Table of Contents
- Deployment Requirements
- Non-Compliance and Exceptions
- Related UT Austin Policies, Procedures, Best Practices
- External References
With Windows 10, Microsoft introduced some new features that 1) mine user data for the purpose of making the operating system more social and personalized, 2) collect data about users' habits and usage patterns for the purposes of diagnostics and troubleshooting, and 3) allow users to share Windows updates with local networks and the Internet in order to crowd-source distribution of updates. These features are enabled by default in all Windows 10 editions. The use of these new features poses a significant risk of exfiltration of confidential university data to Microsoft (and then to undisclosed third parties at Microsoft's whim), and, in the case of distributed updates, may violate state law governing the use of government property.
In order to comply with university policy, these features of Windows 10 must be disabled. This is best done through GPO for all domain-joined machines, but instructions are also provided for stand-alone devices.
Deployment Requirements
This standard applies to:
- All university-owned tablets, laptops, and desktops running Windows 10.
- All personally-owned tablets, laptops, and desktops running Windows 10 that are used to store confidential (Category I) university data.
Use Group Policy or Local Policy as needed to make the following changes:
| Enforced¹ | Policy Name | Policy Location | Applies To | Notes |
|---|---|---|---|---|
| Yes | Turn off Application Telemetry | Administrative Templates > Windows Components > Application Compatibility | At least Windows Server 2008 R2 or Windows 7 | Set to Enabled |
| | Allow Telemetry | Administrative Templates > Windows Components > Data Collection and Preview Builds | At least Windows 10 Server, Windows 10 or Windows 10 RT | Set policy to Enabled and set Options to "0 - Off [Enterprise Only]" |
| Yes | Allow input personalization | Administrative Templates > Control Panel > Regional and Language Options | At least Windows Server Technical Preview 2, Windows 10 or Windows RT 8.1 | Set to Disabled. This disables the use of Cortana, collection of speech and handwriting patterns, typing history, contacts, and calendar information. |
| Yes | Allow Cortana | Administrative Templates > Windows Components > Search | At least Windows Server Technical Preview 2, Windows 10 or Windows RT 8.1 | Set to Disabled |
| Yes | Turn off picture password sign-in | Administrative Templates > System > Logon | At least Windows Server 2012, Windows 8 or Windows RT | Set to Enabled |
| Yes | Accounts: Block Microsoft Accounts | Windows Settings > Security Settings > Local Policies > Security Options | At least Windows Server 2012, Windows 8 or Windows RT | Check "Define this policy setting" and choose "Users can't add or log on with Microsoft Accounts" |
| No | Turn off the Advertising ID | Administrative Templates > System > User Profiles | At least Windows Server 2012 R2, Windows 8.1 or Windows RT 8.1 | Set to Enabled. This is not required, but is recommended to protect user privacy. |
| No | Use Microsoft Passport for Work | Administrative Templates > Windows Components > Microsoft Passport for Work | At least Windows 10 Server or Windows 10 | Set as desired. This functionality is used with biometrics and PINs. |
| No | Turn on PIN sign-in | Administrative Templates > System > Logon | At least Windows Server 2012, Windows 8 or Windows RT | Set as desired. If PINs are allowed, they must comply with section 15.2 of the Information Resources Use and Security Policy. |
| | Use lowercase letters; Maximum PIN Length; Minimum PIN Length; Use special characters; Use uppercase letters | Administrative Templates > Windows Components > Microsoft Passport for Work > PIN complexity | At least Windows 10 Server or Windows 10 | All passwords, including device PINs, must comply with section 15.2 of the Information Resources Use and Security Policy. Another option is to disable PIN sign-in entirely. |
| Yes | DownloadMode | Preferences > Windows Settings > Registry | All versions of Windows will accept the registry change, but it will only be effective on Windows 10 | This registry policy preference disables peer-to-peer update sharing and should be created with the name "DownloadMode" as a "Replace" action, in the HKEY_LOCAL_MACHINE hive, at the "SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" key. The value type is "REG_DWORD", and the value data is "0". On the Common tab, the setting "Remove this item when it is no longer applied" should be checked. |
¹ These requirements will be enforced by GPO for all members of the Austin Active Directory domain.
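For stand-alone devices that do not receive the domain GPO, the settings in the table above can be audited (and, if desired, applied) by checking the registry values that the policies write. The script below is an added example and is not part of this standard or of any UT Austin tooling. The DownloadMode key, value and data are taken from the table; the other key/value pairs are the registry locations that Microsoft's Group Policy ADMX templates write for the named policies and are my own assumption here, so verify them against your policy templates before relying on them. PIN-complexity and Passport for Work settings are left out because the table says they are set as desired.

```powershell
# Added example (not from the UT Austin standard). Audits, and optionally sets,
# the registry values backing the Group Policy settings in the table above.
# Run from an elevated PowerShell session on a stand-alone Windows 10 device.
# Registry mappings other than DownloadMode are an assumption based on
# Microsoft's ADMX templates; confirm them against your own policy templates.

$Checks = @(
    @{ Name = 'Turn off Application Telemetry (Enabled)';        Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat';         Value = 'AITEnable';                 Expected = 0 },
    @{ Name = 'Allow Telemetry (0 - Off, Enterprise only)';     Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection';    Value = 'AllowTelemetry';            Expected = 0 },
    @{ Name = 'Allow input personalization (Disabled)';         Path = 'HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization';      Value = 'AllowInputPersonalization'; Expected = 0 },
    @{ Name = 'Allow Cortana (Disabled)';                       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search';    Value = 'AllowCortana';              Expected = 0 },
    @{ Name = 'Turn off picture password sign-in (Enabled)';    Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System';            Value = 'BlockDomainPicturePassword'; Expected = 1 },
    @{ Name = 'Accounts: Block Microsoft Accounts';             Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                  Value = 'NoConnectedUser';           Expected = 3 },
    @{ Name = 'Turn off the Advertising ID (recommended)';      Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo';   Value = 'DisabledByGroupPolicy';     Expected = 1 },
    # From the table: DownloadMode = 0 disables peer-to-peer update sharing.
    @{ Name = 'DownloadMode (no peer-to-peer update sharing)';  Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config'; Value = 'DownloadMode'; Expected = 0 }
)

function Test-Win10PrivacyBaseline {
    # Returns one object per setting: current value, expected value, and whether
    # they match. With -Remediate, any non-compliant value is written as REG_DWORD
    # (the same type the "Replace" registry preference in the table uses).
    param([switch]$Remediate)

    foreach ($c in $Checks) {
        $current = $null
        if (Test-Path -Path $c.Path) {
            $current = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
        }
        $compliant = ($null -ne $current) -and ([int]$current -eq $c.Expected)

        if (-not $compliant -and $Remediate) {
            if (-not (Test-Path -Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
            New-ItemProperty -Path $c.Path -Name $c.Value -PropertyType DWord -Value $c.Expected -Force | Out-Null
            $current   = $c.Expected
            $compliant = $true
        }

        $shown = if ($null -eq $current) { '<not set>' } else { $current }
        [pscustomobject]@{
            Setting   = $c.Name
            Current   = $shown
            Expected  = $c.Expected
            Compliant = $compliant
        }
    }
}

# Audit only (safe to run anywhere):
Test-Win10PrivacyBaseline | Format-Table -AutoSize

# Audit and fix anything out of line (elevated session required):
# Test-Win10PrivacyBaseline -Remediate | Format-Table -AutoSize
```

On domain members, leave these values to the GPO: the "Remove this item when it is no longer applied" option on the DownloadMode preference means a locally written value would be reverted or conflict with what the domain policy manages. A value reported as `<not set>` means the policy has never been applied on that machine, which is the usual state of a freshly installed stand-alone device.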
This guide assumes that the operating system is already installed. All of these settings may also be configured during installation if "Customise settings" is chosen during the "Get going fast" stage of installation.
Follow the instructions to make the following changes:
- Disable "Getting to know you"
  1. From the Start menu, click on "Settings".
  2. Click on "Privacy".
  3. Click on "Speech, inking, & typing".
  4. Click on the button "Stop getting to know me".
  5. Click on "Turn off" in the confirmation dialog.
- Disable sending diagnostic and usage data to Microsoft (i.e. telemetry)
  1. From the Start menu, click on "Settings".
  2. Click on "Privacy".
  3. Click on "Feedback & diagnostics".
  4. Select "Basic" under "Diagnostic and usage data".
  NOTE: With this setting, Windows 10 will still send some telemetry data to Microsoft. In Enterprise editions of Windows, telemetry can be completely disabled, but only via (local or group) policy. Contact your IT support staff for assistance with this if desired.
- Disable receiving/sharing Windows updates with the Internet (desktops) or with both the Internet and local networks (mobile devices)
  1. From the Start menu, click on "Settings".
  2. Click on "Update & security".
  3. Under "Windows Update", click on "Advanced options".
  4. Click on "Choose how updates are delivered".
  5. For mobile devices, click the toggle to turn distributed updates off entirely. For desktops, ensure that "PCs on my local network" is selected (or turn off distributed updates entirely via the toggle).
- Do not use a Microsoft account to sign in
  If you have already set up a Microsoft Account for authentication, you can switch to a local account by doing the following:
  1. From the Start menu, click on "Settings".
  2. Click on "Accounts".
  3. Click on "Sign in with a local account instead".
  4. Enter your Microsoft Account password when prompted.
  5. Choose a username, password, and password hint.
  6. Click on "Sign out and finish".
- Do not use a picture password to sign in. PINs must meet password policy complexity requirements.
  Section 15.2 of the Information Resources Use and Security Policy (IRUSP) mandates the use of strong passwords for user authentication.
Non-Compliance and Exceptions
If any of the configuration requirements contained within this document cannot be met, an Exception Process must be initiated that includes reporting the non-compliance to the Information Security Office, along with a plan for risk assessment and management. (See Security Exception Report.) Non-compliance with these standards may result in revocation of system or network access, notification of supervisors, and reporting to the Office of Internal Audit.
University of Texas at Austin employees are required to comply with both institutional rules and regulations and applicable UT System rules and regulations. In addition to university and System rules and regulations, University of Texas at Austin employees are required to comply with state laws and regulations.
Related UT Austin Policies, Procedures, Best Practices
The policies and practices listed here inform the system hardening procedures described in this document and with which you should be familiar. (This is not an all-inclusive list of policies and procedures that affect information technology resources.)
Optional Privacy and Security Settings for all Windows 10 Devices
Privacy-conscious users may find the guides below useful for addressing other features of Windows 10 that pose a privacy/security risk:
- https://fix10.isleaked.com/ - this site is currently unavailable, but a cached copy of the page is at: https://web.archive.org/web/20150908131637/https://fix10.isleaked.com/