mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-29 13:47:23 +00:00
22 KiB
22 KiB
title, description, ms.assetid, keywords, ms.prod, ms.mktglfcycl, ms.sitesec, ms.localizationpriority, author, ms.author, ms.date
| title | description | ms.assetid | keywords | ms.prod | ms.mktglfcycl | ms.sitesec | ms.localizationpriority | author | ms.author | ms.date |
|---|---|---|---|---|---|---|---|---|---|---|
| Manage connections from Windows operating system components to Microsoft services using Microsoft Intune MDM Server | Use MDM CSPs to minimize connections from Windows to Microsoft services, or to configure particular privacy settings. | ACCEB0DD-BC6F-41B1-B359-140B242183D9 | privacy, manage connections to Microsoft, Windows 10 | w10 | manage | library | medium | medgarmedgar | v-medgar | 3/1/2019 |
Manage connections from Windows operating system components to Microsoft services using Microsoft Intune MDM Server
Applies to
- Windows 10 Enterprise 1903 version and newer
You can use Microsoft InTune with MDM CSPs and custom OMA URIs to minimize connections from Windows to Microsoft services, or to configure particular privacy settings. You can configure diagnostic data at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment from the list in this article.
To ensure CSPs take priority over Group Policies in case of conflicts, use the ControlPolicyConflict policy.
You can configure diagnostic data at the Security/Basic level, turn off Windows Defender diagnostic data and MSRT reporting, and turn off all other connections to Microsoft network endpoints as described in this article to help prevent Windows from sending any data to Microsoft. There are many reasons why these communications are enabled by default, such as updating malware definitions and maintain current certificate revocation lists, which is why we strongly recommend against this. This data helps us deliver a secure, reliable, and more delightful personalized experience.
Note, there is some traffic which is required (i.e. "whitelisted") for the operation of Windows and the Microsoft InTune based management. This traffic includes CRL and OCSP network traffic which will show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of them, but there are many others, such as DigiCert, Thawte, Google, Symantec, and VeriSign. Additional whitelisted traffic specifically for MDM managed devices includes Windows Notification Service related traffic as well as some specific Microsoft InTune and Windows Update related traffic.
For more information on Microsoft InTune please see Transform IT service delivery for your modern workplace and Microsoft Intune documentation.
For detailed information about managing network connections to Microsoft services using Registries, Group Policies, or UI see Manage connections from Windows operating system components to Microsoft services.
The endpoints for the MDM “whitelisted” traffic are in the Whitelisted Traffic.
Settings for Windows 10 Enterprise edition 1903 and newer
The following table lists management options for each setting.
For Windows 10, the following MDM policies are available in the Policy CSP.
| Setting | MDM Policy | Description |
|---|---|---|
| 1. Automatic Root Certificates Update | There is intentionally no MDM available for Automatic Root Certificate Update. | This MDM does not exist since it would prevent the operation and management of MDM management of devices. |
| 2. Cortana and Search | Experience/AllowCortana | Choose whether to let Cortana install and run on the device. Set to 0 (zero) |
| Search/AllowSearchToUseLocation | Choose whether Cortana and Search can provide location-aware search results. Set to 0 (zero) | |
| 3. Date & Time | Settings/AllowDateTime | Allows the user to change date and time settings. Set to 0 (zero) |
| 4. Device metadata retrieval | DeviceInstallation/PreventDeviceMetadataFromNetwork | Choose whether to prevent Windows from retrieving device metadata from the Internet. Set to Enabled |
| 5. Find My Device | Experience/AllowFindMyDevice | This policy turns on Find My Device. Set to 0 (zero) |
| 6. Font streaming | System/AllowFontProviders | Setting that determines whether Windows is allowed to download fonts and font catalog data from an online font provider. Set to 0 (zero) |
| 7. Insider Preview builds | System/AllowBuildPreview | This policy setting determines whether users can access the Insider build controls in the Advanced Options for Windows Update. Set to 0 (zero) |
| 8. Internet Explorer | The following Microsoft Internet Explorer MDM policies are available in the Internet Explorer CSP | |
