Set-Service
Starts, stops, and suspends a service, and changes its properties.
Syntax
Description
The Set-Service cmdlet changes the properties of a service such as the Status, Description, DisplayName, and StartupType. Set-Service can start, stop, suspend, or pause a service. To identify a service, enter its service name or submit a service object. Or, send a service name or service object down the pipeline to Set-Service.
Examples
Example 1: Change a display name
In this example, a service’s display name is changed. To view the original display name, use Get-Service.
Set-Service uses the Name parameter to specify the service’s name, LanmanWorkstation. The DisplayName parameter specifies the new display name, LanMan Workstation.
Example 2: Change the startup type of services
This example shows how to change a service’s startup type.
Set-Service uses the Name parameter to specify the service’s name, BITS. The StartupType parameter sets the service to Automatic.
Get-Service uses the Name parameter to specify the BITS service and sends the object down the pipeline. Select-Object uses the Property parameter to display the BITS service’s status.
Example 3: Change the description of a service
This example changes the BITS service’s description and displays the result.
The Get-CimInstance cmdlet is used because it returns a Win32_Service object that includes the service’s Description.
Get-CimInstance sends the object down the pipeline to Format-List and displays the service’s name and description. For comparison purposes, the command is run before and after the description is updated.
Set-Service uses the Name parameter to specify the BITS service. The Description parameter specifies the updated text for the service’s description.
Example 4: Start a service
In this example, a service is started.
Set-Service uses the Name parameter to specify the service, WinRM. The Status parameter uses the value Running to start the service. The PassThru parameter outputs a ServiceController object that displays the results.
Example 5: Suspend a service
This example uses the pipeline to pause a service.
Get-Service uses the Name parameter to specify the Schedule service, and sends the object down the pipeline. Set-Service uses the Status parameter to set the service to Paused.
Example 6: Stop a service
This example uses a variable to stop a service.
Get-Service uses the Name parameter to specify the service, Schedule. The object is stored in the variable, $S. Set-Service uses the InputObject parameter and specifies the object stored in $S. The Status parameter sets the service to Stopped.
Example 7: Stop a service on a remote system
This example stops a service on a remote computer. For more information, see Invoke-Command.
Get-Credential prompts for a username and password, and stores the credentials in the $Cred variable. Get-Service uses the Name parameter to specify the Schedule service. The object is stored in the variable, $S.
Invoke-Command uses the ComputerName parameter to specify a remote computer. The Credential parameter uses the $Cred variable to sign on to the computer. The ScriptBlock calls Set-Service. The InputObject parameter specifies the service object stored in $S. The Status parameter sets the service to Stopped.
Example 8: Change credential of a service
This example changes the credentials that are used to manage a service.
Get-Credential prompts for a username and password, and stores the credentials in the $credential variable. Set-Service uses the Name parameter to specify the Schedule service. The Credential parameter uses the $credential variable and updates the Schedule service.
Example 9: Change the SecurityDescriptor of a service
This example changes a service’s SecurityDescriptor.
The SecurityDescriptor is stored in the $SDDL variable. Set-Service uses the Name parameter to specify the BITS service. The SecurityDescriptorSddl parameter uses $SDDL to change the SecurityDescriptor for the BITS service.
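Before an SDDL string is applied as in Example 9, it helps to see which trustees it lets reconfigure the service. The following PowerShell is an added example, not code from the Set-Service documentation; the function name Get-ServiceSddlAce, the list of broad trustees and the sample SDDL string are assumptions made for illustration.

```powershell
# Added example (not from the Set-Service documentation).
# Decodes the DACL of a service SDDL string and marks allow-ACEs that give a
# broad trustee the right to reconfigure the service, before the string is
# passed to Set-Service -SecurityDescriptorSddl.
# To compare against the descriptor currently in place: sc.exe sdshow BITS

# SDDL right codes and access-mask bits as they apply to service objects.
$ServiceRights = [ordered]@{
    CC = @{ Name = 'QueryConfig';         Bit = 0x00000001 }
    DC = @{ Name = 'ChangeConfig';        Bit = 0x00000002 }
    LC = @{ Name = 'QueryStatus';         Bit = 0x00000004 }
    SW = @{ Name = 'EnumerateDependents'; Bit = 0x00000008 }
    RP = @{ Name = 'Start';               Bit = 0x00000010 }
    WP = @{ Name = 'Stop';                Bit = 0x00000020 }
    DT = @{ Name = 'PauseContinue';       Bit = 0x00000040 }
    LO = @{ Name = 'Interrogate';         Bit = 0x00000080 }
    CR = @{ Name = 'UserDefinedControl';  Bit = 0x00000100 }
    SD = @{ Name = 'Delete';              Bit = 0x00010000 }
    RC = @{ Name = 'ReadControl';         Bit = 0x00020000 }
    WD = @{ Name = 'WriteDac';            Bit = 0x00040000 }
    WO = @{ Name = 'WriteOwner';          Bit = 0x00080000 }
    GA = @{ Name = 'GenericAll';          Bit = 0x10000000 }
    GW = @{ Name = 'GenericWrite';        Bit = 0x40000000 }
}

# Rights that let the holder change what the service runs or who controls it.
$ReconfigureRights = 'DC', 'WD', 'WO', 'GA', 'GW'

# Trustees treated as "broad" here (an assumption; adjust to local policy):
# Everyone, Authenticated Users, Builtin Users, Interactive, as alias and SID.
$BroadTrustees = 'WD', 'AU', 'BU', 'IU',
                 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4'

function Get-ServiceSddlAce {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Sddl)

    # Keep owner, group and DACL; drop the SACL, which starts at "S:".
    $beforeSacl = ($Sddl -csplit 'S:', 2)[0]

    # Conditional (callback) ACEs with nested parentheses are not handled.
    foreach ($match in [regex]::Matches($beforeSacl, '\(([^)]*)\)')) {
        # ACE layout: type;flags;rights;object_guid;inherit_object_guid;trustee
        $field = $match.Groups[1].Value -split ';'
        if ($field.Count -lt 6) { continue }

        $rawRights = $field[2]
        if ($rawRights -match '^0x[0-9A-Fa-f]+$') {
            # Rights written as a hexadecimal access mask.
            $mask  = [Convert]::ToInt64($rawRights, 16)
            $codes = @($ServiceRights.Keys |
                Where-Object { $mask -band $ServiceRights[$_].Bit })
        }
        else {
            # Rights written as concatenated two-letter codes.
            $codes = @([regex]::Matches($rawRights, '[A-Z]{2}') |
                ForEach-Object { $_.Value })
        }

        $names = $codes | ForEach-Object {
            if ($ServiceRights.Contains($_)) { $ServiceRights[$_].Name } else { $_ }
        }
        $risky = @($codes | Where-Object { $ReconfigureRights -contains $_ })

        [pscustomobject]@{
            AceType     = $field[0]
            Trustee     = $field[5]
            Rights      = $names -join ', '
            NeedsReview = ($field[0] -ceq 'A') -and
                          ($BroadTrustees -contains $field[5]) -and
                          ($risky.Count -gt 0)
        }
    }
}

# Constructed sample SDDL, not read from a real system. The last ACE gives
# Authenticated Users (AU) the ChangeConfig right (DC) on purpose.
$SDDL = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
        '(A;;CCLCSWLOCRRC;;;IU)(A;;CCDCLCSWRPWP;;;AU)'

$aces = Get-ServiceSddlAce -Sddl $SDDL
$aces | Format-Table -AutoSize

if ($aces | Where-Object NeedsReview) {
    Write-Warning 'A broad trustee would be allowed to reconfigure the service; not applying.'
}
else {
    # -WhatIf shows the change without making it; remove it to apply.
    Set-Service -Name BITS -SecurityDescriptorSddl $SDDL -WhatIf
}
```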
Parameters
-Confirm
Prompts you for confirmation before running Set-Service.
Type: | SwitchParameter |
Aliases: | cf |
Position: | Named |
Default value: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Credential
Specifies the account used by the service as the Service Logon Account.
Type a user name, such as User01 or Domain01\User01, or enter a PSCredential object, such as one generated by the Get-Credential cmdlet. If you type a user name, this cmdlet prompts you for a password.
Credentials are stored in a PSCredential object and the password is stored as a SecureString.
For more information about SecureString data protection, see How secure is SecureString?.
This parameter was introduced in PowerShell 6.0.
Type: | PSCredential |
Position: | Named |
Default value: | None |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Description
Specifies a new description for the service.
The service description appears in Computer Management, Services. The Description isn’t a property of the Get-Service ServiceController object. To see the service description, use Get-CimInstance, which returns a Win32_Service object that represents the service.
Type: | String |
Position: | Named |
Default value: | None |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-DisplayName
Specifies a new display name for the service.
Type: | String |
Aliases: | DN |
Position: | Named |
Default value: | None |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Force
Specifies the Stop mode of the service. This parameter only works when -Status Stopped is used. If enabled, Set-Service stops the dependent services before the target service is stopped. By default, exceptions are raised when other running services depend on the target service.
Type: | SwitchParameter |
Position: | Named |
Default value: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-InputObject
Specifies a ServiceController object that represents the service to change. Enter a variable that contains the object, or type a command or expression that gets the object, such as a Get-Service command. You can use the pipeline to send a service object to Set-Service.
Type: | ServiceController |
Position: | 0 |
Default value: | None |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-Name
Specifies the service name of the service to be changed. Wildcard characters aren’t permitted. You can use the pipeline to send a service name to Set-Service.
Type: | String |
Aliases: | ServiceName, SN |
Position: | 0 |
Default value: | None |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-PassThru
Returns a ServiceController object that represents the services that were changed. By default, Set-Service doesn’t generate any output.
Type: | SwitchParameter |
Position: | Named |
Default value: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-SecurityDescriptorSddl
Specifies the SecurityDescriptor for the service in Sddl format.
Type: | String |
Aliases: | sd |
Position: | Named |
Default value: | None |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-StartupType
Specifies the start mode of the service.
The acceptable values for this parameter are as follows:
- Automatic — The service is started or was started by the operating system, at system start-up. If an automatically started service depends on a manually started service, the manually started service is also started automatically at system startup.
- AutomaticDelayedStart — Starts shortly after the system boots.
- Disabled — The service is disabled and cannot be started by a user or application.
- InvalidValue — Has no effect. The cmdlet does not return an error but the StartupType of the service is not changed.
- Manual — The service is started only manually, by a user, using the Service Control Manager, or by an application.
Type: | Microsoft.PowerShell.Commands.ServiceStartupType |
Aliases: | StartMode, SM, ST, StartType |
Accepted values: | Automatic, AutomaticDelayedStart, Disabled, InvalidValue, Manual |
Position: | Named |
Default value: | None |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Status
Specifies the status for the service.
The acceptable values for this parameter are as follows:
- Paused. Suspends the service.
- Running. Starts the service.
- Stopped. Stops the service.
Type: | String |
Accepted values: | Paused, Running, Stopped |
Position: | Named |
Default value: | None |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-WhatIf
Shows what would happen if Set-Service runs. The cmdlet isn’t run.
Type: | SwitchParameter |
Aliases: | wi |
Position: | Named |
Default value: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Inputs
System.ServiceProcess.ServiceController, System.String
You can use the pipeline to send a service object or a string that contains a service name to Set-Service.
Outputs
By default, Set-Service doesn’t return any objects. Use the PassThru parameter to output a ServiceController object.
Notes
This cmdlet is only available on Windows platforms.
Set-Service requires elevated permissions. Use the Run as administrator option.
Set-Service can only control services when the current user has permissions to manage services. If a command doesn’t work correctly, you might not have the required permissions.
To find a service’s service name or display name, use Get-Service. The service names are in the Name column and the display names are in the DisplayName column.
All Windows Services Disabled – How to reset all services to default startup value
So, this morning I started my laptop to create a back-up when I noticed something was wrong: nothing worked. No internet, no backlight regulation, no scroll function on my touchpad and a big fat access denied on my external disk drives.
The last thing reminded me of a problem I got when I accidentally disabled the Pointsec services and I was a bit shocked when I opened the services list:
All my services were disabled, except for some mandatory and protected services. After searching a bit on the internet, the only solutions I found were running the Microsoft Safety Scanner and manually re-enabling all services. The first one was no problem but I didn’t really look forward to re-enabling all services by hand. So I quickly wrote myself a little batch file which would re-set all default Windows 7 SP1 services to their default value:
First of all, if you want to use this batch file then you must realize you’re using it at your own risk 😉
Second, you must run it with administrator rights.
Third, the script won’t stop in case of errors, so always check the output for errors.
Last but not least, these are the default Windows 7 SP1 services I got from BlackVipers. Any other custom service (Skype, Firefox, Pointsec, PunkBuster, …) must be re-enabled by hand.
//edit: lol, looks like I’ve wasted two hours creating this script since BlackVipers already offers a reset-to-default patch.
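One way to avoid re-enabling services by hand is to keep a snapshot of startup types from a healthy system and restore from it with Set-Service. The following PowerShell is an added example, not the author's batch file; the function names and the CSV location are assumptions, and the DelayedAutoStart column is only populated on Windows versions whose Win32_Service class has that property.

```powershell
# Added example (not the batch file from the post).
# Snapshot service startup types to CSV, and later restore them.

function Export-ServiceStartupBaseline {
    param([Parameter(Mandatory)][string]$Path)

    Get-CimInstance -ClassName Win32_Service |
        Sort-Object Name |
        Select-Object Name, StartMode, DelayedAutoStart |
        Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8
}

function Restore-ServiceStartupBaseline {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$Apply   # without -Apply every change is only previewed
    )

    # Win32_Service.StartMode value -> Set-Service -StartupType value.
    $map = @{ Auto = 'Automatic'; Manual = 'Manual'; Disabled = 'Disabled' }

    # Current state, indexed by service name.
    $current = @{}
    Get-CimInstance -ClassName Win32_Service |
        ForEach-Object { $current[$_.Name] = $_ }

    foreach ($row in Import-Csv -Path $Path) {
        $result = [pscustomobject]@{
            Name = $row.Name; Wanted = $row.StartMode; Result = $null
        }
        $svc = $current[$row.Name]

        if (-not $svc) {
            $result.Result = 'MissingOnThisSystem'
        }
        elseif (-not $map.ContainsKey($row.StartMode)) {
            $result.Result = 'SkippedUnsupportedStartMode'
        }
        elseif ($svc.StartMode -eq $row.StartMode -and
                "$($svc.DelayedAutoStart)" -eq $row.DelayedAutoStart) {
            $result.Result = 'Unchanged'
        }
        else {
            $wanted = $map[$row.StartMode]
            if ($wanted -eq 'Automatic' -and $row.DelayedAutoStart -eq 'True') {
                # Needs a Set-Service version that accepts this value.
                $wanted = 'AutomaticDelayedStart'
            }
            $result.Wanted = $wanted
            try {
                Set-Service -Name $row.Name -StartupType $wanted `
                    -WhatIf:(-not $Apply) -ErrorAction Stop
                $result.Result = if ($Apply) { 'Changed' } else { 'WouldChange' }
            }
            catch {
                # Protected services refuse the change; record it and go on.
                $result.Result = "Failed: $($_.Exception.Message)"
            }
        }
        $result
    }
}

# Take the snapshot while the system is healthy (the path is an assumption).
$baseline = Join-Path $env:TEMP 'service-startup-baseline.csv'
Export-ServiceStartupBaseline -Path $baseline

# Preview what a restore would do; add -Apply from an elevated session to
# make the changes, then review every row whose Result starts with "Failed".
Restore-ServiceStartupBaseline -Path $baseline |
    Where-Object Result -ne 'Unchanged' |
    Format-Table -AutoSize
```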
Manage connections from Windows 10 operating system components to Microsoft services
Applies to
- Windows 10 Enterprise, version 1607 and newer
- Windows Server 2016
- Windows Server 2019
This article describes the network connections that Windows 10 components make to Microsoft and the Windows Settings, Group Policies and registry settings available to IT Professionals to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a number of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience.
Microsoft provides a Windows Restricted Traffic Limited Functionality Baseline package that will allow your organization to quickly configure the settings covered in this document to restrict connections from Windows 10 to Microsoft. The Windows Restricted Traffic Limited Baseline is based on Group Policy Administrative Template functionality and the package you download contains further instructions on how to deploy to devices in your organization. Since some of the settings can reduce the functionality and security configuration of your device, before deploying Windows Restricted Traffic Limited Functionality Baseline make sure you choose the right settings configuration for your environment and ensure that Windows and Windows Defender are fully up to date. Failure to do so may result in errors or unexpected behavior. You should not extract this package to the windows\system32 folder because it will not apply correctly.
- The downloadable Windows 10, version 1903 scripts/settings can be used on Windows 10, version 1909 devices.
- The Allowed Traffic endpoints are listed here: Allowed Traffic
- CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign.
- For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device. Examples of settings that can lead to a less secure device configuration include: Windows Update, Automatic Root Certificates Update, and Windows Defender. Accordingly, we do not recommend disabling any of these features.
- It is recommended that you restart a device after making configuration changes to it.
- The Get Help and Give us Feedback links no longer work after the Windows Restricted Traffic Limited Functionality Baseline is applied.
- If a user executes the Reset this PC command (Settings -> Update & Security -> Recovery) with the Keep my files option (or the Remove Everything option) the Windows Restricted Traffic Limited Functionality Baseline settings will need to be re-applied in order to re-restrict the device. Egress traffic may occur prior to the re-application of the Restricted Traffic Limited Functionality Baseline settings.
- To restrict a device effectively (first time or subsequently), it is recommended to apply the Restricted Traffic Limited Functionality Baseline settings package in offline mode.
- During update or upgrade of Windows, egress traffic may occur.
We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com.
Management options for each setting
The following sections list the components that make network connections to Microsoft services by default. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure diagnostic data at the Security level, turn off Windows Defender diagnostic data and MSRT reporting, and turn off all of these connections.
Settings for Windows 10 Enterprise edition
The following table lists management options for each setting, beginning with Windows 10 Enterprise version 1607.
Setting | UI | Group Policy | Registry |
---|---|---|---|
1. Automatic Root Certificates Update | |||
2. Cortana and Search | |||
3. Date & Time | |||
4. Device metadata retrieval | |||
5. Find My Device | |||
6. Font streaming | |||
7. Insider Preview builds | |||
8. Internet Explorer | |||
9. License Manager | |||
10. Live Tiles | |||
11. Mail synchronization | |||
12. Microsoft Account | |||
13. Microsoft Edge | |||
14. Network Connection Status Indicator | |||
15. Offline maps | |||
16. OneDrive | |||
17. Preinstalled apps | |||
18. Settings > Privacy | |||
18.1 General | |||
18.2 Location | |||
18.3 Camera | |||
18.4 Microphone | |||
18.5 Notifications | |||
18.6 Speech | |||
18.7 Account info | |||
18.8 Contacts | |||
18.9 Calendar | |||
18.10 Call history | |||
18.11 Email | |||
18.12 Messaging | |||
18.13 Phone calls | |||
18.14 Radios | |||
18.15 Other devices | |||
18.16 Feedback & diagnostics | |||
18.17 Background apps | |||
18.18 Motion | |||
18.19 Tasks | |||
18.20 App Diagnostics | |||
18.21 Inking & Typing | |||
18.22 Activity History | |||
18.23 Voice Activation | |||
19. Software Protection Platform | |||
20. Storage Health | |||
21. Sync your settings | |||
22. Teredo | |||
23. Wi-Fi Sense | |||
24. Windows Defender | |||
25. Windows Spotlight | |||
26. Microsoft Store | |||
27. Apps for websites | |||
28. Delivery Optimization | |||
29. Windows Update |
Settings for Windows Server 2016 with Desktop Experience
See the following table for a summary of the management settings for Windows Server 2016 with Desktop Experience.
Setting | UI | Group Policy | Registry |
---|---|---|---|
1. Automatic Root Certificates Update | |||
2. Cortana and Search | |||
3. Date & Time | |||
4. Device metadata retrieval | |||
6. Font streaming | |||
7. Insider Preview builds | |||
8. Internet Explorer | |||
10. Live Tiles | |||
12. Microsoft Account | |||
14. Network Connection Status Indicator | |||
16. OneDrive | |||
18. Settings > Privacy | |||
19. Software Protection Platform | |||
22. Teredo | |||
24. Windows Defender | |||
26. Microsoft Store | |||
27. Apps for websites | |||
29. Windows Update |
Settings for Windows Server 2016 Server Core
See the following table for a summary of the management settings for Windows Server 2016 Server Core.
Setting | Group Policy | Registry |
---|---|---|
1. Automatic Root Certificates Update | ||
3. Date & Time | ||
6. Font streaming | ||
14. Network Connection Status Indicator | ||
19. Software Protection Platform | ||
22. Teredo | ||
24. Windows Defender | ||
29. Windows Update |
Settings for Windows Server 2016 Nano Server
See the following table for a summary of the management settings for Windows Server 2016 Nano Server.
Setting | Registry |
---|---|
1. Automatic Root Certificates Update | |
3. Date & Time | |
22. Teredo | |
29. Windows Update |
Settings for Windows Server 2019
See the following table for a summary of the management settings for Windows Server 2019.
Setting | UI | Group Policy | Registry |
---|---|---|---|
1. Automatic Root Certificates Update | |||
2. Cortana and Search | |||
3. Date & Time | |||
4. Device metadata retrieval | |||
5. Find My Device | |||
6. Font streaming | |||
7. Insider Preview builds | |||
8. Internet Explorer | |||
10. Live Tiles | |||
11. Mail synchronization | |||
12. Microsoft Account | |||
13. Microsoft Edge | |||
14. Network Connection Status Indicator | |||
15. Offline maps | |||
16. OneDrive | |||
17. Preinstalled apps | |||
18. Settings > Privacy | |||
18.1 General | |||
18.2 Location | |||
18.3 Camera | |||
18.4 Microphone | |||
18.5 Notifications | |||
18.6 Speech | |||
18.7 Account info | |||
18.8 Contacts | |||
18.9 Calendar | |||
18.10 Call history | |||
18.11 Email | |||
18.12 Messaging | |||
18.13 Phone calls | |||
18.14 Radios | |||
18.15 Other devices | |||
18.16 Feedback & diagnostics | |||
18.17 Background apps | |||
18.18 Motion | |||
18.19 Tasks | |||
18.20 App Diagnostics | |||
18.21 Inking & Typing | |||
18.22 Activity History | |||
18.23 Voice Activation | |||
19. Software Protection Platform | |||
20. Storage Health | |||
21. Sync your settings | |||
22. Teredo | |||
23. Wi-Fi Sense | |||
24. Windows Defender | |||
25. Windows Spotlight | |||
26. Microsoft Store | |||
27. Apps for websites | |||
28. Delivery Optimization | |||
29. Windows Update |
How to configure each setting
Use the following sections for more information about how to configure each setting.
1. Automatic Root Certificates Update
The Automatic Root Certificates Update component is designed to automatically check the list of trusted authorities on Windows Update to see if an update is available. For more information, see Automatic Root Certificates Update Configuration. Although not recommended, you can turn off Automatic Root Certificates Update, which also prevents updates to the disallowed certificate list and the pin rules list.
By not automatically downloading the root certificates the device may not be able to connect to some websites.
For Windows 10, Windows Server 2016 with Desktop Experience, and Windows Server 2016 Server Core:
Enable the Group Policy: Computer Configuration > Administrative Templates > System > Internet Communication Management > Internet Communication Settings > Turn off Automatic Root Certificates Update
- Navigate to Computer Configuration > Windows Settings > Security Settings > Public Key Policies.
- Double-click Certificate Path Validation Settings.
- On the Network Retrieval tab, select the Define these policy settings check box.
- Clear the Automatically update certificates in the Microsoft Root Certificate Program (recommended) check box, and then click OK.
Create the registry path HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot and then add a REG_DWORD registry setting, named DisableRootAutoUpdate, with a value of 1.
- Navigate to Computer Configuration > Windows Settings > Security Settings > Public Key Policies.
- Double-click Certificate Path Validation Settings.
- On the Network Retrieval tab, select the Define these policy settings check box.
- Clear the Automatically update certificates in the Microsoft Root Certificate Program (recommended) check box, and then click OK.
On Windows Server 2016 Nano Server:
- Create the registry path HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot and then add a REG_DWORD registry setting, named DisableRootAutoUpdate, with a value of 1.
CRL and OCSP network traffic is currently Allowed Traffic and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of them, but there are many others, such as DigiCert, Thawte, Google, Symantec, and VeriSign.
2. Cortana and Search
Use Group Policies to manage settings for Cortana. For more info, see Cortana, Search, and privacy: FAQ.
2.1 Cortana and Search Group Policies
Find the Cortana Group Policy objects under Computer Configuration > Administrative Templates > Windows Components > Search.
Policy | Description |
---|---|
Allow Cortana | Choose whether to let Cortana install and run on the device. Disable this policy to turn off Cortana. |
Allow search and Cortana to use location | Choose whether Cortana and Search can provide location-aware search results. Disable this policy to block access to location information for Cortana. |
Do not allow web search | Choose whether to search the web from Windows Desktop Search. Enable this policy to remove the option to search the Internet from Cortana. |
Don’t search the web or display web results in Search | Choose whether to search the web from Cortana. Enable this policy to stop web queries and results from showing in Search. |
You can also apply the Group Policies using the following registry keys:
Policy | Registry Path |
---|---|
Allow Cortana | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search REG_DWORD: AllowCortana Value: 0 |
Allow search and Cortana to use location | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search REG_DWORD: AllowSearchToUseLocation Value: 0 |
Do not allow web search | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search REG_DWORD: DisableWebSearch Value: 1 |
Don’t search the web or display web results in Search | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search REG_DWORD: ConnectedSearchUseWeb Value: 0 |
When you use the Group Policy editor, these steps are required for all supported versions of Windows 10; however, they are not required for devices running Windows 10, version 1607 or Windows Server 2016.
Expand Computer Configuration > Windows Settings > Security Settings > Windows Defender Firewall with Advanced Security > Windows Defender Firewall with Advanced Security — , and then click Outbound Rules.
Right-click Outbound Rules, and then click New Rule. The New Outbound Rule Wizard starts.
On the Rule Type page, click Program, and then click Next.
On the Program page, click This program path, type %windir%\systemapps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe, and then click Next.
On the Action page, click Block the connection, and then click Next.
On the Profile page, ensure that the Domain, Private, and Public check boxes are selected, and then click Next.
On the Name page, type a name for the rule, such as Cortana firewall configuration, and then click Finish.
Right-click the new rule, click Properties, and then click Protocols and Ports.
Configure the Protocols and Ports page with the following info, and then click OK.
For Protocol type, choose TCP.
For Local port, choose All Ports.
For Remote port, choose All ports.
- Create a new REG_SZ registry setting named in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules and set it to a value of v2.25|Action=Block|Active=TRUE|Dir=Out|Protocol=6|App=%windir%\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\searchUI.exe|Name=Block outbound Cortana|
If your organization tests network traffic, do not use a network proxy as Windows Firewall does not block proxy traffic. Instead, use a network traffic analyzer. Based on your needs, there are many network traffic analyzers available at no cost.
3. Date & Time
You can prevent Windows from setting the time automatically.
To turn off the feature in the UI: Settings > Time & language > Date & time > Set time automatically
Create a REG_SZ registry setting in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type with a value of NoSync.
After that, configure the following:
Disable the Group Policy: Computer Configuration > Administrative Templates > System > Windows Time Service > Time Providers > Enable Windows NTP Client
Create a new REG_DWORD registry setting named Enabled in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32time\TimeProviders\NtpClient and set it to 0 (zero).
4. Device metadata retrieval
To prevent Windows from retrieving device metadata from the Internet:
Enable the Group Policy: Computer Configuration > Administrative Templates > System > Device Installation > Prevent device metadata retrieval from the Internet.
Create a new REG_DWORD registry setting named PreventDeviceMetadataFromNetwork in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Device Metadata and set it to 1 (one).
5. Find My Device
To turn off Find My Device:
Turn Off the feature in the UI by going to Settings -> Update & Security -> Find My Device, click the Change button, and set the value to Off
Disable the Group Policy: Computer Configuration > Administrative Template > Windows Components > Find My Device > Turn On/Off Find My Device
You can also create a new REG_DWORD registry setting HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FindMyDevice\AllowFindMyDevice and set it to 0 (zero).
6. Font streaming
Fonts that are included in Windows but that are not stored on the local device can be downloaded on demand.
If you’re running Windows 10, version 1607, Windows Server 2016, or later:
Disable the Group Policy: Computer Configuration > Administrative Templates > Network > Fonts > Enable Font Providers.
Create a new REG_DWORD registry setting HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\EnableFontProviders and set it to 0 (zero).
After you apply this policy, you must restart the device for it to take effect.
7. Insider Preview builds
The Windows Insider Preview program lets you help shape the future of Windows, be part of the community, and get early access to releases of Windows 10. This setting stops communication with the Windows Insider Preview service that checks for new builds. Windows Insider Preview builds only apply to Windows 10 and are not available for Windows Server 2016.
If you upgrade a device that is configured to minimize connections from Windows to Microsoft services (that is, a device configured for Restricted Traffic) to a Windows Insider Preview build, the Feedback & Diagnostic setting will automatically be set to Optional (Full). Although the diagnostic data level may initially appear as Required (Basic), a few hours after the UI is refreshed or the machine is rebooted, the setting will become Optional (Full).
To turn off Insider Preview builds for a released version of Windows 10:
- Disable the Group Policy: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Toggle user control over Insider builds.
To turn off Insider Preview builds for Windows 10:
If you’re running a preview version of Windows 10, you must roll back to a released version before you can turn off Insider Preview builds.
Turn off the feature in the UI: Settings > Update & security > Windows Insider Program > Stop Insider Preview builds.
Enable the Group Policy Toggle user control over Insider builds under Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds
Create a new REG_DWORD registry setting named AllowBuildPreview in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds with a value of 0 (zero)
8. Internet Explorer
When attempting to use Internet Explorer on any edition of Windows Server be aware there are restrictions enforced by Enhanced Security Configuration (ESC). The following Group Policies and Registry Keys are for user interactive scenarios rather than the typical idle traffic scenario. Find the Internet Explorer Group Policy objects under Computer Configuration > Administrative Templates > Windows Components > Internet Explorer and make these settings:
Policy | Description |
---|---|
Turn on Suggested Sites | Choose whether an employee can configure Suggested Sites. Set Value to: Disabled You can also turn this off in the UI by clearing the Internet Options > Advanced > Enable Suggested Sites check box. |
Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | Choose whether an employee can configure enhanced suggestions, which are presented to the employee as they type in the Address Bar. Set Value to: Disabled |
Turn off the auto-complete feature for web addresses | Choose whether auto-complete suggests possible matches when employees are typing web addresses in the Address Bar. Set Value to: Enabled. You can also turn this off in the UI by clearing the Internet Options > Advanced > Use inline AutoComplete in the Internet Explorer Address Bar and Open Dialog check box. |
Turn off browser geolocation | Choose whether websites can request location data from Internet Explorer. Set Value to: Enabled |
Prevent managing Windows Defender SmartScreen | Choose whether employees can manage the Windows Defender SmartScreen in Internet Explorer. Set Value to: Enabled and then set Select Windows Defender SmartScreen mode to Off. |
Registry Key | Registry path |
---|---|
Turn on Suggested Sites | HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Suggested Sites REG_DWORD: Enabled Set Value to: 0 |
Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer REG_DWORD: AllowServicePoweredQSA Set Value to: 0 |
Turn off the auto-complete feature for web addresses | HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete REG_SZ: AutoSuggest Set Value to: no |
Turn off browser geolocation | HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Geolocation REG_DWORD: PolicyDisableGeolocation Set Value to: 1 |
Prevent managing Windows Defender SmartScreen | HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter REG_DWORD: EnabledV9 Set Value to: 0 |
There are more Group Policy objects that are used by Internet Explorer:
Path | Policy | Description |
---|---|---|
Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Compatibility View > Turn off Compatibility View | Turn off Compatibility View. | Choose whether an employee can fix website display problems that he or she may encounter while browsing. Set to: Enabled |
Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Advanced Page | Turn off the flip ahead with page prediction feature | Choose whether an employee can swipe across a screen or click forward to go to the next pre-loaded page of a website. Set to: Enabled |
Computer Configuration > Administrative Templates > Windows Components > RSS Feeds | Turn off background synchronization for feeds and Web Slices | Choose whether to have background synchronization for feeds and Web Slices. Set to: Enabled |
Computer Configuration > Administrative Templates > Control Panel > Allow Online Tips | Allow Online Tips | Enables or disables the retrieval of online tips and help for the Settings app. Set to: Disabled |
You can also use Registry keys to set these policies.
Registry Key | Registry path |
---|---|
Choose whether employees can configure Compatibility View. | HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\BrowserEmulation REG_DWORD: DisableSiteListEditing Set Value to 1 |
Turn off the flip ahead with page prediction feature | HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\FlipAhead REG_DWORD: Enabled Set Value to 0 |
Turn off background synchronization for feeds and Web Slices | HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds REG_DWORD: BackgroundSyncStatus Set Value to 0 |
Allow Online Tips | HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer REG_DWORD: AllowOnlineTips Set Value to 0 |
To turn off the home page:
Enable the Group Policy: User Configuration > Administrative Templates > Windows Components > Internet Explorer > Disable changing home page settings, and set it to about:blank
Create a new REG_SZ registry setting named Start Page in HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Main with a value of about:blank
Create a new REG_DWORD registry setting named HomePage in HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel with a value of 1 (one)
To configure the First Run Wizard:
Enable the Group Policy: User Configuration > Administrative Templates > Windows Components > Internet Explorer > Prevent running First Run wizard, and set it to Go directly to home page
Create a new REG_DWORD registry setting named DisableFirstRunCustomize in HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Main with a value of 1 (one)
To configure the behavior for a new tab:
Enable the Group Policy: User Configuration > Administrative Templates > Windows Components > Internet Explorer > Specify default behavior for a new tab, and set it to about:blank
Create a new REG_DWORD registry setting named NewTabPageShow in HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\TabbedBrowsing with a value of 0 (zero)
8.1 ActiveX control blocking
ActiveX control blocking periodically downloads a new list of out-of-date ActiveX controls that should be blocked.
You can turn this off by:
Enabling the Group Policy: User Configuration > Administrative Templates > Windows Components > Internet Explorer > Security Features > Add-on Management > Turn off Automatic download of the ActiveX VersionList
Changing the REG_DWORD registry setting HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\VersionManager\DownloadVersionList to 0 (zero).
9. License Manager
You can turn off License Manager related traffic by setting the following registry entry:
Add a REG_DWORD value named Start to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LicenseManager and set the value to 4
The value 4 is to disable the service. Here are the available options to set the registry:
0x00000000 = Boot
0x00000001 = System
0x00000002 = Automatic
0x00000003 = Manual
0x00000004 = Disabled
10. Live Tiles
To turn off Live Tiles:
Enable the Group Policy: Computer Configuration > Administrative Templates > Start Menu and Taskbar > Notifications > Turn Off notifications network usage
Create a REG_DWORD registry setting named NoCloudApplicationNotification in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications with a value of 1 (one)
In Windows 10 Mobile, you must also unpin all tiles that are pinned to Start.
11. Mail synchronization
To turn off mail synchronization for Microsoft Accounts that are configured on a device:
In Settings > Accounts > Your email and accounts, remove any connected Microsoft Accounts.
Remove any Microsoft Accounts from the Mail app.
To turn off the Windows Mail app:
- Create a REG_DWORD registry setting named ManualLaunchAllowed in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Mail with a value of 0 (zero).
12. Microsoft Account
Use the setting below to prevent communication with the Microsoft Account cloud authentication service. Many apps and system components that depend on Microsoft Account authentication may lose functionality, some of them in unexpected ways. For example, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See Feature updates are not being offered while other updates are.
To disable the Microsoft Account Sign-In Assistant:
- Change the Start REG_DWORD registry setting in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wlidsvc to a value of 4.
13. Microsoft Edge
Use Group Policies to manage settings for Microsoft Edge. For more info, see Microsoft Edge and privacy: FAQ and Configure Microsoft Edge policy settings on Windows.
13.1 Microsoft Edge Group Policies
Find the Microsoft Edge Group Policy objects under Computer Configuration > Administrative Templates > Windows Components > Microsoft Edge.
Policy | Description |
---|---|
Allow Address bar drop-down list suggestions | Choose whether to show the address bar drop-down list Set to Disabled |
Allow configuration updates for the Books Library | Choose whether configuration updates are done for the Books Library. Set to Disabled |
Configure Autofill | Choose whether employees can use autofill on websites. Set to Disabled |
Configure Do Not Track | Choose whether employees can send Do Not Track headers. Set to Enabled |
Configure Password Manager | Choose whether employees can save passwords locally on their devices. Set to Disabled |
Configure search suggestions in Address Bar | Choose whether the Address Bar shows search suggestions. Set to Disabled |
Configure Windows Defender SmartScreen (Windows 10, version 1703) | Choose whether Windows Defender SmartScreen is turned on or off. Set to Disabled |
Allow web content on New Tab page | Choose whether a new tab page appears. Set to Disabled |
Configure Start pages | Choose the Start page for domain-joined devices. Enabled and Set this to |
Prevent the First Run webpage from opening on Microsoft Edge | Choose whether employees see the First Run webpage. Set to: Enable |
Allow Microsoft Compatibility List | Choose whether to use the Microsoft Compatibility List in Microsoft Edge. Set to: Disabled |
Alternatively, you can configure the following Registry keys as described:
Registry Key | Registry path |
---|---|
Allow Address Bar drop-down list suggestions | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\ServiceUI REG_DWORD name: ShowOneBox Set to 0 |
Allow configuration updates for the Books Library | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\BooksLibrary REG_DWORD name: AllowConfigurationUpdateForBooksLibrary Set to 0 |
Configure Autofill | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main REG_SZ name: Use FormSuggest Value : No |
Configure Do Not Track | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main REG_DWORD name: DoNotTrack REG_DWORD: 1 |
Configure Password Manager | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main REG_SZ name: FormSuggest Passwords REG_SZ: No |
Configure search suggestions in Address Bar | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes REG_DWORD name: ShowSearchSuggestionsGlobal Value: 0 |
Configure Windows Defender SmartScreen (Windows 10, version 1703) | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter REG_DWORD name: EnabledV9 Value: 0 |
Allow web content on New Tab page | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\ServiceUI REG_DWORD name: AllowWebContentOnNewTabPage Value: 0 |
Configure corporate Home pages | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Internet Settings REG_SZ name: ProvisionedHomePages Value: |
Prevent the First Run webpage from opening on Microsoft Edge | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main REG_DWORD name: PreventFirstRunPage Value: 1 |
Choose whether employees can configure Compatibility View. | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\BrowserEmulation REG_DWORD: MSCompatibilityMode Value: 0 |
For a complete list of the Microsoft Edge policies, see Available policies for Microsoft Edge.
14. Network Connection Status Indicator
Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to http://www.msftconnecttest.com/connecttest.txt to determine if the device can communicate with the Internet. See the Microsoft Networking Blog to learn more.
In versions of Windows 10 prior to version 1607 and Windows Server 2016, the URL was http://www.msftncsi.com/ncsi.txt .
You can turn off NCSI by doing one of the following:
- Enable the Group Policy: Computer Configuration > Administrative Templates > System > Internet Communication Management > Internet Communication Settings > Turn off Windows Network Connectivity Status Indicator active tests
After you apply this policy, you must restart the device for the policy setting to take effect.
- Create a REG_DWORD registry setting named NoActiveProbe in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator with a value of 1 (one).
15. Offline maps
You can turn off the ability to download and update offline maps.
Turn off the feature in the UI by going to Settings -> Apps -> Offline maps -> Map updates and toggling the Automatically update maps switch to Off
Enable the Group Policy: Computer Configuration > Administrative Templates > Windows Components > Maps > Turn off Automatic Download and Update of Map Data
Create a REG_DWORD registry setting named AutoDownloadAndUpdateMapData in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Maps with a value of 0 (zero).
In Windows 10, version 1607 and later, Enable the Group Policy: Computer Configuration > Administrative Templates > Windows Components > Maps > Turn off unsolicited network traffic on the Offline Maps settings page
Create a REG_DWORD registry setting named AllowUntriggeredNetworkTrafficOnSettingsPage in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Maps with a value of 0 (zero).
16. OneDrive
To turn off OneDrive in your organization:
Enable the Group Policy: Computer Configuration > Administrative Templates > Windows Components > OneDrive > Prevent the usage of OneDrive for file storage
Create a REG_DWORD registry setting named DisableFileSyncNGSC in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive with a value of 1 (one).
Enable the Group Policy: Computer Configuration > Administrative Templates > Windows Components > OneDrive > Prevent OneDrive from generating network traffic until the user signs in to OneDrive (Enable)
Create a REG_DWORD registry setting named PreventNetworkTrafficPreUserSignIn in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OneDrive with a value of 1 (one)
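The machine-wide (HKEY_LOCAL_MACHINE) registry values from sections 7, 9, 10, 12, 14, 15 and 16 can be checked after deployment with a read-only audit. The following PowerShell is an added example, not part of the original guidance: the function name Test-RegistrySetting and the layout of the $expected table are hypothetical, while the paths, value names and data are the ones listed in those sections.

```powershell
# Added example: read-only audit of HKLM settings listed on this page.
# Paths, value names and data come from sections 7, 9, 10, 12, 14, 15 and 16;
# Test-RegistrySetting and the $expected layout are hypothetical helpers.
$expected = @(
    @{ Section = '7. Insider Preview builds'; Name = 'AllowBuildPreview'; Value = 0
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds' }
    @{ Section = '9. License Manager'; Name = 'Start'; Value = 4   # 4 = Disabled
       Path = 'HKLM:\System\CurrentControlSet\Services\LicenseManager' }
    @{ Section = '10. Live Tiles'; Name = 'NoCloudApplicationNotification'; Value = 1
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications' }
    @{ Section = '12. Microsoft Account'; Name = 'Start'; Value = 4   # 4 = Disabled
       Path = 'HKLM:\System\CurrentControlSet\Services\wlidsvc' }
    @{ Section = '14. NCSI'; Name = 'NoActiveProbe'; Value = 1
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator' }
    @{ Section = '15. Offline maps'; Name = 'AutoDownloadAndUpdateMapData'; Value = 0
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Maps' }
    @{ Section = '15. Offline maps'; Name = 'AllowUntriggeredNetworkTrafficOnSettingsPage'; Value = 0
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Maps' }
    @{ Section = '16. OneDrive'; Name = 'DisableFileSyncNGSC'; Value = 1
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive' }
    @{ Section = '16. OneDrive'; Name = 'PreventNetworkTrafficPreUserSignIn'; Value = 1
       Path = 'HKLM:\SOFTWARE\Microsoft\OneDrive' }
)

function Test-RegistrySetting {
    param([Parameter(Mandatory)][hashtable]$Setting)

    $actual = $null
    $state  = 'Missing'   # key or value absent: the setting was never applied

    # Returns nothing (no error) when the key or the named value does not exist.
    $item = Get-ItemProperty -LiteralPath $Setting.Path -Name $Setting.Name `
                             -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $actual = $item.($Setting.Name)
        $state  = if ($actual -eq $Setting.Value) { 'Compliant' } else { 'Drift' }
    }

    [pscustomobject]@{
        Section  = $Setting.Section
        Name     = $Setting.Name
        Expected = $Setting.Value
        Actual   = $actual
        State    = $state
        Path     = $Setting.Path
    }
}

$report = $expected | ForEach-Object { Test-RegistrySetting -Setting $_ }

# Full table for the record, then only the rows that need attention.
$report | Format-Table Section, Name, Expected, Actual, State -AutoSize
$report | Where-Object { $_.State -ne 'Compliant' } |
    Format-List Section, Name, Expected, Actual, State, Path
```

A row reported as Missing means the value was never written, which is different from Drift, where the value exists but something has changed it since deployment.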
17. Preinstalled apps
Some preinstalled apps get content before they are opened to ensure a great experience. You can remove these using the steps in this section.
To remove the News app:
Right-click the app in Start, and then click Uninstall.
If you have any issues with these commands, restart the system and try the scripts again.
Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -Like "Microsoft.BingNews*"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName }
Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: Get-AppxPackage Microsoft.BingNews | Remove-AppxPackage
To remove the Weather app:
Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -Like "Microsoft.BingWeather*"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName }
Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: Get-AppxPackage Microsoft.BingWeather | Remove-AppxPackage
To remove the Money app:
Right-click the app in Start, and then click Uninstall.
Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -Like "Microsoft.BingFinance*"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName }
Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: Get-AppxPackage Microsoft.BingFinance | Remove-AppxPackage
To remove the Sports app:
Right-click the app in Start, and then click Uninstall.
Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -Like "Microsoft.BingSports*"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName }
Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: Get-AppxPackage Microsoft.BingSports | Remove-AppxPackage
To remove the Twitter app:
Right-click the app in Start, and then click Uninstall.
Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -Like "*.Twitter*"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName }
Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: Get-AppxPackage *.Twitter | Remove-AppxPackage
To remove the XBOX app:
Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -Like "Microsoft.XboxApp*"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName }
Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: Get-AppxPackage Microsoft.XboxApp | Remove-AppxPackage
To remove the Sway app:
Right-click the app in Start, and then click Uninstall.
Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -Like "Microsoft.Office.Sway*"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName }
Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: Get-AppxPackage Microsoft.Office.Sway | Remove-AppxPackage
To remove the OneNote app:
Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -Like "Microsoft.Office.OneNote*"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName }
Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: Get-AppxPackage Microsoft.Office.OneNote | Remove-AppxPackage
To remove the Get Office app:
Right-click the app in Start, and then click Uninstall.
Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -Like "Microsoft.MicrosoftOfficeHub*"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName }
Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: Get-AppxPackage Microsoft.MicrosoftOfficeHub | Remove-AppxPackage
To remove the Get Skype app:
Right-click the Sports app in Start, and then click Uninstall.
Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -Like "Microsoft.SkypeApp*"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName }
Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: Get-AppxPackage Microsoft.SkypeApp | Remove-AppxPackage
To remove the Sticky notes app:
Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -Like "Microsoft.MicrosoftStickyNotes*"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName }
Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: Get-AppxPackage Microsoft.MicrosoftStickyNotes | Remove-AppxPackage
18. Settings > Privacy
Use Settings > Privacy to configure some settings that may be important to your organization. Except for the Feedback & Diagnostics page, these settings must be configured for every user account that signs into the PC.