The Complete Windows 10 Privacy Guide

ThecompleteWindows10PrivacyGuideFallCreatorsUpdateedition

ByMartinBrinkmann

Copyright©2010byMartinBrinkmannAllrightsreserved.Thisbookoranyportionthereofmaynotbereproducedorusedinanymannerwhatsoeverwithouttheexpresswrittenpermissionofthepublisherexceptfortheuseofbriefquotationsinabookreview.

DedicationForJulia.Thisbookwouldnotexistwithoutyourmoralsupportandunderstanding.Thankyou,mylove.

TableofContentsForewordThisguide

WhatMicrosoftsaysaboutPrivacyandWindows10PrivacyOptionsduringSetupAccountCortanaServices

5-MinutePrivacyConfigurationConfiguringPrivacySettingsafterSetupPrivacy→GeneralPrivacy→LocationPrivacy→CameraPrivacy→MicrophonePrivacy→NotificationsPrivacy->Speech,inkingandtypingPrivacy->AccountInfoPrivacy→ContactsPrivacy→CalendarPrivacy→CallHistoryPrivacy→EmailPrivacy→TasksPrivacy→MessagingPrivacy→RadiosPrivacy→OtherdevicesPrivacy→Feedback&DiagnosticsPrivacy→BackgroundappsPrivacy→AppdiagnosticsPrivacy->Automaticfiledownloads

QuickOverview:DifferencesbetweenWindows10EditionsImportantinformationabouttoolsusedinthisguide

TelemetryWhatisTelemetryTelemetrylevelsOverviewEndpointsforTelemetryServicesConfiguringWindows10TelemetrysettingsBusinessandEnterpriseoptionsManageConnectionsfromWindowscomponentstoMicrosoft

SettingsforWindows10CertificateTrustListsCortanaandSearchDate&TimeDeviceMetadataRetrievalFontStreamingInsiderPreviewBuildsMicrosoftInternetExplorerLiveTilesMailSynchronizationMicrosoftAccountMicrosoftEdgeNetworkConnectionStatusIndicatorOfflineMapsOneDrivePreinstalledApplicationsWindows10PrivacySettings

WindowsFeaturesAccounts(Local,Microsoft)CustomerExperienceProgramFeedbackandHelpInternetExplorerMicrosoftEdgeOneDrive/FileSynchronizationSmartScreen

WindowsErrorReportingWindowsMediaPlayerWindowsUpdateWi-FiMisc

WindowsServicesWindowsTasksOfficeTelemetryTurnonTelemetrydatacollection

AnnoyancesRemoveAds/Suggestions

SoftwareResourcesWindowsExperienceBlogGeneralPagesofInterestMicrosoftOfficeTelemetryandPrivacyThird-partyResourcesPrivacySettingsandFeaturesWhitepapersandDocs

Index

ForewordPrivacyisahottopicintoday’sconnectedworld.ThisistrueespeciallywhenitcomestousertrackingontheInternet,butalsotrackingbuilt-intooperatingsystemssuchasWindows10orAndroid,orprogramssuchasGoogleChromeorMozillaFirefox.Windows10hasprobablybeentheoperatingsystemthatMicrosofthasbeenattackedthemostforfromprivacyadvocatesandconcernedusersinregardstoprivacyanddatacollection.ProbablythebiggestfactorsforthisarechangesmadetoTelemetrycollectingontheoperatingsystem,alackoftransparencywhenitcomestothecollectingofdata,andalackofdistinctionbetweendatathatMicrosoftcollects,anddatathatisrequiredbyservicesorapplicationsforfunctionality.QuestionsaboutwhichdataiscollectedwhenWindows10isused,whyitiscollected,whereitisstored,andhowitisusedorshared,arenotansweredtothesatisfactionofprivacyadvocatesoruserswhoareconcernedaboutprivacy.

Asignificantissueisthetelemetrydatathecompanyreceives.WhileMicrosoftinsiststhatitaggregatesandanonymizesthisdata,ithasn’texplainedjusthowitdoesso.Microsoftalsowon’tsayhowlongthisdataisretained,insteadprovidingonlygeneraltimeframes.[1]

MicrosoftmadeconcessionstothatwiththereleaseoftheWindows10CreatorsUpdatewhenitrevealedwhattheBasic[2]andFullTelemetry[3]settingsmeanintermsofdatacollecting.ItisclearthatthedatathatiscollectedisimportanttoMicrosoft,asitusesittodetectandresolveissues,andtofindwaystooptimizetheoperatingsystem.Thenewfasterreleaseschemewithtwofeatureupdatesperyeardemandsacloserlookondataaswell,toprioritizedevelopmentforinstanceorrecognizeissuesmorequickly.Dataisrequiredforsomefunctionalityaswell.ThedigitalassistantCortanaforinstancerequiresaccesstothedevice’slocation,datafromemailsandtextmessages,thecallhistory,contactsyouhaveandhowoftenyouinteractwiththosecontacts,andtheappsyouuse.Windows10userscanopt-outofmostofthedatacollecting,butevenifthey

turnanypreferenceoffduringsetuporunderthePrivacysectionoftheSettingsapplication,datastillgetscollectedandtransferredtoMicrosoft.

TheriseofprivacyprogramsforWindows10[4]isaresponsetoMicrosoft’sinabilitytorespondtoconcernsadequately,forinstancebymakingitdifficulttocontroldatacollectionandsubmissiontoMicrosoft.Morethanadozenprogramshavebeencreatedthatperformallkindsofpro-privacyoperationsontheoperatingsystemwhenexecuted.Allofferoptionstotweakprivacysettings,andmanytoremoveWindowsapps,blockMicrosoftservers,ordisableWindowsscheduledtasksorServices.

ThisguideThisprivacyguidecoverseveryaspectofWindows10privacyanddatacollectingindetail.ItincludesinformationonallprivacysettingsthatareexposedtousersintheSettingsapplicationandothersystemlocations,andexplainsinsimplebutdetailedtermswhateachdoes.TheguidelooksatMicrosoft’sstanceonprivacy,providesyouwithresourcestodoyourownresearchonthetopic,andcomeswitha5-minuteprivacyimprovementguidetomakethemostimportantprivacyrelatedchangesrightawaysothatyoudon’thavetoreadtheentirebookfirstbeforeyoumakethemostimportantchangesinregardstoprivacy.ItlooksatdifferencesbetweenWindows10Editions,theinstallationprocess,reviewsprivacyprogramscreatedforWindows10,andatspecificfeaturesoftheoperatingsystemandhowdatacollectingplaysaroleforthesefeatures.

WhatMicrosoftsaysaboutPrivacyandWindows10

MicrosoftpublishedapostwiththetitlePrivacyandWindows10[5]backinSeptember2015ontheofficialWindowsExperienceBlogtoaddressrisingprivacyconcerns.AccordingtoTerryMyerson,ExecutiveVicePresident,WindowsandDevicesGroup,MicrosoftdesignedWindows10withtwo“straightforwardprivacyprinciples”inmind.

Windows10collectsinformationsotheproductwillworkbetterforyou.

Youareincontrolwiththeabilitytodeterminewhatinformationiscollected.

MyersongoesontoexplainthatMicrosoftthinksofdatathatthecompanydoesanddoesnotcollectinthreedifferentlevels:1. SafetyandReliabilitydata–Thisdataiscollectedto“provideasecure

andreliableexperience”.ItincludesdatasuchasananonymousdeviceID,devicetype,andapplicationcrashdatawhichMicrosoftanditsdeveloperpartnersusetoimproveapplicationreliability.

2. Personalizationdata–Thisdataisusedtoprovideuserswithacustomexperience,forinstancebyprovidingtextcompletionsuggestions,usingthedigitalassistantCortana,orgivingusersupdatesongamescoreswhentheirfavoriteteamsplay.

3. AdvertisingdatathatMicrosoftdoesnotcollect–Microsoftwon’tcollectcontentofemailsorothercommunications,orfiles,todelivertargetedadvertising.

In2017,MyersonpublishedtwoadditionalprivacyfocusedarticlesontheWindows10Experienceblog.ThenewPrivacyDashboardwasannouncedinthefirstentitledOurcontinuingcommitmenttoyourprivacywithWindows10[6].Thenewonlinedashboard[7]providesoptionstoWindowsuserswhosignintoWindowsusingaMicrosoftAccounttocontrolactivitydatathatiscollectedbyMicrosoftproductssuchasWindows10.

Microsoftannouncedaswellthatitwouldimprovetheprivacypartofthesetupexperience,simplifydiagnosticdatalevels,andreducedatacollectedattheBasiclevel(ofTelemetry).

First,wewillintroduceanewsetupexperienceforyoutochoosethesettingsthatarerightforyou.

Thisexperience,whichreplacespreviousExpressSettings,willlookslightlydifferentdependingontheversionofWindowsyouareusing.IfyouaremovingfromWindows7orWindows8,ordoingafreshinstallofWindows10,thenewsetupexperiencewillclearlyshowyousimplebutimportantsettingsandyouwillneedtochooseyoursettingsbeforeyoucanmoveforwardwithsetup.

IfyouarealreadyusingWindows10,wewillusenotificationstopromptyoutochooseyourprivacysettings.

MicrosoftmadethedecisiontoreduceTelemetrylevelsfromthreetotwoconfigurablelevelsintheSettingsapplicationoftheWindows10CreatorsUpdateversion.ThecompanyremovedtheEnhancedlevel,leavingBasicandFullasthetworemainingoptionsduringSetupandintheSettingsapplication.MyersonconfirmedthatMicrosoftreducedthedatathatiscollectedwhentheBasiclevelisenabled.

WeusethisdatatohelpkeepWindowsandappssecure,up-to-date,andrunningproperlywhenyouletMicrosoftknowthecapabilitiesofyourdevice,whatisinstalled,andwhetherWindowsisoperatingcorrectly.ThisoptionalsoincludesbasicerrorreportingbacktoMicrosoft.

Threemonthslater,inApril2017,MyersonpublishedWindows10privacyjourneycontinues:moretransparencyandcontrolsforyou[8]ontheWindowsExperienceblog.InitherevealedthreeenhancementstoprivacyonWindows10.

•In-productinformationimprovementsbyaddingshortdescriptionsandlearnmorelinkstoprivacysettingstohelpcustomersbetterunderstandeach.

•AnupdatetotheMicrosoftPrivacystatementtoincludemoreinformationabouttheprivacychangesintheCreatorsUpdate.•PublicationofmoreinformationaboutthedatathatMicrosoftcollects.

MarisaRogers,WDGPrivacyOfficer,revealed[9]inSeptember2017ontheofficialWindowsExperienceblogthatprivacyenhancementswerecomingtotheWindows10FallCreatorsUpdate.Shelistedthreeimprovementsinthearticle:1. Directaccesstotheprivacystatementduringsetup,andlinksnexttothe

availableprivacysettingsduringsetupthatleadtotheprivacystatementparagraphthatreferstoit.

2. PermissionpromptsnotonlyforlocationdatabutalsootherdatathatWindowsStoreapplicationsrequestsuchascamera,microphone,contacts,orcalendar.

3. AnewWindowAnalyticssettingforEnterprisecustomers.

PrivacyOptionsduringSetupWindows10usersandadministratorshaveonlyoneoptionwhenitcomestosettinguptheoperatingsystem.PreviousversionsofWindows10shippedwithtwo–ExpressandCustom–butMicrosoftchangedtheexperienceinWindows10version1703.Thismeansthatitisnolongerrequiredtohuntdownthe“custom”linkduringsetuptogetmorecontrol,andcustomizesomeoftheprivacyoptionsthatMicrosoftaddedasoptionstotheWindows10setupprocess.ThefollowingscreensarecapturesofWindows10version1709–TheFallCreatorsUpdate.NotethatMicrosoftchangedthesetupexperienceinthatversion,andthatthescreenswillhavedifferentoptionswhenyouinstallanearlierversionofWindows10.SetupprovidesWindowsuserswithcontrolovertwoprivacyrelatedoptions.Themostimportantpartofsetupfromaprivacyperspectiveistheprivacysettingsscreenofthesetup.Itlistsimportantprivacyoptionsthatareenabledbydefault.Youmaydisablethoseduringsetup,oraftersetupwhenyouopenthePrivacyhuboftheSettingsapplication.Notethatyoumaydisableonlyalimitednumberofprivacyrelatedoptionsduringsetuporfirstrun;theprivacyhublistswaymoreoptions,anditishighlysuggestedthatyougothroughthelistingthereatleastoncetoconfigureeachsettingaccordingly.Onechapterofthisbookwalksyouthroughallthepreferencesthatyoufindthere.ThesecondoptionthatusersgetduringsetuporfirstrunisthattheymaysetupaMicrosoftaccountoralocalaccount(Microsoftcallsitofflineaccountduringsetup)foruseonthesystem.Thisisimportantaswell,asfeaturesmaybelimitedtoacertainaccounttype.Notethatthefollowingpagesconcentrateonprivacyoptionsonly.Mostscreensofthesetupareself-explanatoryandarenotrelatedtoprivacy.

Account

TheAccountsetuppagegivesyoutwooptions:1. UseaMicrosoftAccount2. Usealocal(offline)account.

IsuggestyoucheckoutthecomparisoninalaterchapterofthisbookfordetailedinformationonlocalaccountsandMicrosoftaccounts.ThecoredifferencesbetweenlocalaccountsandMicrosoftaccountsarethefollowingones:•Localaccountsareactiveonasinglemachineonly.

•AMicrosoftaccountmaybeusedonmultipledevices.•SomeaccountpreferencesmaybesyncedacrossdevicesifaMicrosoftaccountisusedtosignin.Thisincludesthemes,languagepreferences,passwords,orInternetExplorersettings.Thisisenabledbydefault.

•SomefeaturesonWindows10requireaMicrosoftAccount.ThisisthecaseforOneDriveforinstance,thedefaultfilesynchronizationservice.•YoucanresettheMicrosoftAccountpasswordonline.•AMicrosoftAccountisnolongerrequiredtodownload(free)StoreapplicationsifyouuseWindows10ProorEnterprise.YoustillneedaMicrosoftaccounttodownloadStoreappsonWindows10Home.•YoumayuseaMicrosoftaccounttosignupanduseotherMicrosoftcompanyproducts,especiallyonlineproducts.

Microsoftlinkstoprivacy&helpinformation,andthetermsofuseonthefirstpageofsetupaswell.Generallyspeaking,aMicrosoftAccountismoreconvenientinsomeregards,butitdoeslinktheaccounttothedeviceandcomeswithdatasynchronizationenabledbydefault.

Cortana

CortanaisadigitalpersonalassistantthatMicrosoftintroducedinWindows10.YoumaycommunicatewithCortanausingspeechortext,andmayuseitforavarietyofpurposes.Someoftheseincluderunningsearches,settingupreminders,gettinganswerstodirectquestions(What’stheweather),reservingtables,composingemails,andalotmore.Cortanarequiresaccesstodataforthat,andMicrosoft“collectsandusesinformation”forthatpurposes.

..includingyourlocationandlocationhistory,contacts,voiceinput,speechpatterns,searchinghistory,relationships,calendardetails,email,contentandcommunicationhistoryfromtextmessages,instantmessagesandapps,andotherinformationonyourdevice.InMicrosoftEdge,Cortanausesyourbrowsinghistory.

Youmayselectthe“no”optiononthesetuppagetodenyCortana’s

permissionsrequest.YoumaychangewhatCortanaisallowedtodolateronaswell.

Services

TheServicessetuppagelistsallprivacyrelatedsettingsanddescriptionsofthesetupprocess.Theyareenabledbydefault,andjustsomeoftheprivacysettingsthatWindows10shipswith.Pleasenotethatyoucanchangethestatusofanyoftheserviceslistedonthepagelateronaswell.Location–ThissettingdetermineswhetherapplicationsandWindowsmayrequestaccesstothelocationofthedeviceforfunctionality.Twoappsthatmakeuseoflocationaretheweatherapplication,andMaps.LocationdataissenttoMicrosoftandusedtoimprovelocationservicesaccordingtothedescription.Microsoftmaysharelocationdatawithtrustedpartnersforthat.

◦Microsoft’slocationserviceprovideslocationinformationtoWindows

devicesusingacombinationofglobalpositioningservice(GPS),nearbywirelessaccesspoints,celltowers,andyourIPaddress,dependingonthecapabilitiesofyourdevice.◦TurningonLocationenablescertainapps,services,andWindowsfeaturestoaskforpermissiontoaccessanduseyourlocationdatatodeliverlocation-awareservicesatasprecisealevelasyourdevicesupports.Whenyourlocationisusedbyalocation-awareapporservice,yourlocationinformationandrecentlocationhistoryisstoredonyourdeviceandsenttoMicrosoftinade-identifiedformattoimprovelocationservices.◦Inaddition,ifyouareloggedinwithyourMicrosoftaccount,yourlastknowngoodlocationinformationissavedtothecloudandavailabletootherappsorservicesusingyourMicrosoftaccountacrossdevices.Ifyourdevicecannotobtainagoodlocationonitsown(likeforexampleinabuildingorbasement),itcanuseyourlastknowngoodlocationstoredinthecloud.◦Youcanturnofflocationaccessandclearyourdevice’slocationhistoryatanytimeinStart>Settings>Privacy>Location.◦Ifyouhaveaportabledevice,suchasalaptop,turningonlocationwillalsoenabletheFindmyDevicefeature,whichusesyourlocationdatatohelpyoufindyourdeviceifyouloseit.Forthisfeaturetowork,youmustlogintoWindowswithyourMicrosoftAccount.YoucanturnthisoffatanytimeinStart>Settings>Update&Security>FindmyDevice.

Diagnostics–DiagnosticdataissenttoMicrosoft.Thisincludesinformationonbrowser,applicationandfeatureuse,inkingandtypingdata,andmore.ChecktheTelemetrychapterfordetailedinformationonwhatgetscollectedandsenttoMicrosoft.Thisfeaturecannotbeturnedoff,butyoucanswitchfromfulltobasicTelemetryduringsetup.

◦Diagnosticdatahelpsidentifyandtroubleshootproblems,andkeepthedeviceuptodataandsecure.◦ThedataistransmittedtoMicrosoft,andstoredwithoneormultipleuniqueidentifiersthatMicrosoftusestorecognizeindividualusersor

devices.◦Therearetwolevelsofdiagnosticthatcanbesetduringsetup:fullorbasic.◦BasicdataisdatathatisvitaltotheoperationofWindows.ItprovidesMicrosoftwithinformationonthedevice’scapabilities,installedsoftware,andifWindowsoperatescorrectly.◦FulldataincludesallBasicdata,andinformationonappandbrowserusage,featureusage,howlongappsareused,whichservicesyouusetosignintoapps,orhowoftenWindowsHelpandSupportisused.ThememorystateofthedeviceistransferredtoMicrosoftatthefulldatalevel.Microsoftnotesthatanyidentifyinginformationisremovedfromthetypedandhandwritteninputdata.◦MicrosoftusesthedatatoimproveproductsandservicesforallWindowsusers.Itwon’tusethedatatopersonalizeMicrosoftproductsorservices,unlessyouallowMicrosofttodoso.◦YoucanadjustthediagnosticdatalevelinStart>Settings>Privacy>Feedback&diagnosticsRelevantads–Windows10mayuseanadvertisingID,auniqueidentifier,topersonalizeadvertisementontheoperatingsystem.

Advertisementisbasedonapplicationusageifthesettingisenabled.Ifyouturnitoff,adsarestilldisplayedbuttheyarenotpersonalizedanymoreusingtheadvertisingID.

◦WindowsgeneratesauniqueadvertisingIDforeachuseronadevice.ThisIDmaybeusedbyapplicationdevelopersandadvertisingnetworksforpersonalizedadvertisement.◦MicrosoftcomparestheuseoftheadvertisingIDtotheuseofcookiesbywebsites.◦YoucanturnthisoffinStart>Settings>Privacyatanytime.

Speechrecognition–Cortana,thedigitalassistantrequiresspeechrecognitionifyouwanttousevoicecommandsandinteractwithCortanausingvoice.Similarly,Storeappsmayalsosupportvoicerecognitionandrequireitaswell.VoiceinputdataissenttoMicrosofttohelpimprovespeechservices.Ifyouturnthisoff,youcannotcommunicatewithCortanaorotherapplicationsusingvoice.Thisdoesnotimpactthefunctionalityofconnectedmicrophonesthough.

◦Windowsprovidesbothadevicebasedspeechrecognitionfeature(availablethroughtheWindowsSpeechRecognitiondesktopapp),andacloudbasedspeechrecognitionservicethatwasintroducedalongsideCortanainthosemarketsandregionswhereCortanaisavailable.◦TurningontheSpeechrecognitionsettingallowsMicrosofttocollectanduseyourvoicerecordingstoprovideyouwithcloud-basedspeechrecognitionservicesinCortana,supportedStoreapps,andovertimeinotherpartsofWindows.◦Microsoftcollectsinformationfromtheuserdictionaryaspartoftheservice.Theuserdictionarystoresuniquewordslikenamesyouwrite,whichhelpuserstypeandinkmoreaccurately.◦BoththevoicedataandtheuserdictionaryareusedbyMicrosofttoimprovetheabilitytocorrectlyrecognizeuserspeech.◦YoucanturnoffthisfeatureatanytimeinStart>Settings>Privacy>Speech,inking&typing.

Tailoredexperienceswithdiagnosticdata–Microsoftmayusediagnosticdatatodisplaytipsandrecommendationstousers.

◦Microsoftwillusesomediagnosticdatato“personalizeyourexperienceswithWindowsandotherproductsandservices”.Thisincludes,accordingtoMicrosoft,suggestionsonhowtocustomizeandoptimizeWindows:andrecommendationsandoffersofWindowsfeaturesandsupportedapps,services,hardware,andperipherals.◦Thisfeaturepowerscampaignsthatsuggestappstousersthatdothingsbetterthanothers,accordingtoMicrosoft.ChromeorFirefoxusersmaygetEdgerecommendedtothemforinstance.◦MicrosoftmayalsosuggesttryingOneDriveforstorage,orpurchasemorespaceonOneDrive,orgiveOffice365atry.◦Fullincludesadditionalinformation,e.g.theuseofbrowsersorapplications.◦Tailoredexperienceswon’tusecrash,speech,typing,orinkinginputdataforpersonalization.◦YoucanturnthisoffinStart>Settings>Privacy>Feedback&diagnostics.

5-MinutePrivacyConfigurationThisbookoffersalotofinformationwhenitcomestoprivacy,Windowsconfigurationandrelatedtopicsofinterest.This5-minuteguideisdesignedtomakethemostimportantprivacy-relatedchangesrightawaywithouthavingtoreadforhourswhateachsettingdoes.Irecommendthatyoureadthroughtherestofthebook,butsinceitmaytakeawhile,youmaywanttomakesomechangesasquicklyaspossible.Thefollowingsettingsconcentrateontwothings:settingTelemetrydatacollectingtoBasic,thelowestavailablelevel(unlessyourunEnterprise,EducationorIoTeditionsofWindows),andturningofffeaturesthatmaydisplaysuggestions/advertisement.Let’sstart:1. UsetheshortcutWindows-ItoopentheSettingsapplication.2. GotoPrivacy>Feedback&Diagnostics.3. SetthediagnosticandusagedataleveltoBasic.4. Set“LetMicrosoftprovidetailoredexperienceswithrelevanttipsand

recommendationsbyusingyourdiagnosticdata”tooff.5. GotoGeneralusingtheleftsidebar.6. Set“LetappsuseadvertisingIDtomakeadsmoreinterestingtoyoubased

onyourappusage(turningthisoffwillresetyourID)tooff.7. Set“ShowmesuggestedcontentintheSettingsapp”tooff.8. GotoPersonalization>LockScreen.9. Set“Getfunfacts,tips,tricks,andmoreonyourlockscreen”tooff.10. GotoStartusingtheleftsidebar.11. Set“OccasionallyshowsuggestionsinStart”tooff.12. GotoSystem>Notifications&actions13. Set“gettips,tricks,andsuggestionsasyouuseWindows”tooff.14. Set“ShowmetheWindowswelcomeexperienceafterupdatesand

occasionallywhenIsignintohighlightwhat’snewandsuggested”tooff.15. GotoAccounts>SyncyourSettings.16. Set“Syncsettings”tooff,unlessyouwantyoursettingstosynctothe

cloud.Ifyoudo,disablealldatasetsonthesamepagethatyoudon’trequireinstead.

17. GotoUpdates&security>Advancedoptions>Choosehowupdatesaredelivered,andset“downloadWindowsupdatesandappsfromotherPCs..”tooff,and“getupdatesfromMicrosoft..”toPCsonmylocalnetwork.

18. OpenFileExplorer.19. SelectFile>Changefolderandsearchoptions.20. SwitchtotheViewtab.21. Disable“showsyncprovidernotifications”.

ConfiguringPrivacySettingsafterSetupYoucanconfigureanyoftheprivacysettingsthatweredisplayedtoyouduringsetupafterwardsaswell;plus,alotmorethatwerenotexposedduringsetup.ThispartoftheguidelooksatPrivacyoptionsintheWindows10Settingsapplication.FordetailedinformationonprivacyoptionsnotlistedunderSettings,checkoutthefollowingchaptersasyoufindthosethere,aswellasoptionsthatarenotinSettings>Privacy,andinformationonGroupPolicyandRegistrysettings.YoustarttheSettingsapplicationeitherwithaclickonStart>Settings,orbyusingthekeyboardshortcutWindows-I.OpenthePrivacysectiononcetheSettingsapplicationopens.Note:Somefeaturescomewithadefaultlistofapplicationsthatareallowedtousethatfeature.Thislistmayvaryslightlyfromregiontoregion.Itisagoodideatogothroughtheselistingstodisablepermissionsforapplicationsthatyoudon’tplanonusing,ordon’twanttohaveaccesstoafeature.

Privacy→General

ThisisthestartpageofthePrivacycategoryoftheSettingsapplication.Youfindthefollowingoptionshere:•LetappsuseadvertisingIDtomakeadsmoreinterestingtoyoubasedonyourappusage(turningthisoffwillresetyourID).Ifyouhavedisabledtheoptionduringsetup,itisalreadysettooff.Turningthistooffresultsinnon-personalizedads,butnotfewerads.Basically,whatthismeansisthatMicrosoftcreatesnoprofileofyourintereststouseittodisplayadvertisementtoyou.

•Letwebsitesprovidelocallyrelevantcontentbyaccessingmylanguagelist.Websitesmaylookupsupportedlanguagestocustomizecontentbasedonthose.•LetWindowstrackapplaunchestoimproveStartandsearchresults.Ifthisisturnedon,WindowsmaintainsalistofmostusedappsthatitdisplaystoyouinStartandwhenrunningsearches.•ShowmesuggestedcontentintheSettingsapp.Windows10maydisplaysuggestionsintheSettingsapplication.

Privacy→Location

TheLocationsettingsallowyoutomanagelocation-basedfeaturesandfunctionality.LocationmaybeusedbyapplicationssuchasMapsorWeatherforpersonalizedresults.Youfindthefollowingoptionshere:•Changethestatusofthedevice’slocationfeature.Youcanturnthelocationfeatureonoroffhereforthedevice.ThissettingwaspartofSetupaswell.

•Setadefaultlocation.Windowsusesthedefaultlocationforitsfunctionality,andappsmayuseitaswell,ifamoreexactlocationcannotbedetected.•Manageandclearthelocationhistory.Locationhistoryisstoredonthedeviceforalimitedtime.AppsandWindowsmayuseitifthelocationcannotbedeterminedotherwise.•Chooseappsthatmayuselocation.YoumayenableordisablelocationuseforapplicationsindividuallyaswellifLocationisenabled.Worksonlyiflocationisenabled.ThefollowingappsareconfiguredtouseLocation:◦Camera◦Cortana◦MailandCalendar◦Maps◦Messaging◦Microsoft

Edge◦News◦Twitter◦Weather•ControlGeofencing–usinglocationdatatoseewhenyoucrossinoroutofaboundarydrawnaroundaplaceofinterest.

Privacy→Camera

Cameraletsyoucontrolwhetherapplicationsmayusecamerahardware,aconnectedwebcamforinstance.Thefollowingoptionsareprovided:•Letappsusemycamerahardware.Youcanturnthefeatureonoroffhereforthedevice.Notethatturningitoffherewon’timpacttheuseofthecameraindesktopprograms.

