diff --git a/windows/manage/TOC.md b/windows/manage/TOC.md index 3324e10449..7da90bbb2a 100644 --- a/windows/manage/TOC.md +++ b/windows/manage/TOC.md @@ -17,7 +17,8 @@ #### [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) #### [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](set-up-a-kiosk-for-windows-10-for-mobile-edition.md) ### [Lock down Windows 10 to specific apps](lock-down-windows-10-to-specific-apps.md) -### [Configure telemetry and other settings in your organization](disconnect-your-organization-from-microsoft.md) +### [Configure Windows 10 devices to stop data flow to Microsoft](configure-windows-10-devices-to-stop-data-flow-to-microsoft.md) +### [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md) ### [Configure access to Windows Store](stop-employees-from-using-the-windows-store.md) ### [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) ### [Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md) diff --git a/windows/manage/change-history-for-manage-and-update-windows-10.md b/windows/manage/change-history-for-manage-and-update-windows-10.md index 8767cf30ff..81182141c2 100644 --- a/windows/manage/change-history-for-manage-and-update-windows-10.md +++ b/windows/manage/change-history-for-manage-and-update-windows-10.md @@ -10,145 +10,54 @@ author: jdeckerMS # Change history for Manage and update Windows 10 - This topic lists new and updated topics in the [Manage and update Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md). ## May 2016 -New or changed topic | Description | ----|---| -[Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | Corrected script for setting a custom shell using Shell Launcher | +| New or changed topic | Description | +| ---|---| +| [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | Corrected script for setting a custom shell using Shell Launcher | +| [Configure Windows 10 devices to stop data flow to Microsoft](configure-windows-10-devices-to-stop-data-flow-to-microsoft.md) | Added section on how to turn off Live Tiles | +| [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md) | New telemetry content | + ## April 2016 - - - - - - - - - - - - - - - - - - - - - - -
New or changed topicDescription
[Administrative tools in Windows 10](administrative-tools-in-windows-10.md)

Added screenshots of Control Panel and the administrative tools folder.

[Configure telemetry and other settings in your organization](disconnect-your-organization-from-microsoft.md)

Added the font streaming section.

[Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md)

Made corrections to script and instructions for Shell Launcher.

- -  +| New or changed topic | Description | +| ---|---| +| [Administrative tools in Windows 10](administrative-tools-in-windows-10.md) | Added screenshots of Control Panel and the administrative tools folder. | +| [Configure telemetry and other settings in your organization](disconnect-your-organization-from-microsoft.md) | Added the font streaming section. | +| [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | Made corrections to script and instructions for Shell Launcher. | ## March 2016 - - - - - - - - - - - - - - - - - - - - - - - -
New or changed topicDescription
[Application development for Windows as a service](application-development-for-windows-as-a-service.md)New
[Join Windows 10 Mobile to Azure Active Directory](join-windows-10-mobile-to-azure-active-directory.md)

New

[Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md)

Updated to include the new Preview feature, Cortana and Microsoft Dynamics CRM integration.

- -  +| New or changed topic | Description | +| ---|---| +| [Application development for Windows as a service](application-development-for-windows-as-a-service.md) | New | +| [Join Windows 10 Mobile to Azure Active Directory](join-windows-10-mobile-to-azure-active-directory.md) | New | +| [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) | Updated to include the new Preview feature, Cortana and Microsoft Dynamics CRM integration. | ## February 2016 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
New or changed topicDescription
[Configure telemetry and other settings in your organization](disconnect-your-organization-from-microsoft.md)

Added call history and email to the Settings > Privacy section.

-

Added the Turn off Windows Mail application Group Policy to the Mail synchronization section.

