Manage connections from Windows 10 operating system components to Microsoft services using Microsoft Intune MDM Server
- Windows 10 Enterprise 1903 version and newer
This article describes the network connections that Windows 10 components make to Microsoft and the Mobile Device Management/Configuration Service Provider (MDM/CSP) and custom Open Mobile Alliance Uniform Resource Identifier (OMA URI) policies available to IT Professionals using Microsoft Intune to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a number of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience.
- The Allowed Traffic endpoints for an MDM configuration are here: Allowed Traffic
- CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign.
- There is some traffic which is specifically required for the Microsoft Intune based management of Windows 10 devices. This traffic includes Windows Notifications Service (WNS), Automatic Root Certificates Update (ARCU), and some Windows Update related traffic. The aforementioned traffic comprises the Allowed Traffic for Microsoft Intune MDM Server to manage Windows 10 devices.
- For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device. Examples of settings that can lead to a less secure device configuration include: disabling Windows Update, disabling Automatic Root Certificates Update, and disabling Windows Defender. Accordingly, we do not recommend disabling any of these features.
- To ensure CSPs take priority over Group Policies in case of conflicts, use the ControlPolicyConflict policy.
- The Get Help and Give us Feedback links in Windows may no longer work after applying some or all of the MDM/CSP settings.
For more information on Microsoft Intune please see Transform IT service delivery for your modern workplace and Microsoft Intune documentation.
For detailed information about managing network connections to Microsoft services using Windows Settings, Group Policies and Registry settings see Manage connections from Windows 10 operating system components to Microsoft services.
We are always striving to improve our documentation and welcome your feedback. You can provide feedback by sending email to email@example.com.
Settings for Windows 10 Enterprise edition 1903 and newer
The following table lists management options for each setting.
For Windows 10, the following MDM policies are available in the Policy CSP.
Automatic Root Certificates Update
- MDM Policy: There is intentionally no MDM available for Automatic Root Certificate Update. This MDM does not exist since it would prevent the operation and management of MDM management of devices.
Cortana and Search
Date & Time
- MDM Policy: Settings/AllowDateTime. Allows the user to change date and time settings. Set to 0 (zero)
Device metadata retrieval
- MDM Policy: DeviceInstallation/PreventDeviceMetadataFromNetwork. Choose whether to prevent Windows from retrieving device metadata from the Internet. Set to Enabled
Find My Device
- MDM Policy: Experience/AllowFindMyDevice. This policy turns on Find My Device. Set to 0 (zero)
- MDM Policy: System/AllowFontProviders. Setting that determines whether Windows is allowed to download fonts and font catalog data from an online font provider. Set to 0 (zero)
Insider Preview builds
- MDM Policy: System/AllowBuildPreview. This policy setting determines whether users can access the Insider build controls in the Advanced Options for Windows Update. Set to 0 (zero)
Internet Explorer The following Microsoft Internet Explorer MDM policies are available in the Internet Explorer CSP
- MDM Policy: InternetExplorer/AllowSuggestedSites. Recommends websites based on the user’s browsing activity. Set to Disabled
- MDM Policy: InternetExplorer/PreventManagingSmartScreenFilter. Prevents the user from managing SmartScreen Filter, which warns the user if the website being visited is known for fraudulent attempts to gather personal information through "phishing," or is known to host malware. Set to String with Value:
- <enabled/><data id=”IE9SafetyFilterOptions” value=”1”/>
- MDM Policy: InternetExplorer/DisableFlipAheadFeature. Determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of a website. Set to Enabled
- MDM Policy: InternetExplorer/DisableHomePageChange. Determines whether users can change the default Home Page or not. Set to String with Value:
- <enabled/><data id=”EnterHomePagePrompt” value=”Start Page”/>