•Chooseappsthatmayusethecamera.Youmaypreventselectapplicationsfromusingthecamera.Thisworksonlyifcameraisenabledonthedevice.Thefollowingapplicationsarelistedbydefault:◦Cortana◦FeedbackHub◦Fotos◦Maps◦MicrosoftEdge◦OneNote◦Skype◦Store◦Twitter

Privacy→Microphone

MicrophoneworksidenticaltotheCameraoption,onlythatitcontrolsconnectedmicrophones.Thefollowingoptionsareavailable:•Letappsusemymicrophone.Youmayenableordisabletheuseofthemicrophonebyappshere.Notethatturningthisoffwon’timpactmicrophoneuseindesktopprograms.

•Chooseappsthatmayusethemicrophone.Youcanpreventselectapplicationsfromusingthemicrophone.Themicrophonefeatureneedstobeenabledforthistowork.Thefollowingapplicationsarelistedtherebydefault:◦FeedbackHub◦Fotos◦Messaging◦Microsoftaccounts◦MicrosoftEdge◦OneNote◦Skype◦Store◦TakeaTest◦Twitter◦VoiceRecorder◦Xbox◦XboxGamebar

Privacy→Notifications

Thispageprovidesyouwithoptionstodisableaccesstonotificationsbyapplications.Thefollowingoptionsareprovided:•Letappsaccessmynotifications.Thisenablesordisablesthenotificationssystemforapplicationssystemwide.

•Chooseappsthatcanusenotifications.Ifnotificationsareenabled,youmayusethissettingtopreventselectapplicationsfromusingnotifications.

Windows10FallCreatorsUpdateshipswithoutappsthatarepermittedtoaccessnotificationsonthedevice.

Privacy->Speech,inkingandtyping

Youmaychangethestatusofspeechservicesandtypingsuggestionsonthispage.Thefollowingoptionsareprovided:•Turnspeechservicesandsuggestionsonoroff.Ifyouturnthisoff,youcannotspeaktoCortanaanymore,andthepersonaluserdictionarywillbecleared.Thiswon’timpactspeechservicesthatdon’trelyonthecloud.Youmayalsofollowthe“managemyvoicedatathat’sstoredinthecloudwithmyMicrosoftaccount”linktomanagevoicedataontheweb.[10]

Privacy->AccountInfo

Hereyoumayselectwhetherappsmayaccessaccountrelatedinformationsuchasyournameorpicture.Thefollowingoptionsareprovidedonthispage:•Letappsaccessmyname,pictureandotheraccountinfo.

•TurnoffaccesstoAccountinformationforselectapplications.NotethatthisworksonlyifAccountInfoisturnedon.

ThefollowingapplicationsarelistedunderAccountInfoautomatically:Microsoftcontent

Privacy→Contacts

TheContactsprivacysettingsallowyoutodefinewhetherapplicationsmayaccesscontactsonthedevice.Someapps,MailandCalendar,PeopleandPhone,haveaccesstocontactsevenifthefeatureisturnedoff.Thefollowingoptionsareprovided:•Letappsaccessmycontacts.ThissettingdetermineswhetherWindowsStoreapplicationsmayaccesscontactsifyouallowthemdotoso(orifWindowsallowsthemtodothatbydefault).

•TurnoffaccesstoContactsforindividualapplications.Thefollowingappsarelistedtherebydefault:◦Emailandaccounts◦Maps◦Photos◦Skype◦Twitter◦VoiceRecorder◦Xbox

Privacy→Calendar

Thispagecontrolswhichapplicationsmayaccesscalendarinformation.TheMailandCalendarapplicationhasaccesstocalendardataevenifthisisturnedoff.Thefollowingoptionsareprovided:•Letappsaccessmycalendar.Determineswhethercalendarfunctionalityisenabled.

•TurnaccesstoCalendardataoffforselectapplications.Thefollowingappsarelistedbydefault:◦People◦Windows

Privacy→CallHistory

ControlaccesstotheCallHistorybyapplicationsonthispage.ThePhoneapplicationhasaccesstothecallhistoryevenifthefeatureisturnedoff.

•Letappsaccessmycallhistory.Thissettingdetermineswhetherapplicationsmayaccessthecallhistoryonthedevice.•TurnoffaccesstotheCallHistoryforselectapplications.Thisworksonlyifthesettingisenabled.Thefollowingapplicationsareconfiguredforaccessautomatically.

◦Messaging◦People•ThefollowingapplicationhashardcodedaccesstotheCallHistory◦Phone

Privacy→Email

Thepageallowsyoutocontrolifapplicationsmayaccessandsendemail.TheMailandCalendarapplicationisallowedtosendandaccessemailregardlessofsetting.Thefollowingoptionsareprovided:•Letappsaccessandsendemail.Appsneedpermissiontoaccessortransferemails.

•Chooseappsthatcanaccessandsendemail.Thisreliesonthegeneralsettingtowork.Thefollowingapplicationissetupbytoaccessandsendemailbydefault.

◦People•Thefollowingapplicationshavehardcodedaccessthatcannotberevoked:◦MailandCalendar

Privacy→Tasks

YoumayallowordenyTasksaccesstoapplications.TheMailandCalendarapplicationhasaccesstoTasksregardlessofsetting.Youcanchangethefollowingpreferenceshere:•ControlTasksaccessbyapplicationsforthewholedevice.

•ControlTasksaccessforindividualapplications.•ThefollowingapplicationshavehardcodedaccesstoTasks;thiscannotbeturnedoff:◦MailandCalendar

Privacy→Messaging

HereyoumaydefineifapplicationsmayreadorsendmessagesusingtextorMMS.Thefollowingoptionsarelisted:•Letappsreadorsendmessages(textorMMS).Turnthefeatureonoroffcompletely.

•Choosewhichapplicationsmayreadorsendmessages.Thefollowingappsareconfiguredtodosobydefault:◦People◦Skype

Privacy→Radios

Youcancontrolradiousebyapplications,Bluetoothfunctionalityforinstance,onthispage.Thissettingdoesnotdefinewhetherapplicationsmayuseradios,butwhethertheymaycontrolthem.Thefollowingoptionsareprovided:•SelectwhetherapplicationsmaycontrolradiossuchasBluetooth.Thisallowsthemtoturnthemonoroff,ormakeuseofradios.

•Choosewhichapplicationsmaycontrolradios.Thefollowingapplicationsaresetuptocontrolradiosbydefault:◦Windows

Privacy→Otherdevices

“Otherdevices”definesthesyncbehaviorwithotherdevicessuchasPCs,tabletsorphones.Thissettingisfor“otherdevices”thatdon’tpairexplicitlywiththedevicealready.Thefollowingoptionsareprovided:•Letyourappsautomaticallyshareandsyncinfowithwirelessdevicesthatdon’texplicitlypairwithyourPC,tabletorphone.

•Selectwhichappsmaysyncinfoorshareautomaticallywithwirelessdevices.•Managethelistofotherdevices.

Privacy→Feedback&Diagnostics

YoucontrolhowmuchdataissenttoMicrosofthere.Also,ifthatdataisusedfortailoredexperiences,andthefrequencythatWindowsdisplaysfeedbackprompts.Thefollowingoptionsareprovided:•SelecthowmuchdatayousenttoMicrosoft.SwitchbetweenFullandBasictelemetrysettings.ThisisoneoftheoptionsdisplayedonthePrivacypageduringsetup.FordetailedinformationonTelemetry,checkouttheTelemetrychapterofthisbook.

•LetMicrosoftprovidemoretailoredexperienceswithrelevanttipsandrecommendationsbyusingyourdiagnosticdata.Enableordisablethetailoredexperiencesfunctionality.ThiswasalsopartofthePrivacypageduringsetup.•Controlthefeedbackfrequency(defaultautomatic),orturnthefeatureoffcompletely.

Privacy→Backgroundapps

Youmayallowordenyapplicationstoruninthebackgroundusingthissetting.Thefollowingoptionsareprovided:•Turnbackgroundapplicationfunctionalityonoroffforallapplications.

•Choosewhichapplicationsmayruninthebackground.Thisisonlyactiveifthegeneralsettingisturnedon.Thefollowingapplicationsaresetuptoruninthebackgroundbydefault:◦3DViewer◦Alarms&Clock◦Calculator◦Camera◦Connect◦FeedbackHub◦GetHelp◦GetOffice◦GrooveMusic◦Mail◦Maps◦Messaging◦MicrosoftEdge◦MicrosoftSolitaireCollection◦Minecraft:Windows10Editions◦Movies&TV

◦News◦OneNote◦PaidWi-Fi&Cellular◦Paint3D◦People◦Photos◦Settings◦Skype◦StickyNotes◦Store◦Tips◦Twitter◦VoiceRecorder◦Weather◦WindowsDefenderSecurityCenter◦Xbox

Privacy→Appdiagnostics

Thelastprivacysettinglistsoptionstocontrolwhetherapplicationsmayaccessdiagnosticdata.Diagnosticdatamayincludethenamesofrunningapplications,theuseraccountthatlaunchedanapp,appmemoryinformation,CPU,diskandnetworkusage.Thefollowingoptionsareprovided:

•Choosewhetherappsmayusediagnosticdataonthemachine.•Selectwhichindividualappsmayaccessdiagnosticdata.

Privacy->Automaticfiledownloads

Windows10maydownloadfilesautomaticallyfromonlinestorageproviderssuchasOneDriveifthefilesareavailableonlyonline.Thesettingletsyouunblockapplicationsthatyoublockedfromdownloadingfilesautomatically.Windows10notifiesyouwhenappswanttodownloadfilesautomatically,andyoumayallowit,dismissthemessage,cancelthedownloadingorblocktheapplicationfrom

QuickOverview:DifferencesbetweenWindows10EditionsTheWindows10operatingsystemisofferedinmultipleeditions.Thesecanbedividedintoretail,organizationalandspecialeditions.Retail:Windows10HomeandWindows10ProOrganizational:Windows10Enterprise,Windows10EnterpriseLTSC,Windows10Education,Windows10ProEducation,Windows10MobileEnterpriseSpecial:Windows10Mobile,Windows10IoT,Windows10S,Windows10Team,Windows10ProforWorkstationsConsumersmayselectbetweenWindows10HomeandPro.ThecoredifferencefromaprivacyperspectiveisthatHomedoesnotshipwiththeGroupPolicyEditor.Thismakesitmoredifficulttoapplycertainsettingsonthesystem.Windows10ProincludesbusinessrelatedfeaturessuchasRemoteDesktop,creatingandjoiningdomains,TrustedBoot,orEnterpriseModeInternetExplorerontopofthat,andismoreexpensivethantheHomeeditionoftheoperatingsystem.TherearecoredifferencesbetweenRetailandOrganizationaleditions.Organizationaleditionssupportthe“Security”TelemetrylevelwhichHomeandProeditionsdonotsupport.TheyalsosupporttherecentlyannouncedWindowAnalyticssetting.ThedefaultTelemetrylevelisFullonalleditionsofWindows10though.Note:ThenextchaptergivesyouanoverviewofTelemetry;itoffersdetailedinformationonwhatTelemetryis,andhowthedifferentTelemetrylevelsdifferfromeachother(basedoninformationthatMicrosoftprovidedinthepast).OrganizationaleditionsofWindows10giveyouthebestcontroloverprivacyrelatedfeatures.IfyourunWindows10already,youcanfindoutwhichversionyouhavebytappingontheWindows-key,typingwinver,andhittingtheEnter-key.

Thewindowthatopensliststheversionandbuildoftheoperatingsystem,andtheedition.Windows10HomesystemscanbeupgradedtoWindows10Pro.

ImportantinformationabouttoolsusedinthisguideTostarttheGroupPolicyEditor:1. TapontheWindows-key,typegpedit.msc,andhittheEnter-key.Notethat

theGroupPolicyEditorisonlyavailableinprofessionalversionsofWindows(basically,notinHome).

ToloadtheWindowsRegistryEditor:1. TapontheWindows-key,typeregedit.exe,andhittheEnter-key.2. ConfirmtheUACprompt.

AddingkeystotheRegistry:IfaRegistrypathislisted,itcanhappensometimesthatakeydoesnotexist.Youmaycreateitwitharight-clickonitsparentkeyintheRegistryEditor,andselectingNew>Keyfromthemenu.ToloadtheSettingsapplication:1. UsethekeyboardshortcutWindows-I.

Toloadanadministrativecommandprompt:1. TapontheWindows-key,typecmd.exe,holddowntheShift-keyandthe

Ctrl-key,andhittheEnter-keywhilethetwokeysarehelddown.ToloadanelevatedPowerShellprompt:1. TapontheWindows-key,typepowershell,holddowntheShift-keyand

theCtrl-key,andhittheEnter-key.

TelemetryWindowsasaServiceisafundamentalchangetoMicrosoft’sprevioussystemofplanning,developingandreleasingoperatingsystems.MicrosoftreleasednewWindowsversionseveryfewyearsinthepast;Windows7in2009andWindows8in2012forinstance,butthatchangedwiththereleaseofWindows10intheyear2015.MicrosoftrealizedthatcreatinganddeployinglargeWindowsupdateswasasubstantialeffortinthepastasittookthreeyearsofdevelopmenttoreleaseanewversionofWindows.WindowsasaServicechangestheoldreleasemodelbypushingoutfrequentupdates–socalledFeatureUpdates–instead.Mainbenefitsofthenewstrategyarethatdevelopmentrequireslessresources,thatitislesstimeconsuming,andthatnewfeaturesandchangesarepushedoutfastertotheexistingcustomerbase.ThecompanyplanstoreleasetwofeatureupdatesperyearforWindows10;amuchfasterpacewhencomparedtotheclassicreleasemodel.Thefollowingfeatureupdateshavebeenreleasedsofar:

July29,2015–Windows10RTM(ReleasetoManufacturing)November12,2015–Windows10NovemberUpdate,version1511August2,2016–Windows10AnniversaryUpdate,version1607April5,2017–TheWindows10CreatorsUpdate,version1703October17,2017--TheWindows10FallCreatorsUpdate,version1709

Telemetryisnotanewconcept;MicrosoftdidcollectTelemetrydatainpreviousversionsofthecompany’sWindowsoperatingsystemaswell,forinstancetocheckwhethertheinstallationofWindowsupdateswassuccessful,ortogatherreliabilityinformationthroughtheCEIP(WindowsCustomerExperienceImprovementProgram).WindowsasaServicemakesTelemetrydatamoreimportanthoweverin

Windows10.Theshorterreleasecycleisonecorereasonforthat,asthenextWindows10featureupdateisjustsixmonthsawayandnotthreeyearsanymore.Microsofthastoprioritizedecisionmakinganddevelopment,andTelemetrydatahelpsthecompanyinthatdecision-makingprocess.

WhatisTelemetryMicrosoftdefinesTelemetryinthefollowingways:

WindowstelemetryisvitaltechnicaldatafromWindowsdevicesaboutthedeviceandhowWindowsandrelatedsoftwareare

performing.[11]

TelemetryissystemdatathatisuploadedbytheConnectedUserExperienceandTelemetrycomponent.ThetelemetrydataisusedtokeepWindowsdevicessecure,andtohelpMicrosoftimprovethequalityofWindowsandMicrosoftservices.Itisusedtoprovidea

servicetotheuseraspartofWindows.AccordingtoMicrosoft,Telemetryisusedfor

•KeepingWindowsuptodate.•KeepingWindowssecure,reliableandperformant.•ImprovingWindowsthroughtheuseofaggregateWindowsusedata.•PersonalizingtheWindowsengagementsurface.•Betterunderstandinghowcustomersuse(ordon’t)useoperatingsystemfeaturesandservices.

SpecificexamplesofWindowstelemetrydatathatMicrosoftprovidesinclude:

•Thetypeofhardwarethatisbeingused.•Theapplicationsthatareinstalled,andusageinformation.•Devicedriverreliabilityinformation.•MonitoringthescalabilityoftheCortanacloudservice.•HowuserscustomizetheWindowsStartMenu.

MicrosoftstatesthatitusesTelemetrydatatoidentifysecurityandreliabilityissuesinWindows10,toanalyzeproblems,toimprovethequalityofWindows,andformakingfuturedevelopmentdecisions.ItneedstobenotedthatTelemetryisnotaWindows-specificfeature.Manycompanies,includingGoogle,MozillaorTesla,collectTelemetrydata.MicrosoftdifferentiatesbetweenTelemetryandfunctionaldata.Telemetry

iswhatMicrosoftcollects,asdescribedabove.

Operationaldata,suchastelemetry,enablesustoprovideyouwithcoreoperatingsystemservices,suchasWindowsUpdate,andgiveseveryenterprisecustomeravoiceinhelpingshapefutureversionsofWindows.Wecanprovidequickresponsestoyourfeedbackandyourfeedbackhelpsusdefinenewfeaturesand

improvequality.[12]

FunctionaldataontheotherhandisexchangedbyWindowsappsandcomponentstoprovideuserswithinformationorfunctionalitytheyrequireorprovide.Abasicexampleistheuseoflocationdatatolookupweatherinformationordisplaylocalnews.

FunctionaldataiscreatedandusedbyspecificapplicationsorcomponentsofWindows,suchasCortanaandBing,andgivesyoucustomizedexperiencesthathelpincreaseyourproductivityand

enjoymentofyourWindowsdevices.[13]

WhileTelemetrycannotbeturnedoffcompletely,dependingontheeditionthatisuseditiseithersettoSecurityorBasicataminimum,functionaldatacanbeblockedcompletely.

TheblockingoffunctionaldatarestrictssomefeaturesoftheWindows10operatingsystemandapplicationsthatrequirethedatatofunctionproperly.

Important

TelemetryonlyappliestoWindows,WindowsServer,andSystemCentercomponents,andappsthatuseConnectedUserExperienceorTelemetrycomponents.

TherearefourTelemetrylevelsasofWindows10version1709whicharedescribedindetailonthenextpages.

ThelowestTelemetrylevelsupportedthroughManagementPoliciesisSecurity,andonlyavailableinEnterpriseeditionsofWindows10(seeTelemetryLevelsbelowfordetailedinformationoneditions).

ThelowestTelemetrylevelsupportedthroughtheSettingsUIisBasic.

AllTelemetrydataisencryptedusingSSLwhenitistransferredtotheMicrosoftDataManagementService.Microsoft’simplementationusescertificatepinningaswell.

Telemetrydataisuploadedonaschedulethattakesintoaccounteventpriority,batteryuse,andnetworkcosts.

WithWindows10,dataisuploadedonaschedulethatissensitivetoeventpriority,batteryuse,andnetworkcost.Real-timeevents,suchasWindowsDefenderAdvancedThreatProtection,are

alwayssentimmediately.Normaleventsarenotuploadedonmeterednetworks,unlessyouareonameteredserverconnection.Onafreenetwork,normaleventscanbeuploadedevery4hoursifonbattery,orevery15minutesifonA/Cpower.Diagnosticandcrashdataareonly

uploadedonA/Cpowerandfreenetworks.[14]

HowdoesWindows10collectTelemetrydata?

AllWindows10editionscomewiththeConnectedUserExperiencesandTelemetryservice.ThisserviceisrunbytheConnectedUserExperienceandTelemetrycomponent.Theservice’snameisConnectedUserExperiencesandTelemetry,itsdisplaynameisDiagTrack,anditsservicenameisutcsvc.Theservice’sdescriptionreads:

TheConnectedUserExperiencesandTelemetryserviceenablesfeaturesthatsupportin-applicationandconnecteduser

experiences.

Additionally,thisservicemanagestheeventdrivencollectionandtransmissionofdiagnosticandusageinformation(usedtoimprove

theexperienceandqualityoftheWindowsPlatform)whenthediagnosticsandusageprivacyoptionsettingsareenabledunder

FeedbackandDiagnostics.Telemetrydataisstoredinthehiddensystemfolder%ProgramData%\Microsoft\DiagnosisNotethatthedataisencrypted,andthatpermissionsmakeitdifficulttoaccessthesefolders.

Windows10connectstotheTelemetryendpoints,listedinthefollowingchapter,whenitistimetotransferdatatoMicrosoft.TheTelemetryclientconnectstosettings-win.data.microsoft.comtodownloadasettingsfileandprovideadeviceIDandotherbasicinformation.Thesettingsfileisparsed,andthenusedtoconnecttov10.vortex-win.data.microsoft.com,theMicrosoftDataManagementServicetouploadtheTelemetrydata.

TelemetrylevelsOverviewWindows10supportsthefourTelemetrylevels:Security,Basic,EnhancedandFull.Onlytwoofthoselevels,BasicandFull,canbesetintheSettingsapplicationbyusersoftheoperatingsystem.Onelevel,Security,isonlyavailableinWindows10Enterprise,Windows10Server,andEducation.Thefourthlevel,Enhanced,isavailableinalleditions,butcanonlybesetusingtheGroupPolicyorbymakingchangestotheWindowsRegistry.Security–InformationrequiredtohelpkeepWindowssecure.ItcollectsdatathatisrequiredtokeepWindowssecureandprotectedwiththelatestsecurityupdates.NotanoptionunderSettings.

appliesto:WindowsServer2016,Windows10Enterprise,Windows10Education,Windows10MobileEnterprise,andWindowsIoTCoreeditions

Basic–BasicincludesallSecuritydata,anddatathatMicrosoftcalls“criticalforunderstandingthedeviceanditsconfiguration”.

•appliesto:alleditionsofWindows10.MinimumsettingforalleditionsthatarenotlistedunderSecurityabove.

Enhanced–ATelemetrylevelofEnhancedincludesalldatathatissentontheBasiclevel,plusadditionaldataonhowapps,Windows,WindowsServer,orSystemCenterareused,andhowtheyperform.NotanoptionunderSettings,canonlybesetusingpoliciesortheRegistry.

•appliesto:alleditionsofWindows10.Full–TheFulllevelincludesallbasicandsecuritydatasets.Additionally,•appliesto:alleditionsofWindows10.

•Defaulton:Windows10InsiderPreviewsystems,onWindows10ProandHome.Windows10Enterprise,Windows10Education,Windows10Server.

SecurityNote:OrganizationsshouldnotusetheSecuritytelemetryleveliftheyrelyonWindowsUpdateforupdatesaccordingtoMicrosoft.ThemainreasonMicrosoftgivesforthatisthatWindowsUpdateinformationisnotgatheredonthislevel,andthatmeansthatinformationaboutupdatefailuresisnotsubmitted.Microsoftusesthedatatorepairissuesthatcauseupdatestofail,andtoimprovethequalityofupdates.OrganizationsmaywanttousethisTelemetrylevelforcomputersystemswithoutInternetconnectivity,asthisstopsthegatheringofdatathatwouldnotbetransferredanyway.Also,thelevelissuitableformachineswhichshouldnotcommunicatewiththeoutsideworld,andforenvironmentswherecommunicationwithoutsideserversneedstobekepttoaminimum.DatagatheredonthislevelSecurityisthelowestTelemetrylevel.ItisonlyavailableinEnterprise-editionsofWindows10(seefullcompatibilitylistinthepreviouschapter).ConnectedUserExperienceandTelemetrycomponentsettingsIfgeneraltelemetrydatahasbeengatheredandisqueued,itissenttoMicrosoft.Alongwiththistelemetrydata,theConnectedUserExperienceandTelemetrycomponentmaydownloadaconfigurationsettingsfilefromMicrosoft’sservers.ThisfileisusedtoconfiguretheConnectedUserExperienceandTelemetrycomponentitself.

ThedatagatheredbytheclientforthisrequestincludesOSinformation,deviceid(usedtoidentifywhatspecificdeviceisrequestingsettings)anddeviceclass(forexample,whetherthedeviceisserverordesktop).

MaliciousSoftwareRemovalTool(MSRT)TheMSRTinfectionreportcontainsinformation,includingdeviceinfoandIPaddress.Note:MSRTinfectionreportscanbeturnedoff.SeeDeployWindowsMaliciousSoftwareRemovalToolinanEnterpriseenvironmentforinformation:https://support.microsoft.com/en-us/help/891716/deploy-windows-malicious-software-removal-tool-in-an-enterprise-environment

WindowsDefender/EndpointProtection

WindowsDefenderandSystemCenterEndpointProtectionrequiressomeinformationtofunction,including:anti-malwaresignatures,diagnosticinformation,UserAccountControlsettings,UnifiedExtensibleFirmwareInterface(UEFI)settings,andIPaddress.

Note:Thereportingcanbeturnedoff:https://docs.microsoft.com/en-us/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services#bkmk-defender

Microsoftstatesthatnousercontentisgatheredatthislevel.Usercontentincludesuserfilesorcommunication.Stepsaretakentoavoidthegatheringofuserorcompanyidentifyinginformationsuchasemailaddresses,names,oraccountIDs.

ItmayhappenunintentionallyhoweverthroughMSRTasreportsmaycontainpersonalinformation.

MSRTinformationmayunintentionallycontainpersonalinformation.Forinstance,somemalwaremaycreateentriesinacomputer’sregistrythatincludeinformationsuchasausername,causingittobegathered.MSRTreportingisoptionalandcanbeturnedoffatanytime.

https://docs.microsoft.com/en-us/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services#bkmk-defender

BasicBasicisoneofthetwoTelemetrylevelsthatMicrosoftlistsduringsetupandintheWindows10Settingsapplication.Itisnotthedefaultlevelhowever,andmustbesetbyusersoradministrators.DatagatheredonthislevelBasicisthesecond-lowestTelemetrylevel.ItincludesalldatathatiscollectedontheSecuritylevel(seedescriptionabove),plusadditionaldata.Thisadditionaldatacanbedividedintodeviceinformation,qualityrelatedinformation,andinventoryrelatedinformation.BasicDeviceData

•InternetExplorerversion•Deviceattributessuchascameraresolutionanddisplaytype.•Batteryattributes.•NetworkingattributessuchasthenumberofnetworkadaptersorIMEInumber.•Processorandmemoryattributessuchasnumberofcores,memorysize,orarchitecture.•Storageattributessuchasthenumberofharddrives,typeofdrives,andsize.•OperatingsystemattributessuchastheWindowseditionandvirtualizationstate.•Virtualizationattributes,suchasguestoperatingsystemorSLATsupport.

ConnectedUserExperienceandTelemetrycomponentqualitymetricsThisincludesinformationonhowTelemetryandConnectedUserExperiencecomponentsfunctionandwork.Informationthatistransferredincludesdataonuploadedanddroppedevents,andthelastuploadtime.QualityrelatedinformationDatathatprovidesMicrosoftwithinformationonhowadeviceandWindowsperforms.Dataincludesthenumberofcrashesandhangs,applicationstatechangedetailssuchashowmuchmemoryandprocessortimewereused,andcharacteristicsof

aConnectedStandbydevice.Compatibilitydata

•Listofinstalledapplicationsincludingapplicationnames,publisherinformation,versions,aswellasInternetExploreradd-ons.•Dataonhowappsareused,howlongindividualappsareopen,havefocus,andwhenappsarestarted.•SystemdatathatMicrosoftusestodeterminewhetheradevicemeetstheminimumrequirementstoupdatetothenextversionofWindows.Alsoincludesmemory,aswellasinformationontheprocessorandBIOS.•Listofaccessorydevicessuchasprintersorexternalharddrives.Also,compatibilityinformationtodetermineiftheyarecompatiblewiththenextversionofWindows.•Dataoninstalleddrivers,includingwhetherthesearecompatiblewiththenextversionofWindows.

MicrosoftStoreThissetofdataincludesinformationonhowMicrosoftStoreperformsonthedevice.Informationincludesthenumberofappdownloads,installationsandupdates.Also,MicrosoftStorelaunches,pageviews,suspendandresumeoperations,andlicenseobtaining.

EnhancedTheEnhancedTelemetrylevelcanonlybesetusingpoliciesortheRegistry.Seethenextchapter–ConfiguringTelemetryonWindows10–forinstructionsonchangingtheTelemetrylevel.Thislevelhelpstoimprovetheuserexperiencewiththeoperatingsystemandapps.

DatafromthislevelcanbeabstractedintopatternsandtrendsthatcanhelpMicrosoftdeterminefutureimprovements.DatagatheredonthislevelTheenhancedlevelincludesalldatafromtheSecurityandBasiclevel.

•Operatingsystemeventsincludingnetworking,Hyper-V,Cortana,storage,filesystem.•OperatingsystemappeventsthatresultfromMicrosoftapplicationsandmanagementtoolsdownloadfromStore,orthatcamepre-installedwiththeoperatingsystem(suchasMicrosoftEdge,Mail,orPhotos).•DevicespecificeventssuchasSurfaceHuborMicrosoftHoloLensdata(whichisnotpartonregularcomputersystems).•Aselectionofcrashdumptypes.

FullFulldataincludesalldatathatiscollectedontheSecurity,BasicandEnhancedlevel,plusadditionalinformationlistedbelow.Itisthedefaultlevelonallnon-Enterprise,EducationandServeroperatingsystemeditionsofWindows10.