| InternetExplorer/AllowSuggestedSites | Recommends websites based on the user’s browsing activity. Set to Disabled | |
| InternetExplorer/PreventManagingSmartScreenFilter | Prevents the user from managing SmartScreen Filter, which warns the user if the website being visited is known for fraudulent attempts to gather personal information through "phishing," or is known to host malware. Set to Enabled | |
| InternetExplorer/DisableFlipAheadFeature | Determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of a website. Set to Enabled | |
| InternetExplorer/DisableHomePageChange | Determines whether users can change the default Home Page or not. Set to Enabled | |
| InternetExplorer/DisableFirstRunWizard | Prevents Internet Explorer from running the First Run wizard the first time a user starts the browser after installing Internet Explorer or Windows. Set to Enabled | |
| 9. Live Tiles | Notifications/DisallowTileNotification | This policy setting turns off tile notifications. If you enable this policy setting applications and system features will not be able to update their tiles and tile badges in the Start screen. Set to Enabled |
| 10. Mail synchronization | Accounts/AllowMicrosoftAccountConnection | Specifies whether the user is allowed to use an MSA account for non-email related connection authentication and services. Set to 0 (zero) |
| 11. Microsoft Account | Accounts/AllowMicrosoftAccountSignInAssistant | Disable the Microsoft Account Sign-In Assistant. Set to 0 (zero) |
| 12. Microsoft Edge | The following Microsoft Edge MDM policies are available in the Policy CSP. For a complete list of the Microsoft Edge policies, see Available policies for Microsoft Edge. | |
| Browser/AllowAutoFill | Choose whether employees can use autofill on websites. Set to 0 (zero) | |
| Browser/AllowDoNotTrack | Choose whether employees can send Do Not Track headers. Set to 0 (zero) | |
| Browser/AllowMicrosoftCompatbilityList | Specify the Microsoft compatibility list in Microsoft Edge. Set to 0 (zero) | |
| Browser/AllowPasswordManager | Choose whether employees can save passwords locally on their devices. Set to 0 (zero) | |
| Browser/AllowSearchSuggestionsinAddressBar | Choose whether the Address Bar shows search suggestions. Set to 0 (zero) | |
| Browser/AllowSmartScreen | Choose whether SmartScreen is turned on or off. Set to 0 (zero) | |
| 13. Network Connection Status Indicator | Connectivity/DisallowNetworkConnectivityActiveTests | Note: After you apply this policy you must restart the device for the policy setting to take effect. Set to 1 (one) |
| 14. Offline maps | AllowOfflineMapsDownloadOverMeteredConnection | Allows the download and update of map data over metered connections. Set to 0 (zero) |
| EnableOfflineMapsAutoUpdate | Disables the automatic download and update of map data. Set to 0 (zero) | |
| 15. OneDrive | DisableOneDriveFileSync | Allows IT Admins to prevent apps and features from working with files on OneDrive. Set to 1 (one) |
| 16. Preinstalled apps | N/A | N/A |
| 17. Privacy settings | Except for the Feedback & Diagnostics page, these settings must be configured for every user account that signs into the PC. | |
| 17.1 General | TextInput/AllowLinguisticDataCollection | This policy setting controls the ability to send inking and typing data to Microsoft. Set to 0 (zero) |
| 17.2 Location | System/AllowLocation | Specifies whether to allow app access to the Location service. Set to 0 (zero) |
| 17.3 Camera | Camera/AllowCamera | Disables or enables the camera. Set to 0 (zero) |
| 17.4 Microphone | Privacy/LetAppsAccessMicrophone | Specifies whether Windows apps can access the microphone. Set to 2 (two) |
| 17.5 Notifications | Notifications/DisallowCloudNotification | Turn off notifications network usage. DO NOT TURN OFF WNS Notifications if you want manage your device(s) using Microsoft InTune |
| Privacy/LetAppsAccessNotifications | Specifies whether Windows apps can access notifications. Set to 2 (two) | |
| Settings/AllowOnlineTips | Enables or disables the retrieval of online tips and help for the Settings app. Set to Disabled | |
| 17.6 Speech, Inking, & Typing | Privacy/AllowInputPersonalization | This policy specifies whether users on the device have the option to enable online speech recognition. Set to 0 (zero) |
| TextInput/AllowLinguisticDataCollection | This policy setting controls the ability to send inking and typing data to Microsoft Set to 0 (zero) | |
| 17.7 Account info | Privacy/LetAppsAccessAccountInfo | Specifies whether Windows apps can access account information. Set to 2 (two) |