- MDM Policy: InternetExplorer/DisableFirstRunWizard. Prevents Internet Explorer from running the First Run wizard the first time a user starts the browser after installing Internet Explorer or Windows. Set to String with Value:
- <enabled/><data id=”FirstRunOptions” value=”1”/>
- MDM Policy: Notifications/DisallowTileNotification. This policy setting turns off tile notifications. If you enable this policy setting applications and system features will not be able to update their tiles and tile badges in the Start screen. Integer value 1
- MDM Policy: Accounts/AllowMicrosoftAccountConnection. Specifies whether the user is allowed to use an MSA account for non-email related connection authentication and services. Set to 0 (zero)
- MDM Policy: Accounts/AllowMicrosoftAccountSignInAssistant. Disable the Microsoft Account Sign-In Assistant. Set to 0 (zero)
- MDM Policy: Browser/AllowAutoFill. Choose whether employees can use autofill on websites. Set to 0 (zero)
- MDM Policy: Browser/AllowDoNotTrack. Choose whether employees can send Do Not Track headers. Set to 0 (zero)
- MDM Policy: Browser/AllowMicrosoftCompatbilityList. Specify the Microsoft compatibility list in Microsoft Edge. Set to 0 (zero)
- MDM Policy: Browser/AllowPasswordManager. Choose whether employees can save passwords locally on their devices. Set to 0 (zero)
- MDM Policy: Browser/AllowSearchSuggestionsinAddressBar. Choose whether the Address Bar shows search suggestions. Set to 0 (zero)
- MDM Policy: Browser/AllowSmartScreen. Choose whether SmartScreen is turned on or off. Set to 0 (zero)
Network Connection Status Indicator
- Connectivity/DisallowNetworkConnectivityActiveTests. Note: After you apply this policy you must restart the device for the policy setting to take effect. Set to 1 (one)
- MDM Policy: DisableOneDriveFileSync. Allows IT Admins to prevent apps and features from working with files on OneDrive. Set to 1 (one)
- Ingest the ADMX - To get the latest OneDrive ADMX file you need an up-to-date Windows 10 client. The ADMX files are located under the following path: %LocalAppData%\Microsoft\OneDrive\ there's a folder with the current OneDrive build (e.g. "18.162.0812.0001"). There is a folder named "adm" which contains the admx and adml policy definition files.
- MDM Policy: Prevent Network Traffic before User SignIn. PreventNetworkTrafficPreUserSignIn. The OMA-URI value is: ./Device/Vendor/MSFT/Policy/Config/OneDriveNGSC~Policy~OneDriveNGSC/PreventNetworkTrafficPreUserSignIn, Data type: String, Value: <enabled/>
Privacy settings Except for the Feedback & Diagnostics page, these settings must be configured for every user account that signs into the PC.
- General - TextInput/AllowLinguisticDataCollection. This policy setting controls the ability to send inking and typing data to Microsoft. Set to 0 (zero)
- Location - System/AllowLocation. Specifies whether to allow app access to the Location service. Set to 0 (zero)
- Camera - Camera/AllowCamera. Disables or enables the camera. Set to 0 (zero)
- Microphone - Privacy/LetAppsAccessMicrophone. Specifies whether Windows apps can access the microphone. Set to 2 (two)
- Notifications - Privacy/LetAppsAccessNotifications. Specifies whether Windows apps can access notifications. Set to 2 (two)
- Notifications - Settings/AllowOnlineTips. Enables or disables the retrieval of online tips and help for the Settings app. Integer value 0
- Speech, Inking, & Typing - Privacy/AllowInputPersonalization. This policy specifies whether users on the device have the option to enable online speech recognition. Set to 0 (zero)
- Speech, Inking, & Typing - TextInput/AllowLinguisticDataCollection. This policy setting controls the ability to send inking and typing data to Microsoft Set to 0 (zero)
- Account info - Privacy/LetAppsAccessAccountInfo. Specifies whether Windows apps can access account information. Set to 2 (two)
- Contacts - Privacy/LetAppsAccessContacts. Specifies whether Windows apps can access contacts. Set to 2 (two)
- Calendar - Privacy/LetAppsAccessCalendar. Specifies whether Windows apps can access the calendar. Set to 2 (two)
- Call history - Privacy/LetAppsAccessCallHistory. Specifies whether Windows apps can access account information. Set to 2 (two)
- Email - Privacy/LetAppsAccessEmail. Specifies whether Windows apps can access email. Set to 2 (two)
- Messaging - Privacy/LetAppsAccessMessaging. Specifies whether Windows apps can read or send messages (text or MMS). Set to 2 (two)