Datagatheredonthislevel

◦Appusage,inputreaction,orhowlongeachappruns.◦Browserusage,includingbrowsinghistoryandsearchterms.◦Samples(smallaccordingtoMicrosoft)ofinkingandtypingsupport.Microsoftnotesthatthedataisprocessedtoremoveidentifiableinformationsuchasemailaddresses,names,ornumericvalues.◦Enhancederrorreportinglikethememorystateofthedevice,whensystemorappcrashesoccurred.◦Statusandlogginginformationaboutthehealthoftheoperatingsystem.◦Additionaldevicedata,connectivityinformation,andconfigurationdatabeyondthatwhatisalreadycollectedontheBasiclevel.

EndpointsforTelemetryServicesService Endpoint

ConnectedUserExperienceandTelemetrycomponent

v10.vortex-win.data.microsoft.comsettings-win.data.microsoft.com

WindowsErrorReporting watson.telemetry.microsoft.comOnlineCrashAnalysis oca.telemetry.microsoft.comOneDriveappforWindows10 vortex.data.microsoft.com/collect/v1

http://msdn.microsoft.com/library/windows/desktop/bb513641.aspx

http://msdn.microsoft.com/library/windows/desktop/ee416349.aspx

ConfiguringWindows10TelemetrysettingsWindows10usersandadministratorshavethreeoptionswhenitcomestosettingtheTelemetrylevel(switchingtoalevelthatisnotthedefault).TheSettingsapplicationlimitsthelevelstoBasicandFull.YoucansettheSecurityandEnhancedlevelsonlythroughothermeans,forinstancebyusingtheGroupPolicyoreditingtheRegistry.NotethatyoucansettheSecuritylevelonnon-EnterpriseversionthroughtheRegistryorGroupPolicy,butthatthesettingischangedtoBasicautomaticallyinthatcase.Option1:Settingsapplication

1. UsethekeyboardshortcutWindows-ItoopentheSettingsapplication.2. NavigatetoPrivacy>Feedback&Diagnostics3. Locatethe“SelecthowmuchdatayousendtoMicrosoft”section.4. YouhavetheoptiontoswitchbetweenBasicandFulllevelsthere.

Option2:GroupPolicy1. TapontheWindows-key,typegpedit.msc,andhittheEnter-keyonthe

keyboard.2. UsethefolderstructureonthelefttonavigatetoComputerConfiguration

>AdministrativeTemplates>WindowsComponents>DataCollectionandFeedback

3. Double-clickon“AllowTelemetry”.4. SetthepolicytoEnabled.5. Selectoneoftheavailablelevels(Security,Basic,Enhanced,Full).1. NotethatSecurityappliesonlytoEnterprise,EDUandIoT.Whileyou

maysetthelevelonothereditionsofWindows10,thisisthenhandledlikeBasicautomatically.Inotherwords,thelowestlevelyoucansetonHomeandProeditionsofWindows10isBasic.

Option3:WindowsRegistry1. TapontheWindows-key,typeregedit.exe,andhittheEnter-keyonthe

keyboard.2. Navigatetothefollowingkey:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection3. Right-clickonDataCollection,andselectNew>Dword(32-bit)Value.4. NameitAllowTelemetry.5. Double-clickonthenewvalueAllowTelemetry,andsetitsvalueaccording

tothetablebelow.Again,SecurityisautomaticallychangedtoBasiconHomeandProeditionsofWindows10.

6. RestartthePCafterwards.Level Datagathered Value

Security Securitydataonly. 0Basic Securitydata,andbasicsystemandqualitydata. 1

Enhanced Securitydata,basicsystemandqualitydata,andenhancedinsightsandadvancedreliabilitydata. 2

Full Securitydata,basicsystemandqualitydata,enhancedinsightsandadvancedreliabilitydata,andfulldiagnosticsdata. 3

BusinessandEnterpriseoptions

OptionstoturnoffTelemetryarealsoprovidedinSystemCenter2016byusingtheSystemCenterUIConsolesettingsworkspace.AnotheroptionisprovidedbyMDM.YoumayusethePolicyConfigurationServiceProvider(CSP)toapplytheAllowTelemetryMDMpolicy.

ManageConnectionsfromWindowscomponentstoMicrosoftWindows10andWindows10ServeradministratorsandusersmaycontrolthehandlingofTelemetryandotherconnectionsthatWindowsandappsmaketoMicrosoftindividuallyaswell.Thefollowingchaptershighlighttheseoptions.MostapplytoalleditionsofWindows10.Itneedstobenotedthatsomeoptions,suchasMDMpolicyorGroupPolicy,arenotavailableforallversionsofWindows10.Pleasenotethatitisrecommendedtogothroughthelistanddecideforeachsettingindividuallyhowyouwanttoconfigureit.Somemayberequiredforfunctionality.Ifyoudisablelocationforallapps,youcannotusecertainfeaturesthatrequirelocation.Thesameistrueforotherfeatures,sothatthedecisionshouldbebasedonyouruseoftheoperatingsystem,andwhatyoufeelcomfortablewith.

SettingsforWindows10SomeprogramsandservicesshipwiththeirownTelemetrydatasettingswhichyouneedtodisablemanuallyifyoudon’twantthedatatobesenttoMicrosoft.Ihavelistedthoseinotherchaptersinthisguide.ThisistrueforinstancefortheMessengerapplication.

CertificateTrustListsApredefinedlistofitems,forinstanceofcertificatehashesorfilenames,thataresigned.Windowswilldownloadanupdatedcertificatetrustlistwhenitisupdated.Youcanturnofftheautomaticdownloadingoftheupdatedlistbyturningoffautomaticrootupdates.Note:Webconnectivityissuesmayoccurwhenyoudisabletherootcertificateupdating.

1. OpentheGroupPolicyEditor,andgotoComputerConfiguration>AdministrativeTemplates>System>InternetCommunicationManagement>InternetCommunicationSettings>TurnoffAutomaticRootCertificatesUpdate.SetthistoenabledtodisabletheautomaticupdatingofRootCertificates

2. IfyouprefertheWindowsRegistryinstead,dothefollowing:1. OpentheWindowsRegistryEditor,andgoto

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot2. Ifakeydoesnotexist,right-clickontheparentkey,andselectNew>

Keytocreateit.3. Right-clickonAuthRoot,andselectNew>Dword(32-bit)Value.4. NameitDisableRootAutoUpdate.5. Double-clickonthenewvalue,andsetitsvalueto1.

3. WhilestillintheGroupPolicyEditor,gotoComputerConfiguration>WindowsSettings>SecuritySettings>PublicKeyPolicies

1. SelectCertificatePathValidationSettingsbydouble-clickingonit.2. OntheNetworkRetrievaltab,selectDefinethesepolicysettings.3. UnchecktheAutomaticallyupdatecertificatesintheMicrosoftRoot

CertificateProgram(recommended)

CortanaandSearchCortanaisadigitalagentthatispartoftheWindows10operatingsystem.MicrosoftlinkedCortanatosearch,asitmaybeusedtorunwebsearchesfortheuser.Cortanaisconfiguredtomakelifeeasierfortheuser.Thedigitalagentmaybeusedtokeeptrackofdatesorevents,trackpages,yourfavoritesportsteamorflights,tocreateandmanagelists,andtosendemailsortexts.CortanareturnswebsearchresultspoweredbyBingbydefaultforqueries.ThiswaslimitedtosearchtermsuggestionsinolderversionsofWindows10,buthassincethenbeenexpandedbyMicrosoft.WebsearchdisplaystheBingresultspageonthedesktopwhenyourunsearchesintheFallCreatorsUpdate.WindowsusersmaydisableCortana,butmaystilluseWindowsSearchtofindlocalfiles,settingsandinformationwhentheydoso.

AllowCortana

ThispolicydetermineswhetherCortanaisallowedonthedevice.NotethatusersmaystilluseWindowsSearchtofindfiles,settingsandotherinformationonthedevicewhentheydisableCortanaonthemachine.GroupPolicyComputerConfiguration>AdministrativeTemplates>WindowsComponents>Search>AllowCortana

Enabled–Sameasnotconfigured.Cortanaisallowedonthedevice.Disabled–Cortanaisdisabled.

WindowsRegistry1. Goto

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\Experience2. IfExperiencedoesnotexist,right-clickondeviceandselectNew>

Key.NamethekeyExperience.3. Right-clickonExperience,andselectNewDword(32-bit)Value.

1. Setitsvalueto0todisallowCortana.2. Setitsvalueto1toallowCortana.

Alternatively2. Goto

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsSearch

3. CreateDword(32-bit)ValueAllowCortana1. Setitsvalueto0todisallowCortana2. Setitsvalue1ordeletethepreferencetoallowCortana.

4. Additionally,on64-bitversionsofWindows:1. Goto

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows\WindowsSearch\

2. Right-clickonWindowsSearch,selectNew>Dword(32-bit)Value.

3. NameitAllowCortana1. Setitsvalueto0todisallowCortana2. Setitsvalueto1toallowCortana

AllowSearchandCortanatouselocation

ThispolicydefineswhetherWindowsSearchandCortanacanusethedevice’slocationtodeliverlocationawaresearchresults.GroupPolicyComputerConfiguration>AdministrativeTemplates>WindowsComponents>Search>AllowsearchandCortanatouselocation

Enabled–CortanaandSearchareallowedtoaccesslocationinformation,andwillusethedataforlocationawaresearchresults.Disabled–CortanaandSearchmaynotuselocationinformation.

WindowsRegistryAllowsearchandCortanatouselocationKey:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsSearchName:AllowSearchToUseLocationType:Dword

Setitsvalueto0todisallowsearchtousethelocation.Setthevalueto1ordeletetheDwordvaluetoallowsearchtousethelocation.

Donotallowwebsearch

ThispolicydefineswhetherWindowsDesktopSearchmaysearchtheWebwhenyoutypeinthesearcbbox,andreturnWebresults.GroupPolicyComputerConfiguration>AdministrativeTemplates>WindowsComponents>Search>Donotallowwebsearch

Enabled–Ifyouenablethepolicy,WebSearchoptionsarenotavailable.Disabled–Sameasnotconfigured.Theoptiontosearchthewebisavailable,anduserscansearchtheWebusingthedefaultsearchengine.

WindowsRegistryKey:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsSearchName:DisableWebSearchType:Dword

Setitsvalueto1todisablewebsearching.Setitsvalueto0toenablewebsearching,ordeletethevalue.

Don’tsearchthewebordisplaywebresultsinSearch

ThispolicyallowsyoutocontrolwhetherSearchmayrunwebsearchqueries,andwhetherwebresultsaredisplayedbyWindowsSearch.GroupPolicyComputerConfiguration>AdministrativeTemplates>WindowsComponents>Search>Don’tsearchthewebordisplaywebresultsinSearch

Enabled–Ifyouenablethepolicy,WindowsSearchwon’trunorreturnwebqueries.Disabled–WindowsSearchwillsearchtheWeb,andwebresultsaredisplayedinSearch.NotConfigured–UsersareincontrolandmayconfigureSearchtoincludeWebresults,orblockSearchfromdoingso.

WindowsRegistry:Key:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsSearchName:ConnectedSearchUseWebType:Dword

Setitsvalueto0todisablesearchingthewebordisplayingwebresults.Setitsvalueto1ordeletethepreferencetoallowwebsearching

Don’tsearchthewebordisplaywebresultsinSearchovermeteredconnections

Thisisessentiallythesameasthepolicyabove,butitappliesonlytometeredconnections.Ifyouenablethe“Don’tsearchthewebordisplaywebresultsinSearch”policy,querieswon’tbeperformedregardlessofhowyouconfigurethispolicy.GroupPolicyComputerConfiguration>AdministrativeTemplates>WindowsComponents>Search>Don’tsearchthewebordisplaywebresultsinSearchovermetered

connectionsEnabled–Ifyouenablethispolicy,Searchwon’trunwebsearchesordisplaythemintheSearchresultsifthePCisameteredconnectionisused.Disabled–Websearchesarerunovermeteredconnections,andresultsaredisplayedbySearch.NotConfigured–Usersareincontrol,andmayenableordisablethefeature.

WindowsRegistryKey:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsSearchName:ConnectedSearchUseWebOverMeteredConnectionsType:Dword

Setitsvalueto0todisablethefeature.WebSearchisenabledovermeteredconnections.Setitsvalueto1toenableit.

SetwhatinformationissharedinSearch

ThispolicydefineswhichinformationissharedwithBingwhenwebsearchesarerun.Availableoptionsincludesharinguserinformationandlocation,userinformationonly,oranonymousinformation.GroupPolicyComputerConfiguration>AdministrativeTemplates>WindowsComponents>Search>SetwhatinformationIssharedinSearch

Enabled–Ifyouenablethissetting,youmayselectoneofthefollowingdatasetswhenitcomestosharingwithBing:

Userinfoandlocation–Sharesbothinformationontheuser,thesearchhistory,andspecificlocationinformationtopersonalizesearchand“otherMicrosoftexperiences”.Userinfoonly–Thissharesuserinformation,butnolocationinformation.Anonymousinfo–Sharesusageinformation,butnoMicrosoftAccount,searchhistory,orlocationdata.

Disabled--Sameasnotconfigured.UsersmaychoosewhatissharedinSearch.

WindowsRegistryKey:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsSearchName:ConnectedSearchPrivacyType:Dword

Avalueof1meansUserinfoandlocationisshared.Avalueof2meansonlyuserinfoisshared.Avalueof3meansonlyanonymousinfoisshared.

SettheSafeSearchsettingforSearch

SafeSearchdetermineswhetherafilterisbeingusedtofilteroutinappropriatecontent.ThisisthesamefilterthatisavailableonBingdirectlywhenyourunsearchesusingthesearchengine.Optionsincludesettingthesearchfiltertostrict,moderateoroff.Usersareallowedtospecifythefilterifthepolicyisnotconfigured.GroupPolicyComputerConfiguration>AdministrativeTemplates>WindowsComponents>Search>SettheSafeSearchsettingforSearch

Enabled–Ifyouenablethepolicy,youmaysettheSafeSearchfiltertothefollowingvalues:

Strict–Filtersoutadulttext,images,andvideosfromsearchresults.

Moderate–Filtersadultimagesandvideosonly.Off–Doesnotfilter.

Disabled–Sameasnot.Configured.Searchisenabled,andusersmayconfigurethefilterlevel.

WindowsRegistryKey:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsSearchName:ConnectedSearchSafeSearchType:Dword

1--Valueof1meansstrictfiltering.2--Valueof2meansmoderatefiltering.3--Valueof3meansnofiltering.

CortanaandSearchMDMPoliciesThefollowingCortanaMDMpoliciesareavailableinthePolicyCSP

•Experience/AllowCortana–SelectwhethertoallowordisallowCortanaonWindows10machines.•Search/AllowSearchToUseLocation–ChoosewhetherCortanaorSearchmayuselocationdatatoprovidelocation-awaresearchresults•LinguisticDataCollectioncanbedisabledinSettings>Privacy.MicrosoftusesdatacollectedbytheEnhancedandFullTelemetrylevelstoimprovefeaturessuchasspellchecking,suggestions,ordictionaries.•WindowsDefenderCloud-basedProtectionandAutomaticSampleSubmissioncanbeturnedoffinSettings>Update&Security>WindowsDefender.•WindowsUpdateTelemetrycanonlybeturnedoffifyoudisableWindowsUpdates,orifyousetthedevicetobemanagedbyanonpremisesupdateserversuchasWSUS(WindowsServerUpdateServices),orSystemCenterConfigurationManager.•YoucandisabletheinfectionreportingoftheMicrosoftRemovalToolaswellbyaddingthefollowingRegistrykeytotheWindows10system:◦HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT

◦Dword(32-bit)Name:DontReportInfectionInformation◦Valuedata:1

Date&TimeYoucanconfigureWindowssothatitwon’tsetthetimeautomatically.YoumayturnoffthefeatureintheSettingsapplication:1. OpentheSettingsapplicationwithWindows-I.2. GotoTime&language>Date&Time3. ToggleSetTimeAutomatically.4. SetTimeZoneautomaticallytooff.Notethatifyoudo,youmayneedtosetthetimemanually.Thisisthecaseforinstanceyouneedtoadjustthetimeforwardorbackwardonehourfordaylightsavingtime.Windowshandlesthisforyouautomaticallyifyouletitsyncthetime.Ifyoudisablesettimezoneautomatically,Windowswon’tadjustthetimeautomaticallywhenyoutraveltolocationsthatareinadifferenttimezone.NotethatsomeWindowsfeatures–suchasWindowsUpdate–relyonaccuratedateandtimeinformation.Theymaynotworkproperlyifdateandtimeareinaccurate.

YoumayalsodisablethesyncingoftimeusingtheRegistryOpentheWindowsRegistryEditor.1. Goto

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\2. Right-clickonParameters,andselectNew>StringValue3. SetthevaluetoNoSync.

Thendoeitherofthefollowing:1. Goto

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32time\TimeProviders\NtpClient2. Right-clickonTimeProviders,andselectNew>Dword(32-bit)Value.3. NameitEnabled.4. Setitsvalueto0.

4.

DeviceMetadataRetrieval

YoucanpreventWindowsfromretrievingDeviceMetadatafromtheInternet.Ifyouenablethispolicysetting,WindowsdoesnotretrievedevicemetadataforinstalleddevicesfromtheInternet.ThispolicysettingoverridesthesettingintheDeviceInstallationSettingsdialogbox(ControlPanel>SystemandSecurity>System>AdvancedSystemSettings>Hardwaretab).

Thiscanbeconfiguredthroughpolicies:

1. OpentheGroupPolicyEditor2. GotoComputerConfiguration>AdministrativeTemplates>System>

DeviceInstallation3. Double-clickon“PreventdevicemetadataretrievalfromtheInternet.4. Setthepolicytoenabled.

OrintheWindowsRegistry:1. OpentheWindowsRegistryEditor2. Goto

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceMetadata

3. Right-clickonDeviceMetadata,andselectNew>Dword(32-bit)Value.4. NameitPreventDeviceMetadataFromNetwork5. Setitsvalueto1.

FontStreaming

Windowsmaydownloadfontsondemandthatarenotstoredonthelocaldevice.YoucandisablefontstreamingintheRegistryorthroughpolicies1. OpentheWindowsRegistryEditor2. Goto

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\3. Right-clickonSystem,andselectNew>Dword(32-bit)Value.4. NameitEnableFontProviders

5. Setitsvalueto1.Or,byusingtheGroupPolicy:

Ifyoudisablethispolicysetting,Windowsdoesnotconnecttoanonlinefontproviderandonlyenumerateslocally-installedfonts.

1. OpentheGroupPolicyEditor.2. GotoComputerConfiguration>AdministrativeTemplates>Network>

Fonts3. Double-clickonEnableFontProviders.4. Setthepolicytodisabled.

Or,byapplyingtheSystem\AllowFontProvidersMDMpolicyfromthePolicyCSPandsettingthepolicytofalsetodisablefontstreaming.

InsiderPreviewBuilds

WindowsInsiderPreviewBuildsareopt-intestversionsofupcomingversionsofWindows10.ThesettingbelowpreventschecksfornewInsiderBuilds.ItiseasytosignupamachineforjoiningtheInsiderprogram,butnotsoeasytoleaveitagain.Note:YouneedtorollbacktoareleaseversionofWindows10beforethefollowingsettingscanbeused.ToturnoffInsiderPreviewBuildsforWindows10:

1. OpentheSettingsapplication.2. GotoUpdate&security>WindowsInsiderProgram3. SelectStopInsiderPreviewbuilds.

YoucanturnthisoffusingtheGroupPolicyaswell.ThispolicysettingdetermineswhetheruserscanaccesstheInsiderbuildcontrolsintheAdvancedOptionsforWindowsUpdate.Thesecontrolsarelocatedunder"GetInsiderbuilds,"andenableuserstomaketheirdevicesavailablefordownloadingandinstallingWindowspreviewsoftware.

Ifyoudisablethispolicysetting,theitem"GetInsiderbuilds"willbeunavailable.

1. OpentheGroupPolicyEditor.2. GotoComputerConfiguration>AdministrativeTemplates>Windows

Components>DataCollectionandPreviewBuilds3. SelectToggleusercontroloverInsiderBuilds.4. SetthepolicytoDisabled.

YoucanturnInsiderBuildsoffintheWindowsRegistryaswell:1. OpentheWindowsRegistryEditor2. Goto

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds3. Right-clickonPreviewBuilds,andselectNew>Dword(32-bit)Values.4. NameitAllowBuildPreview5. Setitsvalueto0.

YoumayalsoapplytheSystem/AllowBuildPreviewMDMpolicyfromthePolicyCSP.Setitto0topreventusersfrommakingtheirdeviceavailableforinstallingpreviewsoftware.

MicrosoftInternetExplorerAdministratorsmayusetheGroupPolicytoconfigurevariousprivacyortelemetryrelatedsettings.1. OpentheGroupPolicy.2. GotoComputerConfiguration>AdministrativeTemplates>Windows

Components>InternetExplorer.1. TurnonSuggestedSites–Definewhetherusersmayconfigure

suggestedsites.Settodisabletoturnoff.2. AllowMicrosoftservicestoprovideenhancedsuggestionsasuser

typesintheAddressBar–Selectwhetherusersseesuggestionswhentheytypeintheaddressbar.Settodisabledtoturnoff.

3. Turnofftheauto-completefeatureforwebaddresses–ChoosewhetherInternetExplorer’sauto-completefeaturedisplaysmatcheswhenuserstypeURLsintheaddressbar.Setthistoenabledtoturnitoff.

4. Turnoffbrowsergeolocation–ChoosewhetherwebsitesmayrequestlocationdatafromInternetExplorer.SettoEnabledtoturnitoff.

5. PreventmanagingSmartScreenfilter–SelectwhetherusersmaymanagetheSmartScreenFilterinInternetExplorer.Defaultisturnedoff.

3. GotoUserConfiguration>AdministrativeTemplates>WindowsComponents>InternetExplorer>SecurityFeatures>Add-onManagement

1. SelectTurnoffAutomaticdownloadoftheActiveXVersionList–ThispolicydefineswhetherInternetExplorerwilldownloadupdatedversionsoftheVersionList.XMLfromMicrosoft.

2. Setthispolicytoenabled.Warning:Turningoffthisautomaticdownloadbreakstheout-of-dateActiveXcontrolblockingfeaturebynotlettingtheversionlistupdatewithnewlyoutdatedcontrols,potentiallycompromisingthesecurityofyourcomputer.ItisalternativelypossibletoconfigurethesettingsintheWindowsRegistry.1. OpentheWindowsRegistryEditor.

2. ForTurnonSuggestedSites:1. Goto

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InternetExplorer\SuggestedSites

2. Right-clickonSuggestedSites,selectNew>Dword(32-bit)Value.3. Setthevalueto0.

3. ForAllowMicrosoftservicestoprovideenhancedsuggestionsastheusertypesintheAddressBar

1. GotoHKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InternetExplorer

2. Right-clickonInternetExplorer,andselectNew>Dword(32-bit)Value.

3. NameitAllowServicePoweredQSA4. Setitsvalueto0.

4. ForTurnofftheauto-completefeatureforwebaddresses1. Goto

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Explorer\AutoComplete2. Right-clickonAutoComplete,andselectNew>StringValue.3. NameitAutoSuggest4. GiveitthevalueNo

5. ForTurnoffbrowsergeolocation1. Goto

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InternetExplorer\Geolocation

2. Right-clickonGeolocation,andselectNew>Dword(32-bit)Value.3. NameitPolicyDisableGeolocation4. Giveitthevalue0.

6. ForPreventManagingSmartSCreenFilter1. HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet

Explorer\PhishingFilter2. Right-clickonPhishingFilter,andselectNew>Dword(32-bit)Value.3. NameitEnabledV9.

4. Setitsvalueto0.7. FordisablingthedownloadofupdatedActiveXcontrollists1. HKEY_CURRENT_USER\Software\Microsoft\Internet

Explorer\VersionManager2. SelectDownloadVersionList3. Setitsvalueto0.

LiveTiles

LiveTilesareusedbyapplications.Aweatherapplicationmaydisplayweatherinformationforinstance,andpulldatafromaserverontheInternettoupdatetheinformation.

TurnoffnetworkusageoflivetilesusingtheGroupPolicy1. OpentheGroupPolicyEditor.2. GotoUserConfiguration>AdministrativeTemplates>StartMenuand

Taskbar>Notifications3. SelectTurnoffnotificationsnetworkusage.4. Setthepolicytoenabled.

Thispolicysettingblocksapplicationsfromusingthenetworktosendnotificationstoupdatetiles,tilebadges,toast,orrawnotifications.ThispolicysettingturnsofftheconnectionbetweenWindowsandtheWindowsPushNotificationService(WNS).Thispolicysettingalsostopsapplicationsfrombeingabletopollapplicationservicestoupdatetiles.Ifyouenablethispolicysetting,applicationsandsystemfeatureswillnotbeablereceivenotificationsfromthenetworkfromWNSorvianotificationpollingAPIs.ToturnoffnetworkusageofLiveTilesusingtheWindowsRegistryOpentheWindowsRegistryEditor.1. Goto

HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications2. Right-clickonPushNotifications,andselectNew>Dword(32-bit)Value.3. NameitNoCloudApplicationNotification4. Setitsvalueto1

MailSynchronization

YoucanturnoffmailsynchronizationforMicrosoftAccountsconfiguredonthedevice.ToturnoffMailSynchronizationintheSettingsapplication:1. OpentheSettingsapplication.2. GotoAccounts>Youremailandaccounts.3. RemoveanyMicrosoftAccountconnectedthere.

ToturnofMailSynchronizationusingMDMpolicy1. ApplytheAccounts/AllowMicrosoftAccountConnectionMDMpolicy

fromthePolicyCSPandsetitto0todisallowit.

MicrosoftAccountWindows10usersmaysignintotheoperatingsystemusingaMicrosoftAccount,oralocalaccount.AdministratorsmayblockMicrosoftAccountcommunicationwiththeMicrosoftAccountcloudauthenticationservice.

Warning:Ifyoudisablethis,someappsmaylosefunctionality.

ToturnoffMicrosoftAccountsusingtheGroupPolicyThispolicysettingpreventsusersfromaddingnewMicrosoftaccountsonthiscomputer.

Ifyouselectthe"Userscan’taddMicrosoftaccounts"option,userswillnotbeabletocreatenewMicrosoftaccountsonthiscomputer,switchalocalaccounttoaMicrosoftaccount,orconnectadomainaccounttoaMicrosoftaccount.

Ifyouselectthe"Userscan’taddorlogonwithMicrosoftaccounts"option,existingMicrosoftaccountuserswillnotbeabletologontoWindows.Selectingthisoptionmightmakeitimpossibleforanexistingadministratoronthiscomputertologonandmanagethesystem.

1. OpentheGroupPolicyEditor.2. GotoComputerConfiguration>WindowsSettings>SecuritySettings>

LocalPolicies>SecurityOptions3. SelectAccounts:BlockMicrosoftAccounts4. SetittoUserscan'taddMicrosoftaccounts

TopreventusersfromaddingMicrosoftAccountsusingtheRegistry1. OpentheWindowsRegistryEditor.2. Goto

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System3. Right-clickonSystem,andselectNew>Dword(32-bit)Value.

4. NameitNoConnectedUser5. Setitsvalueto3.

5.

MicrosoftEdge

YoucancontrolthefollowingfeaturesusingtheGroupPolicyEditor1. OpentheGroupPolicyEditor2. GotoComputerConfiguration>AdministrativeTemplates>Windows

Components>MicrosoftEdge1. ConfigureAutofill–Defineswhetherusersmayuseautofill

functionality.2. ConfigureDoNotTrack–DefineswhetherDoNotTrackheadersare

sentwithrequests.3. ConfigurePasswordManager–Defineswhetherusersmaysave

passwordsinEdge.4. ConfigureSearchsuggestionsinAddressbar–Definesifsuggestions

aredisplayedwhenuserstypeintheaddressbar.5. ConfigureWindowsDefenderSmartScreenFilter–Thissettingdefines

whetherSmartScreenFilteristurnedonoroff.6. AllowwebcontentonNetTabPage–Choosewhethertodisplay

contentfromtheInternetonthebrowser’sNewTabpage.

7. Configurestartpages–Setthestartpagefordomain-joineddevices.8. PreventFirstRunwebpagefromopeninginMicrosoftEdge–Choose

whetherafirstrunpageisdisplayedonfirststartofMicrosoftEdge.YoumayconfigurethesefeaturesintheRegistryaswell1. OpentheWindowsRegistryEditor1. ConfigureAutofill1. Goto

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main2. Right-clickonMain,selectNew>StringValue.3. NameitUseFormSuggest4. Setitsvaluetono.