[Customize and export Start layout](customize-and-export-start-layout.md)Added a note to clarify that partial Start layout is only supported in Windows 10, version 1511 and later
[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)Added instructions for replacing markup characters with escape characters in Start layout XML
[Introduction to configuration service providers (CSPs) for IT pros](how-it-pros-can-use-configuration-service-providers.md)New
[Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md)New
[Windows 10 servicing options for updates and upgrades](introduction-to-windows-10-servicing.md)Added information on servicing options for Windows 10 Mobile, Windows 10 Mobile Enterprise, and Windows 10 IoT Core (IoT Core).
- +| New or changed topic | Description | +| ---|---| +| [Configure telemetry and other settings in your organization](disconnect-your-organization-from-microsoft.md) | Added call history and email to the Settings > Privacy section.
Added the Turn off Windows Mail application Group Policy to the Mail synchronization section. | +| [Customize and export Start layout](customize-and-export-start-layout.md) | Added a note to clarify that partial Start layout is only supported in Windows 10, version 1511 and later | +| [Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) | Added instructions for replacing markup characters with escape characters in Start layout XML | +| [Introduction to configuration service providers (CSPs) for IT pros](how-it-pros-can-use-configuration-service-providers.md) | New | +| [Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md) | New | +| [Windows 10 servicing options for updates and upgrades](introduction-to-windows-10-servicing.md) | Added information on servicing options for Windows 10 Mobile, Windows 10 Mobile Enterprise, and Windows 10 IoT Core (IoT Core). |   ## December 2015 - - - - - - - - - - - - - - - - - - - - - - - -
New or changed topicDescription
[Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md)New
[Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md)New
[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
- -  +| New or changed topic | Description | +| ---|---| +| [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) | New | +| [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) | New | +|[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) | New | ## November 2015 - | New or changed topic | Description | |--------------------------------------------------------------------------------------------------------------------------------------------------|-------------| | [Administrative Tools in Windows 10](administrative-tools-in-windows-10.md) | New | @@ -166,11 +75,8 @@ New or changed topic | Description | | [Configure telemetry and other settings in your organization](disconnect-your-organization-from-microsoft.md) | Updated | | [New policies for Windows 10](new-policies-for-windows-10.md) | Updated | -  - ## Related topics - [Change history for What's new in Windows 10](../whats-new/change-history-for-what-s-new-in-windows-10.md) [Change history for Plan for Windows 10 deployment](../plan/change-history-for-plan-for-windows-10-deployment.md) @@ -179,11 +85,4 @@ New or changed topic | Description | [Change history for Keep Windows 10 secure](../keep-secure/change-history-for-keep-windows-10-secure.md) -  - -  - - - - - +  \ No newline at end of file diff --git a/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md b/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md new file mode 100644 index 0000000000..df77f2d6aa --- /dev/null +++ b/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md @@ -0,0 +1,1271 @@ +--- +title: Configure Windows 10 devices to stop data flow to Microsoft (Windows 10) +description: If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider. +ms.assetid: ACCEB0DD-BC6F-41B1-B359-140B242183D9 +keywords: privacy, stop data flow to Microsoft +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +--- + +# Configure Windows 10 devices to stop data flow to Microsoft + +**Applies to** + +- Windows 10 + +If you're looking for content on what each telemetry level means and how to configure it in your organization, see [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md). + +Learn about the network connections that Windows components make to Microsoft and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro. + +If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider. You can configure telemetry at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment from the list in this article. + +Some of the network connections discussed in this article can be managed in Windows 10 Mobile, Windows 10 Mobile Enterprise, and the July release of Windows 10. However, you must use Windows 10 Enterprise, version 1511 or Windows 10 Education, version 1511 to manage them all. + +In Windows 10 Enterprise, version 1511 or Windows 10 Education, version 1511, you can configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all other connections to Microsoft services as described in this article to prevent Windows from sending any data to Microsoft. We strongly recommend against this, as this data helps us deliver a secure, reliable, and more delightful personalized experience. + +We are always working on improving Windows 10 for our customers. We invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows 10 work better for your organization. + +Here's what's covered in this article: + +- [Info management settings](#bkmk-othersettings) + + - [1. Cortana](#bkmk-cortana) + + - [1.1 Cortana Group Policies](#bkmk-cortana-gp) + + - [1.2 Cortana MDM policies](#bkmk-cortana-mdm) + + - [1.3 Cortana Windows Provisioning](#bkmk-cortana-prov) + + - [2. Date & Time](#bkmk-datetime) + + - [3. Device metadata retrieval](#bkmk-devinst) + + - [4. Font streaming](#font-streaming) + + - [5. Insider Preview builds](#bkmk-previewbuilds) + + - [6. Internet Explorer](#bkmk-ie) + + - [6.1 Internet Explorer Group Policies](#bkmk-ie-gp) + + - [6.2 ActiveX control blocking](#bkmk-ie-activex) + + - [7. Live Tiles](#live-tiles) + + - [8. Mail synchronization](#bkmk-mailsync) + + - [9. Microsoft Edge](#bkmk-edge) + + - [9.1 Microsoft Edge Group Policies](#bkmk-edgegp) + + - [9.2 Microsoft Edge MDM policies](#bkmk-edge-mdm) + + - [9.3 Microsoft Edge Windows Provisioning](#bkmk-edge-prov) + + - [10. Network Connection Status Indicator](#bkmk-ncsi) + + - [11. Offline maps](#bkmk-offlinemaps) + + - [12. OneDrive](#bkmk-onedrive) + + - [13. Preinstalled apps](#bkmk-preinstalledapps) + + - [14. Settings > Privacy](#bkmk-settingssection) + + - [14.1 General](#bkmk-priv-general) + + - [14.2 Location](#bkmk-priv-location) + + - [14.3 Camera](#bkmk-priv-camera) + + - [14.4 Microphone](#bkmk-priv-microphone) + + - [14.5 Speech, inking, & typing](#bkmk-priv-speech) + + - [14.6 Account info](#bkmk-priv-accounts) + + - [14.7 Contacts](#bkmk-priv-contacts) + + - [14.8 Calendar](#bkmk-priv-calendar) + + - [14.9 Call history](#bkmk-priv-callhistory) + + - [14.10 Email](#bkmk-priv-email) + + - [14.11 Messaging](#bkmk-priv-messaging) + + - [14.12 Radios](#bkmk-priv-radios) + + - [14.13 Other devices](#bkmk-priv-other-devices) + + - [14.14 Feedback & diagnostics](#bkmk-priv-feedback) + + - [14.15 Background apps](#bkmk-priv-background) + + - [15. Software Protection Platform](#bkmk-spp) + + - [16. Sync your settings](#bkmk-syncsettings) + + - [17. Teredo](#bkmk-teredo) + + - [18. Wi-Fi Sense](#bkmk-wifisense) + + - [19. Windows Defender](#bkmk-defender) + + - [20. Windows Media Player](#bkmk-wmp) + + - [21. Windows spotlight](#bkmk-spotlight) + + - [22. Windows Store](#bkmk-windowsstore) + + - [23. Windows Update Delivery Optimization](#bkmk-updates) + + - [23.1 Settings > Update & security](#bkmk-wudo-ui) + + - [23.2 Delivery Optimization Group Policies](#bkmk-wudo-gp) + + - [23.3 Delivery Optimization MDM policies](#bkmk-wudo-mdm) + + - [23.4 Delivery Optimization Windows Provisioning](#bkmk-wudo-prov) + + - [24. Windows Update](#bkmk-wu) + +## What's new in Windows 10, version 1511 + + +Here's a list of changes that were made to this article for Windows 10, version 1511: + +- Added the following new sections: + + - [Mail synchronization](#bkmk-mailsync) + + - [Offline maps](#bkmk-offlinemaps) + + - [Windows spotlight](#bkmk-spotlight) + + - [Windows Store](#bkmk-windowsstore) + +- Added the following Group Policies: + + - Open a new tab with an empty tab + + - Configure corporate Home pages + + - Let Windows apps access location + + - Let Windows apps access the camera + + - Let Windows apps access the microphone + + - Let Windows apps access account information + + - Let Windows apps access contacts + + - Let Windows apps access the calendar + + - Let Windows apps access messaging + + - Let Windows apps control radios + + - Let Windows apps access trusted devices + + - Do not show feedback notifications + + - Turn off Automatic Download and Update of Map Data + + - Force a specific default lock screen image + +- Added the AllowLinguisticDataCollection MDM policy. + +- Added steps in the [Cortana](#bkmk-cortana) section on how to disable outbound traffic using Windows Firewall. + +- Changed the Windows Update section to apply system-wide settings, and not just per user. + +## Info management settings + + +This section lists the components that make network connections to Microsoft services automatically. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all of these connections. We strongly recommend against this, as this data helps us deliver a secure, reliable, and more delightful personalized experience. + +The settings in this section assume you are using Windows 10, version 1511 (currently available in the Current Branch and Current Branch for Business). They will also be included in the next update for the Long Term Servicing Branch. + +- [1. Cortana](#bkmk-cortana) + +- [2. Date & Time](#bkmk-datetime) + +- [3. Device metadata retrieval](#bkmk-devinst) + +- [4. Font streaming](#font-streaming) + +- [5. Insider Preview builds](#bkmk-previewbuilds) + +- [6. Internet Explorer](#bkmk-ie) + +- [7. Live Tiles](#live-tiles) + +- [8. Mail synchronization](#bkmk-mailsync) + +- [9. Microsoft Edge](#bkmk-edge) + +- [10. Network Connection Status Indicator](#bkmk-ncsi) + +- [11. Offline maps](#bkmk-offlinemaps) + +- [12. OneDrive](#bkmk-onedrive) + +- [13. Preinstalled apps](#bkmk-preinstalledapps) + +- [14. Settings > Privacy](#bkmk-settingssection) + +- [15. Software Protection Platform](#bkmk-spp) + +- [16. Sync your settings](#bkmk-syncsettings) + +- [17. Teredo](#bkmk-teredo) + +- [18. Wi-Fi Sense](#bkmk-wifisense) + +- [19. Windows Defender](#bkmk-defender) + +- [20. Windows Media Player](#bkmk-wmp) + +- [21. Windows spotlight](#bkmk-spotlight) + +- [22. Windows Store](#bkmk-windowsstore) + +- [23. Windows Update Delivery Optimization](#bkmk-updates) + +- [24. Windows Update](#bkmk-wu) + + +See the following table for a summary of the management settings. For more info, see its corresponding section. + +![Management settings table](images/settings-table.png) + +### 1. Cortana + +Use either Group Policy or MDM policies to manage settings for Cortana. For more info, see [Cortana, Search, and privacy: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=730683). + +### 1.1 Cortana Group Policies + +Find the Cortana Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Search**. + +| Policy | Description | +|------------------------------------------------------|---------------------------------------------------------------------------------------| +| Allow Cortana | Choose whether to let Cortana install and run on the device. | +| Allow search and Cortana to use location | Choose whether Cortana and Search can provide location-aware search results. | +| Do not allow web search | Choose whether to search the web from Windows Desktop Search.
Default: Disabled| +| Don't search the web or display web results in Search| Choose whether to search the web from Cortana. | +| Set what information is shared in Search | Control what information is shared with Bing in Search. | + +When you enable the **Don't search the web or display web results in Search** Group Policy, you can control the behavior of whether Cortana searches the web to display web results. However, this policy only covers whether or not web search is performed. There could still be a small amount of network traffic to Bing.com to evaluate if certain Cortana components are up-to-date or not. In order to turn off that network activity completely, you can create a Windows Firewall rule to prevent outbound traffic. + +1. Expand **Computer Configuration** > **Windows Settings** > **Security Settings** > **Windows Firewall with Advanced Security** > **Windows Firewall with Advanced Security - <LDAP name>**, and then click **Outbound Rules**. + +2. Right-click **Outbound Rules**, and then click **New Rule**. The **New Outbound Rule Wizard** starts. + +3. On the **Rule Type** page, click **Program**, and then click **Next**. + +4. On the **Program** page, click **This program path**, type **%windir%\\systemapps\\Microsoft.Windows.Cortana\_cw5n1h2txyewy\\SearchUI.exe**, and then click **Next**. + +5. On the **Action** page, click **Block the connection**, and then click **Next**. + +6. On the **Profile** page, ensure that the **Domain**, **Private**, and **Public** check boxes are selected, and then click **Next**. + +7. On the **Name** page, type a name for the rule, such as **Cortana firewall configuration**, and then click **Finish.** + +8. Right-click the new rule, click **Properties**, and then click **Protocols and Ports**. + +9. Configure the **Protocols and Ports** page with the following info, and then click **OK**. + + - For **Protocol type**, choose **TCP**. + + - For **Local port**, choose **All Ports**. + + - For **Remote port**, choose **All ports**. + +**Note** +If your organization tests network traffic, you should not use Fiddler to test Windows Firewall settings. You should use a network traffic analyzer, such as WireShark or Message Analyzer. + +### 1.2 Cortana MDM policies + +The following Cortana MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). + +| Policy | Description | +|------------------------------------------------------|-----------------------------------------------------------------------------------------------------| +| Experience/AllowCortana | Choose whether to let Cortana install and run on the device. | +| Search/AllowSearchToUseLocation | Choose whether Cortana and Search can provide location-aware search results.
Default: Allowed| + +### 1.3 Cortana Windows Provisioning + +To use Windows Imaging and Configuration Designer (ICD) to create a provisioning package with the settings for these policies, go to **Runtime settings** > **Policies** to find **Experience** > **AllowCortana** and **Search** > **AllowSearchToUseLocation**. + +### 2. Date & Time + +You can prevent Windows from setting the time automatically. + +- To turn off the feature in the UI: **Settings** > **Time & language** > **Date & time** > **Set time automatically** + + -or- + +- Create a REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters** with a value of **NoSync**. + +### 3. Device metadata retrieval + +To prevent Windows from retrieving device metadata from the Internet, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Device Installation** > **Prevent device metadata retrieval from the Internet**. + +### 4. Font streaming + +Starting with Windows 10, fonts that are included in Windows but that are not stored on the local device can be downloaded on demand. + +To turn off font streaming, create a REG\_DWORD registry setting called **DisableFontProviders** in **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\FontCache\\Parameters**, with a value of 1. + +**Note** +This may change in future versions of Windows. + +### 5. Insider Preview builds + +To turn off Insider Preview builds if you're running a released version of Windows 10. If you're running a preview version of Windows 10, you must roll back to a released version before you can turn off Insider Preview builds. + +- Turn off the feature in the UI: **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Stop Insider builds**. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Toggle user control over Insider builds**. + + -or- + +- Apply the System/AllowBuildPreview MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where: + + - **0**. Users cannot make their devices available for downloading and installing preview software. + + - **1**. Users can make their devices available for downloading and installing preview software. + + - **2**. (default) Not configured. Users can make their devices available for download and installing preview software. + + -or- + +- Create a provisioning package: **Runtime settings** > **Policies** > **System** > **AllowBuildPreview**, where: + + - **0**. Users cannot make their devices available for downloading and installing preview software. + + - **1**. Users can make their devices available for downloading and installing preview software. + + - **2**. (default) Not configured. Users can make their devices available for download and installing preview software. + +### 6. Internet Explorer + +Use Group Policy to manage settings for Internet Explorer. + +### 6.1 Internet Explorer Group Policies + +Find the Internet Explorer Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer**. + +| Policy | Description | +|------------------------------------------------------|-----------------------------------------------------------------------------------------------------| +| Turn on Suggested Sites| Choose whether an employee can configure Suggested Sites.
Default: Enabled
You can also turn this off in the UI by clearing the **Internet Options** > **Advanced** > **Enable Suggested Sites** check box.| +| Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | Choose whether an employee can configure enhanced suggestions, which are presented to the employee as they type in the address bar.
Default: Enabled| +| Turn off the auto-complete feature for web addresses | Choose whether auto-complete suggests possible matches when employees are typing web address in the address bar.
Default: Disabled
You can also turn this off in the UI by clearing the Internet Options > **Advanced** > **Use inline AutoComplete in the Internet Explorer Address Bar and Open Dialog** check box.| +| Disable Periodic Check for Internet Explorer software updates| Choose whether Internet Explorer periodically checks for a new version.
Default: Enabled | +| Turn off browser geolocation | Choose whether websites can request location data from Internet Explorer.
Default: Disabled| + +### 6.2 ActiveX control blocking + +ActiveX control blocking periodically downloads a new list of out-of-date ActiveX controls that should be blocked. You can turn this off by changing the REG\_DWORD registry setting **HKEY\_CURRENT\_USER\\Software\\Microsoft\\Internet Explorer\\VersionManager\\DownloadVersionList** to 0 (zero). + +For more info, see [Out-of-date ActiveX control blocking](http://technet.microsoft.com/library/dn761713.aspx). + +### 7. Live Tiles + +To turn off Live Tiles: + +- Apply the Group Policy: **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Notifications** > **Turn Off notifications network usage** + +### 8. Mail synchronization + +To turn off mail synchronization for Microsoft Accounts that are configured on a device: + +- In **Settings** > **Accounts** > **Your email and accounts**, remove any connected Microsoft Accounts. + + -or- + +- Remove any Microsoft Accounts from the Mail app. + + -or- + +- Apply the Accounts/AllowMicrosoftAccountConnection MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is not allowed and 1 is allowed. This does not apply to Microsoft Accounts that have already been configured on the device. + +To turn off the Windows Mail app: + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Mail** > **Turn off Windows Mail application** + +### 9. Microsoft Edge + +Use either Group Policy or MDM policies to manage settings for Microsoft Edge. For more info, see [Microsoft Edge and privacy: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=730682). + +### 9.1 Microsoft Edge Group Policies + +Find the Microsoft Edge Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge**. + +**Note** +The Microsoft Edge Group Policy names were changed in Windows 10, version 1511. The table below reflects those changes. + +| Policy | Description | +|------------------------------------------------------|-----------------------------------------------------------------------------------------------------| +| Turn off autofill | Choose whether employees can use autofill on websites.
Default: Enabled | +| Allow employees to send Do Not Track headers | Choose whether employees can send Do Not Track headers.
Default: Disabled | +| Turn off password manager | Choose whether employees can save passwords locally on their devices.
Default: Enabled | +| Turn off address bar search suggestions | Choose whether the address bar shows search suggestions.
Default: Enabled | +| Turn off the SmartScreen Filter | Choose whether SmartScreen is turned on or off.
Default: Enabled | +| Open a new tab with an empty tab | Choose whether a new tab page appears.
Default: Enabled | +| Configure corporate Home pages | Choose the corporate Home page for domain-joined devices.
Set this to **about:blank** | + +### 9.2 Microsoft Edge MDM policies + +The following Microsoft Edge MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). + +| Policy | Description | +|------------------------------------------------------|-----------------------------------------------------------------------------------------------------| +| Browser/AllowAutoFill | Choose whether employees can use autofill on websites.
Default: Allowed | +| Browser/AllowDoNotTrack | Choose whether employees can send Do Not Track headers.
Default: Not allowed | +| Browser/AllowPasswordManager | Choose whether employees can save passwords locally on their devices.
Default: Allowed | +| Browser/AllowSearchSuggestionsinAddressBar | Choose whether the address bar shows search suggestions..
Default: Allowed | +| Browser/AllowSmartScreen | Choose whether SmartScreen is turned on or off.
Default: Allowed | + +### 9.3 Microsoft Edge Windows Provisioning + +Use Windows ICD to create a provisioning package with the settings for these policies, go to **Runtime settings** > **Policies**. + +For a complete list of the Microsoft Edge policies, see [Available policies for Microsoft Edge](http://technet.microsoft.com/library/mt270204.aspx). + +### 10. Network Connection Status Indicator + +Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to http://www.msftncsi.com to determine if the device can communicate with the Internet. For more info about NCIS, see [The Network Connection Status Icon](http://blogs.technet.com/b/networking/archive/2012/12/20/the-network-connection-status-icon.aspx). + +You can turn off NCSI through Group Policy: + +- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Windows Network Connectivity Status Indicator active tests** + +### 11. Offline maps + +You can turn off the ability to download and update offline maps. + +- In the UI: **Settings** > **System** > **Offline maps** > **Automatically update maps** + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off Automatic Download and Update of Map Data** + +### 12. OneDrive + +To turn off OneDrive in your organization: + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **OneDrive** > **Prevent the usage of OneDrive for file storage** + +### 13. Preinstalled apps + +Some preinstalled apps get content before they are opened to ensure a great experience. You can remove these using the steps in this section. + +To remove the News app: + +- Right-click the app in Start, and then click **Uninstall**. + + -or- + +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingNews"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** + + -and- + + Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingNews | Remove-AppxPackage** + +To remove the Weather app: + +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingWeather"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** + + -and- + + Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingWeather | Remove-AppxPackage** + +To remove the Money app: + +- Right-click the app in Start, and then click **Uninstall**. + + -or- + +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingFinance"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** + + -and- + + Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingFinance | Remove-AppxPackage** + +To remove the Sports app: + +- Right-click the app in Start, and then click **Uninstall**. + + -or- + +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingSports"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** + + -and- + + Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingSports | Remove-AppxPackage** + +To remove the Twitter app: + +- Right-click the app in Start, and then click **Uninstall**. + + -or- + +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "\*.Twitter"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** + + -and- + + Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage \*.Twitter | Remove-AppxPackage** + +To remove the XBOX app: + +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.XboxApp"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** + + -and- + + Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.XboxApp | Remove-AppxPackage** + +To remove the Sway app: + +- Right-click the app in Start, and then click **Uninstall**. + + -or- + +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.Office.Sway"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** + + -and- + + Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.Office.Sway | Remove-AppxPackage** + +To remove the OneNote app: + +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.Office.OneNote"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** + + -and- + + Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.Office.OneNote | Remove-AppxPackage** + +To remove the Get Office app: + +- Right-click the app in Start, and then click **Uninstall**. + + -or- + +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.MicrosoftOfficeHub"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** + + -and- + + Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.MicrosoftOfficeHub | Remove-AppxPackage** + +To remove the Get Skype app: + +- Right-click the Sports app in Start, and then click **Uninstall**. + + -or- + +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.SkypeApp"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** + + -and- + + Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.SkypeApp | Remove-AppxPackage** + +### 14. Settings > Privacy + +Use Settings > Privacy to configure some settings that may be important to your organization. Except for the Feedback & Diagnostics page, these settings must be configured for every user account that signs into the PC. + +- [14.1 General](#bkmk-general) + +- [14.2 Location](#bkmk-priv-location) + +- [14.3 Camera](#bkmk-priv-camera) + +- [14.4 Microphone](#bkmk-priv-microphone) + +- [14.5 Speech, inking, & typing](#bkmk-priv-speech) + +- [14.6 Account info](#bkmk-priv-accounts) + +- [14.7 Contacts](#bkmk-priv-contacts) + +- [14.8 Calendar](#bkmk-priv-calendar) + +- [14.9 Call history](#bkmk-priv-callhistory) + +- [14.10 Email](#bkmk-priv-email) + +- [14.11 Messaging](#bkmk-priv-messaging) + +- [14.12 Radios](#bkmk-priv-radios) + +- [14.13 Other devices](#bkmk-priv-other-devices) + +- [14.14 Feedback & diagnostics](#bkmk-priv-feedback) + +- [14.15 Background apps](#bkmk-priv-background) + +### 14.1 General + +**General** includes options that don't fall into other areas. + +To turn off **Let apps use my advertising ID for experiences across apps (turning this off will reset your ID)**: + +**Note** +When you turn this feature off in the UI, it turns off the advertising ID, not just resets it. + + + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **User Profiles** > **Turn off the advertising ID**. + + -or- + +- Create a REG\_DWORD registry setting called **Enabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AdvertisingInfo**, with a value of 0 (zero). + +To turn off **Turn on SmartScreen Filter to check web content (URLs) that Windows Store apps use**: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge** > **Turn off the SmartScreen Filter**. + + Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **File Explorer** > **Configure Windows SmartScreen**. + + -or- + +- Apply the Browser/AllowSmartScreen MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is turned off and 1 is turned on. + + -or- + +- Create a provisioning package, using: + + - For Internet Explorer: **Runtime settings** > **Policies** > **Browser** > **AllowSmartScreen** + + - For Microsoft Edge: **Runtime settings** > **Policies** > **MicrosoftEdge** > **AllowSmartScreen** + + -or- + +- Create a REG\_DWORD registry setting called **Enabled** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppHost\\EnableWebContentEvaluation**, with a value of 0 (zero). + +To turn off **Send Microsoft info about how I write to help us improve