| 17.8 Contacts | Privacy/LetAppsAccessContacts | Specifies whether Windows apps can access contacts. Set to 2 (two) |
| 17.9 Calendar | Privacy/LetAppsAccessCalendar | Specifies whether Windows apps can access the calendar. Set to 2 (two) |
| 17.10 Call history | Privacy/LetAppsAccessCallHistory | Specifies whether Windows apps can access account information. Set to 2 (two) |
| 17.11 Email | Privacy/LetAppsAccessEmail | Specifies whether Windows apps can access email. Set to 2 (two) |
| 17.12 Messaging | Privacy/LetAppsAccessMessaging | Specifies whether Windows apps can read or send messages (text or MMS). Set to 2 (two) |
| 17.13 Phone calls | Privacy/LetAppsAccessPhone | Specifies whether Windows apps can make phone calls. Set to 2 (two) |
| 17.14 Radios | Privacy/LetAppsAccessRadios | Specifies whether Windows apps have access to control radios. Set to 2 (two) |
| 17.15 Other devices | Privacy/LetAppsSyncWithDevices | Specifies whether Windows apps can sync with devices. Set to 2 (two) |
| Privacy/LetAppsAccessTrustedDevices | Specifies whether Windows apps can access trusted devices. Set to 2 (two) | |
| 17.16 Feedback & diagnostics | System/AllowTelemetry | Allow the device to send diagnostic and usage telemetry data, such as Watson. Set to 0 (zero) |
| Experience/DoNotShowFeedbackNotifications | Prevents devices from showing feedback questions from Microsoft. Set to 1 (one) | |
| 17.17 Background apps | Privacy/LetAppsRunInBackground | Specifies whether Windows apps can run in the background. Set to 2 (two) |
| 17.18 Motion | Privacy/LetAppsAccessMotion | Specifies whether Windows apps can access motion data. Set to 2 (two) |
| 17.19 Tasks | Privacy/LetAppsAccessTasks | Turn off the ability to choose which apps have access to tasks. Set to 2 (two) |
| 17.20 App Diagnostics | Privacy/LetAppsGetDiagnosticInfo | Force allow, force deny or give user control of apps that can get diagnostic information about other running apps. Set to 2 (two) |
| 18. Software Protection Platform | Licensing/DisallowKMSClientOnlineAVSValidation | Opt out of sending KMS client activation data to Microsoft automatically. Set to 1 (one) |
| 19. Storage Health | Storage/AllowDiskHealthModelUpdates | Allows disk health model updates. Set to 0 (zero) |
| 20. Sync your settings | Experience/AllowSyncMySettings | Control whether your settings are synchronized. Set to 0 (zero) |
| 21. Teredo | No MDM needed | Teredo is Off by default. Delivery Optimization (DO) can turn on Teredo, but DO itself is turned Off via MDM. |
| 22. Wi-Fi Sense | No MDM needed | Wi-Fi Sense is no longer available from Windows 10 version 1803 and newer. |
| 23. Windows Defender | Defender/AllowCloudProtection | Disconnect from the Microsoft Antimalware Protection Service. Set to 0 (zero) |
| Defender/SubmitSamplesConsent | Stop sending file samples back to Microsoft. Set to 2 (two) | |
| 23.1 Windows Defender Smartscreen | Browser/AllowSmartScreen | Disable Windows Defender Smartscreen. Set to 0 (zero) |
| 23.2 Windows Defender Smartscreen EnableAppInstallControl | SmartScreen/EnableAppInstallControl | Controls whether users are allowed to install apps from places other than the Microsoft Store. Set to 0 (zero) |
| 24. Windows Spotlight | Experience/AllowWindowsSpotlight | Disable Windows Spotlight. Set to 0 (zero) |
| 25. Microsoft Store | ApplicationManagement/DisableStoreOriginatedApps | Boolean value that disables the launch of all apps from Microsoft Store that came pre-installed or were downloaded. Set to 1 (one) |
| ApplicationManagement/AllowAppStoreAutoUpdate | Specifies whether automatic update of apps from Microsoft Store are allowed. Set to 0 (zero) | |
| 25.1 Apps for websites | ApplicationDefaults/EnableAppUriHandlers | This policy setting determines whether Windows supports web-to-app linking with app URI handlers. Set to 0 (zero) |
| 26. Windows Update Delivery Optimization | The following Delivery Optimization MDM policies are available in the Policy CSP. | |
| DeliveryOptimization/DODownloadMode | Lets you choose where Delivery Optimization gets or sends updates and apps. Set to 100 (one hundred) | |
| 27. Windows Update | Update/AllowAutoUpdate | Control automatic updates. Set to 5 (five) |
Allowed traffic ("Whitelisted traffic") for Microsoft InTune / MDM configurations
| Allowed traffic endpoints |
|---|
| ctldl.windowsupdate.com |
| cdn.onenote.net |
| r.manage.microsoft.com |
| tile-service.weather.microsoft.com |
| settings-win.data.microsoft.com |
| client.wns.windows.com |
| dm3p.wns.windows.com |
| crl.microsoft.com/pki/crl/* |
| microsoft.com/pkiops/crl/* |
| activation-v2.sls.microsoft.com/* |
| ocsp.digicert.com/* |