2. ConfigureDoNotTrack1. Goto

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main2. Right-clickonMain,andselectNew>Dword(32-bit)Value.3. NameitDoNotTrack4. Setitsvalueto1.

3. ConfigurePasswordManager1. Goto

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main2. Right-clickonMain,andselectNew>Stringvalue.3. NameitFormSuggestPasswords4. Setitsvaluetono.

4. ConfigureSearchsuggestionsinAddressbar1. Goto

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes2. Right-clickonSearchScopes,andselectNew>Dword(32-bit)

Value.3. NameitShowSearchSuggestionsGlobal4. Setitsvalueto0

5. ConfigureWindowsDefenderSmartScreenFilter

1. GotoHKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter

2. Right-clickonPhishingFilter,andselectNew>Dword(32-bit)Value.

3. NameitEnabledV94. Setitsvalueto0

6. AllowwebcontentonNetTabPage–ChoosewhethertodisplaycontentfromtheInternetonthebrowser’sNewTabpage.

7. Configurestartpages–Setthestartpagefordomain-joineddevices.8. PreventFirstRunwebpagefromopeninginMicrosoftEdge–Choose

whetherafirstrunpageisdisplayedonfirststartofMicrosoftEdge.MicrosoftEdgeMDMpolicies

•Browser/AllowAutoFill•Browser/AllowDoNotTrack•Browser/AllowMicrosoftCompatbilityList•Browser/AllowPasswordManager•Browser/AllowSearchSuggestionsinAddressBar•Browser/AllowSmartScreen•Browser/FirstRunURL

NetworkConnectionStatusIndicator

TheNetworkConnectionStatusIndicatorisanautomatictestthatWindowsrunstotestInternetconnectivityandnetworkconnectivity.ItsendsaDNSrequestoraHTTPrequesttohttp://www.msftconnecttest.com/connecttest.txttofindoutifthedeviceisconnectedtotheInternet.NCSIcanbeturnedoffusingtheGroupPolicyIfyouenablethispolicysetting,NCSIdoesnotruneitherofthetwoactivetests.ThismayreducetheabilityofNCSI,andofothercomponentsthatuseNCSI,todetermineInternetaccess.1. OpentheGroupPolicyEditor2. GotoComputerConfiguration>AdministrativeTemplates>System>

http://www.msftconnecttest.com/connecttest.txt

InternetCommunicationManagement>InternetCommunicationSettings3. OpenTurnoffWindowsNetworkConnectivityStatusIndicatoractive

tests.4. Setthepolicytoenabledtodisablethetesting.

YoucanturnofNCSIusingtheWindowsRegistryaswell1. OpentheWindowsRegistryEditor.2. Goto

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator3. Right-clickonNetworkConnectivityStatusIndicator,andselectNew>

Dword(32-bit)value.4. NameitNoActiveProbe.5. Setitsvalueto1.

OfflineMaps

OfflineMapsisafeatureoftheMapsapplication.Youmayuseittosavemapstothelocalsystem,andtoupdatethesemapsforofflineuse.ThedefaultMapsapplicationofWindows10workssimilartoGoogleMapsinmanyregards.Youcanuseittobrowsetolocations,finddirections,orlocatespecificbuildingsonthemap.Itsupportsfeaturessuchasturnbyturndirections,voiceguidenavigationandmore.Youmaysavemapssothattheybecomeavailableevenwhenthedeviceisoffline.UsefulforsituationswhenInternetconnectivityisflakyornotavailableatall.SettingsapplicationYoucanmanageofflinemapsusingtheSettingsapplication.GotoSettings>Apps>OfflineMapstogetstarted.Youfindoptionsonthepagetodownloadnewmaps,todeleteexistingmaps,andconfigurationoptions.OneoftheseoptionsletsyoudefinewhethermapsareupdatedautomaticallybyWindows.Toggle“Automaticallyupdatemaps”onthepagetodisablethefunctionality.

Notethatyouonlyneedtoconfigurethisifyouhavedownloadedmapsactively.GroupPolicyIfyouenablethissettingtheautomaticdownloadandupdateofmapdataisturnedoff.


Components>Maps3. OpenTurnoffAutomaticDownloadandUpdateofMapData4. Setthepolicytoenabled,todisablethefeatureonthesystem.

WindowsRegistryOfflineMapscanbeturnedoffintheWindowsRegistryaswell.1. OpentheWindowsRegistryEditor.2. Goto

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Maps3. Right-clickonMaps,andselectNew>Dword(32-bit)Value.4. NameitAutoDownloadAndUpdateMapData.5. Giveitavalueof0.

OneDrive

OneDrive,formerlyknownasSkyDrive,isMicrosoft’scloudstorageservice.OneDriveisintegratedinWindows10bydefault.DisablingOneDriveimpactssomefunctionality,including:•Thecamerarollthatuploadsphotosandvideosautomaticallywon’tworkanymore.

•OneDrivefilesarenotkeptinsyncwithcloudservers.•OneDrive’slistinginFileExplorerisremoved.

•WindowsStoreapplicationscannotaccessOneDriveusingtheWinRTAPI.•UserscannotaccessOneDriveusingtheapp.

YoucanturnoffOneDriveusingtheGroupPolicy1. OpentheGroupPolicyEditor.2. GotoComputerConfiguration>AdministrativeTemplates>Windows

Components>OneDrive3. SelectPreventtheusageofOneDriveforfilestorage.4. SetthepolicytoEnabled.

OneDrivecanbeturnedoffusingtheWindowsRegistryaswell1. OpentheWindowsRegistryEditor2. Goto

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive3. Right-clickonOneDrive,andselectNew>Dword(32-bit)Value.4. NameitDisableFileSyncNGSC5. Giveitthevalueof1.

PreinstalledApplicationsWindows10shipswithpreinstalledapplications.Someoftheseapplicationsgetcontentbeforetheyareopenedbyusers(forabetteruserexperience)SomeofthesecanberemovedusingtheSettingsapplication,allofthemusingPowerShell.Settingsapplication1. OpentheSettingsapplicationontheWindows10machine.2. GotoApps.3. Clickontheapplicationthatyouwanttoremoveunder“Apps&

Features”.4. Selectuninstall,andfollowtheinstructions.

PowerShell(removingappsforcurrentuser)1. OpenanelevatedPowerShellcommandprompt.2. ToremovetheWeatherapp,run:Get-AppxPackage

Microsoft.BingWeather|Remove-AppxPackage3. ToremovetheMoneyapp,runGet-AppxPackageMicrosoft.BingFinance|

Remove-AppxPackage4. ToremovetheSportsapp,run:Get-AppxPackageMicrosoft.BingSports|

Remove-AppxPackage5. ToremovetheTwitterapp,run:Get-AppxPackage*.Twitter|Remove-

AppxPackage6. ToremovetheXboxapp,run:Get-AppxPackageMicrosoft.XboxApp|

Remove-AppxPackage7. ToremovetheSwayapp,run:Get-AppxPackageMicrosoft.Office.Sway|

Remove-AppxPackage8. ToremovetheOneNoteapp,run:Get-AppxPackage

Microsoft.Office.OneNote|Remove-AppxPackage9. ToremovetheGetOfficeapp,run:Get-AppxPackage

Microsoft.MicrosoftOfficeHub|Remove-AppxPackage10. ToremovetheGetSkypeapp,run:Get-AppxPackage

Microsoft.SkypeApp|Remove-AppxPackage11. ToremovetheStickyNotesapp,run:Get-AppxPackage

Microsoft.MicrosoftStickyNotes|Remove-AppxPackagePowerShell(removefornewusers)1. OpenanelevatedPowerShellcommandprompt.2. ToremovetheWeatherapp,run:Get-AppxProvisionedPackage-Online|

Where-Object{$_.PackageName-Like"Microsoft.BingWeather"}|ForEach-Object{Remove-AppxProvisionedPackage-Online-PackageName$_.PackageName}

3. ToremovetheMoneyapp,runGet-AppxProvisionedPackage-Online|Where-Object{$_.PackageName-Like"Microsoft.BingFinance"}|ForEach-Object{Remove-AppxProvisionedPackage-Online-PackageName$_.PackageName}

4. ToremovetheSportsapp,run:Get-AppxProvisionedPackage-Online|Where-Object{$_.PackageName-Like"Microsoft.BingSports"}|ForEach-Object{Remove-AppxProvisionedPackage-Online-PackageName$_.PackageName}

5. ToremovetheTwitterapp,run:Get-AppxProvisionedPackage-Online|Where-Object{$_.PackageName-Like"*.Twitter"}|ForEach-Object{Remove-AppxProvisionedPackage-Online-PackageName$_.PackageName}

6. ToremovetheXboxapp,run:Get-AppxProvisionedPackage-Online|Where-Object{$_.PackageName-Like"Microsoft.XboxApp"}|ForEach-Object{Remove-AppxProvisionedPackage-Online-PackageName$_.PackageName}

7. ToremovetheSwayapp,run:Get-AppxProvisionedPackage-Online|Where-Object{$_.PackageName-Like"Microsoft.Office.Sway"}|ForEach-Object{Remove-AppxProvisionedPackage-Online-PackageName$_.PackageName}

8. ToremovetheOneNoteapp,run:Get-AppxProvisionedPackage-Online|Where-Object{$_.PackageName-Like"Microsoft.Office.OneNote"}|ForEach-Object{Remove-AppxProvisionedPackage-Online-

PackageName$_.PackageName}9. ToremovetheGetOfficeapp,run:Get-AppxProvisionedPackage-Online|

Where-Object{$_.PackageName-Like"Microsoft.MicrosoftOfficeHub"}|ForEach-Object{Remove-AppxProvisionedPackage-Online-PackageName$_.PackageName}

10. 9.ToremovetheGetSkypeapp,run:Get-AppxProvisionedPackage-Online|Where-Object{$_.PackageName-Like"Microsoft.SkypeApp"}|ForEach-Object{Remove-AppxProvisionedPackage-Online-PackageName$_.PackageName}

11. ToremovetheStickyNotesapp,run:Get-AppxProvisionedPackage-Online|Where-Object{$_.PackageName-Like"Microsoft.MicrosoftStickyNotes"}|ForEach-Object{Remove-AppxProvisionedPackage-Online-PackageName$_.PackageName}

Windows10PrivacySettingsWindows10shipswithadedicatedprivacygroupintheSettingsapplication.Youcanopenitinthefollowingway:1. UsethekeyboardshortcutWindows-ItoopentheSettingsapplication.

YoumayusetheStartmenuinsteadasitlinkstoSettingsaswell.2. SelectPrivacyfromthelistofavailablegroups.

Notes

•Theseprivacysettingsapplyonlytoapps,butnottolegacydesktopprograms.Asaruleofthumb:appsaredownloadedfromWindowsStore,desktopprogramsarenot.Thisdoesnotapply100%buttothemajorityofcases.•Thebulkofsettingsenableyoutoallowordisallowaccesstocertaindatasets,calendar,contacts,orhardwaredevices,likethemicrophoneorcamera.

ThePrivacygroupofsettingsliststhefollowingpagesintheWindows10CreatorsUpdate:

•General–Listsimportantprivacysettings,andlinkstolookupinformationandmanageinformationthatisstoredonline.•Location–Managelocationbasedsettingssuchasenablinglocation-basedlook-ups,orclearingthelocationhistory.•Camera–Selectwhetherappsmayuseacameraconnectedtothedevice,andmanagethisonaper-appbasis.•Microphone–Selectwhetherappsmayusethemicrophone,andmanageappsthatareallowedtousethemicrophone.•Notifications–Selectwhetherapplicationsmayaccess

notifications,andmanagethepermissionforindividualapps.•Speech,inking,&typing–Enableordisablespeechservicesandtypingsuggestions,andmanagecloudinformation.•Accountinfo–Selectwhetherappsmayaccessyourname,pictureandotheraccountinformation,andmanagethisonaper-applicationbasis.•Contacts–Selectwhetherappsmayaccessyourcontacts,andmanageindividualapplicationrightsforthat.•Callhistory–Selectwhetherappsmayaccessyourcallhistory,andmanagetheseappsindividually.•Email–Selectwhetherappsmayaccessyouremail(includingsending),andmanageindividualapplicationrights.•Tasks–Selectwhetherappsmayaccesstasks,andmanagetheseapps.•Messaging–Selectwhetherappsmayreadandsendmessages(textorMMS),andmanagetheseapplicationsindividually.•Radios–Manageradiosupport,e.g.forBluetoothandselectwhetherappsareallowedtocontrolradiosonthesystem.•Otherdevices–Configureappsyncingwithyourotherdevice,andmanagethelistoftrusteddevices.•Feedback&diagnostics–SettheTelemetrydatalevel(BasicorFull),setfeedbackfrequency,andtogglethetailoredexperiencedoption.•Backgroundapps–Selectwhetherappsareallowedtoruninthebackground,andmanageindividualapppermissionsinthisregard.•Appdiagnostics–Selectwhetherappsareallowedtoaccessdiagnosticinformation.•Automaticfiledownloads–DetermineswhetherfilesyncservicessuchasOneDrivemaydownloadonline-onlyfilesautomaticallywhenrequestedbytheuser.

General

TheGeneralpageofthePrivacygroupliststhefollowingoptions:•LetappsuseadvertisingIDtomakeadsmoreinterestingtoyoubasedonyourappusage(turningthisoffwillresetyourID)–ThisdefineswhetherapplicationsmayaccesstheadvertisingIDthatidentifiesthedevicewhichinturnmeanstracking.

◦WindowsgeneratesauniqueadvertisingIDforeachuseronadevice,whichappdevelopersandadvertisingnetworkscanusetoprovidemorerelevantadvertisinginapps.WhentheadvertisingIDisenabled,appscanaccessanduseitinmuchthesamewaythatwebsitescanaccessanduseauniqueidentifierstoredinacookie.Thus,appdevelopers(andtheadvertisingnetworkstheyworkwith)canuseyouradvertisingIDtoprovidemorerelevantadvertisingandotherpersonalizedexperiencesacrosstheirapps.

•Letwebsitesprovidelocallyrelevantcontentbyaccessingmylanguagelist–Defineswhetherwebsitesthatyouopenonthedevicemayaccessthelistoflanguagesinstalledonthedevicetodisplaylocalcontentinsteadofgenericcontent.

◦Somewebsitesmayhavetheircontentavailableindifferentlanguages.Windowscanshareinformationaboutyourpreferredlanguagelistwithwebsitessothattheycanhavetheopportunitytorespectyourlanguagepreferenceswithoutyouhavingtoindependentlysetthemforeachsite.

•LetWindowstrackapplaunchestoimproveStartandsearchresults–Ifenabled,WindowstracksapplicationlaunchesandusestheinformationforStart’s(mostusedapps)andsearchresults.

◦WindowscanpersonalizeyourStartmenubasedontheappsthatyoulaunch.ThisallowsyoutoquicklyhaveaccesstoyourlistofMostusedappsbothintheStartmenuandwhenyousearchyourdevice.

•ShowmesuggestedcontentintheSettingsapplication–Windows10maydisplaysuggestions,readtipsandpromotions,intheSettingsapplicationwhennotturnedoff.

AdvertisingID

Note:TheadvertisingIDisresetwhenyouturnoffthefeatureintheUI.GroupPolicyoptions1. OpentheGroupPolicyEditor2. GotoComputerConfiguration>AdministrativeTemplates>System>

UserProfiles3. SelectTurnofftheadvertisingID.4. Setthepolicytoenabled.

Registryoptions1. OpentheWindowsRegistryEditor2. Goto

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo3. Right-clickonAdvertisingInfoandselectNew>Dword(32-bit)Value.4. NameitEnabled.5. Setitsvalueto0.

or,6. Goto

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo7. Right-clickonAdvertisingInfo,andselectNew>Dword(32-bit)Value.8. NameitDisabledByGroupPolicy9. Setitsvalueto1.

Letwebsitesprovidelocallyrelevantcontentbyaccessingmylanguagelist

1. OpentheWindowsRegistryEditor.2. GotoHKEY_CURRENT_USER\ControlPanel\International\UserProfile3. Right-clickonUserProfile,andselectNew>Dword(32-bit)Valuefrom

thecontextmenu.4. NameitHttpAcceptLanguageOptOut5. Setitsvalueto1.

LetWindowstrackapplaunchestoimproveStartandsearchresults

1. OpentheWindowsRegistryEditor.2. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced3. Right-clickonAdvanced,selectNew>Dword(32-bit)Value.4. NameitStart_TrackProgs5. Setitsvalueto0.

Location

ThefollowingoptionsareavailablewhenyouopentheLocationgroupofthePrivacySettingsapplication:

•Locationon/off–Thistoggleallowsyoutoenableordisablelocationfunctionalityonthedevice.Ifdisabled,noapplicationthatrunsonthedevicemaymakeuseofit.•Defaultlocation–YoumayaddadefaultlocationwhichWindows,appsandserviceswillmakeuseofitnolocationcannotbedetected.•Locationhistory–Windows10storesthelocationhistoryforalimitedperiodoftime(24hours)onthedevice.Youmayusethisoptiontoclearthelocationhistoryonthedevice.•Chooseappsthatcanuseyourpreciselocation–Selectindividualapplicationsthatareallowedtolookupyourlocation.•Geofencing–ListsapplicationsthatmakeuseofGeofencing.

◦Someappsusegeofencing,whichcanturnonoroffparticularservicesorshowyouinformationthatmightbeusefulwhenyou’reinanareadefined(or“fenced”)bytheapp

ToturnoffLocationforthisDevice

GroupPolicyIfyouenablethispolicysetting,thelocationfeatureisturnedoff,andallprogramsonthiscomputerarepreventedfromusinglocationinformationfromthelocationfeature.

1. OpentheGroupPolicyEditor2. GotoComputerConfiguration>AdministrativeTemplates>Windows

Components>LocationandSensors3. SelectTurnoffLocation.4. Setthepolicytoenabled,todisablelocationonthedevice.

WindowsRegistryEditor1. OpentheRegistryEditor2. Goto

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy3. Right-clickonAppPrivacy,andselectNew>Dword(32-bit)Value.

4. NameitLetAppsAccessLocation1. Setthevalueto1toturnonapplicationlocationaccess,andusers

cannotchangeit.2. Setitsvalueto2toturnofflocationaccess,anddisallowusersto

changeit.MDMpolicyfromthePolicyCSP(System/AllowLocation)•0meansitisturnedoff,anduserscan’tturnitbackon.

•1meansitisturnedon,butusersmayturnitoff.•2meansitisturnedon,anduserscan’tturnitoff.

ToturnoffLocationforapps

GroupPolicyThispolicysettingspecifieswhetherWindowsappscanaccesslocation.

Youcanspecifyeitheradefaultsettingforallappsoraper-appsettingbyspecifyingaPackageFamilyName.YoucangetthePackageFamilyNameforanappbyusingtheGet-AppPackageWindowsPowerShellcmdlet.Aper-appsettingoverridesthedefaultsetting.

Ifyouchoosethe"ForceDeny"option,Windowsappsarenotallowedtoaccesslocationandemployeesinyourorganizationcannotchangeit.


Components>AppPrivacy3. SelectLetWindowsappsaccesslocation.4. Enablethepolicy.5. Setthe“defaultforallapps”boxtoForceDeny.

WindowsRegistry1. OpentheRegistryEditor2. Goto

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LocationAndSensors3. Right-clickonLocationAndSensors,andselectNew>Dword(32-bit)

Value.4. NameitDisableLocation5. Setitsvalueto1.

RelatedPreferencesTurnofflocationThissettingdetermineswhetherthelocationfeatureisavailableonthisdevice.Policy:ComputerConfiguration>AdministrativeTemplates>WindowsComponents>LocationandSensors>Turnofflocation•Enabled–Locationfeatureisturnedoff,andallprogramsonthecomputerarepreventedfromusingthelocationfeature.

•Disabled–Sameasnotconfigured;thelocationfeatureisenabled.WindowsRegistryKey:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\AppPrivacyName:LetAppsAccessLocationType:Dword

•2–TurnedoffTurnofflocationscriptingThisfeatureturnsoffscriptingforthelocationfeature(meanswhetherscriptsforthelocationfeaturemayrun).

Policy:ComputerConfiguration>AdministrativeTemplates>WindowsComponents>LocationandSensors>Turnofflocationscripting•Enabled–Thisturnslocationscriptingoffsothatitisnotavailable.

•Disabled–Sameasnotconfigured;locationscriptingisenabled.WindowsRegistryKey:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensorsName:DisableLocationScriptingType:Dword

•0–Thefeatureisenabled.•1–Thefeatureisdisabled.

Camera

TheCameraprivacygroupoffersthefollowingoptions:•Toggletheuseofcamerahardware(e.g.awebcam),byappsonoroff.

•Manageallapplicationsthatmayusethecamera,andallowordisallowusageindividually.

Generalinformationoncamerause:Windows10highlightstheuseofthecamerabyturningonthecameralightwheneveritisinuse.Ifthedevicedoesnothaveacameralight,anotificationisdisplayedinstead.Someexceptionsapplytothegeneralcameraprivacysettings.WindowsHello,Windows10’sbiometricauthenticationsystem,willmakeuseofthecameraevenifcamerauseisdisabledforapplicationsintheprivacysettings.Thesettingignoresdesktopprograms.OnlyWindowsStoreappsandappsthatshipwithWindows10bydefaultareaffectedbythesettings.

Letappsusemycamera

GroupPolicyThispolicysettingspecifieswhetherWindowsappscanaccessthecamera.



Components>AppPrivacy3. SelectLetWindowsappsaccessthecamera.4. Setthepolicytoenabled.5. Inthe“Defaultforallapps”box,selectoneofthefollowingvalues:1. Userisincontrolmeansthatusersmayallowordisallowaccesstothe

camerausingtheSettingsapplication.2. ForceAllowmeansthatappsmayaccessthecamera,andthatusers

cannotchangethis.3. ForceDenymeansthatappscannotaccessthecamera,andthatusers

cannotchangethis.WindowsRegistry1. OpentheRegistryEditor2. Goto

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy3. Right-clickonAppPrivacy,andselectNew>Dword(32-bit)Value.4. NameitLetAppsAccessCamera.5. Setthevaluetooneofthefollowingsupportedintegers:1. Avalueof0meansthattheuserisincontrol.2. Avalueof1meansforceallow.3. Avalueof2meansforcedeny.

MDMpolicyfromthePolicyCSP(Camera/AllowCamera)1. Valueof0meansappscannotusecamera.2. Valueof1meansappsmayusethecamera.

Microphone

TheMicrophoneprivacysettingspageoffersthefollowingoptions:•Togglemicrophoneusebyapplications.Ifturnedoff,applicationsmaynotusethemicrophoneforfunctionality.

•Selectpermissionsforapplicationsindividually.Asisthecasewiththecamerapreference,themicrophonepreferenceaffectsonlyWindowsApplicationsbutnotdesktopprograms.

Letappsusemymicrophone

GroupPolicyThispolicysettingspecifieswhetherWindowsappscanaccessthemicrophone.



Components>AppPrivacy3. SelectLetwindowsappsaccessthemicrophone4. Setthepolicytoenabled.5. Inthe“defaultforallapps”box,setoneofthefollowingvalues:1. Userisincontrolmeansthatusersmaychangetheprivacysettingusing

theSettingsapplication.2. Forceallowmeansthatappsmayaccessthemicrophone,andthatusers

cannotchangeit.3. Forcedenymeansthatappsmaynotaccessthemicrophone,andthat

userscannotchangethis.WindowsRegistry1. OpentheRegistryEditor2. Goto

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy3. Right-clickonAppPrivacy,andselectNew>Dword(32-bit)Value.4. NameitLetAppsAccessMicrophone.5. Setittooneofthefollowingvalues:1. Avalueof0meansthatusersareincontrol.2. Avalueof1meansforceallow.3. Avalueof2meansforcedeny.

MDMpolicyfromthePolicyCSP(Privacy/LetAppsAccessMicrophone)•Valueof0:userisincontrol.

•Valueof1:forceallow•Valueof2:forcedeny.

Notifications

TheNotificationspageprovidesyouwithtwooptions:•Enableordisablenotifications.

•Managenotificationsforapplicationsindividually.

Letappsaccessmynotifications

GroupPolicyThispolicysettingspecifieswhetherWindowsappscanaccessnotifications.



Components>AppPrivacy.3. SelectLetWindowsappsaccessnotifications.4. Setthepolicytoenabled.5. Setthe“defaultforallapps”boxtooneofthefollowingvalues:1. Userisincontrolmeansthatuserscancontroltheaccessto

notificationsusingtheSettingsapplication.2. Forceallowmeansthatappsareallowedtoaccessnotifications,and

thatuserscannotchangethat.3. Forcedenymeansthatappsarenotallowedtoaccessnotifications,and

thatuserscannotchangethat.WindowsRegistry1. OpentheRegistryEditor.2. Goto

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy3. Right-clickonAppPrivacy,andselectNew>Dword(32-bit)Value.4. NameitLetAppsAccessNotifications.5. Setittooneofthefollowingvalues:1. Avalueof0meansthattheuserisincontrolofthefunctionality.2. Avalueof1meansforceallow.3. Avalueof2meansforcedeny.

MDMpolicyfromthePolicyCSP(Privacy/LetAppsAccessNotifications)•Valueof0:userisincontrol.

•Valueof1:forceallow•Valueof2:forcedeny.

Speech,inking&typingSpeechservicesandtypingsuggestionscanbeturnedonoroffwhenyouopenthespeech,inking&typingpageoftheprivacyoptions.Whenswitchedon,itenablesyoutotalktoCortanaandotherStoreapplications.Yourtypinghistoryandhandwritingpatternsareusedtocreatealocaluserdictionary,andprovideyouwithbettersuggestionsMicrosoftwillusevoiceinputtoimprovecloud-basedspeechservicesWhenthesettingisoff,youcannottalktoCortana,andanyexistingtypingandinkinguserdictionaryiserased.Voicedatainthecloudisdisassociatedwiththedevice.Speechservicesthatdon’trelyonthecloudwillstillwork,andsowilltypingsuggestionsandhandwritingrecognitionthatusesthesystemdictionary.

Tousespeechrecognition,gettingtoknowyou(theprivacysettingunderSpeech,inking&typing)mustbeturnedonbecausespeechservicesexistbothinthecloudandonyourdevice.TheinfoMicrosoftcollectsfromtheseserviceshelpstoimprovethem.

Speechservicesthatdon’trelyonthecloudandonlyliveonyourdevice,likeNarratorandWindowsSpeechRecognition,willstillworkwhenthissettingisturnedoff,butMicrosoftwon’tcollect

anyspeechdata.

WhenyourDiagnosticandusagedatasetting(Settings>Privacy>Feedback&diagnostics)issettoFull,yourinkingandtypinginputdataissenttoMicrosoft,andweusethisdatainthe

aggregatetoimprovetheinkingandtypingplatformforallusers.LearnmoreaboutDiagnosticdatahere.Aspartofinkingandtypingonyourdevice,Windowscreatesauserdictionarythatstoresuniquewordslikenamesyouwrite,whichhelpsyoutype

andinkmoreaccurately.

Turnoffautomaticlearning

Automaticlearningenablesthecollectionandstorageoftextandinkwrittenbytheuserinordertohelpadapthandwritingrecognitiontothevocabularyandhandwritingstyleoftheuser.TextthatiscollectedincludesalloutgoingmessagesinWindowsMail,andMAPIenabledemailclients,aswellasURLsfromtheInternetExplorerbrowser

history.Theinformationthatisstoredincludeswordfrequencyandnewwordsnotalreadyknowntothehandwritingrecognitionengines(forexample,propernamesandacronyms).Deletingemailcontentorthebrowserhistorydoesnotdeletethestoredpersonalizationdata.InkenteredthroughInputPaneliscollectedandstored.GroupPolicy

Thispolicysettingturnsofftheautomaticlearningcomponentofhandwritingrecognitionpersonalization.

Ifyouenablethispolicysetting,automaticlearningstopsandanystoreddataisdeleted.UserscannotconfigurethissettinginControlPanel.

1. OpentheGroupPolicyEditor.2. GotoComputerConfiguration>AdministrativeTemplates>Control

Panel>RegionalandLanguageOptions>Handwritingpersonalization3. SelectTurnoffautomaticlearning.4. Setthepolicytoenabled.