typing and writing in the future**: + +**Note** +If the telemetry level is set to either **Basic** or **Security**, this is turned off automatically. + + + +- Turn off the feature in the UI. + + -or- + +- Apply the TextInput/AllowLinguisticDataCollection MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where: + + - **0**. Not allowed + + - **1**. Allowed (default) + +To turn off **Let websites provide locally relevant content by accessing my language list**: + +- Turn off the feature in the UI. + + -or- + +- Create a new REG\_DWORD registry setting called **HttpAcceptLanguageOptOut** in **HKEY\_CURRENT\_USER\\Control Panel\\International\\User Profile**, with a value of 1. + +### 14.2 Location + +In the **Location** area, you choose whether devices have access to location-specific sensors and which apps have access to the device's location. + +To turn off **Location for this device**: + +- Click the **Change** button in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Location and Sensors** > **Turn off location**. + + -or- + +- Apply the System/AllowLocation MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: + + - **0**. Turned off and the employee can't turn it back on. + + - **1**. Turned on, but lets the employee choose whether to use it. (default) + + - **2**. Turned on and the employee can't turn it off. + + **Note** + You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](http://msdn.microsoft.com/library/dn905224.aspx). + + -or- + +- Create a provisioning package, using **Runtime settings** > **Policies** > **System** > **AllowLocation**, where + + - **No**. Turns off location service. + + - **Yes**. Turns on location service. (default) + +To turn off **Location**: + +- Turn off the feature in the UI. + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access location** + + - Set the **Select a setting** box to **Force Deny**. + + -or- + +To turn off **Location history**: + +- Erase the history using the **Clear** button in the UI. + +To turn off **Choose apps that can use your location**: + +- Turn off each app using the UI. + +### 14.3 Camera + +In the **Camera** area, you can choose which apps can access a device's camera. + +To turn off **Let apps use my camera**: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the camera** + + - Set the **Select a setting** box to **Force Deny**. + + -or- + +- Apply the Camera/AllowCamera MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: + + - **0**. Apps can't use the camera. + + - **1**. Apps can use the camera. + + **Note** + You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](http://msdn.microsoft.com/library/dn905224.aspx). + + -or- + +- Create a provisioning package with use Windows ICD, using **Runtime settings** > **Policies** > **Camera** > **AllowCamera**, where: + + - **0**. Apps can't use the camera. + + - **1**. Apps can use the camera. + +To turn off **Choose apps that can use your camera**: + +- Turn off the feature in the UI for each app. + +### 14.4 Microphone + +In the **Microphone** area, you can choose which apps can access a device's microphone. + +To turn off **Let apps use my microphone**: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the microphone** + + - Set the **Select a setting** box to **Force Deny**. + +To turn off **Choose apps that can use your microphone**: + +- Turn off the feature in the UI for each app. + +### 14.5 Speech, inking, & typing + +In the **Speech, Inking, & Typing** area, you can let Windows and Cortana better understand your employee's voice and written input by sampling their voice and writing, and by comparing verbal and written input to contact names and calendar entrees. + +**Note** +For more info on how to disable Cortana in your enterprise, see [Cortana](#bkmk-cortana) in this article. + + + +To turn off the functionality: + +- Click the **Stop getting to know me** button, and then click **Turn off**. + + -or- + +- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Regional and Language Options** > **Handwriting personalization** > **Turn off automatic learning** + + -or- + +- Create a REG\_DWORD registry setting called **AcceptedPrivacyPolicy** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Personalization\\Settings**, with a value of 0 (zero). + + -and- + + Create a REG\_DWORD registry setting called **HarvestContacts** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\InputPersonalization\\TrainedDataStore**, with a value of 0 (zero). + +### 14.6 Account info + +In the **Account Info** area, you can choose which apps can access your name, picture, and other account info. + +To turn off **Let apps access my name, picture, and other account info**: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access account information** + + - Set the **Select a setting** box to **Force Deny**. + +To turn off **Choose the apps that can access your account info**: + +- Turn off the feature in the UI for each app. + +### 14.7 Contacts + +In the **Contacts** area, you can choose which apps can access an employee's contacts list. + +To turn off **Choose apps that can access contacts**: + +- Turn off the feature in the UI for each app. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access contacts** + + - Set the **Select a setting** box to **Force Deny**. + +### 14.8 Calendar + +In the **Calendar** area, you can choose which apps have access to an employee's calendar. + +To turn off **Let apps access my calendar**: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the calendar** + + - Set the **Select a setting** box to **Force Deny**. + +To turn off **Choose apps that can access calendar**: + +- Turn off the feature in the UI for each app. + +### 14.9 Call history + +In the **Call history** area, you can choose which apps have access to an employee's call history. + +To turn off **Let apps access my call history**: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access call history** + + - Set the **Select a setting** box to **Force Deny**. + +### 14.10 Email + +In the **Email** area, you can choose which apps have can access and send email. + +To turn off **Let apps access and send email**: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access email** + + - Set the **Select a setting** box to **Force Deny**. + +### 14.11 Messaging + +In the **Messaging** area, you can choose which apps can read or send messages. + +To turn off **Let apps read or send messages (text or MMS)**: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access messaging** + + - Set the **Select a setting** box to **Force Deny**. + +To turn off **Choose apps that can read or send messages**: + +- Turn off the feature in the UI for each app. + +### 14.12 Radios + +In the **Radios** area, you can choose which apps can turn a device's radio on or off. + +To turn off **Let apps control radios**: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps control radios** + + - Set the **Select a setting** box to **Force Deny**. + +To turn off **Choose apps that can control radios**: + +- Turn off the feature in the UI for each app. + +### 14.13 Other devices + +In the **Other Devices** area, you can choose whether devices that aren't paired to PCs, such as an Xbox One, can share and sync info. + +To turn off **Let apps automatically share and sync info with wireless devices that don't explicitly pair with your PC, tablet, or phone**: + +- Turn off the feature in the UI. + +To turn off **Let your apps use your trusted devices (hardware you've already connected, or comes with your PC, tablet, or phone)**: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access trusted devices** + + - Set the **Select a setting** box to **Force Deny**. + +### 14.14 Feedback & diagnostics + +In the **Feedback & Diagnostics** area, you can choose how often you're asked for feedback and how much diagnostic and usage information is sent to Microsoft. + +To change how frequently **Windows should ask for my feedback**: + +**Note** +Feedback frequency only applies to user-generated feedback, not diagnostic and usage data sent from the device. + + + +- To change from **Automatically (Recommended)**, use the drop-down list in the UI. + + -or- + +- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Do not show feedback notifications** + + -or- + +- Create the registry keys (REG\_DWORD type): + + - HKEY\_CURRENT\_USER\\Software\\Microsoft\\Siuf\\Rules\\PeriodInNanoSeconds + + - HKEY\_CURRENT\_USER\\Software\\Microsoft\\Siuf\\Rules\\NumberOfSIUFInPeriod + + Based on these settings: + + | Setting | PeriodInNanoSeconds | NumberOfSIUFInPeriod | + |---------------|-----------------------------|-----------------------------| + | Automatically | Delete the registry setting | Delete the registry setting | + | Never | 0 | 0 | + | Always | 100000000 | Delete the registry setting | + | Once a day | 864000000000 | 1 | + | Once a week | 6048000000000 | 1 | + + + +To change the level of diagnostic and usage data sent when you **Send your device data to Microsoft**: + +- To change from **Enhanced**, use the drop-down list in the UI. The other levels are **Basic** and **Full**. + + **Note** + You can't use the UI to change the telemetry level to **Security**. + + + + -or- + +- Apply the Group Policy: **Computer Configuration\\Administrative Templates\\Windows Components\\Data Collection And Preview Builds\\Allow Telemetry** + + -or- + +- Apply the System/AllowTelemetry MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: + + - **0**. Maps to the **Security** level. + + - **1**. Maps to the **Basic** level. + + - **2**. Maps to the **Enhanced** level. + + - **3**. Maps to the **Full** level. + + -or- + +- Create a provisioning package, using **Runtime settings** > **Policies** > **System** > **AllowTelemetry**, where: + + - **0**. Maps to the **Security** level. + + - **1**. Maps to the **Basic** level. + + - **2**. Maps to the **Enhanced** level. + + - **3**. Maps to the **Full** level. + +### 14.15 Background apps + +In the **Background Apps** area, you can choose which apps can run in the background. + +To turn off **Let apps run in the background**: + +- Turn off the feature in the UI for each app. + +### 15. Software Protection Platform + +Enterprise customers can manage their Windows activation status with volume licensing using an on-premise Key Management Server. You can opt out of sending KMS client activation data to Microsoft automatically by applying the following Group Policy: + +**Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Activation** + +The Windows activation status will be valid for a rolling period of 180 days with weekly activation status checks to the KMS. + +### 16. Sync your settings + +You can control if your settings are synchronized: + +- In the UI: **Settings** > **Accounts** > **Sync your settings** + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Sync your settings** > **Do not sync** + + -or- + +- Apply the Experience/AllowSyncMySettings MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is not allowed and 1 is allowed. + + -or- + +- Create a provisioning package, using **Runtime settings** > **Policies** > **Experience** > **AllowSyncMySettings**, where + + - **No**. Settings are not synchronized. + + - **Yes**. Settings are synchronized. (default) + +To turn off Messaging cloud sync: + +- Create a REG\_DWORD registry setting called **CloudServiceSyncEnabled** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Messaging**, with a value of 0 (zero). + +### 17. Teredo + +You can disable Teredo by using the netsh.exe command. For more info on Teredo, see [Internet Protocol Version 6, Teredo, and Related Technologies](http://technet.microsoft.com/library/cc722030.aspx). + +- From an elevated command prompt, run **netsh interface teredo set state disabled** + +### 18. Wi-Fi Sense + +Wi-Fi Sense automatically connects devices to known hotspots and to the wireless networks the person’s contacts have shared with them. + +To turn off **Connect to suggested open hotspots** and **Connect to networks shared by my contacts**: + +- Turn off the feature in the UI. + + -or- + +- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **WLAN Service** > **WLAN Settings** > **Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services**. + + -or- + +- Create a new REG\_DWORD registry setting called **AutoConnectAllowedOEM** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\WcmSvc\\wifinetworkmanager\\config**, with a value of 0 (zero). + + -or- + +- Change the Windows Provisioning setting, WiFISenseAllowed, to 0 (zero). For more info, see the Windows Provisioning Settings reference doc, [WiFiSenseAllowed](http://go.microsoft.com/fwlink/p/?LinkId=620909). + + -or- + +- Use the Unattended settings to set the value of WiFiSenseAllowed to 0 (zero). For more info, see the Unattended Windows Setup reference doc, [WiFiSenseAllowed](http://go.microsoft.com/fwlink/p/?LinkId=620910). + +When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings screen, but they’re non-functional and they can’t be controlled by the employee. + +### 19. Windows Defender + +You can opt of the Microsoft Antimalware Protection Service. + +- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **MAPS** > **Join Microsoft MAPS** + + -or- + +- Apply the Defender/AllowClouldProtection MDM policy from the [Defender CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). + + -or- + +- Use the registry to set the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\\SpyNetReporting** to 0 (zero). + +You can stop sending file samples back to Microsoft. + +- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **MAPS** > **Send file samples when further analysis is required** to **Always Prompt** or **Never Send**. + + -or- + +- Apply the Defender/SubmitSamplesConsent MDM policy from the [Defender CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: + + - **0**. Always prompt. + + - **1**. (default) Send safe samples automatically. + + - **2**. Never send. + + - **3**. Send all samples automatically. + + -or- + +- Use the registry to set the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\\SubmitSamplesConsent** to 0 (zero) to always prompt or 2 to never send. + +You can stop downloading definition updates: + +- Enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **Signature Updates** > **Define the order of sources for downloading definition updates** and set it to **FileShares**. + + -and- + +- Enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **Signature Updates** > **Define file shares for downloading definition updates** and set it to nothing. + +You can also use the registry to turn off Malicious Software Reporting Tool telemetry by setting the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\MRT\\DontReportInfectionInformation** to 1. + +### 20. Windows Media Player + +To remove Windows Media Player: + +- From the **Programs and Features** control panel, click **Turn Windows features on or off**, under **Media Features**, clear the **Windows Media Player** check box, and then click **OK**. + + -or- + +- Run the following DISM command from an elevated command prompt: **dism /online /Disable-Feature /FeatureName:WindowsMediaPlayer** + +### 21. Windows spotlight + +Windows spotlight provides different background images and text on the lock screen. You can control it by using the user interface or through Group Policy. + +- Configure the following in **Settings**: + + - **Personalization** > **Lock screen** > **Background** > **Windows spotlight**, select a different background, and turn off **Show me tips, tricks, and more on the lock screen**. + + - **Personalization** > **Start** > **Occasionally show suggestions in Start**. + + - **System** > **Notifications & actions** > **Show me tips about Windows**. + + -or- + +- Apply the Group Policies: + + - **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image**. + - Add a location in the **Path to local lock screen image** box. + + - Set the **Turn off fun facts, tips, tricks, and more on lock screen** check box. + + **Note** This will only take effect if the policy is applied before the first logon. If you cannot apply the **Force a specific default lock screen image** policy before the first logon to the device, you can apply this policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Do not display the lock screen**. + + + + - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not show Windows Tips**. + + - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off Microsoft consumer experiences**. + +For more info, see [Windows spotlight on the lock screen](../whats-new/windows-spotlight.md). + +### 22. Windows Store + +You can turn off the ability to launch apps from the Windows Store that were preinstalled or downloaded. This will also turn off automatic app updates, and the Windows Store will be disabled. + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Disable all apps from Windows Store**. + +### 23. Windows Update Delivery Optimization + +Windows Update Delivery Optimization lets you get Windows updates and Windows Store apps from sources in addition to Microsoft, which not only helps when you have a limited or unreliable Internet connection, but can also help you reduce the amount of bandwidth needed to keep all of your organization's PCs up-to-date. If you have Delivery Optimization turned on, PCs on your network may send and receive updates and apps to other PCs on your local network, if you choose, or to PCs on the Internet. + +By default, PCs running Windows 10 Enterprise and Windows 10 Education will only use Delivery Optimization to get and receive updates for PCs and apps on your local network. + +Use the UI, Group Policy, MDM policies, or Windows Provisioning to set up Delivery Optimization. + +### 23.1 Settings > Update & security + +You can set up Delivery Optimization from the **Settings** UI. + +- Go to **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Choose how updates are delivered**. + +### 23.2 Delivery Optimization Group Policies + +You can find the Delivery Optimization Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Delivery Optimization**. + +| Policy | Description | +|---------------------------|-----------------------------------------------------------------------------------------------------| +| Download Mode | Lets you choose where Delivery Optimization gets or sends updates and apps, including | +| Group ID | Lets you provide a Group ID that limits which PCs can share apps and updates.
** Note** This ID must be a GUID.| +| Max Cache Age | Lets you specify the maximum time (in seconds) that a file is held in the Delivery Optimization cache.
The default value is 259200 seconds (3 days).| +| Max Cache Size | Lets you specify the maximum cache size as a percentage of disk size.
The default value is 20, which represents 20% of the disk.| +| Max Upload Bandwidth | Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity.
The default value is 0, which means unlimited possible bandwidth.| + +### 23.3 Delivery Optimization MDM policies + +The following Delivery Optimization MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). + +| Policy | Description | +|---------------------------|-----------------------------------------------------------------------------------------------------| +| DeliveryOptimization/DODownloadMode | Lets you choose where Delivery Optimization gets or sends updates and apps, including | +| DeliveryOptimization/DOGroupID | Lets you provide a Group ID that limits which PCs can share apps and updates.
** Note** This ID must be a GUID.| +| DeliveryOptimization/DOMaxCacheAge | Lets you specify the maximum time (in seconds) that a file is held in the Delivery Optimization cache.
The default value is 259200 seconds (3 days).| +| DeliveryOptimization/DOMaxCacheSize | Lets you specify the maximum cache size as a percentage of disk size.
The default value is 20, which represents 20% of the disk.| +| DeliveryOptimization/DOMaxUploadBandwidth | Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity.
The default value is 0, which means unlimited possible bandwidth.| + + +### 23.4 Delivery Optimization Windows Provisioning + +If you don't have an MDM server in your enterprise, you can use Windows Provisioning to configure the Delivery Optimization policies + +Use Windows ICD, included with the [Windows Assessment and Deployment Kit (Windows ADK)](http://go.microsoft.com/fwlink/p/?LinkId=526803), to create a provisioning package for Delivery Optimization. + +1. Open Windows ICD, and then click **New provisioning package**. + +2. In the **Name** box, type a name for the provisioning package, and then click **Next.** + +3. Click the **Common to all Windows editions** option, click **Next**, and then click **Finish**. + +4. Go to **Runtime settings** > **Policies** > **DeliveryOptimization** to configure the policies. + +For more info about Delivery Optimization in general, see [Windows Update Delivery Optimization: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=730684). + +### 24. Windows Update + +You can turn off Windows Update by setting the following registry entries: + +- Add a REG\_DWORD value called **DoNotConnectToWindowsUpdateInternetLocations** to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and set the value to 1. + + -and- + +- Add a REG\_DWORD value called **DisableWindowsUpdateAccess** to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and set the value to 1. + +You can turn off automatic updates by doing one of the following. This is not recommended. + +- Add a REG\_DWORD value called **AutoDownload** to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\WindowsStore\\WindowsUpdate** and set the value to 5. + + -or- + +- Apply the Update/AllowAutoUpdate MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: + + - **0**. Notify the user before downloading the update. + + - **1**. Auto install the update and then notify the user to schedule a device restart. + + - **2** (default). Auto install and restart. + + - **3**. Auto install and restart at a specified time. + + - **4**. Auto install and restart without end-user control. + + - **5**. Turn off automatic updates. + +To learn more, see [Device update management](http://msdn.microsoft.com/library/windows/hardware/dn957432.aspx) and [Configure Automatic Updates by using Group Policy](http://technet.microsoft.com/library/cc720539.aspx). diff --git a/windows/manage/configure-windows-telemetry-in-your-organization.md b/windows/manage/configure-windows-telemetry-in-your-organization.md new file mode 100644 index 0000000000..58de9307b7 --- /dev/null +++ b/windows/manage/configure-windows-telemetry-in-your-organization.md @@ -0,0 +1,295 @@ +--- +description: Use this article to make informed decisions about how you can configure telemetry in your organization. +title: Configure Windows telemetry in your organization (Windows 10) +keywords: privacy +--- + +# Configure Windows telemetry in your organization + +**Applies to** + +- Windows 10 +- Windows 10 Mobile +- Windows Server 2016 Technical Preview + +Use this article to make informed decisions about how you can configure telemetry in your organization. Telemetry is a term that means different things to different people and organizations. For the purpose of this article, we discuss telemetry as system data that is uploaded by the Connected User Experience and Telemetry component. The telemetry data is used to keep Windows devices secure, and to help Microsoft improve the quality of Windows and Microsoft services. + +**Note**   +This article does not apply to System Center Configuration Manager, System Center Endpoint Protection, or System Center Data Protection Manager because those components use a different telemetry service than Windows and Windows Server. + +It describes the types of telemetry we gather and the ways you can manage its telemetry. This article also lists some examples of how telemetry can provide you with valuable insights into your enterprise deployments, and how Microsoft uses the data to quickly identify and address issues affecting its customers. + +We understand that the privacy and security of our customers’ information is important and we have taken a thoughtful and comprehensive approach to customer privacy and the protection of their data with Windows 10, Windows Server 2016 Technical Preview, and System Center 2016. + +## Overview + +In previous versions of Windows and Windows Server, Microsoft used telemetry to check for updated or new Windows Defender signatures, check whether Windows Update installations were successful, gather reliability information through the Reliability Analysis Component (RAC) on Windows Server, and gather reliability information through the Windows Customer Experience Improvement Program (CEIP) on Windows. In Windows 10 and Windows Server 2016 Technical Preview, you can control telemetry streams by using Settings > Privacy, Group Policy, or MDM. + +Microsoft is committed to improving customer experiences in a mobile-first and cloud-first world, and it all starts with our customers. Telemetry is one critical way Microsoft is using data to improve our products and services. Telemetry gives every enterprise customer a voice that helps us shape future versions of Windows, Windows Server and System Center, allowing us to respond quickly to your feedback and providing new features and improved quality to our customers. + +Our goal is to leverage the aggregated data to drive changes in the product and ecosystem to improve our customer experiences. We are also partnering with enterprises to provide added value from the telemetry information shared by their devices. Some examples include identifying outdated patches and downloading the latest antimalware signatures to help keep their devices secure, identifying application compatibility issues prior to upgrades, and gaining insights into driver reliability issues affecting other customers. + +For Windows 10, we invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows work better for youcr organization. + +## How is telemetry data handled by Microsoft? + +### Data collection + +Windows 10 and Windows Server 2016 Technical Preview includes the Connected User Experience and Telemetry component, which uses Event Tracing for Windows (ETW) tracelogging technology to gather and store telemetry events and data. The operating system and some Microsoft management solutions, such as System Center, use the same logging technology. + +1. Operating system features and some management applications are instrumented to publish events and data. Examples of management applications include Virtual Machine Manager (VMM), Server Manager, and Storage Spaces. +2. Events are gathered using public operating system event logging and tracing APIs. +3. You can configure the telemetry level by using an MDM policy, Group Policy, or registry settings. +4. The Connected User Experience and Telemetry component transmits telemetry data over HTTPS to Microsoft and uses certificate pinning. + +Info collected at the Enhanced and Full levels of telemetry is typically gathered at a fractional sampling rate, which can be as low as 1% of devices reporting data at those levels. + +### Data transmission + +All telemetry data is encrypted using SSL and uses certificate pinning during transfer from the device to the Microsoft Data Management Service. With Windows 10, data is uploaded on a schedule that is sensitive to event priority, battery use, and network cost. Real-time events, such as Windows Defender Advanced Threat Protection, are always sent immediately. Normal events are not uploaded on metered networks, unless you are on a metered server connection. On a free network, normal events can be uploaded every 4 hours if on battery, or every 15 minutes if on A/C power. Diagnostic and crash data are only uploaded on A/C power and free networks. + +### Endpoints + +The Microsoft Data Management Service routes data back to our secure cloud storage. Only Microsoft personnel with a valid business justification are permitted access. + +The Connected User Experience and Telemetry component connects to the Microsoft Data Management service at v10.vortex-win.data.microsoft.com. + +The Connected User Experience and Telemetry component also connects to settings-win.data.microsoft.com to download configuration information. + +[Windows Error Reporting](http://msdn.microsoft.com/library/windows/desktop/bb513641.aspx) connects to watson.telemetry.microsoft.com. + +[Online Crash Analysis](http://msdn.microsoft.com/library/windows/desktop/ee416349.aspx) connects to oca.telemetry.microsoft.com. + +### Data use and access + +Data gathered from telemetry is used by Microsoft teams primarily to improve our customer experiences, and for security, health, quality, and performance analysis. The principle of least privileged guides access to telemetry data. Only Microsoft personnel with a valid business need are permitted access to the telemetry data. Microsoft does not share personal data of our customers with third parties, except at the customer’s discretion or for the limited purposes described in the Privacy Statement. We do share business reports with OEMs and third party partners that include aggregated, anonymized telemetry information. Data-sharing decisions are made by an internal team including privacy, legal, and data management. + +### Retention + +Microsoft believes in and