted devices (hardware you've already co - Set the **Select a setting** box to **Force Deny**. -### 16.15 Feedback & diagnostics +### 17.15 Feedback & diagnostics In the **Feedback & Diagnostics** area, you can choose how often you're asked for feedback and how much diagnostic and usage information is sent to Microsoft. @@ -1293,7 +1307,7 @@ To turn off tailored experiences with relevant tips and recommendations by using - Apply the Group Policy: **User Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not use diagnostic data for tailored experiences** -### 16.16 Background apps +### 17.16 Background apps In the **Background Apps** area, you can choose which apps can run in the background. @@ -1307,7 +1321,7 @@ To turn off **Let apps run in the background**: - Set the **Select a setting** box to **Force Deny**. -### 16.17 Motion +### 17.17 Motion In the **Motion** area, you can choose which apps have access to your motion data. 
@@ -1323,7 +1337,7 @@ To turn off **Let Windows and your apps use your motion data and collect motion - Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessMotion**, with a value of 2 (two). -### 17. Software Protection Platform +### 18. Software Protection Platform Enterprise customers can manage their Windows activation status with volume licensing using an on-premise Key Management Server. You can opt out of sending KMS client activation data to Microsoft automatically by doing one of the following: @@ -1349,7 +1363,7 @@ For Windows Server 2016 with Desktop Experience or Windows Server 2016 Server Co The Windows activation status will be valid for a rolling period of 180 days with weekly activation status checks to the KMS. -### 18. Sync your settings +### 19. Sync your settings You can control if your settings are synchronized: @@ -1379,7 +1393,7 @@ To turn off Messaging cloud sync: - Create a REG\_DWORD registry setting called **CloudServiceSyncEnabled** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Messaging**, with a value of 0 (zero). -### 19. Teredo +### 20. Teredo You can disable Teredo by using Group Policy or by using the netsh.exe command. For more info on Teredo, see [Internet Protocol Version 6, Teredo, and Related Technologies](http://technet.microsoft.com/library/cc722030.aspx). @@ -1396,7 +1410,7 @@ You can disable Teredo by using Group Policy or by using the netsh.exe command. - From an elevated command prompt, run **netsh interface teredo set state disabled** -### 20. Wi-Fi Sense +### 21. Wi-Fi Sense Wi-Fi Sense automatically connects devices to known hotspots and to the wireless networks the person’s contacts have shared with them. 
@@ -1422,7 +1436,7 @@ To turn off **Connect to suggested open hotspots** and **Connect to networks sha When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings screen, but they’re non-functional and they can’t be controlled by the employee. -### 21. Windows Defender +### 22. Windows Defender You can disconnect from the Microsoft Antimalware Protection Service. @@ -1484,7 +1498,7 @@ For Windows 10 only, you can stop Enhanced Notifications: You can also use the registry to turn off Malicious Software Reporting Tool telemetry by setting the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\MRT\\DontReportInfectionInformation** to 1. -### 22. Windows Media Player +### 23. Windows Media Player To remove Windows Media Player on Windows 10: @@ -1498,7 +1512,7 @@ To remove Windows Media Player on Windows Server 2016: - Run the following DISM command from an elevated command prompt: **dism /online /Disable-Feature /FeatureName:WindowsMediaPlayer** -### 23. Windows spotlight +### 24. Windows spotlight Windows spotlight provides features such as different background images and text on the lock screen, suggested apps, Microsoft account notifications, and Windows tips. You can control it by using the user interface or through Group Policy. @@ -1554,7 +1568,7 @@ If you're not running Windows 10, version 1607 or later, you can use the other o For more info, see [Windows Spotlight on the lock screen](../configure/windows-spotlight.md). -### 24. Windows Store +### 25. Windows Store You can turn off the ability to launch apps from the Windows Store that were preinstalled or downloaded. This will also turn off automatic app updates, and the Windows Store will be disabled. On Windows Server 2016, this will block Windows Store calls from Universal Windows Apps. 
@@ -1570,7 +1584,7 @@ You can turn off the ability to launch apps from the Windows Store that were pre - Create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsStore!AutoDownload**, with a value of 2 (two). -### 25. Windows Update Delivery Optimization +### 26. Windows Update Delivery Optimization Windows Update Delivery Optimization lets you get Windows updates and Windows Store apps from sources in addition to Microsoft, which not only helps when you have a limited or unreliable Internet connection, but can also help you reduce the amount of bandwidth needed to keep all of your organization's PCs up-to-date. If you have Delivery Optimization turned on, PCs on your network may send and receive updates and apps to other PCs on your local network, if you choose, or to PCs on the Internet. @@ -1580,13 +1594,13 @@ Use the UI, Group Policy, MDM policies, or Windows Provisioning to set up Delive In Windows 10, version 1607, you can stop network traffic related to Windows Update Delivery Optimization by setting **Download Mode** to **Simple** (99) or **Bypass** (100), as described below. -### 25.1 Settings > Update & security +### 26.1 Settings > Update & security You can set up Delivery Optimization from the **Settings** UI. - Go to **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Choose how updates are delivered**. -### 25.2 Delivery Optimization Group Policies +### 26.2 Delivery Optimization Group Policies You can find the Delivery Optimization Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Delivery Optimization**. 
@@ -1600,7 +1614,7 @@ You can find the Delivery Optimization Group Policy objects under **Computer Con You can also set the **Download Mode** policy by creating a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeliveryOptimization!DODownloadMode**, with a value of 100 (one hundred). -### 25.3 Delivery Optimization MDM policies +### 26.3 Delivery Optimization MDM policies The following Delivery Optimization MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). @@ -1613,7 +1627,7 @@ The following Delivery Optimization MDM policies are available in the [Policy CS | DeliveryOptimization/DOMaxUploadBandwidth | Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity.
The default value is 0, which means unlimited possible bandwidth.| -### 25.4 Delivery Optimization Windows Provisioning +### 26.4 Delivery Optimization Windows Provisioning If you don't have an MDM server in your enterprise, you can use Windows Provisioning to configure the Delivery Optimization policies @@ -1629,7 +1643,7 @@ Use Windows ICD, included with the [Windows Assessment and Deployment Kit (Windo For more info about Delivery Optimization in general, see [Windows Update Delivery Optimization: FAQ](https://go.microsoft.com/fwlink/p/?LinkId=730684). -### 26. Windows Update +### 27. Windows Update You can turn off Windows Update by setting the following registry entries: From e6c0a2417b63297e498d2e5f08ff8ab80ce695a7 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 23 Mar 2017 16:42:52 -0700 Subject: [PATCH 20/29] bug# 10980704 --- ...g-system-components-to-microsoft-services.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 21b9f91a90..c1203cbadd 100644 --- a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -39,6 +39,7 @@ Here's a list of changes that were made to this article for Windows 10, version - Added instructions for removing the Sticky Notes app. - Added registry paths for some Group Policies - Added the Find My Device section +- Added the Tasks section - Added the following Group Policies: 
@@ -101,6 +102,7 @@ See the following table for a summary of the management settings for Windows 10 |     [17.15 Feedback & diagnostics](#bkmk-priv-feedback) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | |     [17.16 Background apps](#bkmk-priv-background) | ![Check mark](images/checkmark.png) | | | | | |     [17.17 Motion](#bkmk-priv-motion) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +|     [17.18 Tasks](#bkmk-priv-tasks) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | | [18. Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [19. Sync your settings](#bkmk-syncsettings) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [20. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | @@ -740,6 +742,8 @@ Use Settings > Privacy to configure some settings that may be important to yo - [17.17 Motion](#bkmk-priv-motion) +- [17.18 Tasks](#bkmk-priv-tasks) + ### 17.1 General **General** includes options that don't fall into other areas. 
@@ -1337,6 +1341,19 @@ To turn off **Let Windows and your apps use your motion data and collect motion - Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessMotion**, with a value of 2 (two). +### 17.18 Tasks + +In the **Tasks** area, you can choose which apps have access to your tasks. + +To turn this off: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access Tasks** + + ### 18. Software Protection Platform Enterprise customers can manage their Windows activation status with volume licensing using an on-premise Key Management Server. You can opt out of sending KMS client activation data to Microsoft automatically by doing one of the following: From fe8b0304d1c2577b272a6a456a5abdb067a676bb Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 23 Mar 2017 16:46:30 -0700 Subject: [PATCH 21/29] bug# 10980781 --- ...g-system-components-to-microsoft-services.md | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index c1203cbadd..ac398c6a26 100644 --- a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -40,6 +40,7 @@ Here's a list of changes that were made to this article for Windows 10, version - Added registry paths for some Group Policies - Added the Find My Device section - Added the Tasks section +- Added the App Diagnostics section - Added the following Group Policies: 
@@ -103,6 +104,7 @@ See the following table for a summary of the management settings for Windows 10 |     [17.16 Background apps](#bkmk-priv-background) | ![Check mark](images/checkmark.png) | | | | | |     [17.17 Motion](#bkmk-priv-motion) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | |     [17.18 Tasks](#bkmk-priv-tasks) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +|     [17.19 App Diagnostics](#bkmk-priv-diag) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | | [18. Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [19. Sync your settings](#bkmk-syncsettings) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [20. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | 
@@ -132,7 +134,7 @@ See the following table for a summary of the management settings for Windows Ser | [13. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [15. OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | | | | [17. Settings > Privacy](#bkmk-settingssection) | | | | | -|     [16.1 General](#bkmk-general) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.1 General](#bkmk-general) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [18. Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [20. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [22. Windows Defender](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | @@ -744,6 +746,8 @@ Use Settings > Privacy to configure some settings that may be important to yo - [17.18 Tasks](#bkmk-priv-tasks) +- [17.19 App Diagnostics](#bkmk-priv-diag) + ### 17.1 General **General** includes options that don't fall into other areas. @@ -1353,6 +1357,17 @@ To turn this off: - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access Tasks** +### 17.19 App Diagnostics + +In the **App diagnostics** area, you can choose which apps have access to your diagnostic information. + +To turn this off: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access dignostic information about other apps** ### 18. Software Protection Platform 
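Review bot: In the new 17.19 App Diagnostics section (hunk @@ -1353,6 +1357,17), the policy name is misspelled: "Let Windows apps access dignostic information about other apps" should read "diagnostic", otherwise an admin searching the Group Policy editor for the quoted name will not find it. The bullet also stops at the policy path without saying which value to choose; the Background apps section of this file follows its policy with "Set the **Select a setting** box to **Force Deny**", and the same sub-step is needed here for the setting to actually deny access. The heading says "App Diagnostics" while the body says "**App diagnostics**"; use one capitalization.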
From 4eda4488ab4f1419a72bd91f7db36e0d00f90031 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 30 Mar 2017 13:48:17 -0700 Subject: [PATCH 22/29] bug# 11420882 --- ...system-components-to-microsoft-services.md | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index ac398c6a26..64217c2478 100644 --- a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -286,7 +286,7 @@ You can prevent Windows from setting the time automatically. -or- -- Disable the Group Policy: **System\\Windows Time Service\\Time Providers!!Enable Windows NTP Client** +- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Enable Windows NTP Server** > **Windows Time Service** > **Enable Windows NTP Client** - or - @@ -356,7 +356,7 @@ To turn off Insider Preview builds for Windows 10: - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Toggle user control over Insider builds**. - - or - + -or - - Create a new REG\_DWORD registry setting **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\PreviewBuilds!AllowBuildPreview** to 0 (zero) @@ -402,12 +402,12 @@ Alternatively, you could use the registry to set the Group Policies. | Turn off the auto-complete feature for web addresses | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Explorer\\AutoComplete!AutoSuggest
REG_SZ: **No** | | Disable Periodic Check for Internet Explorer software updates| HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Infodelivery\\Restrictions!NoUpdateCheck
REG_DWORD: 1 | | Turn off browser geolocation | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Geolocation!PolicyDisableGeolocation
REG_DWORD: 1 | -| Prevent managing SmartScreen filter | Choose whether employees can manage the SmartScreen Filter in Internet Explorer.
Default: Disabled | +| Prevent managing SmartScreen filter | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\ Internet Explorer\\PhishingFilter!EnabledV9
REG_DWORD: 0 | -There are two more Group Policy objects that are used by Internet Explorer: +There are three more Group Policy objects that are used by Internet Explorer: -| Path | Policy | Description | -| - | - | - | +| Path | Description | +| - | - | | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Compatibility View** > **Turn off Compatibility View** | Choose whether employees can configure Compatibility View. | Choose whether an employee can swipe across a screen or click forward to go to the next pre-loaded page of a website.
Default: Disabled | | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Internet Control Panel** > **Advanced Page** | Turn off the flip ahead with page prediction feature | Choose whether an employee can swipe across a screen or click forward to go to the next pre-loaded page of a website.
Default: Enabled | @@ -417,10 +417,10 @@ You can also use registry entries to set these Group Policies. | Policy | Registry path | |------------------------------------------------------|-----------------------------------------------------------------------------------------------------| -| Choose whether employees can configure Compatibility View. | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Feeds!BackgroundSyncStatus
REG_DWORD: 0| +| Choose whether employees can configure Compatibility View. | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\BrowserEmulation!MSCompatibilityMode
REG_DWORD: 0| | Turn off the flip ahead with page prediction feature | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\FlipAhead!Enabled
REG_DWORD: 0| +| Turn off background synchronization for feeds and Web Slices | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Feeds!BackgroundSyncStatus
DWORD:0 | -AllowServicePoweredQSA ### 8.1 ActiveX control blocking @@ -430,7 +430,7 @@ You can turn this off by: - Apply the Group Policy: **User Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Security Features** > **Add-on Management** > **Turn off Automatic download of the ActiveX VersionList** - - or - + -or - - Changing the REG\_DWORD registry setting **HKEY\_CURRENT\_USER\\Software\\Microsoft\\Internet Explorer\\VersionManager\\DownloadVersionList** to 0 (zero). @@ -554,7 +554,7 @@ You can turn off NCSI by doing one of the following: > [!NOTE] > After you apply this policy, you must restart the device for the policy setting to take effect. - -or- +-or- - Create a REG\_DWORD registry setting called **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\NetworkConnectivityStatusIndicator!NoActiveProbe**, with a value of 0 (zero). @@ -1327,7 +1327,7 @@ To turn off **Let apps run in the background**: - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps run in background** - - Set the **Select a setting** box to **Force Deny**. + - Set the **Select a setting** box to **Force Deny**. ### 17.17 Motion From d1bec68ad9a8f92d8107cd2fd47c7c80b79c1c39 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 30 Mar 2017 13:51:07 -0700 Subject: [PATCH 23/29] bug# 11421096 --- ...s-operating-system-components-to-microsoft-services.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 64217c2478..febf96fe74 100644 --- a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
+++ b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -1689,11 +1689,17 @@ You can turn off Windows Update by setting the following registry entries: - Add a REG\_DWORD value called **UseWUServer** to **HKEY\_LOCAL\_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU** and set the value to 1. + -or- + - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Do not connect to any Windows Update Internet locations**. + -and- + - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Intenet Communication Management** > **Internet Communication Settings** > **Turn off access to all Windows Update features**. -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Specify intranet Microsoft update service location** and set the **Set the alternate download server** to **,**. + -and- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Specify intranet Microsoft update service location** and set the **Set the alternate download server** to "". You can turn off automatic updates by doing one of the following. This is not recommended. From 49e53a3c4c99ed2a030f9bbef1be0917332ea1be Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 30 Mar 2017 13:53:13 -0700 Subject: [PATCH 24/29] bug# 10980772 --- ...windows-operating-system-components-to-microsoft-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index febf96fe74..c8e141096b 100644 
--- a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -1325,7 +1325,7 @@ To turn off **Let apps run in the background**: -or- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps run in background** +- Apply the Group Policy (only applicable for Windows 10, version 1703): **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps run in the background** - Set the **Select a setting** box to **Force Deny**. From 20cad0ad6888a0e8030931a546b350587b6d2221 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 30 Mar 2017 13:54:00 -0700 Subject: [PATCH 25/29] bug# 10980704 --- ...windows-operating-system-components-to-microsoft-services.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index c8e141096b..31882157e2 100644 --- a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -1357,6 +1357,8 @@ To turn this off: - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access Tasks** + - Set the **Select a setting** box to **Force Deny**. + ### 17.19 App Diagnostics In the **App diagnostics** area, you can choose which apps have access to your diagnostic information. From 7bb3ab0ca2b65b2ed3657694552538f204e5601f Mon Sep 17 00:00:00 2001 
From: Brian Lich Date: Thu, 30 Mar 2017 14:01:33 -0700 Subject: [PATCH 26/29] bug# 11394447 --- ...indows-operating-system-components-to-microsoft-services.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 31882157e2..8f62d23a67 100644 --- a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -883,6 +883,7 @@ To turn off **Let apps on my other devices use Bluetooth to open apps and contin - Turn off the feature in the UI. + ### 17.2 Location In the **Location** area, you choose whether devices have access to location-specific sensors and which apps have access to the device's location. @@ -1618,6 +1619,8 @@ You can turn off the ability to launch apps from the Windows Store that were pre - Create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsStore!AutoDownload**, with a value of 2 (two). +Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Group Policy* > **Configure web-to-app linking with URI handlers** + ### 26. Windows Update Delivery Optimization Windows Update Delivery Optimization lets you get Windows updates and Windows Store apps from sources in addition to Microsoft, which not only helps when you have a limited or unreliable Internet connection, but can also help you reduce the amount of bandwidth needed to keep all of your organization's PCs up-to-date. If you have Delivery Optimization turned on, PCs on your network may send and receive updates and apps to other PCs on your local network, if you choose, or to PCs on the Internet. 
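Review bot: The line added under the Windows Store section (hunk @@ -1618,6 +1619,8) has unbalanced bold markup: "**Group Policy*" closes with a single asterisk, so the rest of the path will not render as intended; it should be "**Group Policy**". The sentence is also added as a bare paragraph after the AutoDownload registry bullet, with no list marker and no "-or-" or "-and-" separator like the other options in this file, so a reader cannot tell whether disabling this policy is an alternative to the registry setting or an additional required step. Make it a list item and state which it is.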
From da74b16ceddcc8b5d68217f6013748447d0f4c74 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Fri, 31 Mar 2017 08:37:17 -0700 Subject: [PATCH 27/29] bug# 10215117 --- ...s-operating-system-components-to-microsoft-services.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 8f62d23a67..3919f82921 100644 --- a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -233,9 +233,9 @@ You can also apply the Group Policies using the following registry keys: |------------------------------------------------------|---------------------------------------------------------------------------------------| | Allow Cortana | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search!AllowCortana
REG_DWORD: 0| | Allow search and Cortana to use location | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search!AllowSearchToUseLocation
REG_DWORD: 0 | -| Do not allow web search | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search!ConnectedSearchPrivacy
REG_DWORD: 3 | +| Do not allow web search | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search!DisableWebSearch
REG_DWORD: 1 | | Don't search the web or display web results in Search| HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search!ConnectedSearchUseWeb
REG_DWORD: 0 | -| Set what information is shared in Search | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search!DisableWebSearch
REG_DWORD: 1 | +| Set what information is shared in Search | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search!ConnectedSearchPrivacy
REG_DWORD: 3 | In Windows 10, version 1507 and Windows 10, version 1511, when you enable the **Don't search the web or display web results in Search** Group Policy, you can control the behavior of whether Cortana searches the web to display web results. However, this policy only covers whether or not web search is performed. There could still be a small amount of network traffic to Bing.com to evaluate if certain Cortana components are up-to-date or not. In order to turn off that network activity completely, you can create a Windows Firewall rule to prevent outbound traffic. @@ -515,10 +515,10 @@ Alternatively, you can configure the Microsoft Group Policies using the followin | Policy | Registry path | | - | - | -| Configure Autofill | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main!FormSuggest Passwords
REG_SZ: **about:blank** | +| Configure Autofill | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main!Use FormSuggest
REG_SZ: **about:blank** | | Configure Do Not Track | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main!DoNotTrack
REG_DWORD: 1 | | Configure Password Manager | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main!FormSuggest Passwords
REG_SZ: **no** | -| Configure search suggestions in Address bar | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main!Use FormSuggest
REG_SZ: **no**| +| Configure search suggestions in Address bar | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\SearchScopes!ShowSearchSuggestionsGlobal
REG_DWORD: 0| | Configure Windows Defender SmartScreen Filter (Windows 10, version 1703) | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\PhishingFilter!EnabledV9
REG_DWORD: 0 | | Allow web content on New Tab page | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\SearchScopes!AllowWebContentOnNewTabPage
REG_DWORD: 0 | | Configure corporate Home pages | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\ServiceUI!ProvisionedHomePages
REG_DWORD: 0| From 97a37f8487dcc5f1445e43e1a1da5ae009eec86b Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Fri, 31 Mar 2017 08:46:30 -0700 Subject: [PATCH 28/29] testing fix --- ...system-components-to-microsoft-services.md | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 3919f82921..2969b3256f 100644 --- a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -288,7 +288,7 @@ You can prevent Windows from setting the time automatically. - Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Enable Windows NTP Server** > **Windows Time Service** > **Enable Windows NTP Client** - - or - + -or - - Create a new REG\_DWORD registry setting **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\W32time\\TimeProviders\\NtpClient!Enabled** to 0 (zero). @@ -406,11 +406,10 @@ Alternatively, you could use the registry to set the Group Policies. There are three more Group Policy objects that are used by Internet Explorer: -| Path | Description | -| - | - | +| Path | Policy | Description | +| - | - | - | | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Compatibility View** > **Turn off Compatibility View** | Choose whether employees can configure Compatibility View. | Choose whether an employee can swipe across a screen or click forward to go to the next pre-loaded page of a website.
Default: Disabled | -| **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Internet Control Panel** > **Advanced Page** | Turn off the flip ahead with page prediction feature | Choose whether -an employee can swipe across a screen or click forward to go to the next pre-loaded page of a website.
Default: Enabled | +| **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Internet Control Panel** > **Advanced Page** | Turn off the flip ahead with page prediction feature | Choose whether an employee can swipe across a screen or click forward to go to the next pre-loaded page of a website.
Default: Enabled | | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **RSS Feeds** | Turn off background synchronization for feeds and Web Slices | Choose whether to have background synchronization for feeds and Web Slices.
Default: Enabled | You can also use registry entries to set these Group Policies. @@ -1584,12 +1583,12 @@ If you're not running Windows 10, version 1607 or later, you can use the other o > [!NOTE] > This will only take effect if the policy is applied before the first logon. If you cannot apply the **Force a specific default lock screen image** policy before the first logon to the device, you can apply this policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Do not display the lock screen**. - -or- + > -or- - - Create a new REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization!LockScreenImage**, with a value of **C:\\windows\\web\\screen\\lockscreen.jpg** and create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization!LockScreenOverlaysDisabled**, with a value of 1 (one). - + > - Create a new REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization!LockScreenImage**, with a value of **C:\\windows\\web\\screen\\lockscreen.jpg** and create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization!LockScreenOverlaysDisabled**, with a value of 1 (one). + - - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not show Windows tips**. + > - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not show Windows tips**. -or- 
@@ -1619,7 +1618,7 @@ You can turn off the ability to launch apps from the Windows Store that were pre - Create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsStore!AutoDownload**, with a value of 2 (two). -Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Group Policy* > **Configure web-to-app linking with URI handlers** +Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Group Policy** > **Configure web-to-app linking with URI handlers** ### 26. Windows Update Delivery Optimization From 477c7510bf63f50ce8f722a4c75abb40cdbf429f Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Fri, 31 Mar 2017 08:52:52 -0700 Subject: [PATCH 29/29] testing another fix --- ...s-operating-system-components-to-microsoft-services.md | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 2969b3256f..86503c42e8 100644 --- a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
@@ -1581,14 +1581,10 @@ If you're not running Windows 10, version 1607 or later, you can use the other o - Set the **Turn off fun facts, tips, tricks, and more on lock screen** check box. > [!NOTE] - > This will only take effect if the policy is applied before the first logon. If you cannot apply the **Force a specific default lock screen image** policy before the first logon to the device, you can apply this policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Do not display the lock screen**. - - > -or- - - > - Create a new REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization!LockScreenImage**, with a value of **C:\\windows\\web\\screen\\lockscreen.jpg** and create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization!LockScreenOverlaysDisabled**, with a value of 1 (one). + > This will only take effect if the policy is applied before the first logon. If you cannot apply the **Force a specific default lock screen image** policy before the first logon to the device, you can apply this policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Do not display the lock screen**. Alternatively, you can create a new REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization!LockScreenImage**, with a value of **C:\\windows\\web\\screen\\lockscreen.jpg** and create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization!LockScreenOverlaysDisabled**, with a value of 1 (one). - > - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not show Windows tips**. 
+ - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not show Windows tips**. -or-
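Review bot: In PATCH 22/29, the time-service hunk (@@ -286,7 +286,7) puts a policy name in the middle of the folder path: **System** > **Enable Windows NTP Server** > **Windows Time Service** > **Enable Windows NTP Client**. The removed line read System\\Windows Time Service\\Time Providers!!Enable Windows NTP Client, so the "Time Providers" folder has been lost and "Enable Windows NTP Server" inserted in its place. Unless that is deliberate, the path should follow the removed line: **System** > **Windows Time Service** > **Time Providers** > **Enable Windows NTP Client**.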
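Review bot: In PATCH 22/29, the Internet Explorer hunk (@@ -402,12 +402,12) changes the text to "There are three more Group Policy objects" but drops the Policy column from the table header while the rows below still carry three cells, so the table no longer lines up (a later commit in this series restores the header). In the same hunk the new SmartScreen registry path is written "Microsoft\ Internet Explorer" with a single backslash and a space where every other row uses "\\Internet Explorer", and the new feeds row in the next hunk writes "DWORD:0" where the other rows write "REG_DWORD: 0". Both should match the surrounding rows so the paths can be copied reliably.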
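Review bot: In PATCH 27/29, the Microsoft Edge registry table hunk (@@ -515,10 +515,10) renames the Configure Autofill value to Main!Use FormSuggest but leaves its data as REG_SZ: **about:blank**, which does not look like a setting for an autofill switch. The row that previously used Use FormSuggest carried REG_SZ: **no**, the same data as the Configure Password Manager row. Please confirm the intended data for Use FormSuggest and correct it in this change, since admins will copy these values directly into policy.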
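Review bot: In PATCH 29/29 (@@ -1581,14 +1581,10), folding the registry settings into the [!NOTE] paragraph with "Alternatively, you can create ..." makes them read as a fallback for the first-logon caveat rather than as an alternative way to set the lock screen image, and it leaves one very long note. If the quoted "-or-" lines from the previous commit were what broke rendering, consider ending the note after "**Do not display the lock screen**" and keeping the LockScreenImage and LockScreenOverlaysDisabled settings as their own "-or-" list item at the list's indentation. The subject line "testing another fix" should also say which rendering problem is being fixed.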