RegistryEditor1. OpentheWindowsRegistryEditor2. Goto

HKEY_LOCAL_MACHINE\Policies\Microsoft\InputPersonalization3. Right-clickonInputPersonalization,andselectNew>Dword(32-bit)

Value.4. NameitRestrictImplicitInkCollection.5. Setitsvalueto1.

or1. Goto

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Personalization\Settings.2. Right-clickonSettings,andselectNew>Dword(32-bit)Value.3. NameitAcceptedPrivacyPolicy.

4. Setitsvalueto0.or1. Goto

HKEY_CURRENT_USER\SOFTWARE\Microsoft\InputPersonalization\TrainedDataStore2. Right-clickonTrainedDataStore,andselectNew>Dword(32-bit)Value.3. NameitHarvestContacts4. Setitsvalueto0.

AllowInputPersonalization

GroupPolicyThispolicyturnsoftheautomaticlearningcomponentofinputpersonalization(thatincludesspeech,inkingandtyping).

Automaticlearningenablesthecollectionofspeechandhandwriting

patterns,typinghistory,contacts,andrecentcalendarinformation.ItisrequiredfortheuseofCortana.Someofthiscollectedinformationmaybestoredontheuser'sOneDrive,inthecaseofinkingandtyping;someoftheinformationwillbeuploadedtoMicrosofttopersonalizespeech.

Policy:ComputerConfiguration>AdministrativeTemplates>ControlPanel>RegionalandLanguageOptions>Allowinputpersonalization

•Enabled–Automaticlearningofspeech,inkingandtypingisenabled.SomeinformationmaybeuploadedtoMicrosoft,andsomemaybestoredonOneDrive.•Disabled–Thefeatureisturnedoff.Automaticlearningofspeech,typingandinkingisstopped.

WindowsRegistryKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\InputPersonalizationName:RestrictImplicitTextCollectionType:Dword

•1–Turnoffimplicittextcollection.•0–Default,textiscollected.

Key:HKEY_CURRENT_USER\SOFTWARE\Microsoft\InputPersonalizationName:RestrictImplicitInkCollectionType:Dword

•1–Turnoffimplicitinkcollection.•0–Default,inkdataiscollected.

Key:HKEY_CURRENT_USER\SOFTWARE\Microsoft\InputPersonalization\TrainedDataStoreName:HarvestContactsType:Dword

•0–Thefeatureisturnedoff.•1–Default,thefeatureisenabled.

Turnoffupdatestospeechrecognitionandspeechsynthesis

Determineswhetherthedevicewillcheckforspeechrecognitionandspeechsynthesisupdates,anddownloadthemautomatically.GroupPolicy

Aspeechmodelcontainsdatausedbythespeechenginetoconvertaudiototext(orvice-versa).Themodelsareperiodicallyupdatedtoimproveaccuracyandperformance.Modelsarenon-executabledatafiles.

Ifenabled(default),thedevicewillperiodicallycheckforupdatedspeechmodelsandthendownloadthemfromaMicrosoftserviceusingtheBackgroundInternetTransferService(BITS).


Components>Speech3. SelectAllowautomaticallyupdateofSpeechData4. Setthepolicytodisabled.

WindowsRegistry1. OpentheWindowsRegistryEditor2. Goto

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Preferences3. Right-clickonPreferences,andselectNew>Dword(32-bit)Value.4. NameitModelDownloadAllowed.5. Setthevalueto0.

MDMpolicyfromthePolicyCSP(Speech/AllowSpeechModelUpdate)

•Avalueof0meansnotallowed.•Avalueof1meansallowed.

Turnoffhandwritingpersonalizationdatasharing

ThehandwritingrecognitionpersonalizationtoolmaybeusedonWindowsTabletPCstoadapthandwritingrecognitiontotheuser’swritingstyle.WindowsTabletPCsmaysharehandwritingdataautomaticallywithMicrosoftto“improvehandwritingrecognitioninfutureversionsofWindows”.

GroupPolicyComputerConfiguration>AdministrativeTemplates>System>InternetCommunicationManagement>InternetCommunicationsettings>Turnoffhandwritingpersonalizationdatasharing

Enabled:WhenthispolicyisenabledWindowsusersmaynotsharewritingsamplesfromthehandwritingrecognitionpersonalizationtoolwithMicrosoft.Disabled:SamplesaresharedautomaticallywithMicrosoftwhenthetoolisbeingused.NotConfigured:UsersarepromptedandmaydecidetosharethedatawithMicrosoft.

WindowsRegistryRegistryKey:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPCName:PreventHandwritingDataSharingType:Dword

Avalueof1preventshandwritingdatasharing.

Turnoffhandwritingrecognitionerrorreporting

Thehandwritingrecognitionerrorreportingtoolenablesuserstoreporterrors.Thetoolgenerateserrorreports,andtransmitsthemtoMicrosoft.MicrosoftusesthedatatoimprovehandwritingrecognitioninfutureversionsofWindows.GroupPolicy

ComputerConfiguration>AdministrativeTemplates>System>InternetCommunicationManagement>InternetCommunicationsettings>Turnoffhandwritingrecognitionerrorreporting

Enabled:Whenthispolicyisenabled,usersmaynotstartthehandwritingrecognitionerrorreportingtoolorsenderrorreportstoMicrosoft.Disabled:Sameasnotconfigured.UsersmayusethehandwritingrecognitionerrorreportingtooltosenderrordatatoMicrosoft.

WindowsRegistryRegistryKey:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReportsName:PreventHandwritingErrorReportsType:Dword

Avalueof1preventsuseofthehandwritingerrorreportingtool,andthereportingoferrorstoMicrosoft.

AccountInfo

TheAccountinfopageprovidesyouwiththemeanstoenableordisablegeneralaccesstoyourname,pictureandotheraccountinformation.Youmayalsoallowordisallowaccessonaper-applicationbasisinstead.

Letappsaccessmyname,picture,andotheraccountinfo

GroupPolicy

ThispolicysettingspecifieswhetherWindowsappscanaccessaccountinformation.


Ifyouchoosethe"ForceDeny"option,Windowsappsarenotallowedtoaccessaccountinformationandemployeesinyourorganizationcannotchangeit.

1. LoadtheGroupPolicyEditor.2. GotoComputerConfiguration>AdministrativeTemplates>Windows

Components>AppPrivacy.3. OpenLetWindowsappsaccessaccountinformation.4. Setthepolicytoenabled.5. Setthe“defaultforallapps”settingtooneofthefollowingvalues:1. Userisincontrolmeansthatusersmayselecttoalloworblock

individualapps,ortheprivacyfeature,intheSettingsapplication.2. ForceAllowmeansthatWindowsappsmayuseaccountinformation,

andthatuserscannotchangethat.3. ForceDenymeansthatWindowsappsmaynotuseaccountinformation,

andthatuserscannotchangethat.WindowsRegistry1. OpentheWindowsRegistryEditor.2. Goto

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy.3. Right-clickonAppPrivacy,andselectNew>Dword(32-bit)Valuefrom

themenu.4. NamethenewvalueLetAppsAccessAccountInfo5. Setitsvaluetooneofthefollowingsupportedvalues:1. Valueof0meansuserisincontrol.2. Valueof1meansforceallow.3. Valueof2meansforcedeny.

MDMpolicyfromthePolicyCSP(Privacy/LetAppsAccessAccountInfo)

•Avalueof0meanstheuserisincontrol.•Avalueof1meansforceallow.•Avalueof2meansforcedeny.

Contacts

TheContactsprivacypageliststwomainoptionsrightnow:•Enableordisableaccesstocontactsbyapplications.

•Manageaccessrightstocontactsforindividualapplications.

Chooseappsthatcanaccesscontacts

GroupPolicyThispolicysettingspecifieswhetherWindowsappscanaccesscontacts.



Components>AppPrivacy.3. OpentheLetWindowsappsaccesscontactspolicy.4. Enablethepolicy.5. Setthe“defaultforallapps”settingtooneofthefollowingvalues1. Userisincontrolgivesusersoptionstoallowordisallowappstoaccess

contacts.2. Forceallowmeansthatapplicationsmayaccesscontacts,andthatusers

cannotpreventthis.3. Forcedenymeansthatapplicationsmaynotaccesscontacts,andthat

userscannotallowthem.WindowsRegistry1. OpentheWindowsRegistryEditor2. Goto

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy3. IftheDwordvalueLetAppsAccessContactsdoesnotexist,right-clickon

AppPrivacy,andselectNew>Dword(32-bit)Valuefromthecontextmenu,andnameitaccordingly.

4. Setthepreferenceto2todisableaccesstocontacts.MDMpolicyfromthePolicyCSP(Privacy/LetAppsAccessContacts)


Calendar

YoumayusetheCalendarpageoftheprivacysettingstoallowordisallowapplicationaccesstothecalendar.Youmayfurthermoreallowordisallowaccesstothecalendarforindividualapplications.

Letappsaccessthecalendar

GroupPolicy

ThispolicysettingspecifieswhetherWindowsappscanaccessthe

calendar.


1. LoadtheGroupPolicyEditor.2. GotoComputerConfiguration>AdministrativeTemplates>Windows

Components>AppPrivacy.3. OpenLetWindowsappsaccessthecalendar4. Setthepolicytoenabled.5. Setthe“defaultforallapps”settingtooneofthefollowingvalues:

4. Userisincontrolmeansthatusersmayalloworblockappstoaccessthecalendar.

5. Forceallowmeansthatappsmayaccesscalendardata,andthatuserscannotblockthis.

6. Forcedenymeansthatappsmaynotaccesscalendardata,andthatuserscannotblockthis.

WindowsRegistry1. OpentheWindowsRegistryEditor.2. Goto

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy.3. Right-clickonAppPrivacy,andselectNew>Dword(32-bit)Valuefrom

themenu.4. NamethenewvalueLetAppsAccessCalendar.5. Setitsvaluetooneofthefollowingvalues:1. Valueof0meansuserisincontrol.2. Valueof1meansforceallow.3. Valueof2meansforcedeny.

MDMpolicyfromthePolicyCSP(Privacy/LetAppsAccessCalendar)


CallHistory

TheCallHistory,justlikemostoftheotherprivacysettings,providesyouwithtwooptions:•AllowordisallowaccesstotheCallHistoryforallapplications.

•AllowordisallowindividualapplicationaccesstotheCallHistory.

Letappsaccessmycallhistory

GroupPolicyThispolicysettingspecifieswhetherWindowsappscanaccesscallhistory.

Youcanspecifyeitheradefaultsettingforallappsoraper-appsettingbyspecifyingaPackageFamilyName.YoucangetthePackageFamilyNameforanappbyusingtheGet-AppPackageWindowsPowerShellcmdlet.Aper-appsettingoverridesthedefaultsetting.1. OpentheGroupPolicyEditor.2. GotoComputerConfiguration>AdministrativeTemplates>Windows

Components>AppPrivacy3. OpenLetWindowsappsaccesscallhistory.4. Setthepolicytoenabled.5. Setthe“defaultforallapps”settingtooneofthefollowingvalues:1. Userincontrolgivesuserscontroloverthecallhistory.Theymayallow

ordisallowappsaccesstothecallhistory.2. ForceAllowenablesaccesstotheCallHistoryautomatically.Users

maynotchangethis.3. ForceDenydisablesaccesstotheCallHistoryautomatically.Usersmay

notchangethis.WindowsRegistry1. OpentheWindowsRegistryEditor.2. Goto

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy3. Right-clickonAppPrivacy,andselectNew>Dword(32-bit)Value.4. NameitLetAppsAccessCallHistory.5. Giveitoneofthefollowingvalues:1. Avalueof0meansusersareincontrol.2. Avalueof1meansforceallow.3. Avalueof2meansforcedeny.

MDMpolicyfromthePolicyCSP(Privacy/LetAppsAccessCallHistory)

•Avalueof0meansuserisincontrol.•Avalueof1meansforceallow.•Avalueof2meansforcedeny.

Email

TheEmailprivacysettingscanbeusedtoallowordisallowapplicationaccesstoemailsonagloballevel,andtoallowordisallowaccessforindividualapplications.Thetwobuilt-inapplicationsMailandCalendarareallowedtoaccessandsendemailregardlessofhowtheoptionsareconfigured.

Letappsaccessandsendemail

GroupPolicyThispolicysettingspecifieswhetherWindowsappscanaccessemail.



Components>AppPrivacy3. SelectLetWindowsappsaccessemail4. Setthepolicytoenabled.5. SetthevalueofthepolicyunderDefaultforapps:1. UserisincontrolmeansthatuserscandecidewhetherWindowsapps

mayaccessemail.2. ForceAllowmeansthatWindowsappsareallowedtoaccessemail,and

userscannotchangeit.3. ForceDenymeansthatWindowsappsarenotallowedtoaccessemail,

andthatuserscannotchangeit.WindowsRegistry1. OpentheWindowsRegistryEditor.2. Goto

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy3. Right-clickonAppPrivacy,andselectNew>Dword(32-bit)Value.4. NamethenewvalueLetAppsAccessEmail.1. Setitsvalueto0togiveuserscontroloverthefeature.2. Setitsvalueto1toforceallow.3. Setitsvalueto2toforcedeny.

MDMpolicyfromthePolicyCSP(Privacy/LetAppsAccessEmail)1. 0–userisincontrol.2. 1–Forceallow3. 2–Forcedeny.

Tasks

YoumayusetheTasksprivacypagetoallowordisallowglobalaccesstotasks,ortoallowordisallowaccesstotasksforindividualapplications.Thetwobuilt-inapplicationsMailandCalendararewhitelisted.Theyhaveaccesstothetasksevenifyoudisabletasksglobally.GroupPolicy

ThispolicysettingspecifieswhetherWindowsappscanaccesstasks.



Components>AppPrivacy3. SelectLetWindowsappsaccessTasks4. Setthepolicytoenabled.5. Selectoneofthefollowingvaluesfor“defaultforallapps”.1. Userisincontrol–UsersmayenableordisableTasksaccessforallor

specificapps.2. ForceAllow–Tasksaccessisenabled,anduserscannotchangethat.3. ForceDeny–Tasksaccessisdisabled,anduserscannotchangethat.

5.3.

Messaging

YoumayusetheMessagingprivacyoptionstoturnonoroffapplicationreadandsendaccesstomessages(bothtextandMMS).Itisfurthermorepossibletoallowordisallowindividualapplicationstousemessaging.

Letappsreadorsendmessages(textorMMS)

GroupPolicyThispolicysettingspecifieswhetherWindowsappscanreadorsendmessages(textorMMS).



Components>AppPrivacy3. SelecttheLetWindowsappsaccessmessagingpolicy.4. Setthepolicytoenabled.5. Setthedefaultforallappsvalueto1. Userisincontroltoallowuserstocontrolthefeature.2. ForceAllowtoenableappaccesstomessaging,andblockusersfrom

changingthis.3. ForceDenytodisallowappaccesstomessaging,andblockusersfrom

changingthis.WindowsRegistry1. OpentheWindowsRegistryEditor.2. Goto

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy3. Right-clickonAppPrivacy,andselectNew>Dword(32-bit)Value.4. NameitLetAppsAccessMessaging1. Setitsvalueto0toputusersincontrol.2. Setitsvalueto1toforceallow.3. Setitsvalueto2toforcedeny.

MDMpolicyfromthePolicyCSP(Privacy/LetAppsAccessMessaging)1. Avalueof0meansuserisincontrol.2. Avalueof1meansforceallow3. Avalueof2meansforcedeny.

Radios

Someappsuseradios–likeBluetooth–inyourdevicetosendandreceivedata.Sometimes,appsneedtoturntheseradiosonandofftoworktheirmagic.YoumayusetheRadiossettingstoallowordisallowaccesstoRadiossuchasBluetoothglobally,orforindividualapplications.

LetWindowsappscontrolradios

GroupPolicyThispolicysettingspecifieswhetherWindowsappshaveaccesstocontrolradios.



Components>AppPrivacy3. SelectLetWindowsappscontrolradios.4. Setthepolicytoenabled.5. Setthedefaultforallappsvalueto1. Userisincontroltoletusersdecide.2. ForceAllowtoenableapplicationaccesstocontrolradios,andprevent

usersfromchangingthat.3. ForceDenytodisableapplicationaccesstocontrolradios,andprevent

usersfromchangingthat.WindowsRegistry1. OpentheRegistryEditor2. Goto

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy3. Right-clickonAppPrivacy,andselectNew>Dword(32-bit)Value.4. NameitLetAppsAccessRadios.1. Setitsvalueto0foruserisincontrol.2. Setitsvalueto1forforceallow.3. Setitsvalueto2forforcedeny.

MDMpolicyofthePolicyCSP(Privacy/LetAppsAccessRadios)1. Avalueof0meansthattheuserisincontrol.2. Avalueof1meansforceallow.3. Avalueof2meansforcedeny.

OtherDevices

Manageotherdevices,thosethatyousyncdatawith,orthatyouconnecttoyourWindowsmachineusingthissetting.OtherdevicesmaybeotherWindows10devicesbutalsotabletsorphones.Applicationsmayuseyourtrusteddevices,suchasyourXboxOne,TVs,orprojectors.Thefollowingoptionsareprovided:

•Enableordisablethesynchronizationofdatawithotherdevices.•Chooseappsthatcansyncwiththedeviceyouareusing.•LetapplicationsusesTrustedDevicessuchasmemorycards,Xboxandotherdevices.

Feedback&Diagnostics

TheWindows10CreatorsUpdatesupportstwodiagnosticsettings(downfromthreeinpreviousversionsofWindows.TheonlyexceptiontothatisthatEnterpriseeditionssupportturningoffdiagnosticscompletely.Basic–SeethisMicrosoftpageforafulllistofwhatiscollected:https://docs.microsoft.com/en-us/windows/configuration/basic-level-windows-diagnostic-events-and-fieldsTheBasiclevelgathersalimitedsetofinformationthatiscriticalforunderstandingthedeviceanditsconfigurationincluding:basicdeviceinformation,quality-relatedinformation,appcompatibility,andMicrosoftStore.WhenthelevelissettoBasic,italsoincludestheSecuritylevelinformation.

TheBasiclevelhelpstoidentifyproblemsthatcanoccuronaparticulardevicehardwareorsoftwareconfiguration.Forexample,itcanhelpdetermineifcrashesaremorefrequentondeviceswithaspecificamountofmemoryorthatarerunningaparticulardriverversion.ThishelpsMicrosoftfixoperatingsystemorappproblems.

Full–includesallbasicleveldatasets,andadditionaldatasets.Youfindalistingofthosehere:https://docs.microsoft.com/en-us/windows/configuration/windows-diagnostic-data

https://docs.microsoft.com/en-us/windows/configuration/windows-diagnostic-data

Windowsshouldaskformyfeedback

GroupPolicyThispolicysettingallowsanorganizationtopreventitsdevicesfromshowingfeedbackquestionsfromMicrosoft.


Components>DataCollectionandPreviewBuilds3. SelectDonotshowfeedbacknotifications.1. EnablethispolicytoblockfeedbacknotificationsthroughtheWindows

Feedbackapplication.2. Disablethispolicy,ordon’tconfigureit,toallowfeedbacknotifications

throughtheWindowsFeedbackapplication.WindowsRegistry1. OpentheWindowsRegistryEditor.

2. GotoHKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DataCollection

3. Right-clickonDataCollection,andselectNew>Dword(32-bit)Value.4. NameitDoNotShowFeedbackNotifications1. Avalueof1disablesfeedbacknotifications.2. Avalueof0allowsthem.

Alternatively1. GotoHKEY_CURRENT_USER\Software\Microsoft\Siuf\Rules\2. Right-clickonRules,andselectNew>Dword(32-bitvalue)3. NameitPeriodInNanoSeconds4. Setitsvalueaccordingtothetablebelow.5. GotoHKEY_CURRENT_USER\Software\Microsoft\Siuf\Rules\6. Right-clickonRules,andselectNew>Dword(32-bitvalue)7. NameitNumberOfSIUFInPeriod8. Setitsvalueaccordingtothetablebelow

Setting PeriodInNanoSecondsNumberOfSIUFInPeriod

Automatically DeletetheregistrysettingDeletetheregistrysetting

Never 0 0

Always 100000000 Deletetheregistrysetting

Onceaday 864000000000 1

Onceaweek 6048000000000 1

UseDiagnosticDataforTailoredExperiences

GroupPolicyThispolicysettingletsyoupreventWindowsfromusingdiagnosticdatatoprovidetailoredexperiencestotheuser.

1. OpentheGroupPolicyEditor2. GotoUserConfiguration>AdministrativeTemplates>Windows

Components>CloudContent3. SelectDonotusediagnosticdatafortailoredexperiences.

1. Setthispolicytoenabledifyoudon’twantWindowstousediagnosticdatafromthedevicetocustomizecontentshownonthelockscreen,andelsewhere.

2. Setthispolicytodisabled,toenablepersonalizedrecommendationsbasedontelemetrydata.

BackgroundApps

Applicationsmayruninthebackground,forinstancetoreceiveinformationfromtheInternetoranetwork,orsendnotifications.Ifyouturnoffthefeature,appsmaynotdosowhentheyarenotrunningonthe

system.Apositivesideeffectofturningthefunctionalityoffisthatyoumayconservepowerdependingonwhichappsareinstalledonthesystem,andhowtheyareused.TheSettingsapplicationprovidesyouwithtwooptions:

1. Turnofthefeatureforallapplications.2. Selecttheappsthatyouwanttobeabletoruninthebackground.

GroupPolicyThispolicysettingspecifieswhetherWindowsappscanruninthebackground.



Components>AppPrivacy3. SelectLetWindowsappsruninthebackground.4. Setthepolicytoenabled.5. Setoneofthefollowingoptionsunder“defaultforallapps”1. Userisincontroltoprovideuserswithoptionstoenableordisablethe

functionality.2. ForceAllowtoallowappstoruninthebackground;userscannot

changethepreference.3. ForceDenytodisallowappstoruninthebackground;userscannot

changethepreference.WindowsRegistry1. OpentheWindowsRegistryEditor.2. Goto

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications3. Right-clickonBackgroundAccessApplications,andselectNew>Dword

(32-bit)Value.4. NameitGlobalUserDisabled.

1. Avalueof0meansthefeatureisturnedon.2. Avalueof1meansthefeatureisdisabled.

LetWindowsandyourappsuseyourmotiondataandcollectmotionhistory

Windowsapplicationsmayaccessmotiondataandcollectthemotionhistory.Thisrequiresspecialsensorsinthedevice.

ThispolicysettingspecifieswhetherWindowsappscanaccessmotiondata.

Youcanspecifyeitheradefaultsettingforallappsoraper-appsettingbyspecifyingaPackageFamilyName.YoucangetthePackageFamilyNameforanappbyusingtheGet-AppPackageWindowsPowerShellcmdlet.Aper-appsettingoverridesthe

defaultsetting.GroupPolicy:ComputerConfiguration>AdministrativeTemplates>WindowsComponents>AppPrivacy>LetWindowsappsaccessmotion•Enabled–Defaultvalue.Windowsappsmayusemotiondataandcollectmotionhistory.SetDefaultforallappsvalue:◦Userisincontrol–UsersmayenableordisableMotionintheSettings.

◦Forceallow–Motionisenabled,andusersmaynotchangethat.◦Forcedeny–Motionisdisabled,andusersmaynotchangethateither.

•Disabled–Windowsapplicationsmaynotusemotiondataorcollectmotionhistory.

Key:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacyName:LetAppsAccessMotionType:Dword

•Avalueof0meansthattheuserisincontrol.•Avalueof1meansforceallow.•Avalueof2meansforcedeny.

WindowsFeatures

Accounts(Local,Microsoft)Windows10supportstwotypesofaccounts:localaccountsandMicrosoftaccounts.MicrosoftprioritizesMicrosoftaccountsonWindows10,butusersmayselecttocreatelocalaccountsinstead.Thechoicethatusersmakeduringinstallationorsetup,hasabigimpactonprivacyandfunctionality.

MicrosoftaccountvslocalaccountsAMicrosoftaccountisarelativelynewtop-levelaccountforMicrosoftsoftwareandserviceusers.ThebestwaytodescribeitisthatitisanonlineaccountforallthingsMicrosoft.InsteadofhavingtosignupfordifferentMicrosoftproductsandservicesindividually,youmayuseaMicrosoftaccountforthemajorityofthose.ManyWindowsusersmayhaveaccesstoaMicrosoftaccountalready.ThisisthecaseforinstancewhentheyuseoneofMicrosoft’semailservices,forinstanceOutlook.com.ItneedstobenotedthatMicrosoftaccountsdon’thaveasingledomaintheyareassociatedwith.Infact,itispossibletouseanyemailaddresstosetupaMicrosoftaccount.TheeasiestwaytodistinguishlocalfromMicrosoftaccountsisthatMicrosoftaccountsalwaysuseanemailaddressastheusername.TheuseofaMicrosoftaccountonWindows10comeswithcertainbenefits:

Datasynchronization–Someoperatingsystempreferences,customization,andsomedataissyncedautomaticallytoanydevicethatrunsWindows10providedthatyousigninwiththesameMicrosoftAccount.Thisincludesthethemeanddesktopwallpaper,InternetExplorersettings,theEdgebrowsinghistory,savedpasswords,andEaseofAccess.CheckouttheOneDrive/FileSynchronizationchapterforadditionalinformationonthat.Passwordresetandchange–SinceaMicrosoftaccountisanonlineaccount,youmaygoonlinetoresettheaccountpassword,orchangethepassword.

Directaccesstoappsandservices–OtherappsandservicesthatrunonaWindows10machinemaypickuptheMicrosoftaccountautomaticallysothatyoudon’tneedtocreateanaccount,orsignintoone.OneDrivemaysignyouintoyouronlinestorage,oryoumayseeyouremailsorcontactslisteddirectlyintheappsthatprovidetheinformation.Multi-deviceaccess–YoucansignintoanyWindows10deviceusingaMicrosoftaccount,whileyouwouldneedtocreatelocalaccountsonanydeviceyouwanttouseifyouuselocalaccounts.WindowsStore–WindowsStorerestrictsaccesstonon-Microsoftaccounts:Windows10Pro,EnterpriseandEducationeditionssupportthedownloadingoffreeappsandgamesfromthestore.AMicrosoftisrequiredonHomeeditions,andforanypurchasesmadeintheStore.

Thecorebenefitofusingalocalaccountisprivacy.MicrosoftaccountdataissubmittedtoMicrosoftbydefault,andstoredoncompanyservers.Microsoft’sprivacystatementconfirmsasmuch:Microsoftcollectsdatatooperateeffectivelyandprovideyouthebestexperienceswithourproducts.Youprovidesomeofthisdatadirectly,suchaswhenyoucreateaMicrosoftaccount,submitasearchquerytoBing,speakavoicecommandtoCortana,uploadadocumenttoOneDrive,purchaseanMSDNsubscription,signupforOffice365,orcontactusforsupport.[15]

PleasenotethatyoumaylimitthedatathatissharedwithMicrosoftbycustomizingWindows10settingsasdescribedinthisbook.Otherdifferencesexist:youcannotchangeaMicrosoftaccountpasswordonthelocalWindows10machine,asInternetaccessisrequiredforthat.Thesameisnottrueforchangingthepasswordofalocalaccount,asyoucandosodirectlyonthelocalmachine,evenwithoutInternetaccess.

WindowsSetupwithalocalaccountMicrosoftputsthefocusonMicrosoftaccountsduringsetup.Itdisplaysthe“signinwithMicrosoft”optionduringsetup,andgivescustomerstheoptiontosigninusinganexistingaccount,ortocreateanewaccount.Thelocalaccountoptionisstillthere,butitisnothighlightedasmuch.ThefollowingguidewalksyouthroughthestepsofsettingupalocalaccountonaWindows10machineduringsetup.Step1:SelectOfflineaccountonthe“SigninwithMicrosoft”pageduringsetup.

Step2:SelectNoorLateronthenextscreen.MicrosofttriesonemoretimeonthispagetogetyoutosignuporinusingaMicrosoftaccount.

Step3:Selectausernameforthelocalaccount,andclickontheNextbuttonafterwards.

Step4:Typeapassword,orleavethepasswordfieldempty,andclickonnext.That’sit;youhavecreatedalocalaccountduringsetupwhichyoucanusefromthatmomentontosignintothedevice.