practices information minimization. We strive to gather only the info we need, and store it for as long as it’s needed to provide a service or for analysis. Much of the info about how Windows and apps are functioning is deleted within 30 days. Other info may be retained longer, such as error reporting data or Store purchase history. + +## Telemetry levels + + +This section explains the different telemetry levels in Windows 10, Windows Server 2016 Technical Preview, and System Center. These levels are available on all desktop and mobile editions of Windows 10, with the exception of the **Security** level which is limited to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016 Technical Preview. + +The telemetry data is categorized into four levels: + +- **Security**. Information that’s required to help keep Windows, Windows Server, and System Center secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender. + +- **Basic**. Basic device info, including: quality-related data, app compat, app usage data, and data from the **Security** level. + +- **Enhanced**. Additional insights, including: how Windows, Windows Server, System Center, and apps are used, how they perform, advanced reliability data, and data from both the **Basic** and the **Security** levels. + +- **Full**. All data necessary to identify and help to fix problems, plus data from the **Security**, **Basic**, and **Enhanced** levels. + +The levels are cumulative and are illustrated in the following diagram. These levels apply to all editions of Windows Server 2016 Technical Preview. + +![breakdown of telemetry levels and types of administrative controls](images/priv-telemetry-levels.png) + +### Security level + +The Security level gathers only the telemetry info that is required to keep Windows devices, Windows Server, and guests secure with the latest security updates. This level is only available on Windows Server 2016, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and IoT Core editions. + +**Note**   +If your organization relies on Windows Update for updates, you shouldn’t use the **Security** level. Because no Windows Update information is gathered at this level, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates. + +Windows Server Update Services (WSUS) and System Center Configuration Manager functionality is not affected at this level, nor is telemetry data about Windows Server features or System Center gathered. + +  + +The data gathered at this level includes: + +- **Connected User Experience and Telemetry component settings**. If data has been gathered and is queued to be sent, the Connected User Experience and Telemetry component downloads its settings file from Microsoft’s servers. The data gathered by the client for this request includes OS information, device id (used to identify what specific device is requesting settings) and device class (for example, whether the device is server or desktop). + +- **Malicious Software Removal Tool (MSRT)** The MSRT infection report contains information, including device info and IP address. + + **Note**   + You can turn off the MSRT infection report. No MSRT information is included if MSRT is not used. If Windows Update is turned off, MSRT will not be offered to users. For more info, see Microsoft KB article [891716](http://support.microsoft.com/kb/891716). + +   + +- **Windows Defender/Endpoint Protection**. Windows Defender and System Center Endpoint Protection requires some information to function, including: anti-malware signatures, diagnostic information, User Account Control settings, Unified Extensible Firmware Interface (UEFI) settings, and IP address. + + **Note**   + This reporting can be turned off and no information is included if a customer is using third party antimalware software, or if Windows Defender is turned off. For more info, see [Windows Defender](disconnect-your-organization-from-microsoft.md#windows-defender). + + Microsoft recommends that Windows Update, Windows Defender, and MSRT remain enabled unless the enterprise uses alternative solutions such as Windows Server Update Services, System Center Configuration Manager, or a third party antimalware solution. Windows Update, Windows Defender, and MSRT provide core Windows functionality such as driver and OS updates, including security updates. + +   + +For servers with default telemetry settings and no Internet connectivity, you should set the telemetry level to **Security**. This stops data gathering for events that would not be uploaded due to the lack of Internet connectivity. + +No user content, such as user files or communications, is gathered at the **Security** telemetry level, and we take steps to avoid gathering any information that directly identifies a company or user, such as name, email address, or account ID. However, in rare circumstances, MSRT information may unintentionally contain personal information. For instance, some malware may create entries in a computer’s registry that include information such as a username, causing it to be gathered. MSRT reporting is optional and can be turned off at any time. + +### Basic level + +The Basic level gathers a limited set of data that’s critical for understanding the device and its configuration. This level also includes the **Security** level data. This level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. The Connected User Experience and Telemetry component does not gather telemetry data about System Center, but it can transmit telemetry for other non-Windows applications if they have user consent. + +The data gathered at this level includes: + +- **Basic device data**. Helps provide an understanding about the types of Windows devices and the configurations and types of native and virtualized Windows Server 2016 Technical Previewinstances in the ecosystem, including: + + - Device attributes, such as camera resolution and display type + + - Internet Explorer version + + - Battery attributes, such as capacity and type + + - Networking attributes, such as number of network adapters, speed of network adapters, mobile operator network, and IMEI number + + - Processor and memory attributes, such as number of cores, architecture, speed, memory size, and firmware + + - Virtualization attribute, such as Second Level Address Translation (SLAT) support and guest operating system + + - Operating system attributes, such as Windows edition and virtualization state + + - Storage attributes, such as number of drives, type, and size + +- **Connected User Experience and Telemetry component quality metrics**. Helps provide an understanding about how the Connected User Experience and Telemetry component is functioning, including % of uploaded events, dropped events, and the last upload time. + +- **Quality-related information**. Helps Microsoft develop a basic understanding of how a device and its operating system are performing. Some examples are the device characteristics of a Connected Standby device, the number of crashes or hangs, and application state change details, such as how much processor time and memory were used, and the total uptime for an app. + +- **Compatibility data**. Helps provide an understanding about which apps are installed on a device or virtual machine and identifies potential compatibility problems. + + - **General app data and app data for Internet Explorer add-ons**. Includes a list of apps that are installed on a native or virtualized instance of the OS and whether these apps function correctly after an upgrade.This app data includes the app name, publisher, version, and basic details about which files have been blocked from usage. + + - **App usage data**. Includes how an app is used, including how long an app is used for, when the app has focus, and when the app is started + + - **Internet Explorer add-ons**. Includes a list of Internet Explorer add-ons that are installed on a device and whether these apps will work after an upgrade. + + - **System data**. Helps provide an understanding about whether a device meets the minimum requirements to upgrade to the next version of the operating system. System information includes the amount of memory, as well as information about the processor and BIOS. + + - **Accessory device data**. Includes a list of accessory devices, such as printers or external storage devices, that are connected to Windows PCs and whether these devices will function after upgrading to a new version of the operating system. + + - **Driver data**. Includes specific driver usage that’s meant to help figure out whether apps and devices will function after upgrading to a new version of the operating system. This can help to determine blocking issues and then help Microsoft and our partners apply fixes and improvements. + +- **Store**. Provides information about how the Windows Store performs, including app downloads, installations, and updates. It also includes Windows Store launches, page views, suspend and resumes, and obtaining licenses. + +### Enhanced level + +The Enhanced level gathers data about how Windows and apps are used and how they perform. This level also includes data from both the **Basic** and **Security** levels. This level helps to improve the user experiencewith the operating system and apps. Data from this level can be abstracted into patterns and trends that can help Microsoft determine future improvements. + +This is the default level, and the minimum level needed to quickly identify and address Windows, Windows Server, and System Center quality issues. + +The data gathered at this level includes: + +- **Operating system events**. Helps to gain insights into different areas of the operating system, including networking, Hyper-V, Cortana, storage, file system, and other components. + +- **Operating system app events**. A set of events resulting from Microsoft applications and management tools that were downloaded from the Store or pre-installed with Windows or Windows Server, including Server Manager, Photos, Mail, and Microsoft Edge. + +- **Device-specific events**. Contains data about events that are specific to certain devices, such as Surface Hub and Microsoft HoloLens. For example, Microsoft HoloLens sends Holographic Processing Unit (HPU)-related events. + +- **Some crash dump types**. All crash dump types, except for heap dumps and full dumps. + +If the Connected User Experience and Telemetry component detects a problem on Windows 10 that requires gathering more detailed instrumentation, the Connected User Experience and Telemetry component at the **Enhanced** telemetry level will only gather data about the events associated with the specific issue. + +### Full level + +The Full level gathers data necessary to identify and to help fix problems, following the approval process described below. This level also includes data from the **Basic**, **Enhanced**, and **Security** levels. + +Additionally, at this level, devices opted in to the [Windows Insider Program](http://insider.windows.com) will send events, such as reliability and app responsiveness. that can show Microsoft how pre-release binaries and features are performing. These events help us make decisions on which builds are flighted. All devices in the [Windows Insider Program](http://insider.windows.com) are automatically set to this level. + +If a device experiences problems that are difficult to identify or repeat using Microsoft’s internal testing, additional data becomes necessary. This data can include any user content that might have triggered the problem and is gathered from a small sample of devices that have both opted into the **Full** telemetry level and have exhibited the problem. + +However, before more data is gathered, Microsoft’s privacy governance team, including privacy and other subject matter experts, must approve the diagnostics request made by a Microsoft engineer. If the request is approved, Microsoft engineers can use the following capabilities to get the information: + +- Ability to run a limited, pre-approved list of Microsoft certified diagnostic tools, such as msinfo32.exe, powercfg.exe, and dxdiag.exe. + +- Ability to get registry keys. + +- All crash dump types, including heap dumps and full dumps. + +### Manage your telemetry settings + +We do not recommend that you turn off telemetry in your organization as valuable functionality may be impacted, but we recognize that in some scenarios this may be required. Use the steps in this section to do so for Windows, Windows Server, and System Center. + +**Important**   +These telemetry levels only apply to Windows, Windows Server, and System Center components and apps that use the Connected User Experience and Telemetry component. Non-Windows components, such as Microsoft Office or other 3rd-party apps, may communicate with their cloud services outside of these telemetry levels. You should work with your app vendors to understand their telemetry policy, and how you can to opt in or opt out. For more information on how Microsoft Office uses telemetry, see [Overview of Office Telemetry](http://technet.microsoft.com/library/jj863580.aspx). + +You can turn on or turn off System Center telemetry gathering. The default is on and the data gathered at this level represents what is gathered by default when System Center telemetry is turned on. However, setting the operating system telemetry level to **Basic** will turn off System Center telemetry, even if the System Center telemetry switch is turned on. + +The lowest telemetry setting level supported through management policies is **Security**. The lowest telemetry setting supported through the Settings UI is **Basic**. The default telemetry setting for Windows Server 2016 Technical Preview is **Enhanced.** + +### Configure the operating system telemetry level + +You can configure your operating system telemetry settings using the management tools you’re already using, such as Group Policy, MDM, or Windows Provisioning. You can also manually change your settings using Registry Editor. Setting your telemetry levels through a management policy overrides any devicelevel settings. + +Use the appropriate value in the table below when you configure the management policy. + +| Value | Level | Data gathered | +|-------|----------|---------------------------------------------------------------------------------------------------------------------------| +| **0** | Security | Security data only. | +| **1** | Basic | Security data, and basic system and quality data. | +| **2** | Enhanced | Security data, basic system and quality data, and enhanced insights and advanced reliability data. | +| **3** | Full | Security data, basic system and quality data, enhanced insights and advanced reliability data, and full diagnostics data. | + +  + +### Use Group Policy to set the telemetry level + +Use a Group Policy object to set your organization’s telemetry level. + +1. From the Group Policy Management Console, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds**. + +2. Double-click **Allow Telemetry**. + +3. In the **Options** box, select the level that you want to configure, and then click **OK**. + +### Use MDM to set the telemetry level + +Use the [Policy Configuration Service Provider (CSP)](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) to apply the System/AllowTelemetry MDM policy. + +### Use Registry Editor to set the telemetry level + +Use Registry Editor to manually set the registry level on each device in your organization, or write a script to edit the registry. If a management policy already exists, such as Group Policy or MDM, it will override this registry setting. + +1. Open Registry Editor, and go to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection**. + +2. Right-click **DataCollection**, click New, and then click **DWORD (32-bit) Value**. + +3. Type **AllowTelemetry**, and then press ENTER. + +4. Double-click **AllowTelemetry**, set the desired value from the table above, and then click **OK.** + +5. Click **File** > **Export**, and then save the file as a .reg file, such as **C:\\AllowTelemetry.reg**. You can run this file from a script on each device in your organization. + +### Configure System Center 2016 telemetry + +For System Center 2016 Technical Preview, you can turn off System Center telemetry by following these steps: + +- Turn off telemetry by using the System Center UI Console settings workspace. + +- For information about turning off telemetry for Service Management Automation and Service Provider Foundation, see [How to disable telemetry for Service Management Automation and Service Provider Foundation](https://support.microsoft.com/kb/3096505). + +### Additional telemetry controls + +There are a few more settings that you can turn off that may send telemetry information: + +- To turn off Windows Update telemetry, you have two choices. Either turn off Windows Update, or set your devices to be managed by an on premises update server, such as [Windows Server Update Services (WSUS)](http://technet.microsoft.com/library/hh852345.aspx) or [System Center Configuration Manager](http://www.microsoft.com/server-cloud/products/system-center-2012-r2-configuration-manager/). + +- Turn off **Windows Defender Cloud-based Protection** and **Automatic sample submission** in **Settings** > **Update & security** > **Windows Defender**. + +- Manage the Malicious Software Removal Tool in your organization. For more info, see Microsoft KB article [891716](http://support.microsoft.com/kb/891716). + +- Turn off **Linguistic Data Collection** in **Settings** > **Privacy**. At telemetry levels **Enhanced** and **Full**, Microsoft uses Linguistic Data Collection info to improve language model features such as autocomplete, spellcheck, suggestions, input pattern recognition, and dictionary. + + **Note**   + Microsoft do not intend to gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user's device. If we determine that sensitive information has been inadvertently received, we delete the information. + +   + +## Examples of how Microsoft uses the telemetry data + + +### Drive higher application and driver quality in the ecosystem + +Telemetry plays an important role in quickly identifying and fixing critical reliability and security issues in our customers’ deployments and configurations. Insights into the telemetry data we gather helps us to quickly identify crashes or hangs associated with a certain application or driver on a given configuration, like a particular storage type (for example, SCSI) or a memory size. For System Center, job usages and statuses can also help us enhance the job workload and the communication between System Center and its managed products. Microsoft’s ability to get this data from customers and drive improvements into the ecosystem helps raise the bar for the quality of System Center, Windows Server applications, Windows apps, and drivers. Real-time data about Windows installations reduces downtime and the cost associated with troubleshooting unreliable drivers or unstable applications + +### Reduce your total cost of ownership and downtime + +Telemetry provides a view of which features and services customers use most. For example, the telemetry data provides us with a heat map of the most commonly deployed Windows Server roles, most used Windows features, and which ones are used the least. This helps us make informed decisions on where we should invest our engineering resources to build a leaner operating system. For System Center, understanding the customer environment for management and monitoring will help drive the support compatibilities matrix, such as host and guest OS. This can help you use existing hardware to meet your business needs and reduce your total cost of ownership, as well as reducing downtime associated with security updates. + +### Build features that address our customers’ needs + +Telemetry also helps us better understand how customers deploy components, use features, and use services to achieve their business goals. Getting insights from that information helps us prioritize our engineering investments in areas that can directly affect our customers’ experiences and workloads. Some examples include customer usage of containers, storage, and networking configurations associated with Windows Server roles like Clustering and Web. Another example could be to find out when is CPU hyper-threading turned off and the resulting impact. We use the insights to drive improvements and intelligence into some of our management and monitoring solutions, to help customers diagnose quality issues, and save money by making fewer help calls to Microsoft. \ No newline at end of file diff --git a/windows/manage/disconnect-your-organization-from-microsoft.md b/windows/manage/disconnect-your-organization-from-microsoft.md index 5bfad5466a..2adc6e5005 100644 --- a/windows/manage/disconnect-your-organization-from-microsoft.md +++ b/windows/manage/disconnect-your-organization-from-microsoft.md @@ -1,1809 +1,4 @@ --- -title: Configure telemetry and other settings in your organization (Windows 10) -description: Learn about the telemetry that Microsoft gathers, the network connections that Windows components make to Microsoft, and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro. -ms.assetid: ACCEB0DD-BC6F-41B1-B359-140B242183D9 -ms.prod: W10 -ms.mktglfcycl: manage -ms.sitesec: library -author: brianlic-msft ---- - -# Configure telemetry and other settings in your organization - - -**Applies to** - -- Windows 10 - -Learn about the telemetry that Microsoft gathers, the network connections that Windows components make to Microsoft, and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro. - -If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider. You can configure telemetry at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment from the list in this article. - -**Note**  Telemetry is a term that means different things to different people and organizations. For the purpose of this article, we discuss telemetry as system data that is uploaded by the Connected User Experience and Telemetry component. The telemetry data is used to keep Windows devices secure, and to help Microsoft improve the quality of Windows and Microsoft services. We discuss separately the network connections that Windows features and components make directly to Microsoft Services. It is used to provide a service to the user as part of Windows. - -  - -Some of the network connections discussed in this article can be managed in Windows 10 Mobile, Windows 10 Mobile Enterprise, and the July release of Windows 10. However, you must use Windows 10 Enterprise, version 1511 or Windows 10 Education, version 1511 to manage them all. - -In Windows 10 Enterprise, version 1511 or Windows 10 Education, version 1511, you can configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all other connections to Microsoft services as described in this article to prevent Windows from sending any data to Microsoft. We strongly recommend against this, as this data helps us deliver a secure, reliable, and more delightful personalized experience. - -We are always working on improving Windows 10 for our customers. We invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows 10 work better for your organization. - -Here's what's covered in this article: - -- [Info management settings](#bkmk-othersettings) - - - [1. Cortana](#bkmk-cortana) - - - [1.1 Cortana Group Policies](#bkmk-cortana-gp) - - - [1.2 Cortana MDM policies](#bkmk-cortana-mdm) - - - [1.3 Cortana Windows Provisioning](#bkmk-cortana-prov) - - - [2. Date & Time](#bkmk-datetime) - - - [3. Device metadata retrieval](#bkmk-devinst) - - - [4. Font streaming](#font-streaming) - - - [5. Insider Preview builds](#bkmk-previewbuilds) - - - [6. Internet Explorer](#bkmk-ie) - - - [6.1 Internet Explorer Group Policies](#bkmk-ie-gp) - - - [6.2 ActiveX control blocking](#bkmk-ie-activex) - - - [7. Mail synchronization](#bkmk-mailsync) - - - [8. Microsoft Edge](#bkmk-edge) - - - [8.1 Microsoft Edge Group Policies](#bkmk-edgegp) - - - [8.2 Microsoft Edge MDM policies](#bkmk-edge-mdm) - - - [8.3 Microsoft Edge Windows Provisioning](#bkmk-edge-prov) - - - [9. Network Connection Status Indicator](#bkmk-ncsi) - - - [10. Offline maps](#bkmk-offlinemaps) - - - [11. OneDrive](#bkmk-onedrive) - - - [12. Preinstalled apps](#bkmk-preinstalledapps) - - - [13. Settings > Privacy](#bkmk-settingssection) - - - [13.1 General](#bkmk-general) - - - [13.2 Location](#bkmk-priv-location) - - - [13.3 Camera](#bkmk-priv-camera) - - - [13.4 Microphone](#bkmk-priv-microphone) - - - [13.5 Speech, inking, & typing](#bkmk-priv-speech) - - - [13.6 Account info](#bkmk-priv-accounts) - - - [13.7 Contacts](#bkmk-priv-contacts) - - - [13.8 Calendar](#bkmk-priv-calendar) - - - [13.9 Call history](#bkmk-priv-callhistory) - - - [13.10 Email](#bkmk-priv-email) - - - [13.11 Messaging](#bkmk-priv-messaging) - - - [13.12 Radios](#bkmk-priv-radios) - - - [13.13 Other devices](#bkmk-priv-other-devices) - - - [13.14 Feedback & diagnostics](#bkmk-priv-feedback) - - - [13.15 Background apps](#bkmk-priv-background) - - - [14. Software Protection Platform](#bkmk-spp) - - - [15. Sync your settings](#bkmk-syncsettings) - - - [16. Teredo](#bkmk-teredo) - - - [17. Wi-Fi Sense](#bkmk-wifisense) - - - [18. Windows Defender](#bkmk-defender) - - - [19. Windows Media Player](#bkmk-wmp) - - - [20. Windows spotlight](#bkmk-spotlight) - - - [21. Windows Store](#bkmk-windowsstore) - - - [22. Windows Update Delivery Optimization](#bkmk-updates) - - - [22.1 Settings > Update & security](#bkmk-wudo-ui) - - - [22.2 Delivery Optimization Group Policies](#bkmk-wudo-gp) - - - [22.3 Delivery Optimization MDM policies](#bkmk-wudo-mdm) - - - [22.4 Delivery Optimization Windows Provisioning](#bkmk-wudo-prov) - - - [23. Windows Update](#bkmk-wu) - -- [Manage your telemetry settings](#bkmk-utc) - -- [How telemetry works](#bkmk-moreutc) - -## What's new in Windows 10, version 1511 - - -Here's a list of changes that were made to this article for Windows 10, version 1511: - -- Added the following new sections: - - - [Mail synchronization](#bkmk-mailsync) - - - [Offline maps](#bkmk-offlinemaps) - - - [Windows spotlight](#bkmk-spotlight) - - - [Windows Store](#bkmk-windowsstore) - -- Added the following Group Policies: - - - Open a new tab with an empty tab - - - Configure corporate Home pages - - - Let Windows apps access location - - - Let Windows apps access the camera - - - Let Windows apps access the microphone - - - Let Windows apps access account information - - - Let Windows apps access contacts - - - Let Windows apps access the calendar - - - Let Windows apps access messaging - - - Let Windows apps control radios - - - Let Windows apps access trusted devices - - - Do not show feedback notifications - - - Turn off Automatic Download and Update of Map Data - - - Force a specific default lock screen image - -- Added the AllowLinguisticDataCollection MDM policy. - -- Added steps in the [Cortana](#bkmk-cortana) section on how to disable outbound traffic using Windows Firewall. - -- Added steps in the [Live tiles](#bkmk-livetiles) section on how to remove the Money and Sports apps. - -- Changed the Windows Update section to apply system-wide settings, and not just per user. - -## Info management settings - - -This section lists the components that make network connections to Microsoft services automatically. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all of these connections. We strongly recommend against this, as this data helps us deliver a secure, reliable, and more delightful personalized experience. - -The settings in this section assume you are using Windows 10, version 1511 (currently available in the Current Branch and Current Branch for Business). They will also be included in the next update for the Long Term Servicing Branch. - -- [1. Cortana](#bkmk-cortana) - -- [2. Date & Time](#bkmk-datetime) - -- [3. Device metadata retrieval](#bkmk-devinst) - -- [4. Font streaming](#font-streaming) - -- [5. Insider Preview builds](#bkmk-previewbuilds) - -- [6. Internet Explorer](#bkmk-ie) - -- [7. Mail synchronization](#bkmk-mailsync) - -- [8. Microsoft Edge](#bkmk-edge) - -- [9. Network Connection Status Indicator](#bkmk-ncsi) - -- [10. Offline maps](#bkmk-offlinemaps) - -- [11. OneDrive](#bkmk-onedrive) - -- [12. Preinstalled apps](#bkmk-preinstalledapps) - -- [13. Settings > Privacy](#bkmk-settingssection) - -- [14. Software Protection Platform](#bkmk-spp) - -- [15. Sync your settings](#bkmk-syncsettings) - -- [16. Teredo](#bkmk-teredo) - -- [17. Wi-Fi Sense](#bkmk-wifisense) - -- [18. Windows Defender](#bkmk-defender) - -- [19. Windows Media Player](#bkmk-wmp) - -- [20. Windows spotlight](#bkmk-spotlight) - -- [21. Windows Store](#bkmk-windowsstore) - -- [22. Windows Update](#bkmk-wu) - -- [23. Windows Update Delivery Optimization](#bkmk-updates) - -See the following table for a summary of the management settings. For more info, see its corresponding section. - -![](images/settings-table.png) - -### 1. Cortana - -Use either Group Policy or MDM policies to manage settings for Cortana. For more info, see [Cortana, Search, and privacy: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=730683). - -### 1.1 Cortana Group Policies - -Find the Cortana Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Search**. - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
PolicyDescription

