Hardening Windows 10 Desktops – Part 2

3 January 2021, by angelusadeuszabulus

Computer Configuration / Administrative Templates / Windows Components / Windows Error Reporting

  • On your domain controller, open the Group Policy Management console, right-click on Group Policy Objects, and click Create a GPO in this domain.
  • Name the GPO and click OK
  • Once the GPO is created, right-click it and click Edit
  • Go to: Computer Configuration / Administrative Templates / Windows Components / Windows Error Reporting

 

Disable Windows Error Reporting

“This policy setting turns off Windows Error Reporting, so that no report is collected or sent to Microsoft or to internal servers within your organization when software unexpectedly stops working or fails.

If you enable this policy setting, Windows Error Reporting does not send information about problems to Microsoft. Additionally, no solution information is available in Security and Maintenance in Control Panel.

If you disable or do not configure this policy setting, the Disable Windows Error Reporting policy setting in Computer Configuration / Administrative Templates / System / Internet Communication Management / Internet Communication Settings takes precedence. If otherwise Disable Error Reporting is disabled or not configured, the user settings for Windows Error Reporting in Control Panel are applied.”

  • We will choose Enabled

Automatically send memory dumps for error reports generated by the operating system

“This policy setting controls whether memory dumps can be sent automatically to Microsoft in addition to error reporting generated by the operating system. This policy does not apply to error reports generated by third-party products, or to additional data other than memory dumps.

If you enable or do not configure this policy setting, all memory dumps generated for error reporting by Microsoft Windows are automatically downloaded, without notifying the user.

If you disable this policy setting, all memory dumps are downloaded based on the default consent and notification settings.”

  • We will choose Disabled

Do not send additional data

“This policy setting controls whether additional data can be sent automatically to Microsoft in addition to error reporting.

If you enable this policy setting, any request for additional data from Microsoft in response to a Windows error report is automatically denied without notifying the user.

If you disable or do not configure this policy setting, the consent policy settings in Computer Configuration / Administrative Templates / Windows Components / Windows Error Reporting / Consent take precedence.”

  • We will choose Enabled
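
The same three Windows Error Reporting settings can be scripted instead of clicked through. This is an added example, not code from the original post: the GPO name and the OU in the commented link line are placeholders, and the registry value names are the ones the stock ADMX templates write for these policies (verify them against your own PolicyDefinitions store).

```powershell
# Added example, not from the original post. Run on a machine with the
# GroupPolicy module (RSAT or a domain controller) as a Group Policy admin.
Import-Module GroupPolicy

$gpoName = 'Hardening - Windows Error Reporting'   # hypothetical GPO name
$werKey  = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting'

# Registry value behind each setting and the state chosen above.
$settings = [ordered]@{
    Disabled               = 1   # Disable Windows Error Reporting      -> Enabled
    AutoApproveOSDumps     = 0   # Automatically send memory dumps ...   -> Disabled
    DontSendAdditionalData = 1   # Do not send additional data           -> Enabled
}

# Create the GPO only if it does not exist yet, so the script can be re-run.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Windows 10 hardening: error reporting'
}

foreach ($valueName in $settings.Keys) {
    Set-GPRegistryValue -Name $gpoName -Key $werKey -ValueName $valueName `
        -Type DWord -Value $settings[$valueName] | Out-Null
}

# Read the values back from the GPO and stop on any mismatch.
foreach ($valueName in $settings.Keys) {
    $stored = Get-GPRegistryValue -Name $gpoName -Key $werKey -ValueName $valueName
    if ($stored.Value -ne $settings[$valueName]) {
        throw "GPO '$gpoName': $valueName is $($stored.Value), expected $($settings[$valueName])"
    }
}

# Keep an HTML report of the GPO as a change record.
Get-GPOReport -Name $gpoName -ReportType Html -Path "$env:TEMP\$gpoName.html"

# The GPO has no effect until it is linked. Placeholder target, adjust to your domain:
# New-GPLink -Name $gpoName -Target 'OU=Workstations,DC=example,DC=com'
```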

Computer configuration / Administrative templates / Control panel / Regional and language options

  • On your domain controller, open the Group Policy Management console, right-click on Group Policy Objects, and click Create a GPO in this domain.
  • Name the GPO and click OK
  • Once the GPO is created, right-click it and click Edit
  • Go to: Computer Configuration / Administrative Templates / Control Panel / Regional and Language Options

 

Authorize input customization

“This strategy activates the input personalization machine learning component that includes speech, handwriting and typing recognition.

Machine learning enables the collection of voice and handwritten patterns, typing histories, contacts, and recent calendar information. This tool is required to use Cortana. Some of the information collected may be stored on the user’s OneDrive, in the case of handwritten and typing entries; some information will be uploaded to Microsoft to customize speech recognition.

Machine learning for speech recognition may not be available for all languages, even though handwriting and typing is available.

If this policy is enabled, machine learning of speech, handwriting and typing recognition is enabled and users cannot change its value through PC settings.

If this policy is disabled, machine learning of speech, handwriting, and typing will stop and users cannot change its value through PC settings.

If this policy is not configured, the user can configure the speech, handwriting and typing recognition personalization setting through the PC settings.”

  • We will choose Disabled

Disable machine learning
  • We go to Computer configuration / Administrative templates / Control panel / Regional and language options / Personalization of handwriting

“This policy setting disables the Machine Learning component of the Handwriting Recognition Customization Tool.

Machine learning enables collection and storage of text and handwriting to make it easier to adapt handwriting recognition to the user’s vocabulary and writing system.

The collected text includes all outgoing messages from Windows Mail and MAPI mail clients, plus URLs from Internet Explorer browser history. The information stored includes word frequency as well as new words that are not yet known to handwriting recognition engines (e.g., proper names and acronyms). Deleting email content or browser history does not delete stored personalization data. Handwriting entered through the Input Panel is collected and then stored.

Note: The combined text and handwriting machine learning may not be available for all languages, even when handwriting personalization is available. For more information, see the Tablet PC Help.

If you enable this policy setting, machine learning stops and all stored data is deleted. Users cannot configure this policy setting in Control Panel.

If you disable this policy setting, machine learning is enabled. Users cannot configure this policy setting in Control Panel. The data collected is used only for handwriting recognition, provided that handwriting personalization is enabled.

If you do not configure this policy setting, users can choose to enable or disable machine learning on the Handwriting tab of Tablet PC Settings in Control Panel or in the options dialog box.

This policy setting is associated with the “Disable handwriting personalization” policy setting.

Note: The amount of handwriting stored is limited to 50MB, and the amount of text information is approximately 5MB. When these limits are reached and new data is collected, old data is deleted to make room for newer data.

Note: Handwriting personalization works only for Microsoft handwriting recognition engines and not with third-party recognition engines.”

  • We will choose Enabled

Computer configuration / Administrative templates / System / Internet communication management / Internet communication settings

  • On your domain controller, open the Group Policy Management console, right-click on Group Policy Objects, and click Create a GPO in this domain.
  • Name the GPO and click OK
  • Once the GPO is created, right-click it and click Edit
  • Go to: Computer configuration / Administrative templates / System / Internet communication management / Internet communication settings

 

Disable “Did you know?” Content in the help center

“This policy setting indicates whether the “Did you know?” section of the Help and Support Center should be displayed.

This content is dynamically updated when users who are connected to the Internet open the Help and Support Center, and provides up-to-date information about Windows and the computer.

If you enable this policy setting, Help and Support Center no longer retrieves and displays content from the “Did you know?” section.

If you disable or do not configure this policy setting, Help and Support Center retrieves and displays the contents of the “Did you know?” section.

Enabling this policy setting may be of interest to users who do not have Internet access, because the content in the “Did you know?” section remains static if it cannot be updated over an Internet connection.”

  • We will choose Enabled

Disable sharing of handwriting personalization data

“Disables the data sharing feature of the handwriting recognition personalization tool.

This tool allows Tablet PC users to tailor handwriting recognition to their own writing style by providing handwriting samples. The tool may optionally share the user’s handwriting samples with Microsoft for the purpose of improving handwriting recognition in future versions of Windows. It is responsible for producing reports and transmitting them to Microsoft via a secure connection.

If you enable this policy, you prevent Tablet PC users from sharing Handwriting Recognition Personalization Tool handwriting samples with Microsoft.

If you disable this policy, the Tablet PC user’s handwriting samples from the Handwriting Recognition Customization Tool are automatically shared with Microsoft.

If you do not configure this policy, Tablet PC users will be free to choose whether or not to share their Handwriting Recognition Personalization Tool handwriting samples with Microsoft.”

  • We will choose Enabled

Disable Windows Customer Experience Improvement Program

“This policy setting indicates whether Windows Messenger collects anonymous information about how the Windows Messenger software and service are used.

Through the Customer Experience Improvement Program, users can enable Microsoft to collect anonymous information about product usage. This information is used to improve the product in future versions.

If you enable this policy setting, Windows Messenger does not collect any usage information, and the user settings that allow this information to be collected are not displayed.

If you disable this policy setting, Windows Messenger collects anonymous usage information and the setting is not displayed.

If you do not configure this policy setting, users can subscribe to the service and enable information collection.”

  • We will choose Enabled

Disable access to the Windows Store

“This policy setting indicates whether the Windows Store service should be used when finding an application that can open a file that has an unsupported protocol or file type association.

When a user opens a protocol or file type that is not associated with any application on the computer, they are offered the option to choose a local application or to use the Windows Store service to find an application.

If you enable this policy setting, the “Find an app in the Windows Store” item is removed in the Open With dialog box.

If you disable or do not configure this policy setting, the user is allowed to use the Windows Store service. Additionally, the Windows Store item is available in the Open With dialog box.”

  • We will choose Enabled

Disable Windows Error Reporting

“This policy setting indicates whether errors should be reported to Microsoft.

The Error Reporting feature is used to send information about an unresponsive or malfunctioning system or application, and it helps improve product quality.

If you enable this policy setting, users cannot report errors.

If you turn off or do not configure this policy setting, errors can be reported to Microsoft over the Internet or in a file share in your company.

This policy setting overrides any user error reporting settings made from Control Panel.

Also see the “Configure error reporting” and “Show error notifications” policy settings in Computer Configuration / Administrative Templates / System / Error Reporting.”

  • We will choose Enabled

Computer configuration / Administrative templates / Windows components / Cloud content

  • On your domain controller, open the Group Policy Management console, right-click on Group Policy Objects, and click Create a GPO in this domain.
  • Name the GPO and click OK
  • Once the GPO is created, right-click it and click Edit
  • Go to: Computer Configuration / Administrative Templates / Windows Components / Cloud Content

 

Disable Microsoft Consumer Experiences

“This policy setting disables experiences that help consumers get the most from their devices and a Microsoft account.

If you enable this policy setting, users will no longer see personalized Microsoft recommendations and notifications on their Microsoft accounts.

If you disable this policy setting, or if you don’t configure it, users can see Microsoft suggestions and notifications on their Microsoft accounts.

Note: This setting only applies to Enterprise and Education SKUs.”

  • We will choose Enabled

Do not show Windows tips

“This policy setting prevents Windows tips from showing to users.

If you enable this policy setting, users will no longer see Windows tips.

If you disable or do not configure this policy setting, users may see pop-up windows explaining how to use Windows. Microsoft uses diagnostic and usage data to determine which guidance to display.

Note: If you disable or do not configure this policy setting, but you enable the “Computer Configuration \ Administrative Templates \ Windows Components \ Data Collection and Preview Versions \ Allow Telemetry” policy setting with a level “Basic” or lower, users will be able to see a limited set of tips.

Additionally, this setting only applies to Enterprise and Education SKUs.”

  • We will choose Enabled
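
To confirm that a client actually received every setting chosen on this page, the policy registry values can be audited locally after a Group Policy refresh. This is an added example, not code from the original post: the function name `Test-HardeningPolicy` is hypothetical, and the key and value names are the ones the stock ADMX templates write for these policies (an assumption to verify against your own PolicyDefinitions store).

```powershell
# Added example, not from the original post. Run on a Windows 10 client
# after 'gpupdate /force'. Want = value written by the state chosen on this page.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft'
$expected = @(
    @{ Policy = 'Disable Windows Error Reporting';         Key = 'Windows\Windows Error Reporting'; Name = 'Disabled';                       Want = 1 }
    @{ Policy = 'Automatically send memory dumps';         Key = 'Windows\Windows Error Reporting'; Name = 'AutoApproveOSDumps';             Want = 0 }
    @{ Policy = 'Do not send additional data';             Key = 'Windows\Windows Error Reporting'; Name = 'DontSendAdditionalData';         Want = 1 }
    @{ Policy = 'Authorize input customization';           Key = 'InputPersonalization';            Name = 'AllowInputPersonalization';      Want = 0 }
    @{ Policy = 'Disable machine learning (text)';         Key = 'InputPersonalization';            Name = 'RestrictImplicitTextCollection'; Want = 1 }
    @{ Policy = 'Disable machine learning (ink)';          Key = 'InputPersonalization';            Name = 'RestrictImplicitInkCollection';  Want = 1 }
    @{ Policy = 'Disable "Did you know?" content';         Key = 'PCHealth\HelpSvc';                Name = 'Headlines';                      Want = 0 }
    @{ Policy = 'Disable sharing of handwriting data';     Key = 'Windows\TabletPC';                Name = 'PreventHandwritingDataSharing';  Want = 1 }
    @{ Policy = 'Disable Messenger CEIP';                  Key = 'Messenger\Client';                Name = 'CEIP';                           Want = 2 }
    @{ Policy = 'Disable access to the Windows Store';     Key = 'Windows\Explorer';                Name = 'NoUseStoreOpenWith';             Want = 1 }
    @{ Policy = 'Disable Windows Error Reporting (ICM)';   Key = 'PCHealth\ErrorReporting';         Name = 'DoReport';                       Want = 0 }
    @{ Policy = 'Disable Microsoft Consumer Experiences';  Key = 'Windows\CloudContent';            Name = 'DisableWindowsConsumerFeatures'; Want = 1 }
    @{ Policy = 'Do not show Windows tips';                Key = 'Windows\CloudContent';            Name = 'DisableSoftLanding';             Want = 1 }
)

function Test-HardeningPolicy {
    param([hashtable[]]$Settings = $expected)
    foreach ($s in $Settings) {
        $path = Join-Path $base $s.Key
        # A missing key or value yields $null, which counts as non-compliant.
        $item   = Get-ItemProperty -Path $path -Name $s.Name -ErrorAction SilentlyContinue
        $actual = if ($item) { $item.($s.Name) } else { $null }
        [pscustomobject]@{
            Policy    = $s.Policy
            ValueName = $s.Name
            Expected  = $s.Want
            Actual    = if ($null -eq $actual) { '<not set>' } else { $actual }
            Compliant = ($actual -eq $s.Want)
        }
    }
}

$results = Test-HardeningPolicy
$results | Format-Table -AutoSize
$failed = @($results | Where-Object { -not $_.Compliant })
Write-Output "$($failed.Count) of $($results.Count) settings are not applied."
```

A value reported as `<not set>` usually means the GPO is not linked to the computer's OU or has not been refreshed yet; `gpresult /r` on the client shows which GPOs were applied.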