ConvertaMicrosoftaccountlogintoalocalaccount(orviceversa)YouhavetwooptionswhenitcomestoswitchingfromalocalaccounttoaMicrosoftaccount,oraMicrosoftaccounttoalocalaccount.Conversionisusefulifyouhaveselectedeitheraccounttypeduringsetup,andwanttoswitchtotheother.Whileyoucancreateanewuseraccountonthedeviceandmakeitthepreferredaccounttype,youmayalsoconvertanexistingaccounttypeintotheother.Convertingoffersadvantagesoverthecreationofnewuseraccountsonthedevice.,Notethatconvertingtotheotheraccounttypedoesnotchangefilesorinstalledapplicationsonthedevice.Accessremains,andthatisthemaindifferencetocreatinganewuseraccountonthedeviceforuseasalocalorMicrosoftaccount.YoumaybeaskedtosignintoappsthatrequireaMicrosoftaccountwhenyouswitchtoalocalaccountthough.SwitchfromalocalaccounttoaMicrosoftaccount

StartbyopeningtheSettingsapplication.GotoAccounts>YourInfo.Thepageliststheaccounttype,e.g.localaccountasyouseeonthescreenshotabove,andalinkto“signinwithaMicrosoftaccountinstead”.AclickonthelinkstartstheconversionprocessfromusingalocalaccounttousingaMicrosoftaccount.YouareaskedtoauthenticatebyenteringtheMicrosoftaccountemailaddress,phonenumberassociatedwithaMicrosoftaccount,oraSkypeID.Onceyoucompletetheauthenticationprocess,youareaskedtoenterthepasswordofthelocalWindowsaccounttocompletetheprocess.ThenexttimeyousignintotheWindows10device,youareaskedtoentertheMicrosoftaccountpasswordandnotthelocalpassword.

SwitchfromaMicrosoftaccounttoalocalaccount

YoumayswitchfromaMicrosoftaccounttoalocalaccountaswell.TheprocessisnearlyidenticaltoswitchingfromalocalaccounttoaMicrosoftaccount.StartbyopeningtheSettingsapplication.GotoAccounts>YourInfo.Ifyouseeanemailaddresslistedonthepagethatopens,youaresignedinusingaMicrosoftaccount.Scrolldownuntilyoufindthe“signinwithalocalaccountinstead”link,andactivateit.FirstthingyouareaskedtodoisenterthecurrentMicrosoftaccountpassword.

Onceyouhavedonethat,youcreateanewlocalaccountbyselectingausername,passwordandpasswordhint.Notethattheusernameistheonlymandatoryfield.Whenyousigninthenexttime,youareaskedtoenterthelocalaccountpasswordforauthentication.

UseaMicrosoftaccountinselectapplicationsWindows10userswhosigninwithalocalaccountmaynoticethatsomefunctionalitythatapplicationsprovidemaybecomeunavailablebecauseofthat.ThisisthecaseusuallyforanyapplicationthatislinkedtoaMicrosoftAccount.OneDriveforinstancerequiresaMicrosoftaccount,andsodootherapplicationssuchasCalendarorMusic.Otherapplicationsmayfunctionpartiallyonly.WindowsStoreworkswithalocalaccountifyourunWindows10ProorEnterpriseforinstance,butonlytodownloadandinstallfreeapps.AruleofthumbisthatWindowsappswillnotifyyouwhentheyneedaccesstoaMicrosoftaccount.YoudoneedtobecarefulhoweverwhenyousignintoaMicrosoftaccountthisway.MicrosoftdisplaysanauthenticationprompttousetheMicrosoftaccountforthisparticularapplication.ThenextscreendisplaysanoptiontoswitchtoaMicrosoftaccountwhensigningin.Ifyouwanttokeeponusingyourlocalaccount,youneedtoclickonthelinkthatisdisplayedbeneaththepasswordfieldtousetheMicrosoftaccountonlyfortheselectedapplicationandnotWindowsingeneral.

ManagethedatathatMicrosoftassociateswithaMicrosoftaccountMicrosoftcreatedamanagementinterfaceforMicrosoftaccountontheofficialcompanywebsite.Itprovidesuserswithoptionstomanageuserinformation,privacy,andsecurityonline.Themainentrypointsare:

YourInfo:https://account.microsoft.com/profile/Privacy:https://account.microsoft.com/privacy/Security:https://account.microsoft.com/security

YourInfoYourInfolistsprofileandcontactinformation,andoptionstomodifythose.Youmayusethepagetomanageyoursign-inemailaddressesandphonenumbers,editpersonalorbillinginformation,andtochangetheaccountpicture.

https://account.microsoft.com/profile/

https://account.microsoft.com/privacy/

https://account.microsoft.com/security

PrivacyThePrivacytabontheMicrosoftaccountwebsitelistssomeofthedatathatMicrosoftcollectswhenyouuseWindows10orcompanyservices.BrowseUserswhosignintoWindows10,useCortana’sbrowsinghistoryfeature,anduseMicrosoftEdge,havetheirbrowsinghistorysenttoMicrosoftsothatMicrosoft,appsandWindowsfeaturesmayprovide“timelyandintelligentanswersandproactivepersonalizedsuggestions”.Tip:Windows10usersmaydisablethetransferalofthebrowsinghistorybyopeningCortana,selectingNotebook>Permissions,andsettingtheBrowsingHistoryoptiontooff.SearchBingusesauser’ssearchhistorytoimproveresults,personalizationandsuggestions.Cortanamayusethesearchhistoryaswelltoprovideservices.LocationMicrosoftservicessuchasMapsuselocationdatatoshowuserswheretheyare,andwhatisnearby.Itmayalsobeusedtoprovidedirections,andbyotherapplicationsthatshipwithWindows10toprovidecertainfunctionality.Cortana’sNotebookThedigitalagentCortanakeepstrackofinterestswhenitisactiveonaWindows10device.ThenotebooklistsinterestsassociatedwiththeMicrosoftaccountandsortedintocategoriessuchasNews,Shopping,orWeather.Tip:SelectNotebook>ConnectedServiceswhenCortanaisopentomanagethird-partyservicesthatCortanamayshareinformationwith.Thefollowingoptionsareprovidedatthetimeofwriting:

Managethebrowsinghistory.Microsoftdisplaysthemostrecentbrowsinghistorydata,andoptionstoclearit.Managethesearchhistory.Thislistsrecentsearches,andoptionstoclearthesearchhistory.Managethelocationhistory.Youmaylistthelocationhistory,andclearitonthepage.ManageCortanaNotebookdata.ListthedatathatCortanaassociateswith

yourinterests,anddeletethedata.

SecurityTheSecuritytablistsoptionstochangetheaccountpassword,updatesecurityinformation,andtoviewtherecentactivity.Youmaycheckandupdatesecurityinformationthere.ThisisimportantasMicrosoftwillusetheinformationyouprovideforaccountrecoveryoperations.The“reviewrecentactivity”optionliststhelastsign-instotheaccount,andfromwheretheyhappened.Usefultomakesureallarelegit.

CustomerExperienceProgramTurnoffWindowsCustomerExperienceImprovementProgram

Theprogramcollectsinformationaboutthehardwareconfiguration,andsoftwareandservicesuse,toidentifytrendsandusagepatterns.

Microsoftstatesthatitwon’tcollectpersonallyidentifiableinformationsuchasnamesoraddresses.GroupPolicy:ComputerConfiguration>AdministrativeTemplates>System>InternetCommunicationManagement>InternetCommunicationsettings>TurnoffWindowsCustomerExperienceImprovementProgram•Enabled–Whenenabled,allusersareoptedoutoftheWindowsCustomerExperienceImprovementProgram.

•Disabled–AllusersareoptedintotheWindowsCustomerExperienceImprovementProgram.

WindowsRegistry:Key:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\WindowsName:CEIPEnableType:Dword

•0–Thefeatureisdisabled.•1–Thefeatureisenabled.

AllowCorporateRedirectionofCustomerExperienceImprovementuploads

Thissettingallowsyoutochangetheresourcethecollecteddatagetsuploadedto.Policy:ComputerConfiguration>AdministrativeTemplates>WindowsComponents>WindowsCustomerExperienceImprovementProgram>AllowCorporateRedirectionofCustomerExperienceImprovementuploads•Enabled–ThisredirectsallCustomerExperienceImprovementuploadstotheselectedaddress.

•Disabled–Uploadsarenotredirectedbygotothedefaultaddress.Key:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClientName:CorporateSQMURLType:String

•Setnewresourceaddress,orredirecttolocalhost127.0.0.1

TurnofftheWindowsMessengerCustomerExperienceImprovementProgram

ThissettingdefineswhetherWindowsMessengercollectsanonymousinformationabouthowWindowsMessengerisusedonthesystem.Policy:ComputerConfiguration>AdministrativeTemplates>System>InternetCommunicationManagement>InternetCommunicationsettings>TurnofftheWindowsMessengerCustomerExperienceImprovementProgram•Enabled–WindowsMessengerdoesnotcollectusageinformationabouthowtheproductisused.

•Disabled–AnonymousWindowsMessengerusagedataiscollectedandsubmittedtoMicrosoftKey:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\ClientName:CEIP

Type:Dword•2–Anonymoususagedataisnotcollected.

TurnoffHelpExperienceImprovementProgram

ThispolicydetermineswhetherusersmayparticipateintheHelpExperienceImprovementprogram.TheprogramcollectsinformationonhowusersuseWindowsHelp.GroupPolicy:UserConfiguration>AdministrativeTemplates>System>InternetCommunicationManagement>InternetCommunicationsettings>TurnoffHelpExperienceImprovementProgram

Enabled–UserscannotparticipateintheHelpExperienceImprovementProgram.Disabled–Sameasnotconfigured.Userscanturnthefeatureon.

WindowsRegistry:Key:HKEY_CURRENT_USER\Software\Policies\Microsoft\Assistance\Client\1.0Name:NoExplicitFeedback

Type:Dword0–ExplicitFeedbackisturnedoff.1–ExplicitFeedbackisturnedon.

Name:NoImplicitFeedbackType:Dword

0–ImplicitFeedbackisturnedoff.1–ImplicitFeedbackisturnedon.

WindowsMediaPlayerUsageTracking

WindowsMediaPlayerSettings:OpenWindowsMediaPlayer,andselectTools>Options>Privacy.Findthepreference“IwanttohelpmakeMicrosoftsoftwareandservicesevenbetterbysendingPlayerusagedatatoMicrosoft”andmakesureitisdisabled.

WindowsRegistry:Key:HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\PreferencesName:UsageTrackingType:Dword

•0–TheWindowMediaPlayerCustomerExperienceImprovement

Programisdisabled.•1–TheWindowMediaPlayerCustomerExperienceImprovementProgramisenabled.

TurnoffMicrosoftConsumerExperiences

MicrosoftConsumerExperienceswereaddedtoWindows10inversion1511.Thefeaturepowersseveralthingsonthedevice,includingwhichthird-partyapplicationsareshownonStartafterinstallationorupgradeofacomputersystem,andpersonalizedrecommendationsandnotifications.ThepolicyappliesonlytoEnterpriseandEducationversionsofWindows10.GroupPolicy:ComputerConfiguration>AdministrativeTemplates>WindowsComponents>CloudContent>TurnoffMicrosoftConsumerExperiences.

•Enabled:MicrosoftConsumerExperiencesisdisabledifyouenablethepolicy.Ifyoudisablethefeature,Windows10won’tpushthird-partyapplicationsuggestionsanymoreonthesystem.ItwillalsoblockrecommendationsandnotificationsthatMicrosoftConsumerExperiencespowersaswell.•Disabled:Sameasnotconfigured.MicrosoftConsumerExperiencesis

enabled.WindowsRegistry:Key:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContentName:DisableWindowsConsumerFeaturesType:Dword

•0–Thefeatureisactiveonthesystem.•1–Thefeatureisdisabled.

FeedbackandHelpTurnoffActiveHelp

Thissettingdefineswhetherso-calledactivecontentlinksarerenderedintrustedassistancecontent.GroupPolicyComputerConfiguration>AdministrativeTemplates>WindowsComponents>OnlineAssistance>TurnoffActiveHelp•Enabled–ActiveContentlinksarenotrenderedifyouenablethepolicysetting.Whilethetextisstilldisplayed,linksarenotdisplayed.

•Disabled–Defaultbehaviorapplies.WindowsRegistryKey:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Assistance\Client\1.0Name:NoActiveHelp

Type:Dword•1–ThisturnsofftheActiveHelpfeature.•0–Sameasnosetting.ActiveHelpisenabled.

InternetExplorerWindows10comeswithInternetExplorer11,butitisnolongerthedefaultwebbrowseronmachinesrunningtheoperatingsystem.

AllowMicrosoftservicestoprovideenhancedsuggestionsastheusertypesintheAddressbar

Microsoft’sInternetExplorermaydisplaysuggestionsbasedontheuser’sinput.EnhancedsuggestionsarereturnedwhenthekeystrokesaresenttoMicrosoft.GroupPolicyComputerConfiguration>AdministrativeTemplates>WindowsComponents>InternetExplorer>AllowMicrosoftservicestoprovideenhancedsuggestionsastheusertypesintheAddressbar

Enabled–UserswillgetenhancedsuggestionswhentheytypeinInternetExplorer’saddressbar.ThismeansthatthekeystrokesaresenttoMicrosoft.Usersmaynotchangethesetting.Disabled–Enhancedsuggestionsareturnedoff.Usersmaynotchangethesetting.NotConfigured–Usersareallowedtochangethesetting.

WindowsRegistryKey:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\MicrosoftName:AllowServicePoweredQSAType:Dword

0–EnhancedSuggestionsareturnedoffinInternetExplorer.1–EnhancedSuggestionsareenabledinthewebbrowser.

TurnonSuggestedSites

MicrosoftInternetExplorermaydisplaysitesuggestionsbasedontheuser’sbrowsinghistory.Ifthefeatureisturnedon,auser’sbrowsinghistoryissubmittedtoMicrosoft.InternetOptions:OpenMicrosoftInternetExplorer,andclickonMenu>InternetOptions.SwitchtotheAdvancedtabwhentheInternetOptionswindowopens,andcontrol“enablesuggestedsites”underBrowsingonthepage.

GroupPolicy:ComputerConfiguration>AdministrativeTemplates>WindowsComponents>InternetExplorer>TurnonSuggestedSites

Enabled–Thefeatureisenabled,andusersarenotpromptedtoenableSuggestedSites.ThebrowsinghistoryissenttoMicrosoft.Disabled–TheSuggestedSitesfeatureisturnedoff,andcannotbeturnedonbytheuser.Notconfigured–Theusermayturnthefeatureonoroff.

WindowsRegistry:Key:HKLM\Software\Policies\Microsoft\InternetExplorer\SuggestedSitesName:EnabledType:Dword

0–SuggestedSitesisdisabled.1–SuggestedSitesisenabled.

TurnoffURLSuggestions

Microsoft’sInternetExplorerdisplayssuggestionsbasedonwhattheusertypesinthebrowser’saddressbar.InternetExplorerusesalocallystoredlistfortheautocompletefeature.UserdataisnotsentovertheInternetwhenthefeatureisenabled.InternetOptions:OpenMicrosoftInternetExplorer,andclickonMenu>InternetOptions.SelectContent>Settings(nexttoAutoComplete).Remove“suggestingURLs”fromthelistofsourcesthatInternetExplorerusesforthefeature.GroupPolicy:ComputerConfiguration>AdministrativeTemplates>WindowsComponents>InternetExplorer>InternetSettings>AutoComplete>TurnoffURL

SuggestionsEnabled–URLsuggestionsaredisabled.Userscannotenablethefeature.Disabled–URLsuggestionsareenabled,andusersmaynotturnthefeatureoff.NotConfigured–Usersmayenableordisablethefeature.

WindowsRegistryKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoCompleteName:AppendCompletionType:StringValue

yes–InternetExplorertriestomatchwhattheusertypeswiththelocallystoredautocompletelisting.no–URLsuggestionsaredisabledinInternetExplorer.

TurnoffWindowsSearchAutoComplete

ThisdetermineswhetherWindowsSearchmayprovideautocompleteresultswhenuserstypeintheInternetExploreraddressbar.InternetOptions:OpenMicrosoftInternetExplorer,andclickonMenu>InternetOptions.SelectContent>Settings(nexttoAutoComplete).Remove“UseWindowsSearchforbetterresults”fromthelistofsourcesthatInternetExplorerusesforthefeature.

GroupPolicy:ComputerConfiguration>AdministrativeTemplates>WindowsComponents>InternetExplorer>InternetSettings>AutoComplete>TurnoffWindowsSearchAutoComplete

Enabled–Ifyouenablethispolicy,InternetExplorerwon’tuseWindowsSearchforprovidingresultsintheaddressbar.Userswon’tbeabletochangethesetting.Disabled–InternetExplorerusesWindowsSearchtoprovideresultsinthebrowser’saddressbar.Usersmaynotchangethesetting.NotConfigured–Usersmayturnthefeatureonoroff.Thefeatureisenabledbydefault.

WindowsRegistry:Key:HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\Main\WindowsSearch\Name:AutoCompleteGroupsType:Dword

0–DisabletheuseofWindowsSearchforAutoCompletefunctionality.

MicrosoftEdgeMicrosoftEdgeisthedefaultsystembrowserofWindows10.ItisnottheonlybrowserthatshipswithWindows10,asInternetExplorer11isavailableaswell.ThemainreasonwhyMicrosoftmadethedecisiontoincludeEdgeandIEinWindows10isbackwardscompatibility.MicrosoftEdgewasdesignedtobealightweightbrowserthatsupportsmajorwebstandards.ItcomeswithoutfeaturessuchasupportforActiveXorBrowserHelperObjectswhichInternetExplorercontinuestosupport.

AllowAddressbardrop-downlistsuggestions

MicrosoftEdgemaydisplaysuggestionsintheAddressbardrop-downmenuwhenusersstarttotype.Thisparticularsettingdisablesthewholedrop-downmenu.Ifyoudon’twantsearchresultsdisplayedonly,youmayleavethissettingaloneandconfigure“ConfiguresearchsuggestionsinAddressbarinstead”.GroupPolicyComputerConfiguration>AdministrativeTemplates>WindowsComponents>MicrosoftEdge>AllowAddressbardrop-downlistsuggestions

Enabled–Sameasnotconfigured.Addressbardrop-downfunctionalityisenabledinMicrosoftEdge.MicrosoftEdgemayconnecttoMicrosoft

servicesforthefunctionalityifthesettingisenabled.Disabled–Drop-downsuggestionsaredisabled.Settingthispolicytodisabled,disables“showsearchandsitesuggestionsasItype”aswell.

AllowMicrosoftCompatibilityList

MicrosoftmaintainsalistofsiteswithknowncompatibilityissuesinMicrosoftEdge.EdgepromptsuserstoopensitesthatareonthelistinInternetExplorerinstead.Thisisdonesothatthesesites,usuallysitesoptimizedforaparticularversionofInternetExplorer,correctly.TheMicrosoftCompatibilityListisenabledbydefaultandWindows10willcheckforupdatesofthelistfrequently.Policy:ComputerConfiguration>AdministrativeTemplates>WindowsComponents>MicrosoftEdge>AllowMicrosoftCompatibilityList

Enabled–Sameasnotconfigured.MicrosoftEdgedownloadsanupdatedcompatibilitylistperiodically.Disabled–TheMicrosoftCompatibilityListisnotused.

AllowwebcontentonNewTabpage

ThepolicyletsyouconfigurethecontentoftheNewTabpageinMicrosoftEdge.MicrosoftEdgedisplaystopsitesandcontentsuchasnewsthatitpullsfromtheInternetontheNewTabpagebydefault.Policy:ComputerConfiguration>AdministrativeTemplates>WindowsComponents>MicrosoftEdge>AllowwebcontentonNewTabpage

Enabled–MicrosoftEdgedisplaysthedefaultNewTabpageofthewebbrowser.Disabled–MicrosoftEdgedisplaysablankNewTabpagewithoutanycontent.Notconfigured–UsersmaychoosewhatappearsontheNewTabpage.

ConfigureCookies

EdgeusersmayconfigurehowcookiesarehandledbythebrowserdirectlyinEdge.Apolicyisavailabletoconfigurecookiebehaviorforallusersofamachine.MicrosoftEdgeSettings:

OpenMicrosoftEdge.SelectMenu(thethreedots),andSettingsfromthemenu.Scrolldownandclickon“viewadvancedsettings”.Locatethecookiessectionbyscrollingdown.Youhavethreeoptionswhenitcomestoconfiguringthebehavior:

BlockallcookiesBlockonlythird-partycookiesDon’tblockcookies(default)

GroupPolicy:

ComputerConfiguration>AdministrativeTemplates>WindowsComponents>MicrosoftEdge>Configurecookies

Enabled–Whenyouenablethissetting,youmayusethepolicytoconfigurethecookiebehavioroftheEdgewebbrowser.Youmaysetittothefollowing:

Allowallcookies–ThisisthedefaultbehaviorofMicrosoftEdge.Allcookiesareallowed.Blockallcookies–YoumayblockanycookiefrombeingsetinEdge.

Blockonly3rd-partycookies–Thisallowsfirst-partycookies,butblocksallthird-partycookiesinthebrowser.

Disabled–Sameasnotconfigured.Allcookiesareallowed.

ConfigureDoNotTrack

MicrosoftEdgedoesnotsendDoNotTrackrequestsbydefault.ThissettingletsyouenableDoNotTrackinMicrosoftEdge,orgiveusersthechoicetodoso.Policy:ComputerConfiguration>AdministrativeTemplates>WindowsComponents>MicrosoftEdge>ConfigureDoNotTrack

Enabled–DoNotTrackisenabled,andEdgesendstheheaderinformationwhenitconnectstowebsites.Disabled–DoNotTrackisdisabled.Notconfigured–UsersmayenableordisableDoNotTrack.

ConfiguresearchsuggestionsinAddressbar

MicrosoftEdgedisplayssearchsuggestionsasyoutypeinthebrowser’saddressbar.TheinformationthatyouenterissenttoBingifthefeatureisenabled.MicrosoftEdgeSettings:

OpenMicrosoftEdge.SelectMenu(thethreedots),andSettingsfromthemenu.Scrolldownandclickon“viewadvancedsettings”.Toggle“ShowsearchandsitesuggestionsasItype”tooff.

GroupPolicy:ComputerConfiguration>AdministrativeTemplates>WindowsComponents>MicrosoftEdge>ConfiguresearchsuggestionsinAddressbar

Enabled–SearchsuggestionsaredisplayedwhenyoutypeintheMicrosoftEdgeaddressbarDisabled–Searchsuggestionfunctionalityisdisabled.NotConfigured–UsersmayenableordisablethefeatureinMicrosoftEdge’ssettings.

WindowsRegistry:

PreventMicrosoftEdgefromgatheringLiveTileinformation

MicrosoftEdgemaycontactieonline.microsoft.comtogatherLiveTilemetadatato“provideabetterexperience”whilepinningaLiveTiletotheStartmenu.GroupPolicy:ComputerConfiguration>AdministrativeTemplates>WindowsComponents>MicrosoftEdge>PreventMicrosoftEdgefromgatheringLiveTileinformation

Enabled–Ifyouenablethepolicy,MicrosoftEdgewon’tcontactieonline.microsoft.comtogatherLiveTiledata.

Disabled–Sameasnotconfigure.MicrosoftwillgatherLiveTilemetadata.

PreventtheFirstRunwebpagefromopeningonMicrosoftEdge

MicrosoftEdgedisplaysaFirstRunwebpagewhenauserstartsthewebbrowserforthefirsttime.Thebrowser’sFirstRunpageofferstipsandhighlightschangestoimproveauser’sexperience.Thispageisshownonfirstrunafteranewinstallation,butalsowhenanewfeatureupdateisinstalled.GroupPolicy:ComputerConfiguration>AdministrativeTemplates>WindowsComponents>MicrosoftEdge>PreventtheFirstRunwebpagefromopeningonMicrosoft

EdgeEnabled–-TheFirstRunpageisnotdisplayedwhenusersopenMicrosoftEdgeforthefirsttime.Disabled–Sameasnotconfigured.TheFirstRunpageisshown.

WindowsRegistry:Key:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MicrosoftEdge\MainName:PreventFirstRunPageType:Dword

0–TheFirstRunpageisshowninMicrosoftEdge.1–TheFirstRunpageisblockedinMicrosoftEdge.

PreventusingLocalhostIPaddressforWebRTC

WebRTCmayrevealthelocahostIPaddressofadevicethatMicrosoftEdgerunsonwhenmakingcallsusingtheWebRTCprotocol.GroupPolicy:ComputerConfiguration>AdministrativeTemplates>WindowsComponents>MicrosoftEdge>PreventusingLocalhostIPaddressforWebRTC

Enabled–theLocalhostIPaddressisnotrevealedwhenusersaremakingcallsusingtheWebRTCprotocol.

Disabled–Sameasnotconfigured.LocalhostIPaddressesareshownwhenmakingcallsusingtheWebRTCprotocol.

WindowsRegistry:Key:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MicrosoftEdge\MainName:HideLocalHostIPType:Dword

0–LocalhostIPaddressesareshownwhenmakingWebRTCcalls.1–LocalhostIPaddressesarenotshownwhenmakingWebRTCcalls.

OneDrive/FileSynchronizationPreventtheusageofOneDriveforfilestorage

YoumayusethispreferencetodisableOneDriveontheWindows10machine.Pleasenotethatthisimpactsseveralareasoftheoperatingsystem:•OneDrivefilesarenotsynchronized.

•Theautomaticuploadingofphotosandvideosfromthecamerarollfolderisdisabled.•OneDriveisnotlistedinFileExplorer.

•OneDrivecannotbeaccessedfromtheOneDriveapporfilepicker.•WindowsStoreappscannotaccessOneDrive.

GroupPolicy:ComputerConfiguration>AdministrativeTemplates>WindowsComponents>OneDrive>PreventtheusageofOneDriveforfilestorage•Enable–ThisdisablesOneDriveontheWindows10device.

•Disable–Default,sameasnotconfigured.OneDriveisenabled.Key:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDriveName:DisableFileSyncNGSCType:Dword

•Avalueof0meansOneDriveisenabled.•Avalueof1meansOnedriveisdisabled.

DonotSync

Controlwhethersettingsaresyncedonthedevice,andwhetherusersmaycontrolthepreferenceintheSettingsapplication.Windows10maysynchronizethefollowingsettingsordata:•Theme•InternetExplorersettings•Passwords•Languagepreferences•Easeofaccessed•OtherWindowssettingsGroupPolicyComputerConfiguration>AdministrativeTemplates>WindowsComponents>Syncyoursettings>Donotsync•Enabled–Syncyoursettingsisturnedoffon

thedevice,andnodatathatislistedunder“syncyoursettings”issynchronized.Youmayset“allowuserstoturnsyncingon,toallowuserstooverridethedefault.

•Disabled–Syncyoursettingisonbydefault,andusersmaycontrolit.WindowsRegistryKey:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSyncName:DisableSettingSyncType:Dword

•1–SyncyourSettingsisenabled.•2–SyncyourSettingsisdisabled.

Key:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSyncName:DisableSettingSyncUserOverrideType:Dword

•1–UsersmaynotoverridethedefaultvalueofSyncyoursettings.

DonotSyncApplicationSettings

ThispolicymaypreventthesynchronizationofapplicationsettingsfromonePCtoanother.GroupPolicy:ComputerConfiguration>AdministrativeTemplates>WindowsComponents>Syncyoursettings>Donotsyncappsettings•Enabled–Thispreventsthesynchronizationofapplicationsettings.Youmaysetthe“allowuserstoturnappsettingssyncon”togiveusersanoptiontoturnthefunctionalitybackon.

•Disabled–Appsyncingisonbydefault,andusersmaycontrolthepreferenceintheSettingsapplication.

Key:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSyncValue:DisableAppSyncSettingSyncType:Dword

•1–Theapplicationsyncsettingisenabled.•2–Thesynchronizationofindividualapplicationsettingsisdisabled.

Key:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSyncName:DisableAppSyncSettingSyncUserOverrideType:Dword

•1–Usersmaynotoverridetheapplicationsyncsetting

Donotsyncpasswords

Thissettingcontrolswhetherpasswordsaresyncedaspartofthe“syncyoursettings”functionalityoftheWindows10operatingsystem.GroupPolicy:ComputerConfiguration>AdministrativeTemplates>WindowsComponents>Syncyoursettings>Donotsyncpasswords•Enabled–Passwordswon’tbesyncedbydefaultifthepolicyisenabled.Administratorsmaycheck“allowuserstoturnpasswordssyncingon”togiveuserstheoptiontoturnthefeatureonintheSettingsapplication.

•Disabled–Passwordsyncingisenabled.UsersmayturnitoffintheSettingsapplication.

Key:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSyncName:DisableCredentialsSettingSyncType:Dword

•1–Passwordsyncingisenabled.•2–Passwordsyncingisdisabled.