Allow Cortana

Choose whether to let Cortana install and run on the device.

-

Default: Enabled

Allow search and Cortana to use location

Choose whether Cortana and Search can provide location-aware search results.

-

Default: Enabled

Do not allow web search

Choose whether to search the web from Windows Desktop Search.

-

Default: Disabled

Don't search the web or display web results in Search

Choose whether to search the web from Cortana.

-

Default: Disabled

Set what information is shared in Search

Control what information is shared with Bing in Search.

- -  - -When you enable the **Don't search the web or display web results in Search** Group Policy, you can control the behavior of whether Cortana searches the web to display web results. However, this policy only covers whether or not web search is performed. There could still be a small amount of network traffic to Bing.com to evaluate if certain Cortana components are up-to-date or not. In order to turn off that network activity completely, you can create a Windows Firewall rule to prevent outbound traffic. - -1. Expand **Computer Configuration** > **Windows Settings** > **Security Settings** > **Windows Firewall with Advanced Security** > **Windows Firewall with Advanced Security - <LDAP name>**, and then click **Outbound Rules**. - -2. Right-click **Outbound Rules**, and then click **New Rule**. The **New Outbound Rule Wizard** starts. - -3. On the **Rule Type** page, click **Program**, and then click **Next**. - -4. On the **Program** page, click **This program path**, type **%windir%\\systemapps\\Microsoft.Windows.Cortana\_cw5n1h2txyewy\\SearchUI.exe**, and then click **Next**. - -5. On the **Action** page, click **Block the connection**, and then click **Next**. - -6. On the **Profile** page, ensure that the **Domain**, **Private**, and **Public** check boxes are selected, and then click **Next**. - -7. On the **Name** page, type a name for the rule, such as **Cortana firewall configuration**, and then click **Finish.** - -8. Right-click the new rule, click **Properties**, and then click **Protocols and Ports**. - -9. Configure the **Protocols and Ports** page with the following info, and then click **OK**. - - - For **Protocol type**, choose **TCP**. - - - For **Local port**, choose **All Ports**. - - - For **Remote port**, choose **All ports**. - -**Note**   -If your organization tests network traffic, you should not use Fiddler to test Windows Firewall settings. You should use a network traffic analyzer, such as WireShark or Message Analyzer. - -  - -### 1.2 Cortana MDM policies - -The following Cortana MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). - - ---- - - - - - - - - - - - - - - - - -
PolicyDescription

Experience/AllowCortana

Choose whether to let Cortana install and run on the device.

-

Default: Allowed

Search/AllowSearchToUseLocation

Choose whether Cortana and Search can provide location-aware search results.

