Manage connections from Windows 10 and Windows 11 operating system components to Microsoft services
This article describes the network connections that Windows 10 and Windows 11 components make to Microsoft and the Windows Settings, Group Policies and registry settings available to IT Professionals to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a number of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience.
Microsoft provides a Windows Restricted Traffic Limited Functionality Baseline package that will allow your organization to quickly configure the settings covered in this document to restrict connections from Windows 10 and Windows 11 to Microsoft. The Windows Restricted Traffic Limited Baseline is based on Group Policy Administrative Template functionality and the package you download contains further instructions on how to deploy to devices in your organization. Since some of the settings can reduce the functionality and security configuration of your device, before deploying Windows Restricted Traffic Limited Functionality Baseline make sure you choose the right settings configuration for your environment and ensure that Windows and Microsoft Defender Antivirus are fully up to date. Failure to do so may result in errors or unexpected behavior. You should not extract this package to the windows\system32 folder because it will not apply correctly.
To use Microsoft Intune cloud-based device management for restricting traffic, please refer to Manage connections from Windows 10 and Windows 11 operating system components to Microsoft services using Microsoft Intune MDM Server.
We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com.
Management options for each setting
The following sections list the components that make network connections to Microsoft services by default. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure diagnostic data at the Security level, turn off Microsoft Defender Antivirus diagnostic data and MSRT reporting, and turn off all of these connections.
Settings for Windows 10 and Windows 11 Enterprise edition
The following table lists management options for each setting, for Windows 10 (beginning with Windows 10 Enterprise version 1607) and Windows 11.
Settings for Windows Server 2016 with Desktop Experience
See the following table for a summary of the management settings for Windows Server 2016 with Desktop Experience.
Settings for Windows Server 2016 Server Core
See the following table for a summary of the management settings for Windows Server 2016 Server Core.
Settings for Windows Server 2016 Nano Server
See the following table for a summary of the management settings for Windows Server 2016 Nano Server.
Settings for Windows Server 2019
See the following table for a summary of the management settings for Windows Server 2019.
How to configure each setting
Use the following sections for more information about how to configure each setting.
1. Automatic Root Certificates Update
The Automatic Root Certificates Update component is designed to automatically check the list of trusted authorities on Windows Update to see if an update is available. For more information, see Automatic Root Certificates Update Configuration. Although not recommended, you can turn off Automatic Root Certificates Update, which also prevents updates to the disallowed certificate list and the pin rules list.
Caution: By not automatically downloading the root certificates the device may not be able to connect to some websites.
For Windows 10, Windows Server 2016 with Desktop Experience, Windows Server 2016 Server Core, and Windows 11:
-or-
On Windows Server 2016 Nano Server:
Note: CRL and OCSP network traffic is currently Allowed Traffic and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of them, but there are many others, such as DigiCert, Thawte, Google, Symantec, and VeriSign.
2. Cortana and Search
Use Group Policies to manage settings for Cortana. For more info, see Cortana, Search, and privacy: FAQ.
2.1 Cortana and Search Group Policies
Find the Cortana Group Policy objects under Computer Configuration > Administrative Templates > Windows Components > Search.
You can also apply the Group Policies using the following registry keys:
Important: Using the Group Policy editor, these steps are required for all supported versions of Windows 10 and Windows 11; however, they are not required for devices running Windows 10, version 1607 or Windows Server 2016.
-or-
If your organization tests network traffic, do not use a network proxy as Windows Firewall does not block proxy traffic. Instead, use a network traffic analyzer. Based on your needs, there are many network traffic analyzers available at no cost.
3. Date & Time
You can prevent Windows from setting the time automatically.
After that, configure the following:
4. Device metadata retrieval
To prevent Windows from retrieving device metadata from the Internet:
5. Find My Device
To turn off Find My Device:
6. Font streaming
Fonts that are included in Windows but that are not stored on the local device can be downloaded on demand. If you're running Windows 10, version 1607, Windows Server 2016, or later:
Note: After you apply this policy, you must restart the device for it to take effect.
7. Insider Preview builds
The Windows Insider Preview program lets you help shape the future of Windows, be part of the community, and get early access to releases of Windows 10 and Windows 11. This setting stops communication with the Windows Insider Preview service that checks for new builds. Windows Insider Preview builds only apply to Windows 10 and Windows 11 and are not available for Windows Server 2016.
Note: If you upgrade a device that is configured to minimize connections from Windows to Microsoft services (that is, a device configured for Restricted Traffic) to a Windows Insider Preview build, the Feedback & Diagnostic setting will automatically be set to Optional (Full). Although the diagnostic data level may initially appear as Required (Basic), a few hours after the UI is refreshed or the machine is rebooted, the setting will become Optional (Full).
To turn off Insider Preview builds for a released version of Windows 10 or Windows 11:
To turn off Insider Preview builds for Windows 10 and Windows 11:
Note: If you're running a preview version of Windows 10 or Windows 11, you must roll back to a released version before you can turn off Insider Preview builds.
8. Internet Explorer
Note: When attempting to use Internet Explorer on any edition of Windows Server be aware there are restrictions enforced by Enhanced Security Configuration (ESC). The following Group Policies and Registry Keys are for user interactive scenarios rather than the typical idle traffic scenario.
Find the Internet Explorer Group Policy objects under Computer Configuration > Administrative Templates > Windows Components > Internet Explorer and make these settings:
There are more Group Policy objects that are used by Internet Explorer:
You can also use Registry keys to set these policies.
To turn off the home page:
To configure the First Run Wizard:
To configure the behavior for a new tab:
8.1 ActiveX control blocking
ActiveX control blocking periodically downloads a new list of out-of-date ActiveX controls that should be blocked. You can turn this off by:
For more info, see Out-of-date ActiveX control blocking.
9. License Manager
You can turn off License Manager related traffic by setting the following registry entry:
10. Live Tiles
To turn off Live Tiles:
11. Mail synchronization
To turn off mail synchronization for Microsoft Accounts that are configured on a device:
To turn off the Windows Mail app:
12. Microsoft Account
Use the setting below to prevent communication to the Microsoft Account cloud authentication service. Many apps and system components that depend on Microsoft Account authentication may lose functionality, some of them in unexpected ways. For example, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher and Windows 11. See Feature updates are not being offered while other updates are.
To disable the Microsoft Account Sign-In Assistant:
13. Microsoft Edge
Use Group Policies to manage settings for Microsoft Edge. For more info, see Microsoft Edge and privacy: FAQ and Configure Microsoft Edge policy settings on Windows. For a complete list of the Microsoft Edge policies, see Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge.
13.1 Microsoft Edge Group Policies
Find the Microsoft Edge Group Policy objects under Computer Configuration > Administrative Templates > Windows Components > Microsoft Edge.
Alternatively, you can configure the following Registry keys as described:
13.2 Microsoft Edge Enterprise
For a complete list of the Microsoft Edge policies, see Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge.
14. Network Connection Status Indicator
Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to http://www.msftconnecttest.com/connecttest.txt to determine if the device can communicate with the Internet. See the Microsoft Networking Blog to learn more. In versions of Windows 10 prior to version 1607 and Windows Server 2016, the URL was
You can turn off NCSI by doing one of the following:
-or-
15. Offline maps
You can turn off the ability to download and update offline maps.
16. OneDrive
To turn off OneDrive in your organization:
17. Preinstalled apps
Some preinstalled apps get content before they are opened to ensure a great experience. You can remove these using the steps in this section.
To remove the News app:
To remove the Weather app:
To remove the Money app:
To remove the Sports app:
To remove the Twitter app:
To remove the XBOX app:
To remove the Sway app:
To remove the OneNote app:
To remove the Get Office app:
To remove the Get Skype app:
To remove the Sticky notes app:
18. Settings > Privacy & security
Use Settings > Privacy & security to configure some settings that may be important to your organization. Except for the Feedback & Diagnostics page, these settings must be configured for every user account that signs into the PC.
18.1 General
General includes options that don't fall into other areas.
Windows 10, version 1703 options
To turn off Let apps use advertising ID to make ads more interesting to you based on your app usage (turning this off will reset your ID):
To turn off Let websites provide locally relevant content by accessing my language list:
To turn off Let Windows track app launches to improve Start and search results:
Windows Server 2016 and Windows 10, version 1607 and earlier options
To turn off Let apps use my advertising ID for experiences across apps (turning this off will reset your ID):
-or-
To turn off Turn on Microsoft Defender SmartScreen to check web content (URLs) that Microsoft Store apps use:
To turn off Send Microsoft info about how I write to help us improve typing and writing in the future:
Note: If the diagnostic data level is set to either Basic or Security, this is turned off automatically.
To turn off Let websites provide locally relevant content by accessing my language list:
To turn off Let apps on my other devices open apps and continue experiences on this device:
To turn off Let apps on my other devices use Bluetooth to open apps and continue experiences on this device:
18.2 Location
In the Location area, you choose whether devices have access to location-specific sensors and which apps have access to the device's location.
To turn off Location for this device:
To turn off Allow apps to access your location:
To turn off Location history:
To turn off Choose apps that can use your location:
18.3 Camera
In the Camera area, you can choose which apps can access a device's camera.
To turn off Let apps use my camera:
To turn off Choose apps that can use your camera:
18.4 Microphone
In the Microphone area, you can choose which apps can access a device's microphone.
To turn off Let apps use my microphone:
To turn off Choose apps that can use your microphone:
18.5 Notifications
To turn off notifications network usage:
In the Notifications area, you can also choose which apps have access to notifications.
To turn off Let apps access my notifications:
18.6 Speech
In the Speech area, you can configure the functionality as such:
To turn off dictation of your voice, speaking to Cortana and other apps, and to prevent sending your voice input to Microsoft Speech services:
If you're running Windows 10, version 1703 up to and including Windows 10, version 1803, you can turn off updates to the speech recognition and speech synthesis models:
18.7 Account info
In the Account Info area, you can choose which apps can access your name, picture, and other account info.
To turn off Let apps access my name, picture, and other account info:
To turn off Choose the apps that can access your account info:
18.8 Contacts
In the Contacts area, you can choose which apps can access an employee's contacts list.
To turn off Choose apps that can access contacts:
18.9 Calendar
In the Calendar area, you can choose which apps have access to an employee's calendar.
To turn off Let apps access my calendar:
To turn off Choose apps that can access calendar:
18.10 Call history
In the Call history area, you can choose which apps have access to an employee's call history.
To turn off Let apps access my call history:
18.11 Email
In the Email area, you can choose which apps have access and can send email.
To turn off Let apps access and send email:
18.12 Messaging
In the Messaging area, you can choose which apps can read or send messages.
To turn off Let apps read or send messages (text or MMS):
To turn off Choose apps that can read or send messages:
To turn off Message Sync
18.13 Phone calls
In the Phone calls area, you can choose which apps can make phone calls.
To turn off Let apps make phone calls:
To turn off Choose apps that can make phone calls:
18.14 Radios
In the Radios area, you can choose which apps can turn a device's radio on or off.
To turn off Let apps control radios:
To turn off Choose apps that can control radios:
18.15 Other devices
In the Other Devices area, you can choose whether devices that aren't paired to PCs, such as an Xbox One, can share and sync info.
To turn off Let apps automatically share and sync info with wireless devices that don't explicitly pair with your PC, tablet, or phone:
To turn off Let your apps use your trusted devices (hardware you've already connected, or comes with your PC, tablet, or phone):
18.16 Feedback & diagnostics
In the Feedback & Diagnostics area, you can choose how often you're asked for feedback and how much diagnostic and usage information is sent to Microsoft. If you're looking for content on what each diagnostic data level means and how to configure it in your organization, see Configure Windows diagnostic data in your organization.
Note: Feedback frequency only applies to user-generated feedback, not diagnostic and usage data sent from the device.
To change how frequently Windows should ask for my feedback:
To change the level of diagnostic and usage data sent when you Send your device data to Microsoft:
Note: If the Security option is configured by using Group Policy or the Registry, the value will not be reflected in the UI. The Security option is only available in Windows 10 and Windows 11 Enterprise edition.
To turn off tailored experiences with relevant tips and recommendations by using your diagnostics data:
18.17 Background apps
In the Background Apps area, you can choose which apps can run in the background.
To turn off Let apps run in the background:
-or-
Note: Some apps, including Cortana and Search, might not function as expected if you set Let apps run in the background to Force Deny.
18.18 Motion
In the Motion area, you can choose which apps have access to your motion data.
To turn off Let Windows and your apps use your motion data and collect motion history:
18.19 Tasks
In the Tasks area, you can choose which apps have access to your tasks. To turn this off:
18.20 App Diagnostics
In the App diagnostics area, you can choose which apps have access to your diagnostic information. To turn this off:
18.21 Inking & Typing
In the Inking & Typing area you can configure the functionality as such:
To turn off Inking & Typing data collection:
18.22 Activity History
In the Activity History area, you can choose to turn off tracking of your Activity History.
To turn this off in the UI:
-OR-
-OR-
18.23 Voice Activation
In the Voice activation area, you can choose to turn off apps' ability to listen for a Voice keyword.
To turn this off in the UI:
-OR-
-OR-
18.24 News and interests
In the Windows Feeds area, you can choose which apps have access to your diagnostic information. To turn this off:
19. Software Protection Platform
Enterprise customers can manage their Windows activation status with volume licensing using an on-premises Key Management Server. You can opt out of sending KMS client activation data to Microsoft automatically by doing one of the following:
For Windows 10 and Windows 11:
For Windows Server 2019 or later:
For Windows Server 2016:
Note: Due to a known issue the Turn off KMS Client Online AVS Validation group policy does not work as intended on Windows Server 2016; the NoAcquireGT value needs to be set instead. The Windows activation status will be valid for a rolling period of 180 days with weekly activation status checks to the KMS.
20. Storage health
Enterprise customers can manage updates to the Disk Failure Prediction Model.
For Windows 10 and Windows 11:
21. Sync your settings
You can control if your settings are synchronized:
To turn off Messaging cloud sync:
22. Teredo
You can disable Teredo by using Group Policy or by using the netsh.exe command. For more info on Teredo, see Internet Protocol Version 6, Teredo, and Related Technologies.
Note: If you disable Teredo, some XBOX gaming features and Delivery Optimization (with Group or Internet peering) will not work.
23. Wi-Fi Sense
Important: Beginning with Windows 10, version 1803, Wi-Fi Sense is no longer available. The following section only applies to Windows 10, version 1709 and prior. Please see Connecting to open Wi-Fi hotspots in Windows 10 for more details.
Wi-Fi Sense automatically connects devices to known hotspots and to the wireless networks the person’s contacts have shared with them.
To turn off Connect to suggested open hotspots and Connect to networks shared by my contacts:
When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings screen, but they’re non-functional and they can’t be controlled by the employee.
24. Microsoft Defender Antivirus
You can disconnect from the Microsoft Antimalware Protection Service.
Important: Required Steps BEFORE setting the Microsoft Defender Antivirus Group Policy or RegKey on Windows 10 version 1903
-OR-
You can stop sending file samples back to Microsoft.
You can stop downloading Definition Updates:
Note: The Group Policy path for 1809 and earlier builds is Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Signature Updates
You can turn off Malicious Software Reporting Tool (MSRT) diagnostic data:
You can turn off Enhanced Notifications as follows:
24.1 Microsoft Defender SmartScreen
To disable Microsoft Defender SmartScreen:
In Group Policy, configure:
-OR-
25. Personalized Experiences
Personalized experiences provides features such as different background images and text on the lock screen, suggested apps, Microsoft account notifications, and Windows tips. Example features include Windows Spotlight and Start Suggestions. You can control them by using the Group Policy.
Note: This excludes how individual experiences (e.g., Windows Spotlight) can be controlled by users in Windows Settings.
If you're running Windows 10, version 1607 or later, or Windows 11, you need to:
-AND-
26. Microsoft Store
You can turn off the ability to launch apps from the Microsoft Store that were preinstalled or downloaded. This will also turn off automatic app updates, and the Microsoft Store will be disabled. In addition, new email accounts cannot be created by clicking Settings > Accounts > Email & app accounts > Add an account. On Windows Server 2016, this will block Microsoft Store calls from Universal Windows Apps.
-AND-
27. Apps for websites
You can turn off apps for websites, preventing customers who visit websites that are registered with their associated app from directly launching the app.
28. Delivery Optimization
Delivery Optimization is the downloader of Windows updates, Microsoft Store apps, Office and other content from Microsoft. Delivery Optimization can also download from sources in addition to Microsoft, which not only helps when you have a limited or unreliable Internet connection, but can also help you reduce the amount of bandwidth needed to keep all of your organization's PCs up-to-date. If you have Delivery Optimization Peer-to-Peer option turned on, PCs on your network may send and receive updates and apps to other PCs on your local network, if you choose, or to PCs on the Internet. By default, PCs running Windows 10 or Windows 11 will only use Delivery Optimization to get and receive updates for PCs and apps on your local network. Use the UI, Group Policy, or Registry Keys to set up Delivery Optimization. In Windows 10, version 1607 and above, and Windows 11 you can stop network traffic related to Delivery Optimization Cloud Service by setting Download Mode to Simple Mode (99), as described below.
28.1 Settings > Update & security
You can set up Delivery Optimization Peer-to-Peer from the Settings UI.
28.2 Delivery Optimization Group Policies
You can find the Delivery Optimization Group Policy objects under Computer Configuration > Administrative Templates > Windows Components > Delivery Optimization.
For a comprehensive list of Delivery Optimization Policies, see Delivery Optimization Reference.
28.3 Delivery Optimization
-or-
For more info about Delivery Optimization in general, see Windows Update Delivery Optimization: FAQ. For IT Professionals, information about Delivery Optimization is available here: Delivery Optimization for Windows 10 updates.
29. Windows Update
You can turn off Windows Update by setting the following registry entries:
-OR-
You can turn off automatic updates by doing the following. This is not recommended.
For China releases of Windows 10 there is one additional Regkey to be set to prevent traffic:
30. Cloud Clipboard
Specifies whether clipboard items roam across devices. When this is allowed, an item copied to the clipboard is uploaded to the cloud so that other devices can access it. Clipboard items in the cloud can be downloaded and pasted across your Windows 10 and Windows 11 devices. Most restricted value is 0.
ADMX Info:
The following list shows the supported values:
31. Services Configuration
Services Configuration is used by Windows components and apps, such as the telemetry service, to dynamically update their configuration. If you turn off this service, apps using this service may stop working. You can turn off Services Configuration by setting the following registry entries:
Add a REG_DWORD value named DisableOneSettingsDownloads to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DataCollection and set the value to 1.
32. Widgets
Widgets is a news and feeds service that can be customized by the user. If you turn off this service, apps using this service may stop working. You can turn off Widgets by setting the following registry entries:
Add a REG_DWORD value named AllowWidgets to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Widgets and set the value to 0.
Allowed traffic list for Windows Restricted Traffic Limited Functionality Baseline
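As an added example (not part of the original article and not Microsoft's code), the following PowerShell function audits the two registry values given in sections 31 and 32 above and can optionally set them. The function name, the -Remediate switch and the state labels are hypothetical; writing under HKEY_LOCAL_MACHINE requires an elevated session.

```powershell
# Added example: audit, and optionally set, the policy values that sections 31
# and 32 of this article name. Function and parameter names are hypothetical.
function Test-RestrictedTrafficSetting {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # When present, missing or wrong values are written (needs elevation).
        [switch]$Remediate
    )

    # Paths, names and values exactly as stated in the article.
    $expected = @(
        [pscustomobject]@{
            Section = '31. Services Configuration'
            Path    = 'HKLM:\Software\Policies\Microsoft\Windows\DataCollection'
            Name    = 'DisableOneSettingsDownloads'
            Value   = 1
        },
        [pscustomobject]@{
            Section = '32. Widgets'
            Path    = 'HKLM:\Software\Policies\Microsoft\Windows\Widgets'
            Name    = 'AllowWidgets'
            Value   = 0
        }
    )

    foreach ($item in $expected) {
        $current = $null
        $kind    = $null

        # Read the value and its type without throwing when the key is absent.
        $key = Get-Item -LiteralPath $item.Path -ErrorAction SilentlyContinue
        if ($key -and ($key.GetValueNames() -contains $item.Name)) {
            $current = $key.GetValue($item.Name)
            $kind    = $key.GetValueKind($item.Name)
        }

        # A value of the right number but the wrong type (for example REG_SZ "1")
        # is reported separately, because the article asks for REG_DWORD.
        if ($null -eq $kind) {
            $state = 'Missing'
        } elseif ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
            $state = 'WrongType'
        } elseif ($current -ne $item.Value) {
            $state = 'Mismatch'
        } else {
            $state = 'Compliant'
        }

        $target = "$($item.Path)\$($item.Name)"
        if ($Remediate -and $state -ne 'Compliant' -and
            $PSCmdlet.ShouldProcess($target, "Set REG_DWORD to $($item.Value)")) {
            if (-not (Test-Path -LiteralPath $item.Path)) {
                New-Item -Path $item.Path -Force | Out-Null
            }
            New-ItemProperty -LiteralPath $item.Path -Name $item.Name `
                -PropertyType DWord -Value $item.Value -Force | Out-Null
            $state = 'Remediated'
        }

        [pscustomobject]@{
            Section  = $item.Section
            Name     = $item.Name
            Expected = $item.Value
            Current  = $current
            State    = $state
        }
    }
}

# Report only:              Test-RestrictedTrafficSetting | Format-Table
# Preview the changes:      Test-RestrictedTrafficSetting -Remediate -WhatIf
# Apply (elevated session): Test-RestrictedTrafficSetting -Remediate
```

As the article notes for both settings, apps that rely on these services may stop working once the values are applied, so run the report-only form first and review the output.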
To learn more, see Device update management and Configure Automatic Updates by using Group Policy.