Key:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSyncName:DisableCredentialsSettingSyncUserOverrideType:Dword

•1–UsersmaynotenablepasswordsyncingintheSettingsapplication.

Donotsyncdesktoppersonalization

ThispolicydetermineswhetherapersonalizeddesktopissynchronizedoriftheoptionisconfigurableintheSettingsapplication.GroupPolicy:ComputerConfiguration>AdministrativeTemplates>WindowsComponents>Syncyoursettings>Donotsyncdesktoppersonalization•Enabled–Desktoppersonalizationsyncingisturnedoff.Administratorsmayenable“allowuserstoturndesktoppersonalizationsyncingon”,togiveuserscontroloverthesyncfeatureintheSettingsapplication.

•Disabled–Desktoppersonalizationissynced.UsersmayturnoffthesyncingintheSettingsapplication.

Key:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSyncName:DisableDesktopThemeSettingSyncType:Dword

•1–Desktoppersonalziationsyncingisenabled.•2–Desktoppersonalizationsyncingisdisabled.

Key:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSyncName:DisableDesktopThemeSettingSyncUserOverrideType:Dword

•1–UsersmaynotchangethesyncsettingintheWindows10Settingsapplication.

Donotsyncpersonalize

Windows10maysyncpersonalizedpreferences,sothatthesebecomeavailableonallWindows10devicestheusersignsinwithaMicrosoftaccount.GroupPolicy:ComputerConfiguration>AdministrativeTemplates>WindowsComponents>Syncyoursettings>Donotsyncpersonalize•Enabled–Whenthepolicyisenabled,“personalize”groupdatawillnotbesynced.Administratorsmayenable“allowuserstoturn“personalize”syncingon,toprovideuserswithoptionstoturnthefeatureonmanually.

•Disabled–Sameasnotconfigured.The“personalize”groupissyncedbydefault,andtheusermaydisablethefeatureintheSettingsinterface.

Key:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSyncName:DisablePersonalizationSettingSyncType:Dword

•1–The“personalize”groupissynced.•2–The“personalize”groupisnotsynced.

Key:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSyncName:DisablePersonalizationSettingSyncUserOverrideType:Dword

•1–UsersmaynotchangethepersonalizesyncsettingintheWindows10Settingsapplication.

Donotsyncstartsettings

Windows10maysyncthestartlayoutsothatitisavailableonallWindows10machinesausersignsinusingaMicrosoftaccount.GroupPolicy:ComputerConfiguration>AdministrativeTemplates>WindowsComponents>Syncyoursettings>Donotsyncstartsettings•Enabled–The“startlayout”groupisnotsynced.Administratorsmayenablethe“allowuserstoturn“startlayout”syncingon,toprovideuserswithoptionstoenablethesyncfeature.

•Disabled–Sameasnotconfigured.“Startlayout”syncingisenabledbydefault.UsersmaydisablethesyncingintheSettingsUI.

Key:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSyncName:DisableStartLayoutSettingSyncType:Dword

•1–The“startlayout”groupissynced.•2–ThelayoutofStartisnotsynced.

Key:DisableStartLayoutSettingSyncName:DisableStartLayoutSettingSyncUserOverrideType:Dword

•1–Usersarenotallowedtoselectwhethertheywantthe“startlayout”tosyncornot.

Donotsyncbrowsersettings

Thispolicymaybeusedtopreventbrowsersettingssuchasthebrowsinghistoryorfavoritesfrombeingsynced.GroupPolicy:ComputerConfiguration>AdministrativeTemplates>WindowsComponents>Syncyoursettings>Donotsyncbrowsersettings•Enabled–The“browser”groupanditsdatawon’tbesynced.Administratorsmayenable“Allowuserstoturn“browser”syncingon,toprovideuserswithanoptiontoenablethesyncoptionintheSettingsapplication.

•Disabled–Sameasnotconfigured.Browserdataissyncedbydefault.UsersmaydisablethesyncingintheSettingsapplication.

Key:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSyncName:DisableWebBrowserSettingSyncType:DWORD

•1–Webbrowsersyncingisenabled.•2–Webbrowsersyncingisdisabled.

Key:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSyncName:DisableWebBrowserSettingSyncUserOverrideType:DWORD

•1–Usersarenotallowedtooverridethewebbrowsersyncsetting.

DonotsyncotherWindowssettings

ThispolicymaybeusedtopreventthatotherWindowssettingsaresynced.Itisunclearwhat“otherWindowssettings”includeswhenitcomestosynchronization.GroupPolicy:ComputerConfiguration>AdministrativeTemplates>WindowsComponents>Syncyoursettings>DonotsyncotherWindowssettings.

•Enabled–Thesynchronizationof“otherWindowssettings”isdisabled.Administratorsmaycheck“AllowuserstoturnotherWindowssettings

syncingon”togiveusersanoptiontoenablethesyncingintheSettingsapplication.•Disabled–Sameasnotconfigured.Windows10willsync“otherWindowssettings”bydefault.UsersmayturnoffthefeatureintheSettingsUI.

Key:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSyncName:DisableWindowsSettingSyncType:DWORD

•1–Thedefaultvalue.“OtherWindowssettings”aresynced.•2–Thesyncingof“OtherWindowssettings”isdisabled.

Key:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSyncName:DisableWindowsSettingSyncUserOverrideType:DWORD

•1–Usersmaynotoverridethe“OtherWindowssyncing”settingintheSettingsUI.

Donotsynconmeteredconnections

ThispolicydefineswhethersynchronizationofdataisenabledwhenthePCisonameteredInternetconnection.GroupPolicy:ComputerConfiguration>AdministrativeTemplates>WindowsComponents>Syncyoursettings>Donotsynconmeteredconnections

Enabled–SyncingisturnedoffwhenthePCisconnectedusingameteredconnection.Disabled–Sameasnotconfigured.Syncingonmeteredconnectionsis

enabledbydefault,butcanbeturnedoffbytheuser.Key:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSyncName:DisableSyncOnPaidNetworkType:Dword

1–SyncingisdisabledwhenthePCisonameteredInternetconnection.

SmartScreenConfigureWindowsDefenderSmartScreen(Edge)

ThispolicydefineswhetherWindowsDefenderSmartScreenisenabledwhenMicrosoftEdgeisusedasthesystembrowser.SmartScreenprovidesdefenseagainstmalware,phishingandotherthreatsthatoriginateontheInternet.GroupPolicyComputerConfiguration>AdministrativeTemplates>WindowsComponents>

MicrosoftEdge>ConfigureWindowsDefenderSmartScreenFilterWindowsServerGroupPolicy:ComputerConfiguration>AdministrativeTemplates>WindowsComponents>MicrosoftEdge>ConfigureSmartScreenFilter

Enabled–WindowsDefenderSmartScreenisturnedon,anduserscannotturnitoff.Disabled–WindowsDefenderSmartScreenisturnedoff,anduserscannotturniton.NotConfigured–EmployeesmayenableordisableWindowsDefenderSmartScreen.

WindowsRegistryKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost.Name:EnableWebContentEvaluationType:Dword

0–WindowsDefenderSmartScreenisdisabled.1–WindowsDefenderSmartScreenisenabled.

Key:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SystemName:EnableSmartScreenType:Dword

0–WindowsDefenderSmartScreenisdisabled.1–WindowsDefenderSmartScreenisenabled.

ConfigureWindowsDefenderSmartScreen

ThispolicydefineswhetherWindowsDefenderSmartScreenisenabledontheWindowsPC.ThefeatureprotectsthePCagainstprogramsdownloadedfromtheInternetthatarenotrecognizedbyWindowsDefender.InformationonthefilesandprogramsthatarerunonthePCaresenttoMicrosoftwhenthefeatureisenabled.

GroupPolicyComputerConfiguration>AdministrativeTemplates>WindowsComponents>FileExplorer>ConfigureWindowsDefenderSmartScreen

Enabled–Whenyouenablethepolicy,youmaysetitto“warnandpreventbypass”,or“warn”.Thefirstpickprovidesuserswiththemeanstorunthefilebybypassingthewarning,thesecondwon’tallowuserstodothat.Disabled–WindowsDefenderSmartScreenwillbeturnedoff.NotConfigured–SmartScreenisenabled,butusersmaychangethesetting.

WindowsRegistryKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ExplorerName:SmartScreenEnabledType:Stringvalue

Off–ThisdisablesSmartScreenFilter.RequireAdmin–AdministratorapprovalrequiredbeforeanunrecognizedInternetprogramisrun.Prompt–DisplayawarningbeforerunninganunrecognizedInternetprogram,butdon’trequireAdminapprovaltorunit.

Key:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ExplorerName:SmartScreenEnabledType:Stringvalue

Off–ThisdisablesSmartScreenFilter.RequireAdmin–AdministratorapprovalrequiredbeforeanunrecognizedInternetprogramisrun.Prompt–DisplayawarningbeforerunninganunrecognizedInternetprogram,butdon’trequireAdminapprovaltorunit.

WindowsErrorReportingWindowsErrorReportingallowsMicrosofttogaininformationaboutWindowssystem,featureandapplicationerrors.Itfurthermoreprovidesusersandadministratorswithoptionstoreceiveinformationaboutpotentialsolutionsforencounteredissues.DisableWindowsErrorReporting

ThepolicyturnstheWindowsErrorReportingfeatureoff.ThishastheeffectthatreportsarenotcollectedorsenttoMicrosoftorinternalserverswhen

softwarefailsorstopsworking.GroupPolicy:UserConfiguration>AdministrativeTemplates>WindowsComponents>WindowsErrorReporting>DisableWindowsErrorReporting

Enabled–Ifyouenablethispolicy,WindowsErrorReportingisdisabled.SolutioninformationunderSecurityandMaintenanceisnotavailableanymorewhenyoudisableerrorreporting.Disabled–Sameasnotconfigured.WindowsErrorReportingisenabled.Notethatthismaybeoverriddenby“TurnoffWindowsErrorReporting”policysettinginComputerConfiguration/AdministrativeTemplates/System/InternetCommunicationManagement/InternetCommunication

WindowsRegistry:Key:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsErrorReportingName:DisabledType:Dword

0–WindowsErrorReportingisenabled.1–WindowsErrorReportingisdisabled.

Donotsendadditionaldata

Thisdefineswhetheradditionaldatain“supportoferrorreports”canbesenttoMicrosoftautomatically.GroupPolicy:UserConfiguration>AdministrativeTemplates>WindowsComponents>WindowsErrorReporting>DisableWindowsErrorReporting

Enabled–AnyadditionaldatarequestsfromMicrosoftinresponsetoWindowsErrorReportingaredeclinedautomaticallywithoutuser

notification.Disabled–Sameasnotconfigured.Thefeatureisenabled.NotethatconsentpolicysettingsinComputerConfiguration/AdministrativeTemplates/WindowsComponents/WindowsErrorReporting/Consenttakeprecedence.

WindowsRegistry:Key:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsErrorReportingName:DontSendAdditionalDataType:Dword

0–Sendadditionaldata1–Donotsendadditionaldata.

WindowsMediaPlayerWindowsMediaPlayerisalong-standingmediaplayerthatshipswithWindows10.Itplaysaudioandvideofiles,andsupportsavarietyoffeaturessuchasInternetstreamingorlookingupinformationonlineformediathatisplayedusingit.PreventMusicfileMediaInformationRetrieval

WindowsMediaPlayermaydownloadmediainformationfromtheInternetformusicfilesthatareplayedintheapplicationtodisplaytheinformationinits

interface.GroupPolicy:UserConfiguration>AdministrativeTemplates>WindowsComponents>WindowsMediaPlayer>PreventMusicFileMediaInformationRetrieval•Enabled–WindowsMediaPlayerispreventedfromretrievingmediainformationformusicfiles.Additionally,UpdateMyMusicfilesisnotavailableintheplayer.

•Disabled–Thedefaultsetting.WindowsMediaPlayerretrievesmusicinformationfromtheInternet,andusersmayusetheupdatemymusicfilesoptionaswell.

WindowsRegistry:Key:HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\WindowsMediaPlayerName:PreventMusicFileMetadataRetrievalType:Dword

•0–Thedefaultvalue.WindowsMediaPlayermayretrievemusicinformationautomaticallyfromtheInternet.•1–Avalueof1disablesthefeature.

PreventCDandDVDMediaInformationRetrieval

WindowsMediaPlayermaylookupinformationonCDsorDVDsthatareloadedwhileitisrunningbyqueryingInternetservers.Informationthatitretrievesarethendisplayedinthemediaplayer.GroupPolicy:UserConfiguration>AdministrativeTemplates>WindowsComponents>WindowsMediaPlayer>PreventCDandDVDMediaInformationRetrieval•Enabled–WindowsMediaPlayerisblockedfromretrievingCDorDVDmedia

informationfromtheInternet.TheRetrieveMediaoptionisnotavailable.•Disabled–Thedefaultsetting.WindowsMediaPlayermayretrievemediainformationforCDsorDVDs.TheRetrieveMediacheckboxisavailable.

WindowsRegistry:Key:HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsMediaPlayerName:PreventCDDVDMetadataRetrievalType:Dword

•0–Thedefaultvalue.WindowsMediaPlayermaylookupCDorDVDmetadata.•1–ThispreventsWindowsMediaPlayerfromdoingso.

PreventRadioStationPresetRetrieval

WindowsMediaPlayermayretrieveRadioStationpresetsfromtheInternet.GroupPolicy:UserConfiguration>AdministrativeTemplates>WindowsComponents>WindowsMediaPlayer>PreventRadioStationPresetRetrieval•Enabled–WindowsMediaPlayerisblockedfromretrievingRadioStationpresetsautomaticallyfromtheInternet,anddisplayingtheminthelibrary.Presetsthatexistedbeforethepolicyissettoenabledarenotupdated,andpresetsauser

addsarenotdisplayed.•Disabled–Thedefaultsetting.WindowsMediaPlayerretrievesandupdatesRadioStationpresets.

WindowsRegistry:Key:HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsMediaPlayerName:PreventRadioPresetsRetrievalType:Dword

•0–Thedefaultvalue.WindowsMediaPlayermayretrieveRadioStationpresets.•1–ThispreventsWindowsMediaPlayerfromdoingso.

PreventWindowsMediaDRMInternetAccess

WindowsMediaPlayermayacquirelicensesforsecurecontent,upgradeWindowsMediaDRMsecuritycomponents,orrestorebackedupcontentlicensesautomatically.GroupPolicy:ComputerConfiguration>AdministrativeTemplates>WindowsComponents>WindowsMediaDigitalRightsManagement>PreventWindowsMediaDRMInternetAccess•Enabled–WindowsMediaPlayerisblockedfromacquiring

DRMlicensesorperformingotherDRMrelatedoperations.Thiswon’taffectmediawithDRMthatisalreadyonthelocalcomputerandalreadylicensed.

•Disabled–Thedefaultvalue.WindowsMediaPlayermayobtaindigitallicenses,andperformotherDRMtasks.

WindowsRegistry:Key:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WMDRMName:DisableOnlineType:Dword

•0–Thedefaultvalue.MediaPlayermayconnecttotheInternetforDRMlicenseretrievalsandupdatesofDRMfunctionality.•1–WindowsMediaPlayerisblockedandcannotretrievedigitallicensesonlineanymore.

WindowsUpdateWindowsUpdateisanessentialcomponentoftheWindows10operatingsystem.Itisabuilt-inupdatingsystemthatchecks,downloads,andinstallsupdatesautomaticallyoronuserrequestdependingonhowitisconfigured.Thedefaultconfigurationissettoautomatic.ThismeansthatWindowsUpdatewillqueryMicrosoftserversautomaticallyinintervalsforupdates(thedefaultisonceperhouronWindows10Pro).AllupdatesreceivearatingbyMicrosoftthatisanindicatoroftheirimportance.WindowsUpdateonWindows10isconfiguredtodownloadandinstallcriticalandimportantupdatesautomaticallybydefault.Optionalupdates,andthosethatrequireuserinput,forinstancebyacceptingterms,arenotdownloadedandinstalledautomatically.WindowsUpdateisagoodfeatureforthemostpart.ItensuresthatWindowsdevicesreceivethelatestsecuritypatchesandupdates,sothattheyareprotectedagainstattacksthattargetknownvulnerabilities.MicrosoftchangedhowupdatesaredeliveredonWindows10however.Itintroducedcumulativeupdatesinsteadofindividualupdatesforeachpatchthatitreleases.Thismeansthatitisnolongerpossibletodecideonaper-updatebasisiftheupdateshouldbeinstalledonamachineornot;itisallornothingonWindows10.TheonlyoptionsthatWindows10administratorsandusershaveistodecidewhentheywanttoinstallupdates.PatchesmayresetprivacysettingsorintroducenewprivacyrelatedfeaturestoWindows10.UnlikeonWindows7orWindows8,Microsoftdoesnotreleaseasecurity-onlyupdateforWindows10oneachPatchTuesday.Thismeansthatyouendupwithanallornothingapproachthatisbadfromauser’spointofview.

WindowsUpdateSuggestionsIrecommendthefollowingwhenitcomestoWindowsUpdate:1. AlwayscreateabackuppriortoinstallingWindowsupdates.Thisensures

thatyoucangobacktoapreviousversionofWindowsiftheinstallation

goeswrong,iftheupdatecausesissuesonthesystem,orifchangesaremadethatyouwantreversed.

2. Checkthechangelogsforupdates,andreadsitesthatwriteaboutnewupdatesthatarereleasedforWindows10.Thisprovidesyouwithinformationontheupdates,andalsousercommentsonsitesthatallowthemsothatyoumayknowinadvanceifanupdateisbrokenforinstance.

3. Securitypatchesareimportant.Generallyspeaking,itisrecommendedtoinstallthoseontheWindows10machineassoonaspossible.

4. VerifythatsettingshavenotchangedafteranupdatehasbeeninstalledonaWindows10machine.

WindowsUpdateDownloadandUploadsources

Windows10mayuseothersourcesthanMicrosoftserverstodownloadupdatestoalocalmachine.ThesesourcesmaybeonthesameLAN,adomain,orevenontheInternet.BandwidthofthelocalsystemmaybeusedthereforetodistributepartsofWindowsupdatestothird-partyInternetuserswhorunWindows10aswell.Thebestsettingdependslargelyontheenvironmentyouusethecomputerin.Ifyouuseasinglecomputer,youmaynotwanttoenablenetworkorInternetupdating.ThereasonwhyIrecommendthatisthatitmaysaveyouquiteabitofbandwidth,andensuresthatyourPC’sbandwidthisnotusedtotransferupdatestothird-partysystemsontheInternetthatyoudon’tknowanythingabout.IfthedeviceisinalocalareanetworkwithotherWindows10devices,itmaymakesensetoenabledirectandLanpeering,asbandwidthmaybesavedasaconsequence.GroupPolicy:ComputerConfiguration>AdministrativeTemplates>WindowsComponents>DeliveryOptimization>DownloadMode•HTTPOnly–NoPeering.

•LAN–HTTPandpeeringbehindthesameNAT.•Group–HTTPandpeeringonthesamedomainorinthesameActiveDirectorySite(crossNAT)•Internet–HTTPandInternetpeering.•Simple–NopeeringanddoesnottrytocontacttheDeliveryOptimizationService.•Bypass–DonotuseDeliveryOptimization,anduseBITSinstead.

WindowsRegistry:Key:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimizationName:DODownloadModeType:Dword

•0–Featureisdisabled.•1–AcceptonlypeersonthesameNAT.•2–Acceptlocalnetwork/privatepeering(samedomain).•3–InternetPeering.•99–SimpleDownloadMode.

•100–BypassMode.MicrosoftintroducedanewfeatureintheFallCreatorsUpdateforWindows10thatgivesuserssomecontroloverthedownloadanduploadlimits.ThesehavebeenavailableasGroupPolicyoptionsinpreviousversionsalready,buttheyarelistedintheSettingsUIaswellnow.Settings:Settingsapplication>Update&Security>WindowsUpdate>AdvancedOptions>DeliveryOptimization>AdvancedOptions.Windowsoptimizesbandwidthdynamicallybydefault.Theseoptionsprovideuserswithsettingstolimitthefeatureinthefollowingways:

Limitdownloadbandwidth.Limituploadbandwidth.Setmonthlyuploadlimit.

GroupPolicy:ComputerConfiguration>AdministrativeTemplates>WindowsComponents>DeliveryOptimization

MaximumDownloadBandwidth(percentage)MaximumDownloadBandwidth(KB/s)MaxUploadbandwidth(inKB/s)MonthlyUploadDataCap(inGB)

ConfigureAutomaticUpdates

ThispolicyprovidesyouwithoptionstochangethedefaultupdatingbehaviorofWindowsUpdate.Youcanuseittoconfigureautomaticupdatingandscheduledupdating.GroupPolicy:ComputerConfiguration>AdministrativeTemplates>WindowsComponents>WindowsUpdate>ConfigureAutomaticUpdates

Enabled–Whenyouenablethepolicy,youneedtoselectoneoutoffouroptionsthatdefinethePCsautomaticupdatingbehavior.

NotifyfordownloadandautoinstallAutodownloadandnotifyforinstall(default)Autodownloadandscheduletheinstall

InstallduringautomaticmaintenanceScheduledinstalldayandtimeInstallupdatesforotherMicrosoftproducts

Allowlocaladmintochoosesetting.Disabled–Ifthispolicyisdisabled,updatesmustbedownloadedandinstalledmanuallyusingWindowsUpdate.

Wi-Fi

MicrosoftWindows10supportedafeaturecalledWi-FiSenseupuntilrecently.ThisfeaturewasdesignedtoimprovethesharingofWi-Fipasswordswithothers.Insteadofhavingtohandoutpasswordsdirectlytootherusers,Wi-FiSensecouldbeusedtosharethepasswordsdirectlywiththedevice.Thebenefitwasthattheuserwhousedthedevicedidnotknowwhatthe

passwordwas.MicrosoftremovedtheWi-FiSensefeature,anditisnolongeravailableinitsform.YoudofindotherWi-Firelatedsettingshoweverthatyoumaywanttocontrol.ThepolicydetermineswhetherWi-Fifeaturesareenabled,andifusersofthedevicemaycontrolthefunctionality.Settingsapplication:Settings>Network&Internet>Wi-FiWhenyouopenthesettingspage,yougetthefollowingoptionswhichyoumaywanttotoggletooffifyoudon’tplanonusingthem.

FindpaidplansforsuggestedopenhotspotsnearmeConnecttosuggestedopenhotspotsHotspot2.0–LetmeuseOnlineSign-Uptogetconnected

GroupPolicy:ComputerConfiguration>AdministrativeTemplates>Network>WLANService>WLANSettings>AllowWindowstoautomaticallyconnecttosuggestedopenhotspots,tonetworkssharedbycontacts,andtohotspotsofferingpaidservices.

Enabled–Sameasnotconfigured.Windowsusersmaychoosetoenableordisable“connecttosuggestedopenhotspots”and“connecttonetworkssharedbymycontacts”usingtheSettingsapplication.Disabled–Wi-FiSenseisturnedoff,anduserscannotturnitbackon.

WindowsRegistryKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config\Name:AutoConnectAllowedOEMType:Dword

0–Avalueof0disablesWi-FiSense.

MiscDisableApplicationTelemetry

TheApplicationCompatibilityEnginecheckswhetheranapplicationthatisrunonthesystemisfoundinthecompatibilitydatabase.Ifthatisthecase,itofferssolutionsandcompatibilityfixes,oranApplicationHelpmessageiftheproblemisknown.

Note:WindowsResourceProtectionandUserAccountControlrelyontheApplicationCompatibilityEnginetoprovidesolutionsforknowncompatibilityissues.Ifyouturnoffthefeature,thesemitigationsarenotapplied,andinstallationorthestartofprogramswithknowncompatibilityissuesmayfail.Systemsmaycachethevalueofthissettingforperformancepurposes.Youmayneedtorestartthesystembeforethechangetakeseffect.Microsoftnotesthatdisablingtheengineisusefulinhighloadenvironments,forinstanceinserverenvironmentswhereapplicationsmaybeloadedseveralhundredtimespersecond.Policy:ComputerConfiguration>AdministrativeTemplates>WindowsComponents>ApplicationCompatibility>TurnoffApplicationCompatibilityEngine•Enabled:WhenyouturnofftheApplicationCompatibilityEngine,youwillimprovesystemperformance.Itmayhoweverresultinissuessuchasdegradingthecompatibilityoflegacyapplications.Itmayalsoblockincompatibleprogramsfrominstallingatall,ormayresultincrashesorbluescreens.

•Disabled:Sameasnotconfigured.TheApplicationCompatibilityEngineruns.

Key:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppCompatName:AITEnableValue:

•0–DisablestheApplicationCompatibilityEngine.•1–SameasiftheDworddoesnotexist.ApplicationCompatibilityEngineisenabled.

DisableInventoryCollector

TheInventoryCollectorcollectsapplication,file,device,anddriverinventorydataonasystemrunningWindows10,andsendstheinformationtoMicrosoft.Microsoftstatesinthepolicydescriptionthatitusestheinformationtoassistinthediagnosisofcompatibilityproblems.Note:ThepolicyhasnoeffectiftheCustomerExperienceImprovementProgramisdisabled.TheInventoryCollectorisdisabledthenaswell

automatically.Policy:ComputerConfiguration>AdministrativeTemplates>WindowsComponents>ApplicationCompatibility>TurnoffInventoryCollector•Enabled:Ifyouenablethepolicy,theInventoryCollectoristurnedoff,anddataisnolongersenttoMicrosoft.ThisdisablesthecollectionofinstallationdatathroughtheProgramCompatibilityAssistantaswell.

•Disabled:Sameasnotconfigured.InventoryCollectorworksnormally.Key:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppCompatName:DisableInventoryValues:

•0–SameasiftheDworddoesnotexit.InventoryCollectorworksnormally.•1–DisabletheInventoryCollector.

Turnoffdownloadingofgameinformation

WindowsmaylookupinformationaboutgamesonlinetoretrievegameboxartandratingsusingWindowsMetadataServices.Thisispartoftheoperatingsystem’sGameExplorerfeature.Policy:ComputerConfiguration>AdministrativeTemplates>WindowsComponents>GameExplorer>Turnoffdownloadingofgameinformation•Enabled–Thisblocksthedownloadingofgameboxartandratingsbyquerying

WindowsMetadataServices.•Disabled–Sameasnotconfigured.WindowsMetadataServicesareusedtodownloadgameboxartandratings.

Key:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GameUXName:DownloadGameInfoType:Dword

•0–Thefeatureisturnedoff,GameBoxArtandratingsarenotdownloaded.•1–Thefeatureisenabled.

TurnoffautomaticdownloadandupdateofMapdatabase

Windows10maydownloadandupdatethemapdatabaseautomatically.Thefeatureiscontrolledbythesesettings.Policy:ComputerConfiguration>AdministrativeTemplates>WindowsComponents>Maps>TurnoffautomaticdownloadandupdateofMapdatabase•Enabled–Whenthesettingisenabled,theautomaticdownloadingandupdatingofmapdataisdisabled.

•Disabled–Sameasnotconfigured.ThismeansMapdataisautomaticallydownloadandupdated.

WindowsServicesServicesareacorepartoftheWindowsoperatingsystem.Changingtheirstate,ordisablingservicesaltogethermayresultinfunctionalityorstabilityissuesonthesystem.Generallyspeaking,itissuggestedtoleavethemajorityofservicesalonewiththeexceptionofConnectedUserExperiencesandTelemetry,andDmwappushservice.Thischapterlooksatsomeservicesthathaveprivacyimplicationsandexplainswhattheydowhentheyrun.ConnectedUserExperiencesandTelemetryThisisthemainTelemetryserviceonWindows10machines.Itmanagesthe“eventdrivencollectionandtransmissionofdiagnosticandusageinformation”.DmwappushserviceTheWAPPushMessageRoutingService.UsedtotransferdatatoMicrosoftservers.Notalotofinformationonthisservice.ConnectedDevicesPlatformServiceCDPUserSvc_xxxxxThisserviceisusedforConnectedDevicesPlatformscenarios.Notalotofinformationonthisserviceeither.MaynotwanttodisableifyouuseBluetoothorwirelessonthedesktop.Youmaydisabletheservicetoseewhathappensthough.Ifyourunintoconnectivityissueswithdevices,youneedtoenableitagain.