-

Default: Allowed

- -  - -### 1.3 Cortana Windows Provisioning - -To use Windows Imaging and Configuration Designer (ICD) to create a provisioning package with the settings for these policies, go to **Runtime settings** > **Policies** to find **Experience** > **AllowCortana** and **Search** > **AllowSearchToUseLocation**. - -### 2. Date & Time - -You can prevent Windows from setting the time automatically. - -- To turn off the feature in the UI: **Settings** > **Time & language** > **Date & time** > **Set time automatically** - - -or- - -- Create a REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters** with a value of **NoSync**. - -### 3. Device metadata retrieval - -To prevent Windows from retrieving device metadata from the Internet, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Device Installation** > **Prevent device metadata retrieval from the Internet**. - -### 4. Font streaming - -Starting with Windows 10, fonts that are included in Windows but that are not stored on the local device can be downloaded on demand. - -To turn off font streaming, create a REG\_DWORD registry setting called **DisableFontProviders** in **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\FontCache\\Parameters**, with a value of 1. - -**Note**   -This may change in future versions of Windows. - -  - -### 5. Insider Preview builds - -To turn off Insider Preview builds if you're running a released version of Windows 10. If you're running a preview version of Windows 10, you must roll back to a released version before you can turn off Insider Preview builds. - -- Turn off the feature in the UI: **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Stop Insider builds**. - - -or- - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Toggle user control over Insider builds**. - - -or- - -- Apply the System/AllowBuildPreview MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where: - - - **0**. Users cannot make their devices available for downloading and installing preview software. - - - **1**. Users can make their devices available for downloading and installing preview software. - - - **2**. (default) Not configured. Users can make their devices available for download and installing preview software. - - -or- - -- Create a provisioning package: **Runtime settings** > **Policies** > **System** > **AllowBuildPreview**, where: - - - **0**. Users cannot make their devices available for downloading and installing preview software. - - - **1**. Users can make their devices available for downloading and installing preview software. - - - **2**. (default) Not configured. Users can make their devices available for download and installing preview software. - -### 6. Internet Explorer - -Use Group Policy to manage settings for Internet Explorer. - -### 6.1 Internet Explorer Group Policies - -Find the Internet Explorer Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer**. - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
PolicyDescription

Turn on Suggested Sites

Choose whether an employee can configure Suggested Sites.

-

Default: Enabled

-

You can also turn this off in the UI by clearing the Internet Options > Advanced > Enable Suggested Sites check box.

Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar

Choose whether an employee can configure enhanced suggestions, which are presented to the employee as they type in the address bar.

-

Default: Enabled

Turn off the auto-complete feature for web addresses

Choose whether auto-complete suggests possible matches when employees are typing web address in the address bar.

-

Default: Disabled

-

You can also turn this off in the UI by clearing the Internet Options > Advanced > Use inline AutoComplete in the Internet Explorer Address Bar and Open Dialog check box.

Disable Periodic Check for Internet Explorer software updates

Choose whether Internet Explorer periodically checks for a new version.

-

Default: Enabled

Turn off browser geolocation

Choose whether websites can request location data from Internet Explorer.

-

Default: Disabled

- -  - -### 6.2 ActiveX control blocking - -ActiveX control blocking periodically downloads a new list of out-of-date ActiveX controls that should be blocked. You can turn this off by changing the REG\_DWORD registry setting **HKEY\_CURRENT\_USER\\Software\\Microsoft\\Internet Explorer\\VersionManager\\DownloadVersionList** to 0 (zero). - -For more info, see [Out-of-date ActiveX control blocking](http://technet.microsoft.com/library/dn761713.aspx). - -### 7. Mail synchronization - -To turn off mail synchronization for Microsoft Accounts that are configured on a device: - -- In **Settings** > **Accounts** > **Your email and accounts**, remove any connected Microsoft Accounts. - - -or- - -- Remove any Microsoft Accounts from the Mail app. - - -or- - -- Apply the Accounts/AllowMicrosoftAccountConnection MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is not allowed and 1 is allowed. This does not apply to Microsoft Accounts that have already been configured on the device. - -To turn off the Windows Mail app: - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Mail** > **Turn off Windows Mail application** - -### 8. Microsoft Edge - -Use either Group Policy or MDM policies to manage settings for Microsoft Edge. For more info, see [Microsoft Edge and privacy: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=730682). - -### 8.1 Microsoft Edge Group Policies - -Find the Microsoft Edge Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge**. - -**Note**   -The Microsoft Edge Group Policy names were changed in Windows 10, version 1511. The table below reflects those changes. - -  - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
PolicyDescription

Turn off autofill

Choose whether employees can use autofill on websites.

-

Default: Enabled

Allow employees to send Do Not Track headers

Choose whether employees can send Do Not Track headers.

-

Default: Disabled

Turn off password manager

Choose whether employees can save passwords locally on their devices.

-

Default: Enabled

Turn off address bar search suggestions

Choose whether the address bar shows search suggestions.

-

Default: Enabled

Turn off the SmartScreen Filter

Choose whether SmartScreen is turned on or off.

-

Default: Enabled

Open a new tab with an empty tab

Choose whether a new tab page appears.

-

Default: Enabled

Configure corporate Home pages

Choose the corporate Home page for domain-joined devices.

-

Set this to about:blank

- -  - -### 8.2 Microsoft Edge MDM policies - -The following Microsoft Edge MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
PolicyDescription

Browser/AllowAutoFill

Choose whether employees can use autofill on websites.

-

Default: Allowed

Browser/AllowDoNotTrack

Choose whether employees can send Do Not Track headers.

-

Default: Not allowed

Browser/AllowPasswordManager

Choose whether employees can save passwords locally on their devices.

-

Default: Allowed

Browser/AllowSearchSuggestionsinAddressBar

Choose whether the address bar shows search suggestions.

-

Default: Allowed

Browser/AllowSmartScreen

Choose whether SmartScreen is turned on or off.

-

Default: Allowed

- -  - -### 8.3 Microsoft Edge Windows Provisioning - -Use Windows ICD to create a provisioning package with the settings for these policies, go to **Runtime settings** > **Policies**. - -For a complete list of the Microsoft Edge policies, see [Available policies for Microsoft Edge](http://technet.microsoft.com/library/mt270204.aspx). - -### 9. Network Connection Status Indicator - -Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to http://www.msftncsi.com to determine if the device can communicate with the Internet. For more info about NCIS, see [The Network Connection Status Icon](http://blogs.technet.com/b/networking/archive/2012/12/20/the-network-connection-status-icon.aspx). - -You can turn off NCSI through Group Policy: - -- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Windows Network Connectivity Status Indicator active tests** - -### 10. Offline maps - -You can turn off the ability to download and update offline maps. - -- In the UI: **Settings** > **System** > **Offline maps** > **Automatically update maps** - - -or- - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off Automatic Download and Update of Map Data** - -### 11. OneDrive - -To turn off OneDrive in your organization: - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **OneDrive** > **Prevent the usage of OneDrive for file storage** - -### 12. Preinstalled apps - -Some preinstalled apps get content before they are opened to ensure a great experience. You can remove these using the steps in this section. - -To remove the News app: - -- Right-click the app in Start, and then click **Uninstall**. - - -or- - -- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingNews"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** - - -and- - - Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingNews | Remove-AppxPackage** - -To remove the Weather app: - -- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingWeather"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** - - -and- - - Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingWeather | Remove-AppxPackage** - -To remove the Money app: - -- Right-click the app in Start, and then click **Uninstall**. - - -or- - -- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingFinance"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** - - -and- - - Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingFinance | Remove-AppxPackage** - -To remove the Sports app: - -- Right-click the app in Start, and then click **Uninstall**. - - -or- - -- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingSports"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** - - -and- - - Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingSports | Remove-AppxPackage** - -To remove the Twitter app: - -- Right-click the app in Start, and then click **Uninstall**. - - -or- - -- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "\*.Twitter"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** - - -and- - - Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage \*.Twitter | Remove-AppxPackage** - -To remove the XBOX app: - -- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.XboxApp"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** - - -and- - - Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.XboxApp | Remove-AppxPackage** - -To remove the Sway app: - -- Right-click the app in Start, and then click **Uninstall**. - - -or- - -- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.Office.Sway"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** - - -and- - - Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.Office.Sway | Remove-AppxPackage** - -To remove the OneNote app: - -- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.Office.OneNote"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** - - -and- - - Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.Office.OneNote | Remove-AppxPackage** - -To remove the Get Office app: - -- Right-click the app in Start, and then click **Uninstall**. - - -or- - -- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.MicrosoftOfficeHub"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** - - -and- - - Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.MicrosoftOfficeHub | Remove-AppxPackage** - -To remove the Get Skype app: - -- Right-click the Sports app in Start, and then click **Uninstall**. - - -or- - -- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.SkypeApp"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** - - -and- - - Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.SkypeApp | Remove-AppxPackage** - -### 13. Settings > Privacy - -Use Settings > Privacy to configure some settings that may be important to your organization. Except for the Feedback & Diagnostics page, these settings must be configured for every user account that signs into the PC. - -- [13.1 General](#bkmk-general) - -- [13.2 Location](#bkmk-priv-location) - -- [13.3 Camera](#bkmk-priv-camera) - -- [13.4 Microphone](#bkmk-priv-microphone) - -- [13.5 Speech, inking, & typing](#bkmk-priv-speech) - -- [13.6 Account info](#bkmk-priv-accounts) - -- [13.7 Contacts](#bkmk-priv-contacts) - -- [13.8 Calendar](#bkmk-priv-calendar) - -- [13.9 Call history](#bkmk-priv-callhistory) - -- [13.10 Email](#bkmk-priv-email) - -- [13.11 Messaging](#bkmk-priv-messaging) - -- [13.12 Radios](#bkmk-priv-radios) - -- [13.13 Other devices](#bkmk-priv-other-devices) - -- [13.14 Feedback & diagnostics](#bkmk-priv-feedback) - -- [13.15 Background apps](#bkmk-priv-background) - -### 13.1 General - -**General** includes options that don't fall into other areas. - -To turn off **Let apps use my advertising ID for experiences across apps (turning this off will reset your ID)**: - -**Note**   -When you turn this feature off in the UI, it turns off the advertising ID, not just resets it. - -  - -- Turn off the feature in the UI. - - -or- - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **User Profiles** > **Turn off the advertising ID**. - - -or- - -- Create a REG\_DWORD registry setting called **Enabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AdvertisingInfo**, with a value of 0 (zero). - -To turn off **Turn on SmartScreen Filter to check web content (URLs) that Windows Store apps use**: - -- Turn off the feature in the UI. - - -or- - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge** > **Turn off the SmartScreen Filter**. - - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **File Explorer** > **Configure Windows SmartScreen**. - - -or- - -- Apply the Browser/AllowSmartScreen MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is turned off and 1 is turned on. - - -or- - -- Create a provisioning package, using: - - - For Internet Explorer: **Runtime settings** > **Policies** > **Browser** > **AllowSmartScreen** - - - For Microsoft Edge: **Runtime settings** > **Policies** > **MicrosoftEdge** > **AllowSmartScreen** - - -or- - -- Create a REG\_DWORD registry setting called **Enabled** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppHost\\EnableWebContentEvaluation**, with a value of 0 (zero). - -To turn off **Send Microsoft info about how I write to help us improve typing and writing in the future**: - -**Note**   -If the telemetry level is set to either [Basic](#bkmk-utc-basic) or [Security](#bkmk-utc-security), this is turned off automatically. - -  - -- Turn off the feature in the UI. - - -or- - -- Apply the TextInput/AllowLinguisticDataCollection MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where: - - - **0**. Not allowed - - - **1**. Allowed (default) - -To turn off **Let websites provide locally relevant content by accessing my language list**: - -- Turn off the feature in the UI. - - -or- - -- Create a new REG\_DWORD registry setting called **HttpAcceptLanguageOptOut** in **HKEY\_CURRENT\_USER\\Control Panel\\International\\User Profile**, with a value of 1. - -### 13.2 Location - -In the **Location** area, you choose whether devices have access to location-specific sensors and which apps have access to the device's location. - -To turn off **Location for this device**: - -- Click the **Change** button in the UI. - - -or- - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Location and Sensors** > **Turn off location**. - - -or- - -- Apply the System/AllowLocation MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: - - - **0**. Turned off and the employee can't turn it back on. - - - **1**. Turned on, but lets the employee choose whether to use it. (default) - - - **2**. Turned on and the employee can't turn it off. - - **Note**   - You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](http://msdn.microsoft.com/library/dn905224.aspx). - -   - - -or- - -- Create a provisioning package, using **Runtime settings** > **Policies** > **System** > **AllowLocation**, where - - - **No**. Turns off location service. - - - **Yes**. Turns on location service. (default) - -To turn off **Location**: - -- Turn off the feature in the UI. - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access location** - - - Set the **Select a setting** box to **Force Deny**. - - -or- - -To turn off **Location history**: - -- Erase the history using the **Clear** button in the UI. - -To turn off **Choose apps that can use your location**: - -- Turn off each app using the UI. - -### 13.3 Camera - -In the **Camera** area, you can choose which apps can access a device's camera. - -To turn off **Let apps use my camera**: - -- Turn off the feature in the UI. - - -or- - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the camera** - - - Set the **Select a setting** box to **Force Deny**. - - -or- - -- Apply the Camera/AllowCamera MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: - - - **0**. Apps can't use the camera. - - - **1**. Apps can use the camera. - - **Note**   - You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](http://msdn.microsoft.com/library/dn905224.aspx). - -   - - -or- - -- Create a provisioning package with use Windows ICD, using **Runtime settings** > **Policies** > **Camera** > **AllowCamera**, where: - - - **0**. Apps can't use the camera. - - - **1**. Apps can use the camera. - -To turn off **Choose apps that can use your camera**: - -- Turn off the feature in the UI for each app. - -### 13.4 Microphone - -In the **Microphone** area, you can choose which apps can access a device's microphone. - -To turn off **Let apps use my microphone**: - -- Turn off the feature in the UI. - - -or- - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the microphone** - - - Set the **Select a setting** box to **Force Deny**. - -To turn off **Choose apps that can use your microphone**: - -- Turn off the feature in the UI for each app. - -### 13.5 Speech, inking, & typing - -In the **Speech, Inking, & Typing** area, you can let Windows and Cortana better understand your employee's voice and written input by sampling their voice and writing, and by comparing verbal and written input to contact names and calendar entrees. - -**Note**   -For more info on how to disable Cortana in your enterprise, see [Cortana](#bkmk-cortana) in this article. - -  - -To turn off the functionality: - -- Click the **Stop getting to know me** button, and then click **Turn off**. - - -or- - -- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Regional and Language Options** > **Handwriting personalization** > **Turn off automatic learning** - - -or- - -- Create a REG\_DWORD registry setting called **AcceptedPrivacyPolicy** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Personalization\\Settings**, with a value of 0 (zero). - - -and- - - Create a REG\_DWORD registry setting called **HarvestContacts** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\InputPersonalization\\TrainedDataStore**, with a value of 0 (zero). - -### 13.6 Account info - -In the **Account Info** area, you can choose which apps can access your name, picture, and other account info. - -To turn off **Let apps access my name, picture, and other account info**: - -- Turn off the feature in the UI. - - -or- - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access account information** - - - Set the **Select a setting** box to **Force Deny**. - -To turn off **Choose the apps that can access your account info**: - -- Turn off the feature in the UI for each app. - -### 13.7 Contacts - -In the **Contacts** area, you can choose which apps can access an employee's contacts list. - -To turn off **Choose apps that can access contacts**: - -- Turn off the feature in the UI for each app. - - -or- - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access contacts** - - - Set the **Select a setting** box to **Force Deny**. - -### 13.8 Calendar - -In the **Calendar** area, you can choose which apps have access to an employee's calendar. - -To turn off **Let apps access my calendar**: - -- Turn off the feature in the UI. - - -or- - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the calendar** - - - Set the **Select a setting** box to **Force Deny**. - -To turn off **Choose apps that can access calendar**: - -- Turn off the feature in the UI for each app. - -### 13.9 Call history - -In the **Call history** area, you can choose which apps have access to an employee's call history. - -To turn off **Let apps access my call history**: - -- Turn off the feature in the UI. - - -or- - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access call history** - - - Set the **Select a setting** box to **Force Deny**. - -### 13.10 Email - -In the **Email** area, you can choose which apps have can access and send email. - -To turn off **Let apps access and send email**: - -- Turn off the feature in the UI. - - -or- - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access email** - - - Set the **Select a setting** box to **Force Deny**. - -### 13.11 Messaging - -In the **Messaging** area, you can choose which apps can read or send messages. - -To turn off **Let apps read or send messages (text or MMS)**: - -- Turn off the feature in the UI. - - -or- - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access messaging** - - - Set the **Select a setting** box to **Force Deny**. - -To turn off **Choose apps that can read or send messages**: - -- Turn off the feature in the UI for each app. - -### 13.12 Radios - -In the **Radios** area, you can choose which apps can turn a device's radio on or off. - -To turn off **Let apps control radios**: - -- Turn off the feature in the UI. - - -or- - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps control radios** - - - Set the **Select a setting** box to **Force Deny**. - -To turn off **Choose apps that can control radios**: - -- Turn off the feature in the UI for each app. - -### 13.13 Other devices - -In the **Other Devices** area, you can choose whether devices that aren't paired to PCs, such as an Xbox One, can share and sync info. - -To turn off **Let apps automatically share and sync info with wireless devices that don't explicitly pair with your PC, tablet, or phone**: - -- Turn off the feature in the UI. - -To turn off **Let your apps use your trusted devices (hardware you've already connected, or comes with your PC, tablet, or phone)**: - -- Turn off the feature in the UI. - - -or- - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access trusted devices** - - - Set the **Select a setting** box to **Force Deny**. - -### 13.14 Feedback & diagnostics - -In the **Feedback & Diagnostics** area, you can choose how often you're asked for feedback and how much diagnostic and usage information is sent to Microsoft. - -To change how frequently **Windows should ask for my feedback**: - -**Note**   -Feedback frequency only applies to user-generated feedback, not diagnostic and usage data sent from the device. - -  - -- To change from **Automatically (Recommended)**, use the drop-down list in the UI. - - -or- - -- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Do not show feedback notifications** - - -or- - -- Create the registry keys (REG\_DWORD type): - - - HKEY\_CURRENT\_USER\\Software\\Microsoft\\Siuf\\Rules\\PeriodInNanoSeconds - - - HKEY\_CURRENT\_USER\\Software\\Microsoft\\Siuf\\Rules\\NumberOfSIUFInPeriod - - Based on these settings: - - | Setting | PeriodInNanoSeconds | NumberOfSIUFInPeriod | - |---------------|-----------------------------|-----------------------------| - | Automatically | Delete the registry setting | Delete the registry setting | - | Never | 0 | 0 | - | Always | 100000000 | Delete the registry setting | - | Once a day | 864000000000 | 1 | - | Once a week | 6048000000000 | 1 | - -   - -To change the level of diagnostic and usage data sent when you **Send your device data to Microsoft**: - -- To change from [Enhanced](#bkmk-utc-enhanced), use the drop-down list in the UI. The other levels are **Basic** and **Full**. For more info about these levels, see [How telemetry works](#bkmk-moreutc). - - **Note**   - You can't use the UI to change the telemetry level to [Security](#bkmk-utc-security). - -   - - -or- - -- Apply the Group Policy: **Computer Configuration\\Administrative Templates\\Windows Components\\Data Collection And Preview Builds\\Allow Telemetry** - - -or- - -- Apply the System/AllowTelemetry MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: - - - **0**. Maps to the [Security](#bkmk-utc-security) level. - - - **1**. Maps to the [Basic](#bkmk-utc-basic) level. - - - **2**. Maps to the [Enhanced](#bkmk-utc-enhanced) level. - - - **3**. Maps to the [Full](#bkmk-utc-full) level. - - -or- - -- Create a provisioning package, using **Runtime settings** > **Policies** > **System** > **AllowTelemetry**, where: - - - **0**. Maps to the [Security](#bkmk-utc-security) level. - - - **1**. Maps to the [Basic](#bkmk-utc-basic) level. - - - **2**. Maps to the [Enhanced](#bkmk-utc-enhanced) level. - - - **3**. Maps to the [Full](#bkmk-utc-full) level. - -### 13.15 Background apps - -In the **Background Apps** area, you can choose which apps can run in the background. - -To turn off **Let apps run in the background**: - -- Turn off the feature in the UI for each app. - -### 14. Software Protection Platform - -Enterprise customers can manage their Windows activation status with volume licensing using an on-premise Key Management Server. You can opt out of sending KMS client activation data to Microsoft automatically by applying the following Group Policy: - -**Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Activation** - -The Windows activation status will be valid for a rolling period of 180 days with weekly activation status checks to the KMS. - -### 15. Sync your settings - -You can control if your settings are synchronized: - -- In the UI: **Settings** > **Accounts** > **Sync your settings** - - -or- - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Sync your settings** > **Do not sync** - - -or- - -- Apply the Experience/AllowSyncMySettings MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is not allowed and 1 is allowed. - - -or- - -- Create a provisioning package, using **Runtime settings** > **Policies** > **Experience** > **AllowSyncMySettings**, where - - - **No**. Settings are not synchronized. - - - **Yes**. Settings are synchronized. (default) - -To turn off Messaging cloud sync: - -- Create a REG\_DWORD registry setting called **CloudServiceSyncEnabled** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Messaging**, with a value of 0 (zero). - -### 16. Teredo - -You can disable Teredo by using the netsh.exe command. For more info on Teredo, see [Internet Protocol Version 6, Teredo, and Related Technologies](http://technet.microsoft.com/library/cc722030.aspx). - -- From an elevated command prompt, run **netsh interface teredo set state disabled** - -### 17. Wi-Fi Sense - -Wi-Fi Sense automatically connects devices to known hotspots and to the wireless networks the person’s contacts have shared with them. - -To turn off **Connect to suggested open hotspots** and **Connect to networks shared by my contacts**: - -- Turn off the feature in the UI. - - -or- - -- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **WLAN Service** > **WLAN Settings** > **Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services**. - - -or- - -- Create a new REG\_DWORD registry setting called **AutoConnectAllowedOEM** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\WcmSvc\\wifinetworkmanager\\config**, with a value of 0 (zero). - - -or- - -- Change the Windows Provisioning setting, WiFISenseAllowed, to 0 (zero). For more info, see the Windows Provisioning Settings reference doc, [WiFiSenseAllowed](http://go.microsoft.com/fwlink/p/?LinkId=620909). - - -or- - -- Use the Unattended settings to set the value of WiFiSenseAllowed to 0 (zero). For more info, see the Unattended Windows Setup reference doc, [WiFiSenseAllowed.](http://go.microsoft.com/fwlink/p/?LinkId=620910) - -When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings screen, but they’re non-functional and they can’t be controlled by the employee. - -### 18. Windows Defender - -You can opt of the Microsoft Antimalware Protection Service. - -- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **MAPS** > **Join Microsoft MAPS** - - -or- - -- Apply the Defender/AllowClouldProtection MDM policy from the [Defender CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). - - -or- - -- Use the registry to set the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\\SpyNetReporting** to 0 (zero). - -You can stop sending file samples back to Microsoft. - -- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **MAPS** > **Send file samples when further analysis is required** to **Always Prompt** or **Never Send**. - - -or- - -- Apply the Defender/SubmitSamplesConsent MDM policy from the [Defender CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: - - - **0**. Always prompt. - - - **1**. (default) Send safe samples automatically. - - - **2**. Never send. - - - **3**. Send all samples automatically. - - -or- - -- Use the registry to set the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\\SubmitSamplesConsent** to 0 (zero) to always prompt or 2 to never send. - -You can stop downloading definition updates: - -- Enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **Signature Updates** > **Define the order of sources for downloading definition updates** and set it to **FileShares**. - - -and- - -- Enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **Signature Updates** > **Define file shares for downloading definition updates** and set it to nothing. - -You can also use the registry to turn off Malicious Software Reporting Tool telemetry by setting the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\MRT\\DontReportInfectionInformation** to 1. - -### 19. Windows Media Player - -To remove Windows Media Player: - -- From the **Programs and Features** control panel, click **Turn Windows features on or off**, under **Media Features**, clear the **Windows Media Player** check box, and then click **OK**. - - -or- - -- Run the following DISM command from an elevated command prompt: **dism /online /Disable-Feature /FeatureName:WindowsMediaPlayer** - -### 20. Windows spotlight - -Windows spotlight provides different background images and text on the lock screen. You can control it by using the user interface or through Group Policy. - -- Configure the following in **Settings**: - - - **Personalization** > **Lock screen** > **Background** > **Windows spotlight**, select a different background, and turn off **Show me tips, tricks, and more on the lock screen**. - - - **Personalization** > **Start** > **Occasionally show suggestions in Start**. - - - **System** > **Notifications & actions** > **Show me tips about Windows**. - - -or- - -- Apply the Group Policies: - - - **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image**. - - Add a location in the **Path to local lock screen image** box. - - - Set the **Turn off fun facts, tips, tricks, and more on lock screen** check box. - - **Note**  This will only take effect if the policy is applied before the first logon. If you cannot apply the **Force a specific default lock screen image** policy before the first logon to the device, you can apply this policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Do not display the lock screen**. - -   - - - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not show Windows Tips**. - - - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off Microsoft consumer experiences**. - -For more info, see [Windows spotlight on the lock screen](../whats-new/windows-spotlight.md). - -### 21. Windows Store - -You can turn off the ability to launch apps from the Windows Store that were preinstalled or downloaded. This will also turn off automatic app updates, and the Windows Store will be disabled. - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Disable all apps from Windows Store**. - -### 22. Windows Update Delivery Optimization - -Windows Update Delivery Optimization lets you get Windows updates and Windows Store apps from sources in addition to Microsoft, which not only helps when you have a limited or unreliable Internet connection, but can also help you reduce the amount of bandwidth needed to keep all of your organization’s PCs up-to-date. If you have Delivery Optimization turned on, PCs on your network may send and receive updates and apps to other PCs on your local network, if you choose, or to PCs on the Internet. - -By default, PCs running Windows 10 Enterprise and Windows 10 Education will only use Delivery Optimization to get and receive updates for PCs and apps on your local network. - -Use the UI, Group Policy, MDM policies, or Windows Provisioning to set up Delivery Optimization. - -### 22.1 Settings > Update & security - -You can set up Delivery Optimization from the **Settings** UI. - -- Go to **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Choose how updates are delivered**. - -### 22.2 Delivery Optimization Group Policies - -You can find the Delivery Optimization Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Delivery Optimization**. - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
PolicyDescription