- Phone calls - Privacy/LetAppsAccessPhone. Specifies whether Windows apps can make phone calls. Set to 2 (two)
- Radios - Privacy/LetAppsAccessRadios. Specifies whether Windows apps have access to control radios. Set to 2 (two)
- Other devices - Privacy/LetAppsSyncWithDevices. Specifies whether Windows apps can sync with devices. Set to 2 (two)
- Other devices - Privacy/LetAppsAccessTrustedDevices. Specifies whether Windows apps can access trusted devices. Set to 2 (two)
- Feedback & diagnostics - System/AllowTelemetry. Allow the device to send diagnostic and usage telemetry data, such as Watson. Set to 0 (zero)
- Feedback & diagnostics - Experience/DoNotShowFeedbackNotifications. Prevents devices from showing feedback questions from Microsoft. Set to 1 (one)
- Background apps - Privacy/LetAppsRunInBackground. Specifies whether Windows apps can run in the background. Set to 2 (two)
- Motion - Privacy/LetAppsAccessMotion. Specifies whether Windows apps can access motion data. Set to 2 (two)
- Tasks - Privacy/LetAppsAccessTasks. Turn off the ability to choose which apps have access to tasks. Set to 2 (two)
- App Diagnostics - Privacy/LetAppsGetDiagnosticInfo. Force allow, force deny or give user control of apps that can get diagnostic information about other running apps. Set to 2 (two)
Software Protection Platform - Licensing/DisallowKMSClientOnlineAVSValidation. Opt out of sending KMS client activation data to Microsoft automatically. Set to 1 (one)
Storage Health - Storage/AllowDiskHealthModelUpdates. Allows disk health model updates. Set to 0 (zero)
Sync your settings - Experience/AllowSyncMySettings. Control whether your settings are synchronized. Set to 0 (zero)
Teredo - No MDM needed. Teredo is Off by default. Delivery Optimization (DO) can turn on Teredo, but DO itself is turned Off via MDM.
Wi-Fi Sense - No MDM needed. Wi-Fi Sense is no longer available from Windows 10 version 1803 and newer.
- Defender/AllowCloudProtection. Disconnect from the Microsoft Antimalware Protection Service. Set to 0 (zero)
- Defender/SubmitSamplesConsent. Stop sending file samples back to Microsoft. Set to 2 (two)
- Windows Defender Smartscreen - Browser/AllowSmartScreen. Disable Windows Defender Smartscreen. Set to 0 (zero)
- Windows Defender Smartscreen EnableAppInstallControl - SmartScreen/EnableAppInstallControl. Controls whether users are allowed to install apps from places other than the Microsoft Store. Set to 0 (zero)
- Windows Defender Potentially Unwanted Applications(PUA) Protection - Defender/PUAProtection. Specifies the level of detection for potentially unwanted applications (PUAs). Set to 1 (one)
- Defender/SignatureUpdateFallbackOrder. Allows you to define the order in which different definition update sources should be contacted. The OMA-URI for this is: ./Vendor/MSFT/Policy/Config/Defender/SignatureUpdateFallbackOrder, Data type: String, Value: FileShares
Windows Spotlight - Experience/AllowWindowsSpotlight. Disable Windows Spotlight. Set to 0 (zero)
- ApplicationManagement/DisableStoreOriginatedApps. Boolean value that disables the launch of all apps from Microsoft Store that came pre-installed or were downloaded. Set to 1 (one)
- ApplicationManagement/AllowAppStoreAutoUpdate. Specifies whether automatic update of apps from Microsoft Store are allowed. Set to 0 (zero)
Apps for websites - ApplicationDefaults/EnableAppUriHandlers. This policy setting determines whether Windows supports web-to-app linking with app URI handlers. Set to 0 (zero)
Windows Update Delivery Optimization - The following Delivery Optimization MDM policies are available in the Policy CSP.
- DeliveryOptimization/DODownloadMode. Let’s you choose where Delivery Optimization gets or sends updates and apps. Set to 100 (one hundred)
- Update/AllowAutoUpdate. Control automatic updates. Set to 5 (five)
- Windows Update Allow Update Service - Update/AllowUpdateService. Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store. Set to 0 (zero)
- Windows Update Service URL - Update/UpdateServiceUrl. Allows the device to check for updates from a WSUS server instead of Microsoft Update. Set to String with the Value:
- <Replace><CmdID>$CmdID$<Item><Meta><Format>chr<Type>text/plain</Meta><Target> <LocURI>./Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl</Target><Data>http://abcd-srv:8530</Item></Replace>
|Allowed traffic endpoints|