WindowsTasksWindows10shipswithanumberofscheduledtasksthatarerunregularly.SomeofthesetasksareusedtocollectTelemetrydata,andtransferthedatatoMicrosoft.ThefollowinglistfocusesontasksthatcollectTelemetrydata.TaskScheduler>TaskSchedulerLibrary>Windows>ApplicationExperience>MicrosoftCompatibilityAppraiserCollectsprogramtelemetryinformationifopted-intotheMicrosoftCustomerExperienceImprovementProgram.TaskScheduler>TaskSchedulerLibrary>Windows>ApplicationExperience>ProgramDataUpdaterTaskScheduler>TaskSchedulerLibrary>Windows>Autochk>ProxyThistaskcollectsanduploadsautochkSQMdataifopted-intotheMicrosoftCustomerExperienceImprovementprogram.TaskScheduler>TaskSchedulerLibrary>Windows>CustomerExperienceImprovementProgram>ConsolidatorIftheuserhasconsentedtoparticipateintheWindowsCustomerExperienceImprovementProgram,thisjobcollectsandsendsusagedatatoMicrosoftTaskScheduler>TaskSchedulerLibrary>Windows>CustomerExperienceImprovementProgram>KernelCeipTaskTheKernelCeip(CustomerExperienceImprovementProgram)taskcollectsadditionalinformationaboutthesystemandsendsthisdatatoMicrosoft.IftheuserhasnotconsentedtoparticipateinWindowsCEIP,thistaskdoesnothing.TaskScheduler>TaskSchedulerLibrary>Windows>CustomerExperienceImprovementProgram>USBCeipTheUSBCEIP(CustomerExperienceImprovementProgram)taskcollectsUniversalSerialBusrelatedstatisticsandinformationaboutyourmachineandsendsitottheWindowsDeviceConnectivityengineeringgroupatMicrosoft.

Theinformationreceivedisusedtohelpimprovethereliability,stability,andoverallfunctionalityofUSBinWindows.IftheuserhasnotconsentedtoparticipateinWindowsCEIP,thistaskdoesnothing.

TaskScheduler>TaskSchedulerLibrary>Windows>DiskDiagnostic>Microsoft-Windows-DiskDiagnosticDataCollectorTheWindowsDiskDiagnostictaskreportsgeneraldiskandsysteminformationtoMicrosoftforusersparticipatingintheCustomerExperienceProgram.TaskScheduler>TaskSchedulerLibrary>Windows>DiskFootprint>DiagnosticsDiskFootprintcollectsdriveusagestatistics,andsubmitsthemto

MicrosoftiftheuserconsentedtoparticipateinWindowsCEIP.TaskScheduler>TaskSchedulerLibrary>Microsoft>Office>OfficeTelemetryAgentFallBack2016

ThistaskinitiatesthebackgroundtaskforOfficeTelemetryAgent,whichscansanduploadsusageanderrorinformationforOfficesolutions.

TaskScheduler>TaskSchedulerLibrary>Microsoft>Office>OfficeTelemetryAgentLogOn2016

ThistaskinitiatesthebackgroundtaskforOfficeTelemetryAgent,whichscansanduploadsusageanderrorinformationforOfficesolutionswhenauserlogsontothecomputer.

OfficeTelemetryOfficeTelemetryisacompatibilitymonitoringframeworkthatMicrosoftintroducedinOffice2013andOffice365ProPlusthatreplacedtheOfficeMigrationPlanningManager,OfficeCodeCompatibilityInspector,andOfficeEnvironmentAssessmentToolofOffice2010.MicrosoftdescribeshowOfficeTelemetryworksinOffice2013inthefollowingway:OfficeTelemetryinOffice2013worksasfollows:WhenanOfficedocumentorsolutionisloaded,used,closed,orraisesanerrorincertainOffice2013applications,theapplicationaddsarecordabouttheeventtoalocaldatastore.Eachrecordincludesadescriptionoftheproblemandalinktomoreinformation.Inventoryandusagedataisalsotracked.MicrosoftdistinguishesbetweenOfficeTelemetrytoolsandcomponents.TheTelemetryDashboardandtheTelemetryLogaretools,whileTelemetrylogging,theTelemetryagent,orGroupPolicysettingsareconsideredTelemetrycomponents.TurnonTelemetrydatacollectionThissettingallowsyoutoenableordisablethedatacollectioninOfficeusedbytheTelemetryDashboardandtheTelemetrylog.Note:YouneedtoaddtheOfficeAdministrativeTemplateFilestotheGroupPolicytomakethechangeintheGroupPolicyEditor.Youfindlinkstothetemplatefilesunder“TelemetryandPrivacy”intheresourcesectionattheendofthisbook.GroupPolicy:UserConfiguration>AdministrativeTemplates>MicrosoftOffice2016>TelemetryDashboard>TurnonTelemetrydatacollection

Enabled–OfficeTelemetryAgentandOfficeapplicationswillcollecttelemetrydata.ThisincludesOfficeapplicationusage,alistofrecentOfficedocumentsincludingfilenames,solutionsusage,compatibilityissues,andcriticalerrors.Disabled–Sameasnotconfigured.OfficeTelemetryAgentandOfficeapplicationsdonotgenerateorcollecttelemetrydata.

WindowsRegistry:Key:HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\osmName:

EnableloggingType:Dword

0–Loggingisdisabled.1–Loggingisenabled.

AnnoyancesRemoveAds/SuggestionsTurnoffallWindowsSpotlightfeatures

WindowsSpotlightisanewfeatureofWindows10.Whenenabled,itwilldownloadphotosandimagesfromBingtodisplaythemonthelockscreenoftheWindows10device.WindowsSpotlightmaydisplayadvertisementonthelockscreen,andalsoothercontentsuchassuggestionsortips.ThisparticularoptiondisablesWindowsSpotlightcompletely.

Windows10Settings:OpentheSettingsapplicationandgotoPersonalization>LockScreen.Locatethe“Background”itemonthepageandusethemenutoswitchfromWindowsSpotlighttoadifferentlockscreenbackground.GroupPolicy:(Enterpriseonly)UserConfiguration>AdministrativeTemplates>WindowsComponents>CloudContent>TurnoffallWindowsSpotlightfeatures

Enabled–WindowsSpotlightandallrelatedfeaturessuchasWindowstipsonthelockscreenareturnedoff.Disabled–Sameasnotconfigured.WindowsSpotlightisenabled.

Donotsuggestthird-partycontentinWindowsSpotlight

WindowsSpotlight,afeatureofWindows10thatdisplaysdifferentwallpapersonthelockscreenoftheoperatingsystem,maysuggestappsandcontentfromthird-partysoftwarepublishersandMicrosoftappsandcontent.GroupPolicy1. OpentheGroupPolicyEditor.2. GotoUserConfiguration>AdministrativeTemplates>Windows

Components>CloudContent3. SelectDonotsuggestthird-partycontentinWindowsspotlight.1. Setthispolicytoenabled,todisallowsuggestingthird-partycontenton

thelockscreen.2. Setthispolicytodisabled,toallowsuggestions.


HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManage3. Right-clickonContentDeliveryManage,andselectNew>Dword(32-bit)

Value.4. NameitRotatingLockScreenEnabled.1. Avalueof0disablesfunfacts,tips,tricksandmoreonthelockscreen.2. Avalueof1enablesthefeature.

5. Right-clickonContentDeliveryManage,andselectNew>Dword(32-bit)Value.

6. NameitRotatingLockScreenOverlayEnabled1. Avalueof0meansdisable.2. Avalueof1meansenable.

RelatedEnterprisepoliciesUserConfiguration>AdministrativeTemplates>WindowsComponents>CloudContent>ConfigureWindowsSpotlightonLockScreen

Ifyousetthistodisabled,WindowsSpotlightisturnedoffanduserswon’tbeabletoselectitasthelockscreenbackground.

UserConfiguration>AdministrativeTemplates>WindowsComponents>CloudContent>TurnofftheWindowsSpotlightonActionCenter

Ifyouenablethispolicy,WindowsSpotlightnotificationsarenolongershownonActionCenter.

UserConfiguration>AdministrativeTemplates>WindowsComponents>CloudContent>TurnofftheWindowsWelcomeExperience

Ifyouenablethepolicy,TheWindowsWelcomeExperiencewillnolongerdisplaywhenthereareupdatesandchangestoWindowsanditsapps.

ShowoccasionalsuggestionsintheStartMenu

Windows10maydisplaysuggestionsintheStartMenu,usuallyforapplicationsthatareinstalled(Edge)ornotinstalled.GroupPolicyThispolicysettingturnsoffexperiencesthathelpconsumersmakethemostoftheirdevicesandMicrosoftaccount.

Note:OnlyappliestoEnterpriseandEducationSKUs.UsetheRegistrymethodbelowinsteadifyourunHomeorPro.1. OpentheGroupPolicyEditor.2. GotoComputerConfiguration>AdministrativeTemplates>Windows

Components>CloudContent.3. SelectTurnoffMicrosoftConsumerExperience.1. Setthepolicytoenabledtoturnoffpersonalizedrecommendationsfrom

Microsoft,andnotificationsabouttheMicrosoftAccount.2. Setthepolicytodisabled,toallowrecommendationsandnotifications.


HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager3. Right-clickonContentDeliveryManager,andselectNew>Dword(32-bit)

Value.4. NameitSystemPaneSuggestionsEnabled.1. Setitsvalueto0todisablesuggestionsintheStartMenu.2. Setitsvalueto1toenablesuggestions.

WindowsTipsandFeedback

Windows10maydisplaycontextualpopupsthatexplainhowtouseWindowsifthefeatureisenabledonthedevice.Microsoftusesdiagnosticandusagedatatodeterminewhichtipsorsuggestionstoshowtousers.GroupPolicy

ThispolicysettingpreventsWindowstipsfrombeingshowntousers.

Note:OnlyappliestoEnterpriseandEducationSKUs.UsetheRegistrymethodbelowinsteadifyourunHomeorPro.1. OpentheGroupPolicyEditor.2. GotoComputerConfiguration>AdministrativeTemplates>Windows

Components>CloudContent.3. SelectDonotshowWindowstips.1. Setthispolicytoenabled,todisablecontextualpopupsontheWindows

desktopthatshowtips.2. Setthispolicytodisabled,toallowfortipstobedisplayed.


HKEY_CURRENT_USER\Software\Microsoft\CurrentVersion\ContentDeliveryManager3. Right-clickonContentDeliveryManager,andselectNew>Dword(32-bit)

Value.4. NameitSoftLandingEnabled1. Setitsvalueto0todisablethefeature.2. Setitsvalueto1toenablethefeature.

SyncProviderNotificationsinFileExplorer

Windows10maydisplaynotificationsinFileExplorer,thedefaultfilebrowseroftheWindows10operatingsystem.FolderOptionsYoumaydisableSyncProviderNotificationsintheFolderOptionswindow.1. OpenFileExplorer.2. SelectView>Options.3. SelectViewwhentheFolderOptionswindowopens.4. Locate“Showsyncprovidernotifications”onthepage,andremovethe

checkmarkfromthepreference.5. ClickonApply.6. ClickonOK.

WindowsRegistryKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AdvanceName:ShowSyncProviderNotificationsType:Dword

0–ThenotificationsarenotshowninFileExplorer.1–ThenotificationsareenabledandshowninFileExplorer.

SoftwareSoftwaremayassistyouinmanagingWindows10operatingsystems.ThisbooklooksatprivacysoftwareforWindows10,andotherrecommendedsoftwarethatmayhelpyouwhenyoustarttomakeprivacyrelatedchangestotheoperatingsystem.Windows10PrivacySoftwareThereleaseofWindows10andtheprivacycontroversythatsurroundeditpavedthewayformorethanadozensoftwareprogramsthatweredesignedtoimproveprivacyonWindows10machinesinaneasierenvironment.Themainadvantagethattheseprogramsofferisthattheybundlemostoftheprivacyrelatedtweakssothatyoucanadjustthemaccordingtoyourneedsfromasingleinterface.You’djugglebetweenGroupPolicyentries,theWindowsSettingsapplication,theWindowsRegistryEditor,Services,Tasksandeventhecommandline/PowerShellotherwise.Thischapterlistssomeofthesetools,especiallytheonesthatareupdatedregularlytoreflectchangesthatMicrosoftmakestoWindows10withnewfeaturereleases.Note:Irecommendthatyoucreateabackupofthesystembeforeyourunthesetools.YoucanuseafreebackupsoftwarelikeVeeamAgentforWindowsforthat.Checkoutthe“otherrecommendedsoftware”listingbelowforinformationonit.MostprogramsbelowsupportthecreationofSystemRestorepoints.Whilethatissufficientmostofthetime,itisbettertobesafethansorrywhenitcomestothis.

W10PrivacyHomepage:https://www.winprivacy.de/english-home/

W10Privacyisaportableprogramthatyoucanrunfromanylocation.Itisrecommendedtorunitwithelevatedrights–right-clickandselectrunasadministrator–assomefunctionalitysuchasthecreationofaSystemRestorepointonstartisnotsupportedotherwise.

https://www.winprivacy.de/english-home/

Theapplicationusestabstogroupthetweaksthatitcomeswithandmakeorientationabiteasier.Itcolorcodestweaksontopofthatwhichhelpsdistinguishbetweensafetweaksandtweaksthatmayorwillimpactfunctionalityofthesystem.Youmayusetheprogramexclusivelyformakingchangestoprivacysettings,forinstancetoblockapplicationaccesstofeaturesordisablewebsearch.TheprogramchecksallsettingsonStartandchecksanythatarealreadyappliedonthesystem.Thishelpsyoufindsettingsthatmayrequireattention.TheTweaksontheirownareverypowerful,butitdoesnotendthere.TheappsupportstheblockingofMicrosoftserversinthehostsfiletoblockconnections,offersoptionstodealwithtasksandservicesthatareprivacyrelated,andevenprovidesyouwithoptionstouninstallapplications.

ShutUp10Homepage:https://www.oo-software.com/en/shutup10

O&OShutUp10isaportableprogramthatyoucanrunfromanylocation.Itlistsalltweaksonasinglepageandnotintabs.Alltweaksaretoggledusingasliderthatisdisplayedinfrontofthem.Aratingisdisplayednexttoeachtweakthatindicateswhetheritissafetomakeunderanycircumstances,somethingthatcouldbecomeproblematic,ornotrecommended.

https://www.oo-software.com/en/shutup10

Youmayusetheactionsmenutoapplyallrecommendedtweaksatonce,orgothroughthelistingoftweaksmanuallytoadjustthemasyouseefit.ShutUp10promptsyouwitharequesttocreateasystemrestorepointwheneveryoumakechangestotheconfiguration.Theprogramfeaturestweaksonly,anddoesnotshipwithoptionstohandleServices,Tasks,orblockMicrosoftserversusingthehostfile.

WindowsPrivacyDashboardHomepage:https://getwpd.com/

WindowsPrivacyDashboardisanotherportableprogramforWindows10thatprovidesyouwithoptionstomanageprivacyrelatedpreferencesonWindows10machines.Theapplicationdisplaysthefourgroupsprivacy,firewall,appsandtweakeronstart.Privacyisthemainentrypointwhenitcomestomanagingprivacyusingtheprogram.Itisdividedintolocalgrouppolicy,servicesandscheduleroptions.Whilemostoptionsareclear–AllowCortanaenablesordisablesthedigitalassistantforinstance–somearenot.That’swherethequestionmarkiconisputtouse.Simplyclickonthequestionmarkicontodisplayadetaileddescriptionoftheselectedentry.

Tweakerlistsadditionalprivacyrelatedoptions,mostlywhatappsandmaynotinteractwithoruseonthedevice.AppslistallsystemappsthataredistributedwithWindows10,andoptionstoremoveanyofthosefromtheWindows10machine.FirewallfinallyprovidesyouwithoptionstoblockTelemetry,third-partyappsandWindowsUpdateconnections.

Resources

WindowsExperienceBlogOurcontinuingcommitmenttoyourprivacywithWindows10:https://blogs.windows.com/windowsexperience/2017/01/10/continuing-commitment-privacy-windows-10/PrivacyandWindows10byTerryMyerson,ExecutiveVicePresident,WindowsandDevicesGroup:https://blogs.windows.com/windowsexperience/2015/09/28/privacy-and-windows-10/PrivacyenhancementscomingtotheWindows10FallCreatorsUpdate:https://blogs.windows.com/windowsexperience/2017/09/13/privacy-enhancements-coming-to-the-windows-10-fall-creators-updateWindows10privacyjourneycontinues:moretransparencyandcontrolsforyou:https://blogs.windows.com/windowsexperience/2017/04/05/windows-10-privacy-journey-continues-more-transparency-and-controls-for-you/YourfeedbackishelpingshapeWindowsprivacy:https://blogs.windows.com/windowsexperience/2017/08/07/feedback-helping-shape-windows-privacy/

https://blogs.windows.com/windowsexperience/2015/09/28/privacy-and-windows-10/

https://blogs.windows.com/windowsexperience/2017/04/05/windows-10-privacy-journey-continues-more-transparency-and-controls-for-you/

GeneralPagesofInterestMicrosoftAccountPasswordReset:https://account.live.com/password/resetMicrosoftAdsOpt-out:http://choice.microsoft.com/en-US/opt-outMicrosoftPrivacyStatement:https://privacy.microsoft.com/en-us/privacystatementMicrosoftServicesAgreement:https://www.microsoft.com/en/servicesagreement/MicrosoftYourPrivacy:https://account.microsoft.com/privacyPolicyCSP:https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-configuration-service-providerPrivacyatMicrosoft:https://privacy.microsoft.com/en-US/

http://choice.microsoft.com/en-US/opt-out

https://privacy.microsoft.com/en-us/privacystatement

https://www.microsoft.com/en/servicesagreement/

https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-configuration-service-provider

https://privacy.microsoft.com/en-US/

MicrosoftOfficeManageprivacysettingsinTelemetryDashboard(Office2013):https://technet.microsoft.com/en-us/library/jj591589.aspx?f=255&MSPPError=-2147217396Office2013AdministrativeTemplateFilesandOfficeCustomizationTool:https://www.microsoft.com/en-us/download/details.aspx?id=35554Office2016AdministrativeTemplateFilesandOfficeCustomizationTool:https://www.microsoft.com/en-us/download/details.aspx?id=49030OverviewofOfficeTelemetry(Office2013,Office365ProPlus):https://technet.microsoft.com/en-us/library/jj863580.aspx?f=255&MSPPError=-2147217396

https://www.microsoft.com/en-us/download/details.aspx?id=35554

TelemetryandPrivacyConfigureWindowstelemetryinyourorganization:https://docs.microsoft.com/en-us/windows/configuration/configure-windows-telemetry-in-your-organizationDeployWindowsMaliciousSoftwareRemovalToolinanenterpriseenvironment:https://support.microsoft.com/en-us/help/891716/deploy-windows-malicious-software-removal-tool-in-an-enterprise-environmentDiagnostics,feedbackandprivacyinWindows10:https://privacy.microsoft.com/en-us/windows-10-feedback-diagnostics-and-privacyHowtodisabletelemetryforServiceManagementAutomation,ServiceProviderFoundation,andServiceManagerSelf-ServePortal:https://support.microsoft.com/en-us/help/3096505/how-to-disable-telemetry-for-service-management-automation,-service-provider-foundation,-and-service-manager-self-serve-portalManageconnectionsfromWindowsoperatingsystemcomponentstoMicrosoftservices:https://docs.microsoft.com/en-us/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-servicesManagePrivacy:WindowsErrorReportingandResultingInternetCommunication:https://technet.microsoft.com/en-us/library/jj618323(v=ws.11).aspxMicrosoftTrustCenter–Windowstelemetryprivacy:https://www.microsoft.com/en-us/trustcenter/privacy/windows-telemetry-privacy-and-trust.aspxWindowsErrorReportingSettings:https://msdn.microsoft.com/en-us/library/windows/desktop/bb513638%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396

https://docs.microsoft.com/en-us/windows/configuration/configure-windows-telemetry-in-your-organization

https://privacy.microsoft.com/en-us/windows-10-feedback-diagnostics-and-privacy

https://docs.microsoft.com/en-us/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services

https://www.microsoft.com/en-us/trustcenter/privacy/windows-telemetry-privacy-and-trust.aspx

https://msdn.microsoft.com/en-us/library/windows/desktop/bb513638%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396

Third-partyResourcesAskWoody:https://www.askwoody.com/Born’sTechandWindowsWorld:http://borncity.com/win/ComparisonofWindows10Privacytools:https://www.ghacks.net/2015/08/14/comparison-of-windows-10-privacy-tools/GhacksTechnologyNews:https://www.ghacks.net/WithWindows10,MicrosoftBlatantlyDisregardsUserChoiceandPrivacy:ADeepDive:https://www.eff.org/deeplinks/2016/08/windows-10-microsoft-blatantly-disregards-user-choice-and-privacy-deep-dive

https://www.askwoody.com/

https://www.ghacks.net/2015/08/14/comparison-of-windows-10-privacy-tools/

https://www.eff.org/deeplinks/2016/08/windows-10-microsoft-blatantly-disregards-user-choice-and-privacy-deep-dive

PrivacySettingsandFeaturesConnectingtoopenWi-FihotspotsinWindows10:https://privacy.microsoft.com/en-us/windows-10-open-wi-fi-hotspotsGeneralprivacysettingsinWindows10:https://privacy.microsoft.com/en-us/general-privacy-settings-in-windows-10MicrosoftEdge,browsingdata,andprivacy:https://privacy.microsoft.com/en-US/windows-10-microsoft-edge-and-privacyOptoutoflocationservices:https://support.microsoft.com/en-us/help/20039/opt-out-of-location-servicesSpeech,inking,typing,andprivacyhttps://privacy.microsoft.com/en-us/windows-10-speech-inking-typing-and-privacy-faqWindows10Camera,MicrophoneandPrivacy:https://privacy.microsoft.com/en-US/windows-10-camera-and-privacyWindows10LocationServiceandprivacy:https://privacy.microsoft.com/en-us/windows-10-location-and-privacyWindows10privacysettingsthatappsuse:https://privacy.microsoft.com/en-us/windows-10-privacy-settings-that-apps-useWindows10UpdateDeliveryOptimization:https://privacy.microsoft.com/en-US/windows-10-windows-update-delivery-optimization

https://privacy.microsoft.com/en-us/general-privacy-settings-in-windows-10

https://privacy.microsoft.com/en-US/windows-10-microsoft-edge-and-privacy

https://privacy.microsoft.com/en-US/windows-10-camera-and-privacy

https://privacy.microsoft.com/en-us/windows-10-location-and-privacy

https://privacy.microsoft.com/en-US/windows-10-windows-update-delivery-optimization

WhitepapersandDocsAvailablepoliciesforMicrosoftEdge:https://docs.microsoft.com/en-us/microsoft-edge/deploy/available-policiesGroupPoliciesthatapplyonlytoWindows10EnterpriseandWindows10Education:https://docs.microsoft.com/en-us/windows/client-management/group-policies-for-enterprise-and-education-editionsTheBonesoftheSystem:ACaseStudyofLoggingandTelemetryatMicrosoft:https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/ICSE-logging-submisson.pdfWindowsServer2016andSystemCenter2016Telemetry:https://aka.ms/winservtelemetryWindows10,version1703basiclevelWindowsdiagnosticeventsandfields:https://docs.microsoft.com/en-us/windows/configuration/basic-level-windows-diagnostic-events-and-fieldsWindows10,version1703DiagnosticData:https://docs.microsoft.com/en-us/windows/configuration/windows-diagnostic-data

https://aka.ms/winservtelemetry

https://docs.microsoft.com/en-us/windows/configuration/basic-level-windows-diagnostic-events-and-fields

https://docs.microsoft.com/en-us/windows/configuration/windows-diagnostic-data

Index

3DBuilder,42Account,31,140,172advertising,9,17,19,108,110advertisingID,17Alarms,42AllowTelemetry,63Annoyances,272apps,42,121,168automaticlearning,130Basic,9,54,57,62Calendar,23,34,146CallHistory,149Camera,23,25,120CDPUserSvc_xxxxx,268CertificateTrustLists,65Clock,42Collector,263Compatibilitydata,57Connected,25,42ConnectedUserExperience,50,52,55,57,268Contacts,32,143Cookies,207Cortana,7,17,23,30,50,59,67,68,70,80,181CustomerExperienceProgram,182Datasynchronization,172Date,81devices,40,162diagnosticdata,17,166diagnostics,44Diagnostics,16,41,163DiagTrack,52DisableRootAutoUpdate,66Dmwappushservice,268DoNotTrack,209

DRM,251Edge,18,24,25,27,43,95,203,213Email,32,36,152Enhanced,54,59errorreporting,60ErrorReporting,241Feedback,41,163,193,278Feedback&Diagnostics,62FeedbackHub,25,27,42FileExplorer,280FontStreaming,85Full,54,60,62Gamebar,28General,108Geofencing,24GetOffice,42GrooveMusic,42GroupPolicyEditor,48handwriting,136,138Help,193HelpExperienceImprovementProgram,188History,35Hyper-V,59IMEInumber,57inking,30,60,129InsiderPreviewBuilds,87InternetExplorer,57,89,194LiveTiles,91localaccount,12localaccounts,12Location,15,23,114,181Mail,23,93Maps,23,25,32,43,100,267Media,247Messaging,24,27,35,38,43,156Messenger,64Metadata,83Microphone,27,123MicrosoftAccount,12,13,27,94,172

MicrosoftConsumerExperiences,191MicrosoftSolitaireCollection,43Minecraft,43motiondata,170Movies&TV,43MSRT,55Network,98News,24,43Notifications,29,126Office365,18OfficeTelemetry,271OneDrive,13,18,102,217OneNote,25,27,43PaidWi-Fi&Cellular,43Paint3D,43People,34,35,36,38,43personalization,136,225Personalization,132Personalizationdata,9Photos,43PowerShell,48Preinstalled,104privacy,9Privacy,7,21,62,106,180PrivacyDashboard,9PrivacySoftware,282Radios,39,159RegistryEditor,48Search,67,70,71,72,74,76,78,80,181,201Security,51,54,55,181Services,268Settings,43,48,272Setup,11ShutUp10,285Skype,25,27,32,38Speech,30,129Start,109StartMenu,276StickyNotes,43

Store,26,28,43,58,59,173suggestions,195,197,199,204,210,276SurfaceHub,59sync,219,221,227,229,231,233,235Synchronization,217SystemCenter2016,63TakeaTest,28Tasks,37,155,269Telemetry,9,19,41,46,49,50,51,52,57,61,62,64,261,271TerryMyerson,9TheFallCreatorsUpdate,11Time,81Tips,43,278track,113Twitter,24,26,28,32,43typing,30,60,129updates,134,257VoiceRecorder,28,32,43W10Privacy,283Weather,23,24,43WebRTC,215Wi-Fi,259Windows,34,39Windows10CreatorsUpdate,7Windows10Editions,46Windows10Education,46Windows10Enterprise,46,54Windows10Home,46Windows10Mobile,46Windows10Pro,46Windows10S,46Windows10Server,54WindowsasaService,49WindowsDefender,43,55,237,239WindowsMediaPlayer,190,245WindowsMessenger,186WindowsPrivacyDashboard,287WindowsRegistry,54WindowsSpotlight,274

WindowsUpdate,253,254Xbox,28,33,43

[1]https://www.eff.org/deeplinks/2016/08/windows-10-microsoft-blatantly-disregards-user-choice-and-privacy-deep-dive[2]https://docs.microsoft.com/en-us/windows/configuration/basic-level-windows-diagnostic-events-and-fields[3]https://docs.microsoft.com/en-us/windows/configuration/windows-diagnostic-data[4]https://www.ghacks.net/2015/08/14/comparison-of-windows-10-privacy-tools/[5]https://blogs.windows.com/windowsexperience/2015/09/28/privacy-and-windows-10/[6]https://blogs.windows.com/windowsexperience/2017/01/10/continuing-commitment-privacy-windows-10/[7]https://account.microsoft.com/privacy[8]https://blogs.windows.com/windowsexperience/2017/04/05/windows-10-privacy-journey-continues-more-transparency-and-controls-for-you/[9]https://blogs.windows.com/windowsexperience/2017/09/13/privacy-enhancements-coming-to-the-windows-10-fall-creators-update/[10]https://account.microsoft.com/privacy[11]https://docs.microsoft.com/en-us/windows/configuration/configure-windows-telemetry-in-your-organization[12]https://www.microsoft.com/en-us/trustcenter/Privacy/windows-telemetry-privacy-and-trust.aspx[13]https://www.microsoft.com/en-us/trustcenter/Privacy/windows-telemetry-privacy-and-trust.aspx[14]https://docs.microsoft.com/en-us/windows/configuration/configure-windows-telemetry-in-your-organization[15]https://privacy.microsoft.com/en-us/privacystatement

Documents

The Complete Windows 10 Privacy Guide