Download Mode

Lets you choose where Delivery Optimization gets or sends updates and apps, including

-
    -

  • None. Turns off Delivery Optimization.

    • -

  • Group. Gets or sends updates and apps to PCs on the same local network domain.

    • -

  • Internet. Gets or sends updates and apps to PCs on the Internet.

    • -

  • LAN. Gets or sends updates and apps to PCs on the same NAT only.

    • -

Group ID

Lets you provide a Group ID that limits which PCs can share apps and updates.

-
-Note   -

This ID must be a GUID.

-
-
-  -

Max Cache Age

Lets you specify the maximum time (in seconds) that a file is held in the Delivery Optimization cache.

-

The default value is 259200 seconds (3 days).

Max Cache Size

Lets you specify the maximum cache size as a percentage of disk size.

-

The default value is 20, which represents 20% of the disk.

Max Upload Bandwidth

Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity.

-

The default value is 0, which means unlimited possible bandwidth.

- -  - -### 22.3 Delivery Optimization MDM policies - -The following Delivery Optimization MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
PolicyDescription

DeliveryOptimization/DODownloadMode

Lets you configure where Delivery Optimization gets or sends updates and apps, including:

-
    -

  • 0. Turns off Delivery Optimization.

    • -

  • 1. Gets or sends updates and apps to PCs on the same NAT only.

    • -

  • 2. Gets or sends updates and apps to PCs on the same local network domain.

    • -

  • 3. Gets or sends updates and apps to PCs on the Internet.

    • -

DeliveryOptimization/DOGroupID

Lets you provide a Group ID that limits which PCs can share apps and updates.

-
-Note   -

This ID must be a GUID.

-
-
-  -

DeliveryOptimization/DOMaxCacheAge

Lets you specify the maximum time (in seconds) that a file is held in the Delivery Optimization cache.

-

The default value is 259200 seconds (3 days).

DeliveryOptimization/DOMaxCacheSize

Lets you specify the maximum cache size as a percentage of disk size.

-

The default value is 20, which represents 20% of the disk.

DeliveryOptimization/DOMaxUploadBandwidth

Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity.

-

The default value is 0, which means unlimited possible bandwidth.

- -  - -### 22.4 Delivery Optimization Windows Provisioning - -If you don't have an MDM server in your enterprise, you can use Windows Provisioning to configure the Delivery Optimization policies - -Use Windows ICD, included with the [Windows Assessment and Deployment Kit (Windows ADK)](http://go.microsoft.com/fwlink/p/?LinkId=526803), to create a provisioning package for Delivery Optimization. - -1. Open Windows ICD, and then click **New provisioning package**. - -2. In the **Name** box, type a name for the provisioning package, and then click **Next.** - -3. Click the **Common to all Windows editions** option, click **Next**, and then click **Finish**. - -4. Go to **Runtime settings** > **Policies** > **DeliveryOptimization** to configure the policies. - -For more info about Delivery Optimization in general, see [Windows Update Delivery Optimization: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=730684). - -### 23. Windows Update - -You can turn off Windows Update by setting the following registry entries: - -- Add a REG\_DWORD value called **DoNotConnectToWindowsUpdateInternetLocations** to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and set the value to 1. - - -and- - -- Add a REG\_DWORD value called **DisableWindowsUpdateAccess** to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and set the value to 1. - -You can turn off automatic updates by doing one of the following. This is not recommended. - -- Add a REG\_DWORD value called **AutoDownload** to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\WindowsStore\\WindowsUpdate** and set the value to 5. - - -or- - -- Apply the Update/AllowAutoUpdate MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: - - - **0**. Notify the user before downloading the update. - - - **1**. Auto install the update and then notify the user to schedule a device restart. - - - **2** (default). Auto install and restart. - - - **3**. Auto install and restart at a specified time. - - - **4**. Auto install and restart without end-user control. - - - **5**. Turn off automatic updates. - -To learn more, see [Device update management](http://msdn.microsoft.com/library/windows/hardware/dn957432.aspx) and [Configure Automatic Updates by using Group Policy](http://technet.microsoft.com/library/cc720539.aspx). - -## Manage your telemetry settings - - -You can manage your telemetry settings using the management tools you're already using, such as Group Policy, MDM, or Windows Provisioning. You can also manually change your settings using Registry Editor. Setting your telemetry levels through a management policy overrides any device-level settings. - -You can set your organization's devices to use 1 of 4 telemetry levels: - -- [Security](#bkmk-utc-security) (only available on Windows 10 Enterprise, Windows 10 Education, and Windows 10 IoT Core (IoT Core) editions) - -- [Basic](#bkmk-utc-basic) - -- [Enhanced](#bkmk-utc-enhanced) - -- [Full](#bkmk-utc-full) - -For more info about these telemetry levels, see [Telemetry levels](#bkmk-telemetrylevels). If you choose Express settings during installation, your device is configured for the Full telemetry level. In Windows 10 Enterprise, Windows 10 Education, and Windows 10 IoT Core, unattended installations configure your device for the Enhanced telemetry level. - -**Important**   -These telemetry levels only apply to Windows components and apps that use the Connected User Experience and Telemetry component. Non-Windows components, such as Microsoft Office or other 3rd-party apps, may communicate with their cloud services outside of these telemetry levels. App publishers must let people know about how they use their telemetry, ways to opt in or opt out, and they must separately document their privacy policies. - -  - -### Use Group Policy to set the telemetry level - -Use a Group Policy object to set your organization’s telemetry level. - -1. From the Group Policy Management Console, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds**. - -2. Double-click **Allow Telemetry**. - -3. In the **Options** box, select the level that you want to configure, and then click **OK**. - -### Use MDM to set the telemetry level - -Use the [Policy Configuration Service Provider (CSP)](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) to apply the System/AllowTelemetry MDM policy, using one of these telemetry values: - -- **0**. Maps to the [Security](#bkmk-utc-security) level. - -- **1**. Maps to the [Basic](#bkmk-utc-basic) level. - -- **2**. Maps to the [Enhanced](#bkmk-utc-enhanced) level. - -- **3**. Maps to the [Full](#bkmk-utc-full) level. - -### Use Windows Provisioning to set the telemetry level - -Use Windows Provisioning and the Windows Imaging and Configuration Designer (Windows ICD) tool - part of the [Windows Assessment and Deployment Kit (Windows ADK) toolkit](http://go.microsoft.com/fwlink/p/?LinkId=526803) - to create a provisioning package and runtime setting that sets your organization's telemetry level. - -After you create the provisioning package, you can email it to your employees, put it on a network share, or integrate the package directly into a custom image using Windows ICD. - -**To use Windows ICD to integrate your package into a custom image** - -1. Open Windows ICD, and then click **New provisioning package**. - -2. In the **Name** box, type a name for the provisioning package, and then click **Next**. - -3. Click **Common to all Windows editions** > **Next** > **Finish**. - -4. Go to **Runtime settings** > **Policies** > **System** > **AllowTelemetry** to configure the policies. You can set it to one of the following: - - - **Disabled \[Enterprise SKU Only\]**. Maps to the [Security](#bkmk-utc-security) level. - - - **Basic**. Maps to the [Basic](#bkmk-utc-basic) level. - - - **Full**. Maps to the [Enhanced](#bkmk-utc-enhanced) level - - - **Diagnostic**. Maps to the [Full](#bkmk-utc-full) level. - -5. After you've added all of your settings to the provisioning package, click **Export** > **Provisioning package**. - -6. On the **Describe the provisioning package** step, in the **Owner** box, click **IT Admin** > **Next**. - -7. On the **Select security details for the provisioning package** step, if you want to protect the package with a password, select the **Encrypt package** check box. If you'd like to sign the package with a certificate, select the **Sign package** check box and select the certificate to use. Click **Next**. - -8. On the **Select where to save the provisioning package** step, if you want to save it somewhere other than the Windows ICD project folder, choose a new location, and then click **Next**. - -9. On the **Build the provisioning package** step, click **Build**. - -### Use Registry Editor to set the telemetry level - -Use Registry Editor to manually set the registry level on each device in your organization, or write a script to edit the registry. - -If a management policy already exists (from Group Policy, MDM, or Windows Provisioning), it will override this registry setting. - -1. Open Registry Editor, and go to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection**. - -2. Right-click **DataCollection**, click **New**, and then click **DWORD (32-bit) Value**. - -3. Type **AllowTelemetry**, and then press ENTER. - -4. Double-click **AllowTelemetry** and set the value to one of the following levels, and the click **OK**. - - - **0**. This setting maps to the [Security](#bkmk-utc-security) level. - - - **1**. This setting maps to the [Basic](#bkmk-utc-basic) level. - - - **2**. This setting maps to the [Enhanced](#bkmk-utc-enhanced) level - - - **3**. This setting maps to the [Full](#bkmk-utc-full) level. - -5. Click **File** > **Export**, and then save the file as a .reg file, such as **C:\\AllowTelemetry.reg**. You can run this file from a script on each device in your organization. - -### Additional telemetry controls - -There are a few more settings that you can turn off that may send telemetry information: - -- To turn off Windows Update telemetry, you have two choices. Either turn off Windows Update, or set your devices to be managed by an on premises update server, such as [Windows Server Update Services (WSUS)](http://technet.microsoft.com/library/hh852345.aspx) or [System Center Configuration Manager](http://www.microsoft.com/server-cloud/products/system-center-2012-r2-configuration-manager/). - -- Turn off **Windows Defender Cloud-based Protection** and **Automatic sample submission** in **Settings** > **Update & security** > **Windows Defender**. - -- Manage the Malicious Software Removal Tool in your organization. For more info, see Microsoft KB article [891716](http://support.microsoft.com/kb/891716). - -- Turn off Linguistic Data Collection in **Settings** > **Privacy**. At telemetry levels Enhanced and Full, Microsoft uses Linguistic Data Collection info to improve language model features such as autocomplete, spellcheck, suggestions, input pattern recognition, and dictionary. For more info, see the **Get to know me** setting in the [Speech, inking, & typing](#bkmk-priv-speech) section of this article and the **Send Microsoft info about how I write to help us improve typing and writing in the future** setting in the [General](#bkmk-priv-general) section of this article. - - **Note**   - Microsoft doesn't intentionally gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user's device. If we determine that sensitive information has been inadvertently received, we delete the information. - -   - -## How telemetry works - - -Windows uses telemetry information to analyze and fix software problems. It also helps Microsoft improve its software and provide updates that enhance the security and reliability of devices within your organization. - -### Telemetry levels - -This section explains the different telemetry levels in Windows 10. These levels are available on all desktop and mobile editions of Windows 10, with the exception of the Security level which is limited to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and IoT Core. - -- **Security**. Information that's required to help keep Windows secure, including info about theConnected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender. This level is available only on Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and IoT Core. - -- **Basic**. Basic device info, including: quality-related info, app compat, and info from the Security level. - -- **Enhanced** Additional insights, including: how Windows and Windows apps are used, how they perform, advanced reliability info, and info from both the Basic and the Security levels. - -- **Full**. All info necessary to identify and help to fix problems, plus info from the Security, Basic, and Enhanced levels. - -As a diagram: - -![](images/priv-telemetry-levels.png) - -### Security level - -The Security level gathers only telemetry info that's required to keep Windows devices secure. This level is only available on Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and IoT Core editions. - -**Note**   -If your organization relies on Windows Update for updates, you shouldn't use the Security level. Because no Windows Update information is gathered at this level, Microsoft can't tell whether an update successfully installed. - -You can continue to use Windows Server Update Services and System Center Configuration Manager while using the Security level. - -  - -Security level info includes: - -- **Connected User Experience and Telemetry component settings**. If data has been gathered and is queued to be sent, the Connected User Experience and Telemetry component downloads its settings file from Microsoft’s servers. The data collected by the client for this request includes OS information, device id (used to identify what specific device is requesting settings) and device class (for example, whether the device is server or desktop). - -- **Malicious Software Removal Tool (MSRT)** The MSRT infection report contains information, including device info and IP address. - - **Note**   - You can turn off the MSRT infection report. No MSRT information is included if MSRT is not used. If Windows Update is turned off, MSRT will not be offered to users. - -   - -- **Windows Defender**. Windows Defender requires some information to function, including: anti-malware signatures, diagnostic information, User Account Control settings, Unified Extensible Firmware Interface (UEFI) settings, and IP address. To configure this, see [Windows Defender](#bkmk-defender). - - **Note**   - This reporting can be turned off and no information is included if a customer is using third party antimalware software, or if Windows Defender is turned off. - - Microsoft recommends that Windows Update, Windows Defender, and MSRT remain enabled unless the enterprise uses alternative solutions such as Windows Server Update Services, System Center Configuration Manager, or a third party antimalware solution. Windows Update, Windows Defender, and MSRT provide core Windows functionality such as driver and OS updates, including security updates; moreover, Window Defender requires updated anti-malware signatures in order to provide security functionality. - -   - -No user content, such as user files or communications, is gathered at the Security telemetry level, and we take steps to avoid gathering any information that directly identifies a company or user, such as name, email address, or account ID. However, in rare circumstances, MSRT information may unintentionally contain personal information. For instance, some malware may create entries in a computer's registry that include information such as a username, causing it to be gathered. MSRT reporting is optional and can be turned off at any time. - -To set the telemetry level to Security, use a management policy (Group Policy or MDM) or by manually changing the setting in the registry. For more info, see the [Manage your telemetry settings](#bkmk-utc) section of this article. - -### Basic level - -The Basic level gathers a limited set of info that’s critical for understanding the device and its configuration. This level also includes the Security level info. This level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. - -Basic level info includes: - -- **Basic device info**. Helps provide an understanding about the various types of devices in the Windows 10 ecosystem, including: - - - Device attributes, such as camera resolution and display type - - - Internet Explorer version - - - Battery attributes, such as capacity and type - - - Networking attributes, such as mobile operator network and IMEI number - - - Processor and memory attributes, such as number of cores, speed, and firmware - - - Operating system attributes, such as Windows edition and IsVirtualDevice - - - Storage attributes, such as number of drives and memory size - -- **Connected User Experience and Telemetry component quality metrics**. Helps provide an understanding about how the Connected User Experience and Telemetry component is functioning, including uploaded events, dropped events, and the last upload time. - -- **Quality-related information**. Helps Microsoft develop a basic understanding of how a device and its operating system are performing. Some examples are the amount of time a connected standby device was able to fullsleep, the number of crashes or hangs, and application state change details, such as how much processor time and memory were used, and the total uptime for an app. - -- **App compat info**. Helps provide understanding about which apps are installed on a device and to help identify potential compatibility problems. - - - **General app info and app info for Internet Explorer add-ons**. Includes a list of apps and Internet Explorer add-ons that are installed on a device and whether these apps will work after an upgrade. This app info includes the app name, publisher, version, and basic details about which files have been blocked from usage. - - - **System info**. Helps provide understanding about whether a device meets the minimum requirements to upgrade to the next version of the operating system. System information includes the amount of memory, as well as info about the processor and BIOS. - - - **Accessory device info**. Includes a list of accessory devices, such as printers or external storage devices, that are connected to Windows PCs and whether these devices will function after upgrading to a new version of the operating system. - - - **Driver info**. Includes specific driver usage that’s meant to help figure out whether apps and devices will function after upgrading to a new version of the operating system. This info can help to determine blocking issues and then help Microsoft and our partners apply fixes and improvements. - -- **Store**. Provides info about how the Windows Store performs, including app downloads, installations, and updates. It also includes Windows Store launches, page views, suspend and resumes, and obtaining licenses. - -### Enhanced level - -The Enhanced level gathers info about how Windows and apps are used and how they perform. This level also includes info from both the Basic and Security levels. This level helps to improve experiences by analyzing user interaction with the operating system and apps. Info from this level can be abstracted into patterns and trends that can help Microsoft determine future improvements. - -Enhanced level info includes: - -- **Operating system events**. Helps to gain insights into different areas of the operating system, including networking, Hyper-V, Cortana, and other components. - -- **Operating system app events**. A set of events resulting from Microsoft apps that were downloaded from the Store or pre-installed with Windows, including Photos, Mail, and Microsoft Edge. - -- **Device-specific events**. Contains info about events that are specific to certain devices, such as Surface Hub and Microsoft HoloLens. For example, Microsoft HoloLens sends Holographic Processing Unit (HPU)-related events. - -If the Connected User Experience and Telemetry component detects a problem that requires gathering more detailed instrumentation, then the Connected User Experience and Telemetry component will only gather info about the events associated with the specific issue, for no more than 2 weeks. Also, if the operating system or an app crashes or hangs, Microsoft will gather the memory contents of the faulting process only at the time of the crash or hang. - -### Full level - -The Full level gathers info necessary to identify and to help fix problems, following the approval process described below. This level also includes info from the Basic, Enhanced, and Security levels. - -Additionally, at this level, devices opted in to the Windows Insider Program will send events that can show Microsoft how pre-release binaries and features are performing. All devices in the Windows Insider Program are automatically set to this level. - -If a device experiences problems that are difficult to identify or repeat using Microsoft's internal testing, additional info becomes necessary. This info can include any user content that might have triggered the problem and is gathered from a small sample of devices that have both opted into the Full telemetry level and have exhibited the problem. - -However, before more info is gathered, Microsoft's privacy governance team, including privacy and other subject matter experts, must approve the diagnostics request made by a Microsoft engineer. If the request is approved, Microsoft engineers can use the following capabilities to get the information: - -- Ability to run a limited, pre-approved list of Microsoft certified diagnostic tools, such as msinfo32.exe, powercfg.exe, and dxdiag.exe. - -- Ability to get registry keys. - -- Ability to gather user content, such as documents, if they might have been the trigger for the issue. - -### How is telemetry information handled by Microsoft? - -### Collection - -Information gathered by the Connected User Experience and Telemetry component complies with Microsoft's security and privacy policies, as well as international laws and regulations. Only those who can demonstrate a valid business need can access the telemetry info. - -### Data Transfer - -All telemetry info is encrypted during transfer from the device to the Microsoft Data Management Service. Data is uploaded on a schedule that is sensitive to event priority, battery use, and network cost. Real-time events, such as gaming achievements, are always sent immediately. Normal events are not uploaded on metered networks. On a free network, normal events can be uploaded every 4 hours if on battery, or every 15 minutes if on A/C power. Diagnostic and crash data are only uploaded on A/C power and free networks. - -### Microsoft Data Management Service - -The Microsoft Data Management Service routes information to internal cloud storage, where it's compiled into business reports for analysis and research. Sensitive info is stored in a separate data store that's locked down to a small subset of Microsoft employees in the Windows Devices Group. The privacy governance team permits access only to people with a valid business justification. The Connected User Experiences and Telemetry component connects to the Microsoft Data Management service at v10.vortex-win.data.microsoft.com. The Connected User Experience and Telemetry component connects to settings-win.data.microsoft.com to collect its settings. - -### Usage - -Information is used by teams within Microsoft to provide, improve, and personalize experiences, and for security, health, quality, and performance analysis. - -An example of personalization is to create individually tailored in-product messages. - -Microsoft doesn't share organization-specific customer information with third parties, except at the customer's direction or for the limited purposes described in the privacy statement. However, we do share business reports with partners that include aggregated, anonymous telemetry information. Decisions to share info are made by an internal team that includes privacy, legal, and data management professionals. - -### Retention - -Microsoft believes in and practices information minimization, so we only gather the info we need, and we only store it for as long as it's needed to provide a service or for analysis. Much of the info about how Windows and apps are functioning is deleted within 30 days. Other info may be retained longer, particularly if there is a regulatory requirement to do so. Info is typically gathered at a fractional sampling rate, which for some client services, can be as low as 1%. - - - - - +title: Configure Windows 10 devices to stop data flow to Microsoft (Windows 10) +redirect_url: http://technet.microsoft.com/en-us/itpro/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft +--- \ No newline at end of file diff --git a/windows/manage/images/settings-table.png b/windows/manage/images/settings-table.png index 1a4aff8def..527d92d9b2 100644 Binary files a/windows/manage/images/settings-table.png and b/windows/manage/images/settings-table.png differ diff --git a/windows/manage/lock-down-windows-10.md b/windows/manage/lock-down-windows-10.md index ffe9e7c732..6371799d7f 100644 --- a/windows/manage/lock-down-windows-10.md +++ b/windows/manage/lock-down-windows-10.md @@ -43,23 +43,27 @@ Enterprises often need to manage how people use corporate devices. Windows 10 p

Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps. The result is similar to [a kiosk device](set-up-a-device-for-anyone-to-use.md), but with multiple apps available. For example, you might set up a library computer so that users can search the catalog and browse the Internet, but can't run any other apps or change computer settings.

-

[Configure telemetry and other settings in your organization](disconnect-your-organization-from-microsoft.md)

-

Learn about the telemetry that Microsoft gathers, the network connections that Windows components make to Microsoft, and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro.

+

[Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md)

+

Use this article to make informed decisions about how you can configure Windows telemetry in your organization.

+

[Configure Windows 10 devices to stop data flow to Microsoft](configure-windows-10-devices-to-stop-data-flow-to-microsoft.md)

+

Learn about the network connections that Windows components make to Microsoft and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro.

+ +

[Configure access to Windows Store](stop-employees-from-using-the-windows-store.md)

IT Pros can configure access to Windows Store for client computers in their organization. For some organizations, business policies require blocking access to Windows Store.

- +

[Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md)

Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places. It can connect you to open Wi-Fi hotspots it knows about through crowdsourcing, or to Wi-Fi networks your contacts have shared with you by using Wi-Fi Sense.

The initial settings for Wi-Fi Sense are determined by the options you chose when you first set up your PC with Windows 10.

- +

[Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md)

Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device.

- +

[Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md)

There are two methods for resetting a Windows 10 Mobile device: factory reset and "wipe and persist" reset.