The complete Windows 10 Privacy Guide
Fall Creators Update edition
By Martin Brinkmann
Copyright © 2010 by Martin Brinkmann
All rights reserved. This book or any portion thereof may not be reproduced or used in any manner whatsoever without the express written permission of the publisher except for the use of brief quotations in a book review.
Dedication
For Julia. This book would not exist without your moral support and understanding. Thank you, my love.
Table of Contents
Foreword
This guide
What Microsoft says about Privacy and Windows 10
Privacy Options during Setup
Account
Cortana
Services
5-Minute Privacy Configuration
Configuring Privacy Settings after Setup
Privacy → General
Privacy → Location
Privacy → Camera
Privacy → Microphone
Privacy → Notifications
Privacy → Speech, inking and typing
Privacy → Account Info
Privacy → Contacts
Privacy → Calendar
Privacy → Call History
Privacy → Email
Privacy → Tasks
Privacy → Messaging
Privacy → Radios
Privacy → Other devices
Privacy → Feedback & Diagnostics
Privacy → Background apps
Privacy → App diagnostics
Privacy → Automatic file downloads
Quick Overview: Differences between Windows 10 Editions
Important information about tools used in this guide
Telemetry
What is Telemetry
Telemetry levels Overview
Endpoints for Telemetry Services
Configuring Windows 10 Telemetry settings
Business and Enterprise options
Manage Connections from Windows components to Microsoft
Settings for Windows 10
Certificate Trust Lists
Cortana and Search
Date & Time
Device Metadata Retrieval
Font Streaming
Insider Preview Builds
Microsoft Internet Explorer
Live Tiles
Mail Synchronization
Microsoft Account
Microsoft Edge
Network Connection Status Indicator
Offline Maps
OneDrive
Preinstalled Applications
Windows 10 Privacy Settings
Windows Features
Accounts (Local, Microsoft)
Customer Experience Program
Feedback and Help
Internet Explorer
Microsoft Edge
OneDrive / File Synchronization
SmartScreen
Windows Error Reporting
Windows Media Player
Windows Update
Wi-Fi
Misc
Windows Services
Windows Tasks
Office Telemetry
Turn on Telemetry data collection
Annoyances
Remove Ads / Suggestions
Software
Resources
Windows Experience Blog
General Pages of Interest
Microsoft Office Telemetry and Privacy
Third-party Resources
Privacy Settings and Features
Whitepapers and Docs
Index
Foreword
Privacy is a hot topic in today’s connected world. This is true especially when it comes to user tracking on the Internet, but also tracking built into operating systems such as Windows 10 or Android, or programs such as Google Chrome or Mozilla Firefox. Windows 10 has probably been the operating system that Microsoft has been attacked the most for by privacy advocates and concerned users in regards to privacy and data collection. Probably the biggest factors for this are changes made to Telemetry collecting on the operating system, a lack of transparency when it comes to the collecting of data, and a lack of distinction between data that Microsoft collects, and data that is required by services or applications for functionality. Questions about which data is collected when Windows 10 is used, why it is collected, where it is stored, and how it is used or shared, are not answered to the satisfaction of privacy advocates or users who are concerned about privacy.
A significant issue is the telemetry data the company receives. While Microsoft insists that it aggregates and anonymizes this data, it hasn’t explained just how it does so. Microsoft also won’t say how long this data is retained, instead providing only general timeframes. [1]
Microsoft made concessions to that with the release of the Windows 10 Creators Update when it revealed what the Basic [2] and Full Telemetry [3] settings mean in terms of data collecting. It is clear that the data that is collected is important to Microsoft, as it uses it to detect and resolve issues, and to find ways to optimize the operating system. The new faster release scheme with two feature updates per year demands a closer look at data as well, to prioritize development for instance or recognize issues more quickly. Data is required for some functionality as well. The digital assistant Cortana for instance requires access to the device’s location, data from emails and text messages, the call history, contacts you have and how often you interact with those contacts, and the apps you use. Windows 10 users can opt out of most of the data collecting, but even if they turn any preference off during setup or under the Privacy section of the Settings application, data still gets collected and transferred to Microsoft.
The rise of privacy programs for Windows 10 [4] is a response to Microsoft’s inability to respond to concerns adequately, for instance by making it difficult to control data collection and submission to Microsoft. More than a dozen programs have been created that perform all kinds of pro-privacy operations on the operating system when executed. All offer options to tweak privacy settings, and many to remove Windows apps, block Microsoft servers, or disable Windows scheduled tasks or Services.
This guide
This privacy guide covers every aspect of Windows 10 privacy and data collecting in detail. It includes information on all privacy settings that are exposed to users in the Settings application and other system locations, and explains in simple but detailed terms what each does. The guide looks at Microsoft’s stance on privacy, provides you with resources to do your own research on the topic, and comes with a 5-minute privacy improvement guide to make the most important privacy related changes right away so that you don’t have to read the entire book first before you make the most important changes in regards to privacy. It looks at differences between Windows 10 Editions, the installation process, reviews privacy programs created for Windows 10, and at specific features of the operating system and how data collecting plays a role for these features.
What Microsoft says about Privacy and Windows 10
Microsoft published a post with the title Privacy and Windows 10 [5] back in September 2015 on the official Windows Experience Blog to address rising privacy concerns. According to Terry Myerson, Executive Vice President, Windows and Devices Group, Microsoft designed Windows 10 with two “straightforward privacy principles” in mind.
Windows 10 collects information so the product will work better for you.
You are in control with the ability to determine what information is collected.
Myerson goes on to explain that Microsoft thinks of data that the company does and does not collect in three different levels:
1. Safety and Reliability data – This data is collected to “provide a secure and reliable experience”. It includes data such as an anonymous device ID, device type, and application crash data which Microsoft and its developer partners use to improve application reliability.
2. Personalization data – This data is used to provide users with a custom experience, for instance by providing text completion suggestions, using the digital assistant Cortana, or giving users updates on game scores when their favorite teams play.
3. Advertising data that Microsoft does not collect – Microsoft won’t collect content of emails or other communications, or files, to deliver targeted advertising.
In 2017, Myerson published two additional privacy focused articles on the Windows 10 Experience blog. The new Privacy Dashboard was announced in the first, entitled Our continuing commitment to your privacy with Windows 10 [6]. The new online dashboard [7] provides options to Windows users who sign in to Windows using a Microsoft Account to control activity data that is collected by Microsoft products such as Windows 10.
Microsoft announced as well that it would improve the privacy part of the setup experience, simplify diagnostic data levels, and reduce data collected at the Basic level (of Telemetry).
First, we will introduce a new setup experience for you to choose the settings that are right for you.
This experience, which replaces previous Express Settings, will look slightly different depending on the version of Windows you are using. If you are moving from Windows 7 or Windows 8, or doing a fresh install of Windows 10, the new setup experience will clearly show you simple but important settings and you will need to choose your settings before you can move forward with setup.
If you are already using Windows 10, we will use notifications to prompt you to choose your privacy settings.
Microsoft made the decision to reduce Telemetry levels from three to two configurable levels in the Settings application of the Windows 10 Creators Update version. The company removed the Enhanced level, leaving Basic and Full as the two remaining options during Setup and in the Settings application. Myerson confirmed that Microsoft reduced the data that is collected when the Basic level is enabled.
We use this data to help keep Windows and apps secure, up-to-date, and running properly when you let Microsoft know the capabilities of your device, what is installed, and whether Windows is operating correctly. This option also includes basic error reporting back to Microsoft.
Three months later, in April 2017, Myerson published Windows 10 privacy journey continues: more transparency and controls for you [8] on the Windows Experience blog. In it he revealed three enhancements to privacy on Windows 10.
• In-product information improvements by adding short descriptions and learn more links to privacy settings to help customers better understand each.
• An update to the Microsoft Privacy statement to include more information about the privacy changes in the Creators Update.
• Publication of more information about the data that Microsoft collects.
Marisa Rogers, WDG Privacy Officer, revealed [9] in September 2017 on the official Windows Experience blog that privacy enhancements were coming to the Windows 10 Fall Creators Update. She listed three improvements in the article:
1. Direct access to the privacy statement during setup, and links next to the available privacy settings during setup that lead to the privacy statement paragraph that refers to it.
2. Permission prompts not only for location data but also other data that Windows Store applications request such as camera, microphone, contacts, or calendar.
3. A new Windows Analytics setting for Enterprise customers.
Privacy Options during Setup
Windows 10 users and administrators have only one option when it comes to setting up the operating system. Previous versions of Windows 10 shipped with two – Express and Custom – but Microsoft changed the experience in Windows 10 version 1703. This means that it is no longer required to hunt down the “custom” link during setup to get more control, and customize some of the privacy options that Microsoft added as options to the Windows 10 setup process.
The following screens are captures of Windows 10 version 1709 – The Fall Creators Update. Note that Microsoft changed the setup experience in that version, and that the screens will have different options when you install an earlier version of Windows 10.
Setup provides Windows users with control over two privacy related options. The most important part of setup from a privacy perspective is the privacy settings screen of the setup. It lists important privacy options that are enabled by default. You may disable those during setup, or after setup when you open the Privacy hub of the Settings application. Note that you may disable only a limited number of privacy related options during setup or first run; the privacy hub lists way more options, and it is highly suggested that you go through the listing there at least once to configure each setting accordingly. One chapter of this book walks you through all the preferences that you find there.
The second option that users get during setup or first run is that they may set up a Microsoft account or a local account (Microsoft calls it offline account during setup) for use on the system. This is important as well, as features may be limited to a certain account type.
Note that the following pages concentrate on privacy options only. Most screens of the setup are self-explanatory and are not related to privacy.
Account
The Account setup page gives you two options:
1. Use a Microsoft Account
2. Use a local (offline) account.
I suggest you check out the comparison in a later chapter of this book for detailed information on local accounts and Microsoft accounts. The core differences between local accounts and Microsoft accounts are the following ones:
• Local accounts are active on a single machine only.
• A Microsoft account may be used on multiple devices.
• Some account preferences may be synced across devices if a Microsoft account is used to sign in. This includes themes, language preferences, passwords, or Internet Explorer settings. This is enabled by default.
• Some features on Windows 10 require a Microsoft Account. This is the case for OneDrive for instance, the default file synchronization service.
• You can reset the Microsoft Account password online.
• A Microsoft Account is no longer required to download (free) Store applications if you use Windows 10 Pro or Enterprise. You still need a Microsoft account to download Store apps on Windows 10 Home.
• You may use a Microsoft account to sign up and use other Microsoft company products, especially online products.
Microsoft links to privacy & help information, and the terms of use on the first page of setup as well. Generally speaking, a Microsoft Account is more convenient in some regards, but it does link the account to the device and comes with data synchronization enabled by default.
Cortana
Cortana is a digital personal assistant that Microsoft introduced in Windows 10. You may communicate with Cortana using speech or text, and may use it for a variety of purposes. Some of these include running searches, setting up reminders, getting answers to direct questions (What’s the weather), reserving tables, composing emails, and a lot more. Cortana requires access to data for that, and Microsoft “collects and uses information” for that purpose.
.. including your location and location history, contacts, voice input, speech patterns, searching history, relationships, calendar details, email, content and communication history from text messages, instant messages and apps, and other information on your device. In Microsoft Edge, Cortana uses your browsing history.
You may select the “no” option on the setup page to deny Cortana’s permissions request. You may change what Cortana is allowed to do later on as well.
Services
The Services setup page lists all privacy related settings and descriptions of the setup process. They are enabled by default, and are just some of the privacy settings that Windows 10 ships with. Please note that you can change the status of any of the services listed on the page later on as well.
Location – This setting determines whether applications and Windows may request access to the location of the device for functionality. Two apps that make use of location are the weather application, and Maps. Location data is sent to Microsoft and used to improve location services according to the description. Microsoft may share location data with trusted partners for that.
◦ Microsoft’s location service provides location information to Windows devices using a combination of global positioning service (GPS), nearby wireless access points, cell towers, and your IP address, depending on the capabilities of your device.
◦ Turning on Location enables certain apps, services, and Windows features to ask for permission to access and use your location data to deliver location-aware services at as precise a level as your device supports. When your location is used by a location-aware app or service, your location information and recent location history is stored on your device and sent to Microsoft in a de-identified format to improve location services.
◦ In addition, if you are logged in with your Microsoft account, your last known good location information is saved to the cloud and available to other apps or services using your Microsoft account across devices. If your device cannot obtain a good location on its own (like for example in a building or basement), it can use your last known good location stored in the cloud.
◦ You can turn off location access and clear your device’s location history at any time in Start > Settings > Privacy > Location.
◦ If you have a portable device, such as a laptop, turning on location will also enable the Find my Device feature, which uses your location data to help you find your device if you lose it. For this feature to work, you must log in to Windows with your Microsoft Account. You can turn this off at any time in Start > Settings > Update & Security > Find my Device.
Diagnostics – Diagnostic data is sent to Microsoft. This includes information on browser, application and feature use, inking and typing data, and more. Check the Telemetry chapter for detailed information on what gets collected and sent to Microsoft. This feature cannot be turned off, but you can switch from full to basic Telemetry during setup.
◦ Diagnostic data helps identify and troubleshoot problems, and keep the device up to date and secure.
◦ The data is transmitted to Microsoft, and stored with one or multiple unique identifiers that Microsoft uses to recognize individual users or devices.
◦ There are two levels of diagnostic data that can be set during setup: full or basic.
◦ Basic data is data that is vital to the operation of Windows. It provides Microsoft with information on the device’s capabilities, installed software, and if Windows operates correctly.
◦ Full data includes all Basic data, and information on app and browser usage, feature usage, how long apps are used, which services you use to sign in to apps, or how often Windows Help and Support is used. The memory state of the device is transferred to Microsoft at the full data level. Microsoft notes that any identifying information is removed from the typed and handwritten input data.
◦ Microsoft uses the data to improve products and services for all Windows users. It won’t use the data to personalize Microsoft products or services, unless you allow Microsoft to do so.
◦ You can adjust the diagnostic data level in Start > Settings > Privacy > Feedback & diagnostics.
Relevant ads – Windows 10 may use an advertising ID, a unique identifier, to personalize advertisement on the operating system. Advertisement is based on application usage if the setting is enabled. If you turn it off, ads are still displayed but they are not personalized anymore using the advertising ID.
◦ Windows generates a unique advertising ID for each user on a device. This ID may be used by application developers and advertising networks for personalized advertisement.
◦ Microsoft compares the use of the advertising ID to the use of cookies by websites.
◦ You can turn this off in Start > Settings > Privacy at any time.
Speech recognition – Cortana, the digital assistant, requires speech recognition if you want to use voice commands and interact with Cortana using voice. Similarly, Store apps may also support voice recognition and require it as well. Voice input data is sent to Microsoft to help improve speech services. If you turn this off, you cannot communicate with Cortana or other applications using voice. This does not impact the functionality of connected microphones though.
◦ Windows provides both a device based speech recognition feature (available through the Windows Speech Recognition desktop app), and a cloud based speech recognition service that was introduced alongside Cortana in those markets and regions where Cortana is available.
◦ Turning on the Speech recognition setting allows Microsoft to collect and use your voice recordings to provide you with cloud-based speech recognition services in Cortana, supported Store apps, and over time in other parts of Windows.
◦ Microsoft collects information from the user dictionary as part of the service. The user dictionary stores unique words like names you write, which help users type and ink more accurately.
◦ Both the voice data and the user dictionary are used by Microsoft to improve the ability to correctly recognize user speech.
◦ You can turn off this feature at any time in Start > Settings > Privacy > Speech, inking & typing.
Tailored experiences with diagnostic data – Microsoft may use diagnostic data to display tips and recommendations to users.
◦ Microsoft will use some diagnostic data to “personalize your experiences with Windows and other products and services”. This includes, according to Microsoft, suggestions on how to customize and optimize Windows, and recommendations and offers of Windows features and supported apps, services, hardware, and peripherals.
◦ This feature powers campaigns that suggest apps to users that do things better than others, according to Microsoft. Chrome or Firefox users may get Edge recommended to them for instance.
◦ Microsoft may also suggest trying OneDrive for storage, purchasing more space on OneDrive, or giving Office 365 a try.
◦ Full includes additional information, e.g. the use of browsers or applications.
◦ Tailored experiences won’t use crash, speech, typing, or inking input data for personalization.
◦ You can turn this off in Start > Settings > Privacy > Feedback & diagnostics.
5-Minute Privacy Configuration
This book offers a lot of information when it comes to privacy, Windows configuration and related topics of interest. This 5-minute guide is designed to make the most important privacy-related changes right away without having to read for hours what each setting does. I recommend that you read through the rest of the book, but since it may take a while, you may want to make some changes as quickly as possible.
The following settings concentrate on two things: setting Telemetry data collecting to Basic, the lowest available level (unless you run Enterprise, Education or IoT editions of Windows), and turning off features that may display suggestions / advertisement.
Let’s start:
1. Use the shortcut Windows-I to open the Settings application.
2. Go to Privacy > Feedback & Diagnostics.
3. Set the diagnostic and usage data level to Basic.
4. Set “Let Microsoft provide tailored experiences with relevant tips and recommendations by using your diagnostic data” to off.
5. Go to General using the left sidebar.
6. Set “Let apps use advertising ID to make ads more interesting to you based on your app usage (turning this off will reset your ID)” to off.
7. Set “Show me suggested content in the Settings app” to off.
8. Go to Personalization > Lock Screen.
9. Set “Get fun facts, tips, tricks, and more on your lock screen” to off.
10. Go to Start using the left sidebar.
11. Set “Occasionally show suggestions in Start” to off.
12. Go to System > Notifications & actions.
13. Set “get tips, tricks, and suggestions as you use Windows” to off.
14. Set “Show me the Windows welcome experience after updates and occasionally when I sign in to highlight what’s new and suggested” to off.
15. Go to Accounts > Sync your Settings.
16. Set “Sync settings” to off, unless you want your settings to sync to the cloud. If you do, disable all data sets on the same page that you don’t require instead.
17. Go to Updates & security > Advanced options > Choose how updates are delivered, and set “download Windows updates and apps from other PCs..” to off, and “get updates from Microsoft..” to PCs on my local network.
18. Open File Explorer.
19. Select File > Change folder and search options.
20. Switch to the View tab.
21. Disable “show sync provider notifications”.
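Feature updates and policy changes can flip these toggles back, so it helps to be able to re-check the checklist without clicking through Settings. The following read-only PowerShell audit is an added example and not part of the book; the Registry paths and value names it maps to checklist steps are assumptions made for this example about where Windows 10 stores these toggles, and it covers only a subset of the steps.

```powershell
# Added example: read-only audit of part of the 5-minute checklist.
# The Registry locations below are assumptions made for this example; they do
# not come from the guide. Nothing is written to the Registry.

$checks = @(
    # Step 3: telemetry level. 0 = Security, 1 = Basic, 2 = Enhanced, 3 = Full.
    # Max = 1 accepts Basic, and Security on editions that support it.
    @{ Step = 3;  Setting = 'Diagnostic data level (Settings app)'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection'
       Name = 'AllowTelemetry'; Max = 1 },
    @{ Step = 3;  Setting = 'Diagnostic data level (Group Policy)'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
       Name = 'AllowTelemetry'; Max = 1 },
    # The remaining toggles are per-user on/off switches: 0 = off, 1 = on.
    @{ Step = 4;  Setting = 'Tailored experiences'
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Privacy'
       Name = 'TailoredExperiencesWithDiagnosticDataEnabled'; Max = 0 },
    @{ Step = 6;  Setting = 'Advertising ID'
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo'
       Name = 'Enabled'; Max = 0 },
    @{ Step = 11; Setting = 'Suggestions in Start'
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager'
       Name = 'SystemPaneSuggestionsEnabled'; Max = 0 },
    @{ Step = 13; Setting = 'Tips, tricks, and suggestions'
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager'
       Name = 'SoftLandingEnabled'; Max = 0 },
    @{ Step = 21; Setting = 'Sync provider notifications'
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
       Name = 'ShowSyncProviderNotifications'; Max = 0 }
)

function Get-PrivacyCheckResult {
    param([Parameter(Mandatory)][hashtable]$Check)

    # A missing key or value means the toggle was never written. Windows then
    # falls back to its built-in default, which this script cannot observe,
    # so the result is reported as NOT SET rather than guessed.
    $item = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $value = $item.($Check.Name) } else { $value = $null }

    if ($null -eq $value)          { $status = 'NOT SET' }
    elseif ($value -le $Check.Max) { $status = 'OK' }
    else                           { $status = 'REVIEW' }

    [pscustomobject]@{
        Step    = $Check.Step
        Setting = $Check.Setting
        Value   = $value
        Status  = $status
    }
}

# HKCU checks describe the account running the script; run it once per user.
$results = foreach ($check in $checks) { Get-PrivacyCheckResult -Check $check }
$results | Sort-Object Step | Format-Table -AutoSize
```

A NOT SET result on the Group Policy path is normal on machines where no telemetry policy has been configured; REVIEW rows are the ones to revisit in the Settings application.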
Configuring Privacy Settings after Setup
You can configure any of the privacy settings that were displayed to you during setup afterwards as well; plus, a lot more that were not exposed during setup. This part of the guide looks at Privacy options in the Windows 10 Settings application. For detailed information on privacy options not listed under Settings, check out the following chapters as you find those there, as well as options that are not in Settings > Privacy, and information on Group Policy and Registry settings.
You start the Settings application either with a click on Start > Settings, or by using the keyboard shortcut Windows-I. Open the Privacy section once the Settings application opens.
Note: Some features come with a default list of applications that are allowed to use that feature. This list may vary slightly from region to region. It is a good idea to go through these listings to disable permissions for applications that you don’t plan on using, or don’t want to have access to a feature.
Privacy → General
This is the start page of the Privacy category of the Settings application. You find the following options here:
• Let apps use advertising ID to make ads more interesting to you based on your app usage (turning this off will reset your ID). If you have disabled the option during setup, it is already set to off. Turning this to off results in non-personalized ads, but not fewer ads. Basically, what this means is that Microsoft creates no profile of your interests to use it to display advertisement to you.
• Let websites provide locally relevant content by accessing my language list. Websites may look up supported languages to customize content based on those.
• Let Windows track app launches to improve Start and search results. If this is turned on, Windows maintains a list of most used apps that it displays to you in Start and when running searches.
• Show me suggested content in the Settings app. Windows 10 may display suggestions in the Settings application.
Privacy → Location
The Location settings allow you to manage location-based features and functionality. Location may be used by applications such as Maps or Weather for personalized results. You find the following options here:
• Change the status of the device’s location feature. You can turn the location feature on or off here for the device. This setting was part of Setup as well.
• Set a default location. Windows uses the default location for its functionality, and apps may use it as well, if a more exact location cannot be detected.
• Manage and clear the location history. Location history is stored on the device for a limited time. Apps and Windows may use it if the location cannot be determined otherwise.
• Choose apps that may use location. You may enable or disable location use for applications individually. This works only if Location is enabled. The following apps are configured to use Location:
◦ Camera
◦ Cortana
◦ Mail and Calendar
◦ Maps
◦ Messaging
◦ Microsoft Edge
◦ News
◦ Twitter
◦ Weather
• Control Geofencing – using location data to see when you cross in or out of a boundary drawn around a place of interest.
Privacy → Camera
Camera lets you control whether applications may use camera hardware, a connected webcam for instance. The following options are provided:
• Let apps use my camera hardware. You can turn the feature on or off here for the device. Note that turning it off here won’t impact the use of the camera in desktop programs.
• Choose apps that may use the camera. You may prevent select applications from using the camera. This works only if camera is enabled on the device. The following applications are listed by default:
◦ Cortana
◦ Feedback Hub
◦ Fotos
◦ Maps
◦ Microsoft Edge
◦ OneNote
◦ Skype
◦ Store
◦ Twitter
Privacy → Microphone
Microphone works identically to the Camera option, except that it controls connected microphones. The following options are available:
• Let apps use my microphone. You may enable or disable the use of the microphone by apps here. Note that turning this off won’t impact microphone use in desktop programs.
• Choose apps that may use the microphone. You can prevent select applications from using the microphone. The microphone feature needs to be enabled for this to work. The following applications are listed there by default:
◦ Feedback Hub
◦ Fotos
◦ Messaging
◦ Microsoft accounts
◦ Microsoft Edge
◦ OneNote
◦ Skype
◦ Store
◦ Take a Test
◦ Twitter
◦ Voice Recorder
◦ Xbox
◦ Xbox Gamebar
Privacy → Notifications
This page provides you with options to disable access to notifications by applications. The following options are provided:
• Let apps access my notifications. This enables or disables the notifications system for applications system wide.
• Choose apps that can use notifications. If notifications are enabled, you may use this setting to prevent select applications from using notifications.
Windows 10 Fall Creators Update ships without apps that are permitted to access notifications on the device.
Privacy → Speech, inking and typing
You may change the status of speech services and typing suggestions on this page. The following options are provided:
• Turn speech services and suggestions on or off. If you turn this off, you cannot speak to Cortana anymore, and the personal user dictionary will be cleared. This won’t impact speech services that don’t rely on the cloud. You may also follow the “manage my voice data that’s stored in the cloud with my Microsoft account” link to manage voice data on the web. [10]
Privacy → Account Info
Here you may select whether apps may access account related information such as your name or picture. The following options are provided on this page:
• Let apps access my name, picture and other account info.
• Turn off access to Account information for select applications. Note that this works only if Account Info is turned on.
The following applications are listed under Account Info automatically: Microsoft content
Privacy → Contacts
The Contacts privacy settings allow you to define whether applications may access contacts on the device. Some apps, Mail and Calendar, People and Phone, have access to contacts even if the feature is turned off. The following options are provided:
• Let apps access my contacts. This setting determines whether Windows Store applications may access contacts if you allow them to do so (or if Windows allows them to do that by default).
• Turn off access to Contacts for individual applications. The following apps are listed there by default:
◦ Email and accounts
◦ Maps
◦ Photos
◦ Skype
◦ Twitter
◦ Voice Recorder
◦ Xbox
Privacy → Calendar
This page controls which applications may access calendar information. The Mail and Calendar application has access to calendar data even if this is turned off. The following options are provided:
• Let apps access my calendar. Determines whether calendar functionality is enabled.
• Turn access to Calendar data off for select applications. The following apps are listed by default:
◦ People
◦ Windows
Privacy → Call History
Control access to the Call History by applications on this page. The Phone application has access to the call history even if the feature is turned off.
• Let apps access my call history. This setting determines whether applications may access the call history on the device.
• Turn off access to the Call History for select applications. This works only if the setting is enabled. The following applications are configured for access automatically.
◦ Messaging
◦ People
• The following application has hardcoded access to the Call History
◦ Phone
Privacy → Email
The page allows you to control if applications may access and send email. The Mail and Calendar application is allowed to send and access email regardless of setting. The following options are provided:
• Let apps access and send email. Apps need permission to access or transfer emails.
• Choose apps that can access and send email. This relies on the general setting to work. The following application is set up to access and send email by default.
◦ People
• The following applications have hardcoded access that cannot be revoked:
◦ Mail and Calendar
Privacy → Tasks
You may allow or deny Tasks access to applications. The Mail and Calendar application has access to Tasks regardless of setting. You can change the following preferences here:
• Control Tasks access by applications for the whole device.
• Control Tasks access for individual applications.
• The following applications have hardcoded access to Tasks; this cannot be turned off:
◦ Mail and Calendar
Privacy → Messaging
Here you may define if applications may read or send messages using text or MMS. The following options are listed:
• Let apps read or send messages (text or MMS). Turn the feature on or off completely.
• Choose which applications may read or send messages. The following apps are configured to do so by default:
◦ People
◦ Skype
Privacy → Radios
You can control radio use by applications, Bluetooth functionality for instance, on this page. This setting does not define whether applications may use radios, but whether they may control them. The following options are provided:
• Select whether applications may control radios such as Bluetooth. This allows them to turn them on or off, or make use of radios.
• Choose which applications may control radios. The following applications are set up to control radios by default:
◦ Windows
Privacy → Other devices
“Other devices” defines the sync behavior with other devices such as PCs, tablets or phones. This setting is for “other devices” that don’t pair explicitly with the device already. The following options are provided:
• Let your apps automatically share and sync info with wireless devices that don’t explicitly pair with your PC, tablet or phone.
• Select which apps may sync info or share automatically with wireless devices.
• Manage the list of other devices.
Privacy → Feedback & Diagnostics
You control here how much data is sent to Microsoft, whether that data is used for tailored experiences, and how often Windows displays feedback prompts. The following options are provided:
• Select how much data you send to Microsoft. Switch between Full and Basic telemetry settings. This is one of the options displayed on the Privacy page during setup. For detailed information on Telemetry, check out the Telemetry chapter of this book.
• Let Microsoft provide more tailored experiences with relevant tips and recommendations by using your diagnostic data. Enable or disable the tailored experiences functionality. This was also part of the Privacy page during setup.
• Control the feedback frequency (default automatic), or turn the feature off completely.
Privacy → Background apps
You may allow or deny applications to run in the background using this setting. The following options are provided:
• Turn background application functionality on or off for all applications.
• Choose which applications may run in the background. This is only active if the general setting is turned on. The following applications are set up to run in the background by default:
◦ 3D Viewer
◦ Alarms & Clock
◦ Calculator
◦ Camera
◦ Connect
◦ Feedback Hub
◦ Get Help
◦ Get Office
◦ Groove Music
◦ Mail
◦ Maps
◦ Messaging
◦ Microsoft Edge
◦ Microsoft Solitaire Collection
◦ Minecraft: Windows 10 Editions
◦ Movies & TV
◦ News
◦ OneNote
◦ Paid Wi-Fi & Cellular
◦ Paint 3D
◦ People
◦ Photos
◦ Settings
◦ Skype
◦ Sticky Notes
◦ Store
◦ Tips
◦ Twitter
◦ Voice Recorder
◦ Weather
◦ Windows Defender Security Center
◦ Xbox
Privacy → App diagnostics
The last privacy setting lists options to control whether applications may access diagnostic data. Diagnostic data may include the names of running applications, the user account that launched an app, app memory information, CPU, disk and network usage. The following options are provided:
• Choose whether apps may use diagnostic data on the machine.
• Select which individual apps may access diagnostic data.
Privacy → Automatic file downloads
Windows 10 may download files automatically from online storage providers such as OneDrive if the files are available only online. The setting lets you unblock applications that you blocked from downloading files automatically. Windows 10 notifies you when apps want to download files automatically, and you may allow it, dismiss the message, cancel the downloading or block the application from
Quick Overview: Differences between Windows 10 Editions
The Windows 10 operating system is offered in multiple editions. These can be divided into retail, organizational and special editions.
Retail: Windows 10 Home and Windows 10 Pro
Organizational: Windows 10 Enterprise, Windows 10 Enterprise LTSC, Windows 10 Education, Windows 10 Pro Education, Windows 10 Mobile Enterprise
Special: Windows 10 Mobile, Windows 10 IoT, Windows 10 S, Windows 10 Team, Windows 10 Pro for Workstations
Consumers may select between Windows 10 Home and Pro. The core difference from a privacy perspective is that Home does not ship with the Group Policy Editor. This makes it more difficult to apply certain settings on the system. Windows 10 Pro includes business related features such as Remote Desktop, creating and joining domains, Trusted Boot, or Enterprise Mode Internet Explorer on top of that, and is more expensive than the Home edition of the operating system.
There are core differences between Retail and Organizational editions. Organizational editions support the “Security” Telemetry level which Home and Pro editions do not support. They also support the recently announced Windows Analytics setting. The default Telemetry level is Full on all editions of Windows 10 though.
Note: The next chapter gives you an overview of Telemetry; it offers detailed information on what Telemetry is, and how the different Telemetry levels differ from each other (based on information that Microsoft provided in the past).
Organizational editions of Windows 10 give you the best control over privacy related features. If you run Windows 10 already, you can find out which version you have by tapping on the Windows-key, typing winver, and hitting the Enter-key.
The window that opens lists the version and build of the operating system, and the edition. Windows 10 Home systems can be upgraded to Windows 10 Pro.
Important information about tools used in this guide
To start the Group Policy Editor:
1. Tap on the Windows-key, type gpedit.msc, and hit the Enter-key. Note that the Group Policy Editor is only available in professional versions of Windows (basically, not in Home).
To load the Windows Registry Editor:
1. Tap on the Windows-key, type regedit.exe, and hit the Enter-key.
2. Confirm the UAC prompt.
Adding keys to the Registry: If a Registry path is listed, it can happen sometimes that a key does not exist. You may create it with a right-click on its parent key in the Registry Editor, and selecting New > Key from the menu.
To load the Settings application:
1. Use the keyboard shortcut Windows-I.
To load an administrative command prompt:
1. Tap on the Windows-key, type cmd.exe, hold down the Shift-key and the Ctrl-key, and hit the Enter-key while the two keys are held down.
To load an elevated PowerShell prompt:
1. Tap on the Windows-key, type powershell, hold down the Shift-key and the Ctrl-key, and hit the Enter-key.
Telemetry
Windows as a Service is a fundamental change to Microsoft’s previous system of planning, developing and releasing operating systems. Microsoft released new Windows versions every few years in the past; Windows 7 in 2009 and Windows 8 in 2012 for instance, but that changed with the release of Windows 10 in the year 2015. Microsoft realized that creating and deploying large Windows updates was a substantial effort in the past as it took three years of development to release a new version of Windows. Windows as a Service changes the old release model by pushing out frequent updates – so called Feature Updates – instead. Main benefits of the new strategy are that development requires less resources, that it is less time consuming, and that new features and changes are pushed out faster to the existing customer base. The company plans to release two feature updates per year for Windows 10; a much faster pace when compared to the classic release model. The following feature updates have been released so far:
July 29, 2015 – Windows 10 RTM (Release to Manufacturing)
November 12, 2015 – Windows 10 November Update, version 1511
August 2, 2016 – Windows 10 Anniversary Update, version 1607
April 5, 2017 – The Windows 10 Creators Update, version 1703
October 17, 2017 – The Windows 10 Fall Creators Update, version 1709
Telemetry is not a new concept; Microsoft did collect Telemetry data in previous versions of the company’s Windows operating system as well, for instance to check whether the installation of Windows updates was successful, or to gather reliability information through the CEIP (Windows Customer Experience Improvement Program). Windows as a Service makes Telemetry data more important however in Windows 10. The shorter release cycle is one core reason for that, as the next Windows 10 feature update is just six months away and not three years anymore. Microsoft has to prioritize decision making and development, and Telemetry data helps the company in that decision-making process.
What is Telemetry
Microsoft defines Telemetry in the following ways:
Windows telemetry is vital technical data from Windows devices about the device and how Windows and related software are performing. [11]
Telemetry is system data that is uploaded by the Connected User Experience and Telemetry component. The telemetry data is used to keep Windows devices secure, and to help Microsoft improve the quality of Windows and Microsoft services. It is used to provide a service to the user as part of Windows.
According to Microsoft, Telemetry is used for
• Keeping Windows up to date.
• Keeping Windows secure, reliable and performant.
• Improving Windows through the use of aggregate Windows use data.
• Personalizing the Windows engagement surface.
• Better understanding how customers use (or don’t use) operating system features and services.
Specific examples of Windows telemetry data that Microsoft provides include:
• The type of hardware that is being used.
• The applications that are installed, and usage information.
• Device driver reliability information.
• Monitoring the scalability of the Cortana cloud service.
• How users customize the Windows Start Menu.
Microsoft states that it uses Telemetry data to identify security and reliability issues in Windows 10, to analyze problems, to improve the quality of Windows, and for making future development decisions. It needs to be noted that Telemetry is not a Windows-specific feature. Many companies, including Google, Mozilla or Tesla, collect Telemetry data.
Microsoft differentiates between Telemetry and functional data. Telemetry is what Microsoft collects, as described above.
Operational data, such as telemetry, enables us to provide you with core operating system services, such as Windows Update, and gives every enterprise customer a voice in helping shape future versions of Windows. We can provide quick responses to your feedback and your feedback helps us define new features and improve quality. [12]
Functional data on the other hand is exchanged by Windows apps and components to provide users with information or functionality they require or provide. A basic example is the use of location data to look up weather information or display local news.
Functional data is created and used by specific applications or components of Windows, such as Cortana and Bing, and gives you customized experiences that help increase your productivity and enjoyment of your Windows devices. [13]
While Telemetry cannot be turned off completely, depending on the edition that is used it is either set to Security or Basic at a minimum, functional data can be blocked completely.
The blocking of functional data restricts some features of the Windows 10 operating system and applications that require the data to function properly.
Important
Telemetry only applies to Windows, Windows Server, and System Center components, and apps that use Connected User Experience or Telemetry components.
There are four Telemetry levels as of Windows 10 version 1709 which are described in detail on the next pages.
The lowest Telemetry level supported through Management Policies is Security, and only available in Enterprise editions of Windows 10 (see Telemetry Levels below for detailed information on editions).
The lowest Telemetry level supported through the Settings UI is Basic.
All Telemetry data is encrypted using SSL when it is transferred to the Microsoft Data Management Service. Microsoft’s implementation uses certificate pinning as well.
Telemetry data is uploaded on a schedule that takes into account event priority, battery use, and network costs.
With Windows 10, data is uploaded on a schedule that is sensitive to event priority, battery use, and network cost. Real-time events, such as Windows Defender Advanced Threat Protection, are always sent immediately. Normal events are not uploaded on metered networks, unless you are on a metered server connection. On a free network, normal events can be uploaded every 4 hours if on battery, or every 15 minutes if on A/C power. Diagnostic and crash data are only uploaded on A/C power and free networks. [14]
How does Windows 10 collect Telemetry data?
All Windows 10 editions come with the Connected User Experiences and Telemetry service. This service is run by the Connected User Experience and Telemetry component. The service’s name is Connected User Experiences and Telemetry, its display name is DiagTrack, and its service name is utcsvc. The service’s description reads:
The Connected User Experiences and Telemetry service enables features that support in-application and connected user experiences.
Additionally, this service manages the event driven collection and transmission of diagnostic and usage information (used to improve the experience and quality of the Windows Platform) when the diagnostics and usage privacy option settings are enabled under Feedback and Diagnostics.
Telemetry data is stored in the hidden system folder %ProgramData%\Microsoft\Diagnosis. Note that the data is encrypted, and that permissions make it difficult to access these folders.
Windows 10 connects to the Telemetry endpoints, listed in the following chapter, when it is time to transfer data to Microsoft. The Telemetry client connects to settings-win.data.microsoft.com to download a settings file and provide a device ID and other basic information. The settings file is parsed, and then used to connect to v10.vortex-win.data.microsoft.com, the Microsoft Data Management Service to upload the Telemetry data.
Telemetry levels Overview
Windows 10 supports the four Telemetry levels: Security, Basic, Enhanced and Full. Only two of those levels, Basic and Full, can be set in the Settings application by users of the operating system. One level, Security, is only available in Windows 10 Enterprise, Windows 10 Server, and Education. The fourth level, Enhanced, is available in all editions, but can only be set using the Group Policy or by making changes to the Windows Registry.
Security – Information required to help keep Windows secure. It collects data that is required to keep Windows secure and protected with the latest security updates. Not an option under Settings.
• applies to: Windows Server 2016, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and Windows IoT Core editions
Basic – Basic includes all Security data, and data that Microsoft calls “critical for understanding the device and its configuration”.
• applies to: all editions of Windows 10. Minimum setting for all editions that are not listed under Security above.
Enhanced – A Telemetry level of Enhanced includes all data that is sent on the Basic level, plus additional data on how apps, Windows, Windows Server, or System Center are used, and how they perform. Not an option under Settings, can only be set using policies or the Registry.
• applies to: all editions of Windows 10.
Full – The Full level includes all basic and security data sets. Additionally,
• applies to: all editions of Windows 10.
• Default on: Windows 10 Insider Preview systems, on Windows 10 Pro and Home. Windows 10 Enterprise, Windows 10 Education, Windows 10 Server.
Security
Note: Organizations should not use the Security telemetry level if they rely on Windows Update for updates according to Microsoft. The main reason Microsoft gives for that is that Windows Update information is not gathered on this level, and that means that information about update failures is not submitted. Microsoft uses the data to repair issues that cause updates to fail, and to improve the quality of updates.
Organizations may want to use this Telemetry level for computer systems without Internet connectivity, as this stops the gathering of data that would not be transferred anyway. Also, the level is suitable for machines which should not communicate with the outside world, and for environments where communication with outside servers needs to be kept to a minimum.
Data gathered on this level
Security is the lowest Telemetry level. It is only available in Enterprise-editions of Windows 10 (see full compatibility list in the previous chapter).
Connected User Experience and Telemetry component settings
If general telemetry data has been gathered and is queued, it is sent to Microsoft. Along with this telemetry data, the Connected User Experience and Telemetry component may download a configuration settings file from Microsoft’s servers. This file is used to configure the Connected User Experience and Telemetry component itself.
The data gathered by the client for this request includes OS information, device id (used to identify what specific device is requesting settings) and device class (for example, whether the device is server or desktop).
Malicious Software Removal Tool (MSRT)
The MSRT infection report contains information, including device info and IP address.
Note: MSRT infection reports can be turned off. See Deploy Windows Malicious Software Removal Tool in an Enterprise environment for information: https://support.microsoft.com/en-us/help/891716/deploy-windows-malicious-software-removal-tool-in-an-enterprise-environment
Windows Defender/Endpoint Protection
Windows Defender and System Center Endpoint Protection requires some information to function, including: anti-malware signatures, diagnostic information, User Account Control settings, Unified Extensible Firmware Interface (UEFI) settings, and IP address.
Note: The reporting can be turned off: https://docs.microsoft.com/en-us/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services#bkmk-defender
Microsoft states that no user content is gathered at this level. User content includes user files or communication. Steps are taken to avoid the gathering of user or company identifying information such as email addresses, names, or account IDs.
It may happen unintentionally however through MSRT as reports may contain personal information.
MSRT information may unintentionally contain personal information. For instance, some malware may create entries in a computer’s registry that include information such as a username, causing it to be gathered. MSRT reporting is optional and can be turned off at any time.
Basic
Basic is one of the two Telemetry levels that Microsoft lists during setup and in the Windows 10 Settings application. It is not the default level however, and must be set by users or administrators.
Data gathered on this level
Basic is the second-lowest Telemetry level. It includes all data that is collected on the Security level (see description above), plus additional data. This additional data can be divided into device information, quality related information, and inventory related information.
Basic Device Data
• Internet Explorer version
• Device attributes such as camera resolution and display type.
• Battery attributes.
• Networking attributes such as the number of network adapters or IMEI number.
• Processor and memory attributes such as number of cores, memory size, or architecture.
• Storage attributes such as the number of hard drives, type of drives, and size.
• Operating system attributes such as the Windows edition and virtualization state.
• Virtualization attributes, such as guest operating system or SLAT support.
Connected User Experience and Telemetry component quality metrics
This includes information on how Telemetry and Connected User Experience components function and work. Information that is transferred includes data on uploaded and dropped events, and the last upload time.
Quality related information
Data that provides Microsoft with information on how a device and Windows performs. Data includes the number of crashes and hangs, application state change details such as how much memory and processor time were used, and characteristics of a Connected Standby device.
Compatibility data
• List of installed applications including application names, publisher information, versions, as well as Internet Explorer add-ons.
• Data on how apps are used, how long individual apps are open, have focus, and when apps are started.
• System data that Microsoft uses to determine whether a device meets the minimum requirements to update to the next version of Windows. Also includes memory, as well as information on the processor and BIOS.
• List of accessory devices such as printers or external hard drives. Also, compatibility information to determine if they are compatible with the next version of Windows.
• Data on installed drivers, including whether these are compatible with the next version of Windows.
Microsoft Store
This set of data includes information on how Microsoft Store performs on the device. Information includes the number of app downloads, installations and updates. Also, Microsoft Store launches, page views, suspend and resume operations, and license obtaining.
Enhanced
The Enhanced Telemetry level can only be set using policies or the Registry. See the next chapter – Configuring Telemetry on Windows 10 – for instructions on changing the Telemetry level.
This level helps to improve the user experience with the operating system and apps.
Data from this level can be abstracted into patterns and trends that can help Microsoft determine future improvements.
Data gathered on this level
The enhanced level includes all data from the Security and Basic level.
• Operating system events including networking, Hyper-V, Cortana, storage, file system.
• Operating system app events that result from Microsoft applications and management tools downloaded from Store, or that came pre-installed with the operating system (such as Microsoft Edge, Mail, or Photos).
• Device specific events such as Surface Hub or Microsoft HoloLens data (which is not part of regular computer systems).
• A selection of crash dump types.
Full
Full data includes all data that is collected on the Security, Basic and Enhanced level, plus additional information listed below. It is the default level on all non-Enterprise, Education and Server operating system editions of Windows 10.
Data gathered on this level
◦ App usage, input reaction, or how long each app runs.
◦ Browser usage, including browsing history and search terms.
◦ Samples (small according to Microsoft) of inking and typing support. Microsoft notes that the data is processed to remove identifiable information such as email addresses, names, or numeric values.
◦ Enhanced error reporting like the memory state of the device, when system or app crashes occurred.
◦ Status and logging information about the health of the operating system.
◦ Additional device data, connectivity information, and configuration data beyond what is already collected on the Basic level.
Endpoints for Telemetry Services
Service | Endpoint
Connected User Experience and Telemetry component | v10.vortex-win.data.microsoft.com, settings-win.data.microsoft.com
Windows Error Reporting | watson.telemetry.microsoft.com
Online Crash Analysis | oca.telemetry.microsoft.com
OneDrive app for Windows 10 | vortex.data.microsoft.com/collect/v1
Configuring Windows 10 Telemetry settings
Windows 10 users and administrators have three options when it comes to setting the Telemetry level (switching to a level that is not the default). The Settings application limits the levels to Basic and Full. You can set the Security and Enhanced levels only through other means, for instance by using the Group Policy or editing the Registry. Note that you can set the Security level on non-Enterprise versions through the Registry or Group Policy, but that the setting is changed to Basic automatically in that case.
Option 1: Settings application
1. Use the keyboard shortcut Windows-I to open the Settings application.
2. Navigate to Privacy > Feedback & Diagnostics
3. Locate the “Select how much data you send to Microsoft” section.
4. You have the option to switch between Basic and Full levels there.
Option 2: Group Policy
1. Tap on the Windows-key, type gpedit.msc, and hit the Enter-key on the keyboard.
2. Use the folder structure on the left to navigate to Computer Configuration > Administrative Templates > Windows Components > Data Collection and Feedback
3. Double-click on “Allow Telemetry”.
4. Set the policy to Enabled.
5. Select one of the available levels (Security, Basic, Enhanced, Full).
   1. Note that Security applies only to Enterprise, EDU and IoT. While you may set the level on other editions of Windows 10, this is then handled like Basic automatically. In other words, the lowest level you can set on Home and Pro editions of Windows 10 is Basic.
Option 3: Windows Registry
1. Tap on the Windows-key, type regedit.exe, and hit the Enter-key on the keyboard.
2. Navigate to the following key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection
3. Right-click on DataCollection, and select New > Dword (32-bit) Value.
4. Name it AllowTelemetry.
5. Double-click on the new value AllowTelemetry, and set its value according to the table below. Again, Security is automatically changed to Basic on Home and Pro editions of Windows 10.
6. Restart the PC afterwards.
Level | Data gathered | Value
Security | Security data only. | 0
Basic | Security data, and basic system and quality data. | 1
Enhanced | Security data, basic system and quality data, and enhanced insights and advanced reliability data. | 2
Full | Security data, basic system and quality data, enhanced insights and advanced reliability data, and full diagnostics data. | 3
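One way to script Option 3 from an elevated PowerShell prompt, as an added example that is not part of the guide. The key path, value name and level numbers are the ones listed above; the function names and the EditionID pattern used to guess whether the Security level is honored are assumptions.

```powershell
# Added example (not from the guide). Run from an elevated PowerShell prompt.
# Key path, value name and level numbers are taken from Option 3 above.
$TelemetryKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection'
$LevelNames   = @{ 0 = 'Security'; 1 = 'Basic'; 2 = 'Enhanced'; 3 = 'Full' }

function Test-SecurityLevelSupported {
    # Assumption: an EditionID containing one of these words marks an edition
    # on which the guide says the Security level is honored.
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    return [bool]($cv.EditionID -match 'Enterprise|Education|Server|IoT')
}

function Get-TelemetryLevel {
    # Report the configured value and the level it is handled as.
    $configured = $null
    if (Test-Path -Path $TelemetryKey) {
        $item = Get-ItemProperty -Path $TelemetryKey -Name AllowTelemetry -ErrorAction SilentlyContinue
        if ($null -ne $item) { $configured = [int]$item.AllowTelemetry }
    }
    # Security (0) is handled like Basic (1) on Home and Pro.
    $effective = $configured
    if ($configured -eq 0 -and -not (Test-SecurityLevelSupported)) { $effective = 1 }
    [pscustomobject]@{
        Configured = if ($null -eq $configured) { 'not set' } else { "$configured ($($LevelNames[$configured]))" }
        Effective  = if ($null -eq $effective) { 'edition default' } else { "$effective ($($LevelNames[$effective]))" }
    }
}

function Set-TelemetryLevel {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateRange(0, 3)]
        [int]$Level
    )
    if ($Level -eq 0 -and -not (Test-SecurityLevelSupported)) {
        Write-Warning 'Security (0) is handled as Basic (1) on this edition.'
    }
    if ($PSCmdlet.ShouldProcess($TelemetryKey, "Set AllowTelemetry to $Level ($($LevelNames[$Level]))")) {
        # Create the key first if it does not exist, as the guide describes for missing keys.
        if (-not (Test-Path -Path $TelemetryKey)) {
            New-Item -Path $TelemetryKey -Force | Out-Null
        }
        New-ItemProperty -Path $TelemetryKey -Name AllowTelemetry -PropertyType DWord -Value $Level -Force | Out-Null
    }
    Get-TelemetryLevel
}
```

`Set-TelemetryLevel -Level 1 -WhatIf` previews the change without writing; as with the manual steps, restart the PC after a real change.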
Business and Enterprise options
Options to turn off Telemetry are also provided in System Center 2016 by using the System Center UI Console settings workspace. Another option is provided by MDM. You may use the Policy Configuration Service Provider (CSP) to apply the AllowTelemetry MDM policy.
Manage Connections from Windows components to Microsoft
Windows 10 and Windows 10 Server administrators and users may control the handling of Telemetry and other connections that Windows and apps make to Microsoft individually as well. The following chapters highlight these options. Most apply to all editions of Windows 10. It needs to be noted that some options, such as MDM policy or Group Policy, are not available for all versions of Windows 10.
Please note that it is recommended to go through the list and decide for each setting individually how you want to configure it. Some may be required for functionality. If you disable location for all apps, you cannot use certain features that require location. The same is true for other features, so that the decision should be based on your use of the operating system, and what you feel comfortable with.
Settings for Windows 10
Some programs and services ship with their own Telemetry data settings which you need to disable manually if you don’t want the data to be sent to Microsoft. I have listed those in other chapters in this guide. This is true for instance for the Messenger application.
Certificate Trust Lists
A predefined list of items, for instance of certificate hashes or file names, that are signed. Windows will download an updated certificate trust list when it is updated. You can turn off the automatic downloading of the updated list by turning off automatic root updates.
Note: Web connectivity issues may occur when you disable the root certificate updating.
1. Open the Group Policy Editor, and go to Computer Configuration > Administrative Templates > System > Internet Communication Management > Internet Communication Settings > Turn off Automatic Root Certificates Update. Set this to enabled to disable the automatic updating of Root Certificates
2. If you prefer the Windows Registry instead, do the following:
   1. Open the Windows Registry Editor, and go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot
   2. If a key does not exist, right-click on the parent key, and select New > Key to create it.
   3. Right-click on AuthRoot, and select New > Dword (32-bit) Value.
   4. Name it DisableRootAutoUpdate.
   5. Double-click on the new value, and set its value to 1.
3. While still in the Group Policy Editor, go to Computer Configuration > Windows Settings > Security Settings > Public Key Policies
   1. Select Certificate Path Validation Settings by double-clicking on it.
   2. On the Network Retrieval tab, select Define these policy settings.
   3. Uncheck the Automatically update certificates in the Microsoft Root Certificate Program (recommended)
Cortana and Search
Cortana is a digital agent that is part of the Windows 10 operating system. Microsoft linked Cortana to search, as it may be used to run web searches for the user. Cortana is configured to make life easier for the user. The digital agent may be used to keep track of dates or events, track pages, your favorite sports team or flights, to create and manage lists, and to send emails or texts.
Cortana returns web search results powered by Bing by default for queries. This was limited to search term suggestions in older versions of Windows 10, but has since then been expanded by Microsoft. Web search displays the Bing results page on the desktop when you run searches in the Fall Creators Update.
Windows users may disable Cortana, but may still use Windows Search to find local files, settings and information when they do so.
Allow Cortana
This policy determines whether Cortana is allowed on the device. Note that users may still use Windows Search to find files, settings and other information on the device when they disable Cortana on the machine.
Group Policy
Computer Configuration > Administrative Templates > Windows Components > Search > Allow Cortana
Enabled – Same as not configured. Cortana is allowed on the device.
Disabled – Cortana is disabled.
Windows Registry
1. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\Experience
2. If Experience does not exist, right-click on device and select New > Key. Name the key Experience.
3. Right-click on Experience, and select New > Dword (32-bit) Value.
   1. Set its value to 0 to disallow Cortana.
   2. Set its value to 1 to allow Cortana.
Alternatively
2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search
3. Create Dword (32-bit) Value AllowCortana
   1. Set its value to 0 to disallow Cortana
   2. Set its value to 1 or delete the preference to allow Cortana.
4. Additionally, on 64-bit versions of Windows:
   1. Go to HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows\Windows Search\
   2. Right-click on Windows Search, select New > Dword (32-bit) Value.
   3. Name it AllowCortana
      1. Set its value to 0 to disallow Cortana
      2. Set its value to 1 to allow Cortana
Allow Search and Cortana to use location
This policy defines whether Windows Search and Cortana can use the device’s location to deliver location aware search results.
Group Policy
Computer Configuration > Administrative Templates > Windows Components > Search > Allow search and Cortana to use location
Enabled – Cortana and Search are allowed to access location information, and will use the data for location aware search results.
Disabled – Cortana and Search may not use location information.
Windows Registry
Allow search and Cortana to use location
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search
Name: AllowSearchToUseLocation
Type: Dword
Set its value to 0 to disallow search to use the location.
Set the value to 1 or delete the Dword value to allow search to use the location.
Do not allow web search
This policy defines whether Windows Desktop Search may search the Web when you type in the search box, and return Web results.
Group Policy
Computer Configuration > Administrative Templates > Windows Components > Search > Do not allow web search
Enabled – If you enable the policy, Web Search options are not available.
Disabled – Same as not configured. The option to search the web is available, and users can search the Web using the default search engine.
Windows Registry
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search
Name: DisableWebSearch
Type: Dword
Set its value to 1 to disable web searching.
Set its value to 0 to enable web searching, or delete the value.
Don’t search the web or display web results in Search
This policy allows you to control whether Search may run web search queries, and whether web results are displayed by Windows Search.
Group Policy
Computer Configuration > Administrative Templates > Windows Components > Search > Don’t search the web or display web results in Search
Enabled – If you enable the policy, Windows Search won’t run or return web queries.
Disabled – Windows Search will search the Web, and web results are displayed in Search.
Not Configured – Users are in control and may configure Search to include Web results, or block Search from doing so.
Windows Registry:
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search
Name: ConnectedSearchUseWeb
Type: Dword
Set its value to 0 to disable searching the web or displaying web results.
Set its value to 1 or delete the preference to allow web searching
Don’t search the web or display web results in Search over metered connections
This is essentially the same as the policy above, but it applies only to metered connections. If you enable the “Don’t search the web or display web results in Search” policy, queries won’t be performed regardless of how you configure this policy.
Group Policy
Computer Configuration > Administrative Templates > Windows Components > Search > Don’t search the web or display web results in Search over metered connections
Enabled – If you enable this policy, Search won’t run web searches or display them in the Search results if a metered connection is used.
Disabled – Web searches are run over metered connections, and results are displayed by Search.
Not Configured – Users are in control, and may enable or disable the feature.
Windows Registry
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search
Name: ConnectedSearchUseWebOverMeteredConnections
Type: Dword
Set its value to 0 to disable the feature. Web Search is enabled over metered connections.
Set its value to 1 to enable it.
Set what information is shared in Search
This policy defines which information is shared with Bing when web searches are run. Available options include sharing user information and location, user information only, or anonymous information.
Group Policy
Computer Configuration > Administrative Templates > Windows Components > Search > Set what information Is shared in Search
Enabled – If you enable this setting, you may select one of the following data sets when it comes to sharing with Bing:
User info and location – Shares both information on the user, the search history, and specific location information to personalize search and “other Microsoft experiences”.
User info only – This shares user information, but no location information.
Anonymous info – Shares usage information, but no Microsoft Account, search history, or location data.
Disabled – Same as not configured. Users may choose what is shared in Search.
Windows Registry
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search
Name: ConnectedSearchPrivacy
Type: Dword
A value of 1 means User info and location is shared.
A value of 2 means only user info is shared.
A value of 3 means only anonymous info is shared.
Set the SafeSearch setting for Search
SafeSearch determines whether a filter is being used to filter out inappropriate content. This is the same filter that is available on Bing directly when you run searches using the search engine. Options include setting the search filter to strict, moderate or off. Users are allowed to specify the filter if the policy is not configured.
Group Policy
Computer Configuration > Administrative Templates > Windows Components > Search > Set the SafeSearch setting for Search
Enabled – If you enable the policy, you may set the SafeSearch filter to the following values:
Strict – Filters out adult text, images, and videos from search results.
Moderate – Filters adult images and videos only.
Off – Does not filter.
Disabled – Same as not configured. Search is enabled, and users may configure the filter level.
Windows Registry
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search
Name: ConnectedSearchSafeSearch
Type: Dword
1 – Value of 1 means strict filtering.
2 – Value of 2 means moderate filtering.
3 – Value of 3 means no filtering.
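A read-only audit of the Search policy values described in the sections above, as an added example that is not part of the guide. The key path, value names and data meanings are the ones listed above; the function name, variable names and report layout are assumptions.

```powershell
# Added example (not from the guide): read-only audit of the Search policy values.
$SearchKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'

# Value name -> meaning of each data value, as stated in the sections above.
$SearchPolicies = [ordered]@{
    AllowCortana              = @{ 0 = 'Cortana disallowed'; 1 = 'Cortana allowed' }
    AllowSearchToUseLocation  = @{ 0 = 'Search may not use location'; 1 = 'Search may use location' }
    DisableWebSearch          = @{ 0 = 'Web search enabled'; 1 = 'Web search disabled' }
    ConnectedSearchUseWeb     = @{ 0 = 'No web search or web results'; 1 = 'Web search allowed' }
    ConnectedSearchPrivacy    = @{ 1 = 'User info and location shared'; 2 = 'User info only'; 3 = 'Anonymous info only' }
    ConnectedSearchSafeSearch = @{ 1 = 'Strict filtering'; 2 = 'Moderate filtering'; 3 = 'No filtering' }
}

function Get-SearchPolicyReport {
    param(
        # Point this at the WOW6432Node copy of the key to audit it as well.
        [string]$Path = $SearchKey
    )
    $props = $null
    if (Test-Path -Path $Path) {
        $props = Get-ItemProperty -Path $Path
    }
    foreach ($name in $SearchPolicies.Keys) {
        $raw = $null
        if ($null -ne $props) { $raw = $props.$name }

        if ($null -eq $raw) {
            # A missing value means no policy is applied for this setting.
            $meaning = 'not set (default or user choice applies)'
        } else {
            $number = $raw -as [int]
            if ($null -ne $number -and $SearchPolicies[$name].ContainsKey($number)) {
                $meaning = $SearchPolicies[$name][$number]
            } else {
                # Data outside the values the guide documents, or of the wrong type.
                $meaning = 'unexpected data'
            }
        }
        [pscustomobject]@{ Value = $name; Data = $raw; Meaning = $meaning }
    }
}

Get-SearchPolicyReport | Format-Table -AutoSize
```

The function only reads the Registry, so it can run before and after a policy change to confirm which values actually landed under the key.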
Cortana and Search MDM Policies
The following Cortana MDM policies are available in the Policy CSP
• Experience/AllowCortana – Select whether to allow or disallow Cortana on Windows 10 machines.
• Search/AllowSearchToUseLocation – Choose whether Cortana or Search may use location data to provide location-aware search results
• Linguistic Data Collection can be disabled in Settings > Privacy. Microsoft uses data collected by the Enhanced and Full Telemetry levels to improve features such as spell checking, suggestions, or dictionaries.
• Windows Defender Cloud-based Protection and Automatic Sample Submission can be turned off in Settings > Update & Security > Windows Defender.
• Windows Update Telemetry can only be turned off if you disable Windows Updates, or if you set the device to be managed by an on premises update server such as WSUS (Windows Server Update Services), or System Center Configuration Manager.
• You can disable the infection reporting of the Microsoft Removal Tool as well by adding the following Registry key to the Windows 10 system:
◦ HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT
◦ Dword (32-bit) Name: DontReportInfectionInformation
◦ Value data: 1
Date & Time
You can configure Windows so that it won’t set the time automatically. You may turn off the feature in the Settings application:
1. Open the Settings application with Windows-I.
2. Go to Time & language > Date & Time
3. Toggle Set Time Automatically.
4. Set Time Zone automatically to off.
Note that if you do, you may need to set the time manually. This is the case for instance when you need to adjust the time forward or backward one hour for daylight saving time. Windows handles this for you automatically if you let it sync the time. If you disable set time zone automatically, Windows won’t adjust the time automatically when you travel to locations that are in a different time zone.
Note that some Windows features – such as Windows Update – rely on accurate date and time information. They may not work properly if date and time are inaccurate.
You may also disable the syncing of time using the Registry
Open the Windows Registry Editor.
1. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\
2. Right-click on Parameters, and select New > String Value
3. Set the value to NoSync.
Then do either of the following:
1. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32time\TimeProviders\NtpClient
2. Right-click on TimeProviders, and select New > Dword (32-bit) Value.
3. Name it Enabled.
4. Set its value to 0.
4.
Device Metadata Retrieval
You can prevent Windows from retrieving Device Metadata from the Internet.
If you enable this policy setting, Windows does not retrieve device metadata for installed devices from the Internet. This policy setting overrides the setting in the Device Installation Settings dialog box (Control Panel > System and Security > System > Advanced System Settings > Hardware tab).
This can be configured through policies:
1. Open the Group Policy Editor
2. Go to Computer Configuration > Administrative Templates > System > Device Installation
3. Double-click on “Prevent device metadata retrieval from the Internet”.
4. Set the policy to enabled.
Or in the Windows Registry:
1. Open the Windows Registry Editor
2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Device Metadata
3. Right-click on Device Metadata, and select New > Dword (32-bit) Value.
4. Name it PreventDeviceMetadataFromNetwork
5. Set its value to 1.
Font Streaming
Windows may download fonts on demand that are not stored on the local device. You can disable font streaming in the Registry or through policies
1. Open the Windows Registry Editor
2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\
3. Right-click on System, and select New > Dword (32-bit) Value.
4. Name it EnableFontProviders
5. Set its value to 1.
Or, by using the Group Policy:
If you disable this policy setting, Windows does not connect to an online font provider and only enumerates locally-installed fonts.
1. Open the Group Policy Editor.
2. Go to Computer Configuration > Administrative Templates > Network > Fonts
3. Double-click on Enable Font Providers.
4. Set the policy to disabled.
Or, by applying the System\AllowFontProviders MDM policy from the Policy CSP and setting the policy to false to disable font streaming.
Insider Preview Builds
Windows Insider Preview Builds are opt-in test versions of upcoming versions of Windows 10. The setting below prevents checks for new Insider Builds. It is easy to sign up a machine for joining the Insider program, but not so easy to leave it again.
Note: You need to roll back to a release version of Windows 10 before the following settings can be used.
To turn off Insider Preview Builds for Windows 10:
1. Open the Settings application.
2. Go to Update & security > Windows Insider Program
3. Select Stop Insider Preview builds.
You can turn this off using the Group Policy as well.
This policy setting determines whether users can access the Insider build controls in the Advanced Options for Windows Update. These controls are located under "Get Insider builds," and enable users to make their devices available for downloading and installing Windows preview software.
If you disable this policy setting, the item "Get Insider builds" will be unavailable.
1. Open the Group Policy Editor.
2. Go to Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds
3. Select Toggle user control over Insider Builds.
4. Set the policy to Disabled.
You can turn Insider Builds off in the Windows Registry as well:
1. Open the Windows Registry Editor
2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds
3. Right-click on PreviewBuilds, and select New > Dword (32-bit) Value.
4. Name it AllowBuildPreview
5. Set its value to 0.
You may also apply the System/AllowBuildPreview MDM policy from the Policy CSP. Set it to 0 to prevent users from making their device available for installing preview software.
Microsoft Internet Explorer
Administrators may use the Group Policy to configure various privacy or telemetry related settings.
1. Open the Group Policy Editor.
2. Go to Computer Configuration > Administrative Templates > Windows Components > Internet Explorer.
   1. Turn on Suggested Sites – Define whether users may configure suggested sites. Set to disabled to turn off.
   2. Allow Microsoft services to provide enhanced suggestions as user types in the Address Bar – Select whether users see suggestions when they type in the address bar. Set to disabled to turn off.
   3. Turn off the auto-complete feature for web addresses – Choose whether Internet Explorer’s auto-complete feature displays matches when users type URLs in the address bar. Set this to enabled to turn it off.
   4. Turn off browser geolocation – Choose whether websites may request location data from Internet Explorer. Set to Enabled to turn it off.
   5. Prevent managing SmartScreen filter – Select whether users may manage the SmartScreen Filter in Internet Explorer. Default is turned off.
3. Go to User Configuration > Administrative Templates > Windows Components > Internet Explorer > Security Features > Add-on Management
   1. Select Turn off Automatic download of the ActiveX VersionList – This policy defines whether Internet Explorer will download updated versions of the VersionList.XML from Microsoft.
   2. Set this policy to enabled.
Warning: Turning off this automatic download breaks the out-of-date ActiveX control blocking feature by not letting the version list update with newly outdated controls, potentially compromising the security of your computer.
It is alternatively possible to configure the settings in the Windows Registry.
1. Open the Windows Registry Editor.
2. For Turn on Suggested Sites:
   1. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Suggested Sites
   2. Right-click on Suggested Sites, select New > Dword (32-bit) Value.
   3. Set the value to 0.
3. For Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar:
   1. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer
   2. Right-click on Internet Explorer, and select New > Dword (32-bit) Value.
   3. Name it AllowServicePoweredQSA
   4. Set its value to 0.
4. For Turn off the auto-complete feature for web addresses:
   1. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Explorer\AutoComplete
   2. Right-click on AutoComplete, and select New > String Value.
   3. Name it AutoSuggest
   4. Give it the value No
5. For Turn off browser geolocation:
   1. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Geolocation
   2. Right-click on Geolocation, and select New > Dword (32-bit) Value.
   3. Name it PolicyDisableGeolocation
   4. Give it the value 0.
6. For Prevent Managing SmartScreen Filter:
   1. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter
   2. Right-click on PhishingFilter, and select New > Dword (32-bit) Value.
   3. Name it EnabledV9.
   4. Set its value to 0.
7. For disabling the download of updated ActiveX control lists:
   1. Go to HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\VersionManager
   2. Select DownloadVersionList
   3. Set its value to 0.
Live Tiles
Live Tiles are used by applications. A weather application may display weather information, for instance, and pull data from a server on the Internet to update the information.
Turn off network usage of live tiles using the Group Policy
1. Open the Group Policy Editor.
2. Go to User Configuration > Administrative Templates > Start Menu and Taskbar > Notifications
3. Select Turn off notifications network usage.
4. Set the policy to enabled.
This policy setting blocks applications from using the network to send notifications to update tiles, tile badges, toast, or raw notifications. This policy setting turns off the connection between Windows and the Windows Push Notification Service (WNS). This policy setting also stops applications from being able to poll application services to update tiles.
If you enable this policy setting, applications and system features will not be able to receive notifications from the network from WNS or via notification polling APIs.
To turn off network usage of Live Tiles using the Windows Registry
1. Open the Windows Registry Editor.
2. Go to HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications
3. Right-click on PushNotifications, and select New > Dword (32-bit) Value.
4. Name it NoCloudApplicationNotification
5. Set its value to 1
Mail Synchronization
You can turn off mail synchronization for Microsoft Accounts configured on the device.
To turn off Mail Synchronization in the Settings application:
1. Open the Settings application.
2. Go to Accounts > Your email and accounts.
3. Remove any Microsoft Account connected there.
To turn off Mail Synchronization using MDM policy
1. Apply the Accounts/AllowMicrosoftAccountConnection MDM policy from the Policy CSP and set it to 0 to disallow it.
Microsoft Account
Windows 10 users may sign in to the operating system using a Microsoft Account, or a local account. Administrators may block Microsoft Account communication with the Microsoft Account cloud authentication service.
Warning: If you disable this, some apps may lose functionality.
To turn off Microsoft Accounts using the Group Policy
This policy setting prevents users from adding new Microsoft accounts on this computer.
If you select the "Users can’t add Microsoft accounts" option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account.
If you select the "Users can’t add or log on with Microsoft accounts" option, existing Microsoft account users will not be able to log on to Windows. Selecting this option might make it impossible for an existing administrator on this computer to log on and manage the system.
1. Open the Group Policy Editor.
2. Go to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
3. Select Accounts: Block Microsoft Accounts
4. Set it to Users can't add Microsoft accounts
To prevent users from adding Microsoft Accounts using the Registry
1. Open the Windows Registry Editor.
2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
3. Right-click on System, and select New > Dword (32-bit) Value.
4. Name it NoConnectedUser
5. Set its value to 3.
Microsoft Edge
You can control the following features using the Group Policy Editor
1. Open the Group Policy Editor.
2. Go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Edge
   1. Configure Autofill – Defines whether users may use autofill functionality.
   2. Configure Do Not Track – Defines whether Do Not Track headers are sent with requests.
   3. Configure Password Manager – Defines whether users may save passwords in Edge.
   4. Configure Search suggestions in Address bar – Defines if suggestions are displayed when users type in the address bar.
   5. Configure Windows Defender SmartScreen Filter – This setting defines whether SmartScreen Filter is turned on or off.
   6. Allow web content on New Tab page – Choose whether to display content from the Internet on the browser’s New Tab page.
   7. Configure start pages – Set the start page for domain-joined devices.
   8. Prevent First Run webpage from opening in Microsoft Edge – Choose whether a first run page is displayed on first start of Microsoft Edge.
You may configure these features in the Registry as well
1. Open the Windows Registry Editor.
   1. Configure Autofill
      1. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main
      2. Right-click on Main, select New > String Value.
      3. Name it UseFormSuggest
      4. Set its value to no.
   2. Configure Do Not Track
      1. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main
      2. Right-click on Main, and select New > Dword (32-bit) Value.
      3. Name it DoNotTrack
      4. Set its value to 1.
   3. Configure Password Manager
      1. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main
      2. Right-click on Main, and select New > String Value.
      3. Name it FormSuggest Passwords
      4. Set its value to no.
   4. Configure Search suggestions in Address bar
      1. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes
      2. Right-click on SearchScopes, and select New > Dword (32-bit) Value.
      3. Name it ShowSearchSuggestionsGlobal
      4. Set its value to 0
   5. Configure Windows Defender SmartScreen Filter
      1. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter
      2. Right-click on PhishingFilter, and select New > Dword (32-bit) Value.
      3. Name it EnabledV9
      4. Set its value to 0
   6. Allow web content on New Tab page – Choose whether to display content from the Internet on the browser’s New Tab page.
   7. Configure start pages – Set the start page for domain-joined devices.
   8. Prevent First Run webpage from opening in Microsoft Edge – Choose whether a first run page is displayed on first start of Microsoft Edge.
Microsoft Edge MDM policies
• Browser/AllowAutoFill
• Browser/AllowDoNotTrack
• Browser/AllowMicrosoftCompatibilityList
• Browser/AllowPasswordManager
• Browser/AllowSearchSuggestionsinAddressBar
• Browser/AllowSmartScreen
• Browser/FirstRunURL
Network Connection Status Indicator
The Network Connection Status Indicator (NCSI) is an automatic test that Windows runs to test Internet connectivity and network connectivity. It sends a DNS request or an HTTP request to http://www.msftconnecttest.com/connecttest.txt to find out if the device is connected to the Internet.
NCSI can be turned off using the Group Policy
If you enable this policy setting, NCSI does not run either of the two active tests. This may reduce the ability of NCSI, and of other components that use NCSI, to determine Internet access.
1. Open the Group Policy Editor.
2. Go to Computer Configuration > Administrative Templates > System > Internet Communication Management > Internet Communication Settings
3. Open Turn off Windows Network Connectivity Status Indicator active tests.
4. Set the policy to enabled to disable the testing.
You can turn off NCSI using the Windows Registry as well
1. Open the Windows Registry Editor.
2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator
3. Right-click on NetworkConnectivityStatusIndicator, and select New > Dword (32-bit) Value.
4. Name it NoActiveProbe.
5. Set its value to 1.
Offline Maps
Offline Maps is a feature of the Maps application. You may use it to save maps to the local system, and to update these maps for offline use.
The default Maps application of Windows 10 works similarly to Google Maps in many regards. You can use it to browse to locations, find directions, or locate specific buildings on the map. It supports features such as turn-by-turn directions, voice-guided navigation and more.
You may save maps so that they become available even when the device is offline. This is useful for situations in which Internet connectivity is flaky or not available at all.

Settings application
You can manage offline maps using the Settings application. Go to Settings > Apps > Offline Maps to get started. You find options on the page to download new maps, to delete existing maps, and configuration options.
One of these options lets you define whether maps are updated automatically by Windows. Toggle “Automatically update maps” on the page to disable the functionality.
Note that you only need to configure this if you have downloaded maps actively.

Group Policy
If you enable this setting the automatic download and update of map data is turned off.
1. Open the Group Policy Editor.
2. Go to Computer Configuration > Administrative Templates > Windows Components > Maps
3. Open Turn off Automatic Download and Update of Map Data
4. Set the policy to enabled, to disable the feature on the system.

Windows Registry
Offline Maps can be turned off in the Windows Registry as well.
1. Open the Windows Registry Editor.
2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Maps
3. Right-click on Maps, and select New > Dword (32-bit) Value.
4. Name it AutoDownloadAndUpdateMapData.
5. Give it a value of 0.
OneDrive
OneDrive, formerly known as SkyDrive, is Microsoft’s cloud storage service. OneDrive is integrated in Windows 10 by default.
Disabling OneDrive impacts some functionality, including:
• The camera roll that uploads photos and videos automatically won’t work anymore.
• OneDrive files are not kept in sync with cloud servers.
• OneDrive’s listing in File Explorer is removed.
• Windows Store applications cannot access OneDrive using the WinRT API.
• Users cannot access OneDrive using the app.
You can turn off OneDrive using the Group Policy
1. Open the Group Policy Editor.
2. Go to Computer Configuration > Administrative Templates > Windows Components > OneDrive
3. Select Prevent the usage of OneDrive for file storage.
4. Set the policy to Enabled.
OneDrive can be turned off using the Windows Registry as well
1. Open the Windows Registry Editor.
2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive
3. Right-click on OneDrive, and select New > Dword (32-bit) Value.
4. Name it DisableFileSyncNGSC
5. Give it the value of 1.
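
To confirm that the registry values from the preceding sections are actually in place, and to spot drift after a feature update, a read-only audit helps. The following is an added example, not part of the original guide; the function name Test-GuideRegistryValue and the report layout are assumptions, while the paths, names and values are the ones the guide gives.

```powershell
# Added example: read-only audit of registry values named in this guide.
# Nothing is written; absent keys or values are reported as NotSet.

# Path, value name, expected data and expected type, as given in the guide.
$expected = @(
    @{ Feature = 'Insider Preview Builds'; Kind = 'DWord'; Value = 0
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds'
       Name = 'AllowBuildPreview' }
    @{ Feature = 'Microsoft Account'; Kind = 'DWord'; Value = 3
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'NoConnectedUser' }
    @{ Feature = 'Edge Autofill'; Kind = 'String'; Value = 'no'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main'
       Name = 'UseFormSuggest' }
    @{ Feature = 'NCSI active probe'; Kind = 'DWord'; Value = 1
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator'
       Name = 'NoActiveProbe' }
    @{ Feature = 'Offline Maps'; Kind = 'DWord'; Value = 0
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Maps'
       Name = 'AutoDownloadAndUpdateMapData' }
    @{ Feature = 'OneDrive'; Kind = 'DWord'; Value = 1
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive'
       Name = 'DisableFileSyncNGSC' }
    @{ Feature = 'Live Tiles (current user)'; Kind = 'DWord'; Value = 1
       Path = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications'
       Name = 'NoCloudApplicationNotification' }
)

function Test-GuideRegistryValue {
    param(
        [Parameter(Mandatory)] [string] $Feature,
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Kind,
        [Parameter(Mandatory)] [object] $Value
    )
    $state      = 'NotSet'
    $actual     = $null
    $actualKind = $null

    # Get-Item returns a RegistryKey; a missing key yields $null here.
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -ne $key -and $key.GetValueNames() -contains $Name) {
        $actual     = $key.GetValue($Name)
        $actualKind = $key.GetValueKind($Name).ToString()
        # A value of the wrong type (String instead of DWord, or the reverse)
        # is flagged separately from a value with the wrong data.
        if     ($actualKind -ne $Kind) { $state = 'WrongType' }
        elseif ($actual -ne $Value)    { $state = 'Mismatch' }
        else                           { $state = 'Match' }
    }

    [pscustomobject]@{
        Feature  = $Feature
        Name     = $Name
        Expected = $Value
        Actual   = $actual
        Type     = $actualKind
        State    = $state
    }
}

# Build the report; the HKCU entry reflects the account running the script.
$report = foreach ($entry in $expected) { Test-GuideRegistryValue @entry }
$report | Format-Table Feature, Name, Expected, Actual, Type, State -AutoSize
```

Rows whose State is not Match are the ones to revisit; the HKLM checks apply to the whole machine, the HKCU check only to the user who runs the audit.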
Preinstalled Applications
Windows 10 ships with preinstalled applications. Some of these applications get content before they are opened by users (for a better user experience). Some of these can be removed using the Settings application, all of them using PowerShell.

Settings application
1. Open the Settings application on the Windows 10 machine.
2. Go to Apps.
3. Click on the application that you want to remove under “Apps & Features”.
4. Select uninstall, and follow the instructions.

PowerShell (removing apps for current user)
1. Open an elevated PowerShell command prompt.
2. To remove the Weather app, run: Get-AppxPackage Microsoft.BingWeather | Remove-AppxPackage
3. To remove the Money app, run: Get-AppxPackage Microsoft.BingFinance | Remove-AppxPackage
4. To remove the Sports app, run: Get-AppxPackage Microsoft.BingSports | Remove-AppxPackage
5. To remove the Twitter app, run: Get-AppxPackage *.Twitter | Remove-AppxPackage
6. To remove the Xbox app, run: Get-AppxPackage Microsoft.XboxApp | Remove-AppxPackage
7. To remove the Sway app, run: Get-AppxPackage Microsoft.Office.Sway | Remove-AppxPackage
8. To remove the OneNote app, run: Get-AppxPackage Microsoft.Office.OneNote | Remove-AppxPackage
9. To remove the Get Office app, run: Get-AppxPackage Microsoft.MicrosoftOfficeHub | Remove-AppxPackage
10. To remove the Get Skype app, run: Get-AppxPackage Microsoft.SkypeApp | Remove-AppxPackage
11. To remove the Sticky Notes app, run: Get-AppxPackage Microsoft.MicrosoftStickyNotes | Remove-AppxPackage

PowerShell (remove for new users)
1. Open an elevated PowerShell command prompt.
2. To remove the Weather app, run: Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -Like "Microsoft.BingWeather*"} | ForEach-Object {Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName}
3. To remove the Money app, run: Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -Like "Microsoft.BingFinance*"} | ForEach-Object {Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName}
4. To remove the Sports app, run: Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -Like "Microsoft.BingSports*"} | ForEach-Object {Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName}
5. To remove the Twitter app, run: Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -Like "*.Twitter*"} | ForEach-Object {Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName}
6. To remove the Xbox app, run: Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -Like "Microsoft.XboxApp*"} | ForEach-Object {Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName}
7. To remove the Sway app, run: Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -Like "Microsoft.Office.Sway*"} | ForEach-Object {Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName}
8. To remove the OneNote app, run: Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -Like "Microsoft.Office.OneNote*"} | ForEach-Object {Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName}
9. To remove the Get Office app, run: Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -Like "Microsoft.MicrosoftOfficeHub*"} | ForEach-Object {Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName}
10. To remove the Get Skype app, run: Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -Like "Microsoft.SkypeApp*"} | ForEach-Object {Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName}
11. To remove the Sticky Notes app, run: Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -Like "Microsoft.MicrosoftStickyNotes*"} | ForEach-Object {Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName}
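
Before removing packages on a production image it is worth previewing exactly what each pattern matches, for the current user and for the provisioned set. The following is an added example, not part of the original guide; the function name Remove-PreinstalledApp is an assumption, and it generalises the two command lists above into one function with a -WhatIf dry run.

```powershell
# Added example (not from the guide): preview, then optionally remove, the
# preinstalled apps listed above for the current user and for new users.

# Package name patterns taken from the commands in this section.
$guideApps = @(
    'Microsoft.BingWeather', 'Microsoft.BingFinance', 'Microsoft.BingSports',
    '*.Twitter', 'Microsoft.XboxApp', 'Microsoft.Office.Sway',
    'Microsoft.Office.OneNote', 'Microsoft.MicrosoftOfficeHub',
    'Microsoft.SkypeApp', 'Microsoft.MicrosoftStickyNotes'
)

function Remove-PreinstalledApp {
    # SupportsShouldProcess gives the function its own -WhatIf and -Confirm;
    # ConfirmImpact 'High' makes a real run prompt before each removal.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string[]] $Name
    )

    $installed = @(Get-AppxPackage)
    try {
        # Reading provisioned packages requires an elevated session.
        $provisioned = @(Get-AppxProvisionedPackage -Online -ErrorAction Stop)
    }
    catch {
        Write-Warning "Provisioned packages not readable (run elevated): $_"
        $provisioned = @()
    }

    foreach ($pattern in $Name) {
        # Installed packages are matched on Name, provisioned packages on
        # DisplayName, because their PackageName also carries version and
        # publisher suffixes.
        $targets = @(
            $installed | Where-Object { $_.Name -like $pattern } |
                ForEach-Object { @{ Scope = 'CurrentUser'; Id = $_.PackageFullName } }
            $provisioned | Where-Object { $_.DisplayName -like $pattern } |
                ForEach-Object { @{ Scope = 'Provisioned'; Id = $_.PackageName } }
        )
        if ($targets.Count -eq 0) {
            Write-Verbose "No package matches '$pattern'"
            continue
        }

        foreach ($target in $targets) {
            $removed = $false
            if ($PSCmdlet.ShouldProcess($target.Id, "Remove ($($target.Scope))")) {
                if ($target.Scope -eq 'CurrentUser') {
                    Remove-AppxPackage -Package $target.Id
                }
                else {
                    Remove-AppxProvisionedPackage -Online -PackageName $target.Id | Out-Null
                }
                $removed = $true
            }
            [pscustomobject]@{
                Pattern = $pattern
                Scope   = $target.Scope
                Package = $target.Id
                Removed = $removed
            }
        }
    }
}

# Dry run: lists every match and removes nothing.
Remove-PreinstalledApp -Name $guideApps -WhatIf | Format-Table -AutoSize
```

Dropping -WhatIf performs the removal and prompts once per package.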
Windows 10 Privacy Settings
Windows 10 ships with a dedicated privacy group in the Settings application. You can open it in the following way:
1. Use the keyboard shortcut Windows-I to open the Settings application. You may use the Start menu instead as it links to Settings as well.
2. Select Privacy from the list of available groups.
Notes
• These privacy settings apply only to apps, but not to legacy desktop programs. As a rule of thumb: apps are downloaded from Windows Store, desktop programs are not. This does not apply 100% but to the majority of cases.
• The bulk of settings enable you to allow or disallow access to certain data sets, calendar, contacts, or hardware devices, like the microphone or camera.
The Privacy group of settings lists the following pages in the Windows 10 Creators Update:
• General – Lists important privacy settings, and links to look up information and manage information that is stored online.
• Location – Manage location based settings such as enabling location-based look-ups, or clearing the location history.
• Camera – Select whether apps may use a camera connected to the device, and manage this on a per-app basis.
• Microphone – Select whether apps may use the microphone, and manage apps that are allowed to use the microphone.
• Notifications – Select whether applications may access notifications, and manage the permission for individual apps.
• Speech, inking, & typing – Enable or disable speech services and typing suggestions, and manage cloud information.
• Account info – Select whether apps may access your name, picture and other account information, and manage this on a per-application basis.
• Contacts – Select whether apps may access your contacts, and manage individual application rights for that.
• Call history – Select whether apps may access your call history, and manage these apps individually.
• Email – Select whether apps may access your email (including sending), and manage individual application rights.
• Tasks – Select whether apps may access tasks, and manage these apps.
• Messaging – Select whether apps may read and send messages (text or MMS), and manage these applications individually.
• Radios – Manage radio support, e.g. for Bluetooth and select whether apps are allowed to control radios on the system.
• Other devices – Configure app syncing with your other device, and manage the list of trusted devices.
• Feedback & diagnostics – Set the Telemetry data level (Basic or Full), set feedback frequency, and toggle the tailored experiences option.
• Background apps – Select whether apps are allowed to run in the background, and manage individual app permissions in this regard.
• App diagnostics – Select whether apps are allowed to access diagnostic information.
• Automatic file downloads – Determines whether file sync services such as OneDrive may download online-only files automatically when requested by the user.
General
The General page of the Privacy group lists the following options:
• Let apps use advertising ID to make ads more interesting to you based on your app usage (turning this off will reset your ID) – This defines whether applications may access the advertising ID that identifies the device, which in turn enables tracking.
   ◦ Windows generates a unique advertising ID for each user on a device, which app developers and advertising networks can use to provide more relevant advertising in apps. When the advertising ID is enabled, apps can access and use it in much the same way that websites can access and use a unique identifier stored in a cookie. Thus, app developers (and the advertising networks they work with) can use your advertising ID to provide more relevant advertising and other personalized experiences across their apps.
• Let websites provide locally relevant content by accessing my language list – Defines whether websites that you open on the device may access the list of languages installed on the device to display local content instead of generic content.
   ◦ Some websites may have their content available in different languages. Windows can share information about your preferred language list with websites so that they can have the opportunity to respect your language preferences without you having to independently set them for each site.
• Let Windows track app launches to improve Start and search results – If enabled, Windows tracks application launches and uses the information for Start’s (most used apps) and search results.
   ◦ Windows can personalize your Start menu based on the apps that you launch. This allows you to quickly have access to your list of Most used apps both in the Start menu and when you search your device.
• Show me suggested content in the Settings application – Windows 10 may display suggestions, read tips and promotions, in the Settings application when not turned off.

Advertising ID
Note: The advertising ID is reset when you turn off the feature in the UI.
Group Policy options
1. Open the Group Policy Editor.
2. Go to Computer Configuration > Administrative Templates > System > User Profiles
3. Select Turn off the advertising ID.
4. Set the policy to enabled.
Registry options
1. Open the Windows Registry Editor.
2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo
3. Right-click on AdvertisingInfo and select New > Dword (32-bit) Value.
4. Name it Enabled.
5. Set its value to 0.
or,
6. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo
7. Right-click on AdvertisingInfo, and select New > Dword (32-bit) Value.
8. Name it DisabledByGroupPolicy
9. Set its value to 1.

Let websites provide locally relevant content by accessing my language list
1. Open the Windows Registry Editor.
2. Go to HKEY_CURRENT_USER\Control Panel\International\User Profile
3. Right-click on User Profile, and select New > Dword (32-bit) Value from the context menu.
4. Name it HttpAcceptLanguageOptOut
5. Set its value to 1.

Let Windows track app launches to improve Start and search results
1. Open the Windows Registry Editor.
2. Go to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
3. Right-click on Advanced, select New > Dword (32-bit) Value.
4. Name it Start_TrackProgs
5. Set its value to 0.
Location
The following options are available when you open the Location group of the Privacy Settings application:
• Location on/off – This toggle allows you to enable or disable location functionality on the device. If disabled, no application that runs on the device may make use of it.
• Default location – You may add a default location which Windows, apps and services will make use of if no location can be detected.
• Location history – Windows 10 stores the location history for a limited period of time (24 hours) on the device. You may use this option to clear the location history on the device.
• Choose apps that can use your precise location – Select individual applications that are allowed to look up your location.
• Geofencing – Lists applications that make use of Geofencing.
   ◦ Some apps use geofencing, which can turn on or off particular services or show you information that might be useful when you’re in an area defined (or “fenced”) by the app.

To turn off Location for this Device
Group Policy
If you enable this policy setting, the location feature is turned off, and all programs on this computer are prevented from using location information from the location feature.
1. Open the Group Policy Editor.
2. Go to Computer Configuration > Administrative Templates > Windows Components > Location and Sensors
3. Select Turn off Location.
4. Set the policy to enabled, to disable location on the device.
Windows Registry Editor
1. Open the Registry Editor.
2. Go to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy
3. Right-click on AppPrivacy, and select New > Dword (32-bit) Value.
4. Name it LetAppsAccessLocation
   1. Set the value to 1 to turn on application location access, and users cannot change it.
   2. Set its value to 2 to turn off location access, and disallow users to change it.
MDM policy from the Policy CSP (System/AllowLocation)
• 0 means it is turned off, and users can’t turn it back on.
• 1 means it is turned on, but users may turn it off.
• 2 means it is turned on, and users can’t turn it off.

To turn off Location for apps
Group Policy
This policy setting specifies whether Windows apps can access location.
You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.
If you choose the "Force Deny" option, Windows apps are not allowed to access location and employees in your organization cannot change it.
1. Open the Group Policy Editor.
2. Go to Computer Configuration > Administrative Templates > Windows Components > App Privacy
3. Select Let Windows apps access location.
4. Enable the policy.
5. Set the “default for all apps” box to Force Deny.
Windows Registry
1. Open the Registry Editor.
2. Go to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LocationAndSensors
3. Right-click on LocationAndSensors, and select New > Dword (32-bit) Value.
4. Name it DisableLocation
5. Set its value to 1.

Related Preferences
Turn off location
This setting determines whether the location feature is available on this device.
Policy: Computer Configuration > Administrative Templates > Windows Components > Location and Sensors > Turn off location
• Enabled – Location feature is turned off, and all programs on the computer are prevented from using the location feature.
• Disabled – Same as not configured; the location feature is enabled.
Windows Registry
Key: HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\AppPrivacy
Name: LetAppsAccessLocation
Type: Dword
• 2 – Turned off

Turn off location scripting
This feature turns off scripting for the location feature (that is, whether scripts for the location feature may run).
Policy: Computer Configuration > Administrative Templates > Windows Components > Location and Sensors > Turn off location scripting
• Enabled – This turns location scripting off so that it is not available.
• Disabled – Same as not configured; location scripting is enabled.
Windows Registry
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors
Name: DisableLocationScripting
Type: Dword
• 0 – The feature is enabled.
• 1 – The feature is disabled.
Camera
The Camera privacy group offers the following options:
• Toggle the use of camera hardware (e.g. a webcam), by apps on or off.
• Manage all applications that may use the camera, and allow or disallow usage individually.
General information on camera use:
Windows 10 highlights the use of the camera by turning on the camera light whenever it is in use. If the device does not have a camera light, a notification is displayed instead.
Some exceptions apply to the general camera privacy settings. Windows Hello, Windows 10’s biometric authentication system, will make use of the camera even if camera use is disabled for applications in the privacy settings.
The setting ignores desktop programs. Only Windows Store apps and apps that ship with Windows 10 by default are affected by the settings.

Let apps use my camera
Group Policy
This policy setting specifies whether Windows apps can access the camera.
You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.
1. Open the Group Policy Editor.
2. Go to Computer Configuration > Administrative Templates > Windows Components > App Privacy
3. Select Let Windows apps access the camera.
4. Set the policy to enabled.
5. In the “Default for all apps” box, select one of the following values:
   1. User is in control means that users may allow or disallow access to the camera using the Settings application.
   2. Force Allow means that apps may access the camera, and that users cannot change this.
   3. Force Deny means that apps cannot access the camera, and that users cannot change this.
Windows Registry
1. Open the Registry Editor.
2. Go to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy
3. Right-click on AppPrivacy, and select New > Dword (32-bit) Value.
4. Name it LetAppsAccessCamera.
5. Set the value to one of the following supported integers:
   1. A value of 0 means that the user is in control.
   2. A value of 1 means force allow.
   3. A value of 2 means force deny.
MDM policy from the Policy CSP (Camera/AllowCamera)
1. Value of 0 means apps cannot use camera.
2. Value of 1 means apps may use the camera.
Microphone
The Microphone privacy settings page offers the following options:
• Toggle microphone use by applications. If turned off, applications may not use the microphone for functionality.
• Select permissions for applications individually.
As is the case with the camera preference, the microphone preference affects only Windows Applications but not desktop programs.

Let apps use my microphone
Group Policy
This policy setting specifies whether Windows apps can access the microphone.
You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.
1. Open the Group Policy Editor.
2. Go to Computer Configuration > Administrative Templates > Windows Components > App Privacy
3. Select Let Windows apps access the microphone
4. Set the policy to enabled.
5. In the “default for all apps” box, set one of the following values:
   1. User is in control means that users may change the privacy setting using the Settings application.
   2. Force allow means that apps may access the microphone, and that users cannot change it.
   3. Force deny means that apps may not access the microphone, and that users cannot change this.
Windows Registry
1. Open the Registry Editor.
2. Go to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy
3. Right-click on AppPrivacy, and select New > Dword (32-bit) Value.
4. Name it LetAppsAccessMicrophone.
5. Set it to one of the following values:
   1. A value of 0 means that users are in control.
   2. A value of 1 means force allow.
   3. A value of 2 means force deny.
MDM policy from the Policy CSP (Privacy/LetAppsAccessMicrophone)
• Value of 0: user is in control.
• Value of 1: force allow.
• Value of 2: force deny.
Notifications
The Notifications page provides you with two options:
• Enable or disable notifications.
• Manage notifications for applications individually.

Let apps access my notifications
Group Policy
This policy setting specifies whether Windows apps can access notifications.
You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.
1. Open the Group Policy Editor.
2. Go to Computer Configuration > Administrative Templates > Windows Components > App Privacy.
3. Select Let Windows apps access notifications.
4. Set the policy to enabled.
5. Set the “default for all apps” box to one of the following values:
   1. User is in control means that users can control the access to notifications using the Settings application.
   2. Force allow means that apps are allowed to access notifications, and that users cannot change that.
   3. Force deny means that apps are not allowed to access notifications, and that users cannot change that.
Windows Registry
1. Open the Registry Editor.
2. Go to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy
3. Right-click on AppPrivacy, and select New > Dword (32-bit) Value.
4. Name it LetAppsAccessNotifications.
5. Set it to one of the following values:
   1. A value of 0 means that the user is in control of the functionality.
   2. A value of 1 means force allow.
   3. A value of 2 means force deny.
MDM policy from the Policy CSP (Privacy/LetAppsAccessNotifications)
• Value of 0: user is in control.
• Value of 1: force allow.
• Value of 2: force deny.
Speech, inking & typing
Speech services and typing suggestions can be turned on or off when you open the speech, inking & typing page of the privacy options.
When switched on, it enables you to talk to Cortana and other Store applications. Your typing history and handwriting patterns are used to create a local user dictionary, and provide you with better suggestions. Microsoft will use voice input to improve cloud-based speech services.
When the setting is off, you cannot talk to Cortana, and any existing typing and inking user dictionary is erased. Voice data in the cloud is disassociated with the device. Speech services that don’t rely on the cloud will still work, and so will typing suggestions and handwriting recognition that uses the system dictionary.
To use speech recognition, getting to know you (the privacy setting under Speech, inking & typing) must be turned on because speech services exist both in the cloud and on your device. The info Microsoft collects from these services helps to improve them.
Speech services that don’t rely on the cloud and only live on your device, like Narrator and Windows Speech Recognition, will still work when this setting is turned off, but Microsoft won’t collect any speech data.
When your Diagnostic and usage data setting (Settings > Privacy > Feedback & diagnostics) is set to Full, your inking and typing input data is sent to Microsoft, and we use this data in the aggregate to improve the inking and typing platform for all users. Learn more about Diagnostic data here.
As part of inking and typing on your device, Windows creates a user dictionary that stores unique words like names you write, which helps you type and ink more accurately.
Turn off automatic learning
Automatic learning enables the collection and storage of text and ink written by the user in order to help adapt handwriting recognition to the vocabulary and handwriting style of the user.
Text that is collected includes all outgoing messages in Windows Mail, and MAPI enabled email clients, as well as URLs from the Internet Explorer browser history. The information that is stored includes word frequency and new words not already known to the handwriting recognition engines (for example, proper names and acronyms). Deleting email content or the browser history does not delete the stored personalization data. Ink entered through Input Panel is collected and stored.
Group Policy
This policy setting turns off the automatic learning component of handwriting recognition personalization.
If you enable this policy setting, automatic learning stops and any stored data is deleted. Users cannot configure this setting in Control Panel.
1. Open the Group Policy Editor.
2. Go to Computer Configuration > Administrative Templates > Control Panel > Regional and Language Options > Handwriting personalization
3. Select Turn off automatic learning.
4. Set the policy to enabled.
Registry Editor
1. Open the Windows Registry Editor.
2. Go to HKEY_LOCAL_MACHINE\Policies\Microsoft\InputPersonalization
3. Right-click on InputPersonalization, and select New > Dword (32-bit) Value.
4. Name it RestrictImplicitInkCollection.
5. Set its value to 1.
or
1. Go to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Personalization\Settings.
2. Right-click on Settings, and select New > Dword (32-bit) Value.
3. Name it AcceptedPrivacyPolicy.
4. Set its value to 0.
or
1. Go to HKEY_CURRENT_USER\SOFTWARE\Microsoft\InputPersonalization\TrainedDataStore
2. Right-click on TrainedDataStore, and select New > Dword (32-bit) Value.
3. Name it HarvestContacts
4. Set its value to 0.
Allow Input Personalization
Group Policy
This policy turns off the automatic learning component of input personalization (that includes speech, inking and typing).
Automatic learning enables the collection of speech and handwriting patterns, typing history, contacts, and recent calendar information. It is required for the use of Cortana. Some of this collected information may be stored on the user's OneDrive, in the case of inking and typing; some of the information will be uploaded to Microsoft to personalize speech.
Policy: Computer Configuration > Administrative Templates > Control Panel > Regional and Language Options > Allow input personalization
• Enabled – Automatic learning of speech, inking and typing is enabled. Some information may be uploaded to Microsoft, and some may be stored on OneDrive.
• Disabled – The feature is turned off. Automatic learning of speech, typing and inking is stopped.
Windows Registry
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\InputPersonalization
Name: RestrictImplicitTextCollection
Type: Dword
• 1 – Turn off implicit text collection.
• 0 – Default, text is collected.
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\InputPersonalization
Name: RestrictImplicitInkCollection
Type: Dword
• 1 – Turn off implicit ink collection.
• 0 – Default, ink data is collected.
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\InputPersonalization\TrainedDataStore
Name: HarvestContacts
Type: Dword
• 0 – The feature is turned off.
• 1 – Default, the feature is enabled.
Turn off updates to speech recognition and speech synthesis
Determines whether the device will check for speech recognition and speech synthesis updates, and download them automatically.
Group Policy
A speech model contains data used by the speech engine to convert audio to text (or vice-versa). The models are periodically updated to improve accuracy and performance. Models are non-executable data files.
If enabled (default), the device will periodically check for updated speech models and then download them from a Microsoft service using the Background Internet Transfer Service (BITS).
1. Open the Group Policy Editor.
2. Go to Computer Configuration > Administrative Templates > Windows Components > Speech
3. Select Allow automatically update of Speech Data
4. Set the policy to disabled.
Windows Registry
1. Open the Windows Registry Editor
2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Preferences
3. Right-click on Preferences, and select New > Dword (32-bit) Value.
4. Name it ModelDownloadAllowed.
5. Set the value to 0.
MDM policy from the Policy CSP (Speech/AllowSpeechModelUpdate)
• A value of 0 means not allowed.
• A value of 1 means allowed.
Turn off handwriting personalization data sharing
The handwriting recognition personalization tool may be used on Windows Tablet PCs to adapt handwriting recognition to the user’s writing style. Windows Tablet PCs may share handwriting data automatically with Microsoft to “improve handwriting recognition in future versions of Windows”.
Group Policy
Computer Configuration > Administrative Templates > System > Internet Communication Management > Internet Communication settings > Turn off handwriting personalization data sharing
Enabled: When this policy is enabled Windows users may not share writing samples from the handwriting recognition personalization tool with Microsoft.
Disabled: Samples are shared automatically with Microsoft when the tool is being used.
Not Configured: Users are prompted and may decide to share the data with Microsoft.
Windows Registry
Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC
Name: PreventHandwritingDataSharing
Type: Dword
A value of 1 prevents handwriting data sharing.
Turn off handwriting recognition error reporting
The handwriting recognition error reporting tool enables users to report errors. The tool generates error reports, and transmits them to Microsoft. Microsoft uses the data to improve handwriting recognition in future versions of Windows.
Group Policy
Computer Configuration > Administrative Templates > System > Internet Communication Management > Internet Communication settings > Turn off handwriting recognition error reporting
Enabled: When this policy is enabled, users may not start the handwriting recognition error reporting tool or send error reports to Microsoft.
Disabled: Same as not configured. Users may use the handwriting recognition error reporting tool to send error data to Microsoft.
Windows Registry
Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports
Name: PreventHandwritingErrorReports
Type: Dword
A value of 1 prevents use of the handwriting error reporting tool, and the reporting of errors to Microsoft.
Account Info
The Account info page provides you with the means to enable or disable general access to your name, picture and other account information. You may also allow or disallow access on a per-application basis instead.
Let apps access my name, picture, and other account info
Group Policy
This policy setting specifies whether Windows apps can access account information.
You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.
If you choose the "Force Deny" option, Windows apps are not allowed to access account information and employees in your organization cannot change it.
1. Load the Group Policy Editor.
2. Go to Computer Configuration > Administrative Templates > Windows Components > App Privacy.
3. Open Let Windows apps access account information.
4. Set the policy to enabled.
5. Set the “default for all apps” setting to one of the following values:
   1. User is in control means that users may select to allow or block individual apps, or the privacy feature, in the Settings application.
   2. Force Allow means that Windows apps may use account information, and that users cannot change that.
   3. Force Deny means that Windows apps may not use account information, and that users cannot change that.
Windows Registry
1. Open the Windows Registry Editor.
2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy.
3. Right-click on AppPrivacy, and select New > Dword (32-bit) Value from the menu.
4. Name the new value LetAppsAccessAccountInfo
5. Set its value to one of the following supported values:
   1. Value of 0 means user is in control.
   2. Value of 1 means force allow.
   3. Value of 2 means force deny.
MDM policy from the Policy CSP (Privacy/LetAppsAccessAccountInfo)
• A value of 0 means the user is in control.
• A value of 1 means force allow.
• A value of 2 means force deny.
Contacts
The Contacts privacy page lists two main options right now:
• Enable or disable access to contacts by applications.
• Manage access rights to contacts for individual applications.
Choose apps that can access contacts
Group Policy
This policy setting specifies whether Windows apps can access contacts.
You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.
1. Open the Group Policy Editor.
2. Go to Computer Configuration > Administrative Templates > Windows Components > App Privacy.
3. Open the Let Windows apps access contacts policy.
4. Enable the policy.
5. Set the “default for all apps” setting to one of the following values
   1. User is in control gives users options to allow or disallow apps to access contacts.
   2. Force allow means that applications may access contacts, and that users cannot prevent this.
   3. Force deny means that applications may not access contacts, and that users cannot allow them.
Windows Registry
1. Open the Windows Registry Editor
2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy
3. If the Dword value LetAppsAccessContacts does not exist, right-click on AppPrivacy, and select New > Dword (32-bit) Value from the context menu, and name it accordingly.
4. Set the preference to 2 to disable access to contacts.
MDM policy from the Policy CSP (Privacy/LetAppsAccessContacts)
• A value of 0 means the user is in control.
• A value of 1 means force allow.
• A value of 2 means force deny.
Calendar
You may use the Calendar page of the privacy settings to allow or disallow application access to the calendar. You may furthermore allow or disallow access to the calendar for individual applications.
Let apps access the calendar
Group Policy
This policy setting specifies whether Windows apps can access the calendar.
You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.
1. Load the Group Policy Editor.
2. Go to Computer Configuration > Administrative Templates > Windows Components > App Privacy.
3. Open Let Windows apps access the calendar
4. Set the policy to enabled.
5. Set the “default for all apps” setting to one of the following values:
   1. User is in control means that users may allow or block apps to access the calendar.
   2. Force allow means that apps may access calendar data, and that users cannot block this.
   3. Force deny means that apps may not access calendar data, and that users cannot block this.
Windows Registry
1. Open the Windows Registry Editor.
2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy.
3. Right-click on AppPrivacy, and select New > Dword (32-bit) Value from the menu.
4. Name the new value LetAppsAccessCalendar.
5. Set its value to one of the following values:
   1. Value of 0 means user is in control.
   2. Value of 1 means force allow.
   3. Value of 2 means force deny.
MDM policy from the Policy CSP (Privacy/LetAppsAccessCalendar)
• A value of 0 means the user is in control.
• A value of 1 means force allow.
• A value of 2 means force deny.
Call History
The Call History, just like most of the other privacy settings, provides you with two options:
• Allow or disallow access to the Call History for all applications.
• Allow or disallow individual application access to the Call History.
Let apps access my call history
Group Policy
This policy setting specifies whether Windows apps can access call history.
You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.
1. Open the Group Policy Editor.
2. Go to Computer Configuration > Administrative Templates > Windows Components > App Privacy
3. Open Let Windows apps access call history.
4. Set the policy to enabled.
5. Set the “default for all apps” setting to one of the following values:
   1. User in control gives users control over the call history. They may allow or disallow apps access to the call history.
   2. Force Allow enables access to the Call History automatically. Users may not change this.
   3. Force Deny disables access to the Call History automatically. Users may not change this.
Windows Registry
1. Open the Windows Registry Editor.
2. Go to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy
3. Right-click on AppPrivacy, and select New > Dword (32-bit) Value.
4. Name it LetAppsAccessCallHistory.
5. Give it one of the following values:
   1. A value of 0 means users are in control.
   2. A value of 1 means force allow.
   3. A value of 2 means force deny.
MDM policy from the Policy CSP (Privacy/LetAppsAccessCallHistory)
• A value of 0 means user is in control.
• A value of 1 means force allow.
• A value of 2 means force deny.
Email
The Email privacy settings can be used to allow or disallow application access to emails on a global level, and to allow or disallow access for individual applications. The two built-in applications Mail and Calendar are allowed to access and send email regardless of how the options are configured.
Let apps access and send email
Group Policy
This policy setting specifies whether Windows apps can access email.
You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.
1. Open the Group Policy Editor.
2. Go to Computer Configuration > Administrative Templates > Windows Components > App Privacy
3. Select Let Windows apps access email
4. Set the policy to enabled.
5. Set the value of the policy under Default for apps:
   1. User is in control means that users can decide whether Windows apps may access email.
   2. Force Allow means that Windows apps are allowed to access email, and users cannot change it.
   3. Force Deny means that Windows apps are not allowed to access email, and that users cannot change it.
Windows Registry
1. Open the Windows Registry Editor.
2. Go to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy
3. Right-click on AppPrivacy, and select New > Dword (32-bit) Value.
4. Name the new value LetAppsAccessEmail.
   1. Set its value to 0 to give users control over the feature.
   2. Set its value to 1 to force allow.
   3. Set its value to 2 to force deny.
MDM policy from the Policy CSP (Privacy/LetAppsAccessEmail)
1. 0 – user is in control.
2. 1 – Force allow
3. 2 – Force deny.
Tasks
You may use the Tasks privacy page to allow or disallow global access to tasks, or to allow or disallow access to tasks for individual applications. The two built-in applications Mail and Calendar are whitelisted. They have access to the tasks even if you disable tasks globally.
Group Policy
This policy setting specifies whether Windows apps can access tasks.
You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.
1. Open the Group Policy Editor.
2. Go to Computer Configuration > Administrative Templates > Windows Components > App Privacy
3. Select Let Windows apps access Tasks
4. Set the policy to enabled.
5. Select one of the following values for “default for all apps”.
   1. User is in control – Users may enable or disable Tasks access for all or specific apps.
   2. Force Allow – Tasks access is enabled, and users cannot change that.
   3. Force Deny – Tasks access is disabled, and users cannot change that.
Messaging
You may use the Messaging privacy options to turn on or off application read and send access to messages (both text and MMS). It is furthermore possible to allow or disallow individual applications to use messaging.
Let apps read or send messages (text or MMS)
Group Policy
This policy setting specifies whether Windows apps can read or send messages (text or MMS).
You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.
1. Open the Group Policy Editor.
2. Go to Computer Configuration > Administrative Templates > Windows Components > App Privacy
3. Select the Let Windows apps access messaging policy.
4. Set the policy to enabled.
5. Set the default for all apps value to
   1. User is in control to allow users to control the feature.
   2. Force Allow to enable app access to messaging, and block users from changing this.
   3. Force Deny to disallow app access to messaging, and block users from changing this.
Windows Registry
1. Open the Windows Registry Editor.
2. Go to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy
3. Right-click on AppPrivacy, and select New > Dword (32-bit) Value.
4. Name it LetAppsAccessMessaging
   1. Set its value to 0 to put users in control.
   2. Set its value to 1 to force allow.
   3. Set its value to 2 to force deny.
MDM policy from the Policy CSP (Privacy/LetAppsAccessMessaging)
1. A value of 0 means user is in control.
2. A value of 1 means force allow
3. A value of 2 means force deny.
Radios
Some apps use radios – like Bluetooth – in your device to send and receive data. Sometimes, apps need to turn these radios on and off to work their magic. You may use the Radios settings to allow or disallow access to Radios such as Bluetooth globally, or for individual applications.
Let Windows apps control radios
Group Policy
This policy setting specifies whether Windows apps have access to control radios.
You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.
1. Open the Group Policy Editor.
2. Go to Computer Configuration > Administrative Templates > Windows Components > App Privacy
3. Select Let Windows apps control radios.
4. Set the policy to enabled.
5. Set the default for all apps value to
   1. User is in control to let users decide.
   2. Force Allow to enable application access to control radios, and prevent users from changing that.
   3. Force Deny to disable application access to control radios, and prevent users from changing that.
Windows Registry
1. Open the Registry Editor
2. Go to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy
3. Right-click on AppPrivacy, and select New > Dword (32-bit) Value.
4. Name it LetAppsAccessRadios.
   1. Set its value to 0 for user is in control.
   2. Set its value to 1 for force allow.
   3. Set its value to 2 for force deny.
MDM policy of the Policy CSP (Privacy/LetAppsAccessRadios)
1. A value of 0 means that the user is in control.
2. A value of 1 means force allow.
3. A value of 2 means force deny.
Other Devices
Manage other devices, those that you sync data with, or that you connect to your Windows machine using this setting. Other devices may be other Windows 10 devices but also tablets or phones. Applications may use your trusted devices, such as your Xbox One, TVs, or projectors. The following options are provided:
• Enable or disable the synchronization of data with other devices.
• Choose apps that can sync with the device you are using.
• Let applications use Trusted Devices such as memory cards, Xbox and other devices.
Feedback & Diagnostics
The Windows 10 Creators Update supports two diagnostic settings (down from three in previous versions of Windows). The only exception to that is that Enterprise editions support turning off diagnostics completely.
Basic – See this Microsoft page for a full list of what is collected: https://docs.microsoft.com/en-us/windows/configuration/basic-level-windows-diagnostic-events-and-fields
The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. When the level is set to Basic, it also includes the Security level information.
The Basic level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems.
Full – includes all basic level data sets, and additional data sets. You find a listing of those here: https://docs.microsoft.com/en-us/windows/configuration/windows-diagnostic-data
Windows should ask for my feedback
Group Policy
This policy setting allows an organization to prevent its devices from showing feedback questions from Microsoft.
1. Open the Group Policy Editor.
2. Go to Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds
3. Select Do not show feedback notifications.
   1. Enable this policy to block feedback notifications through the Windows Feedback application.
   2. Disable this policy, or don’t configure it, to allow feedback notifications through the Windows Feedback application.
Windows Registry
1. Open the Windows Registry Editor.
2. Go to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DataCollection
3. Right-click on DataCollection, and select New > Dword (32-bit) Value.
4. Name it DoNotShowFeedbackNotifications
   1. A value of 1 disables feedback notifications.
   2. A value of 0 allows them.
Alternatively
1. Go to HKEY_CURRENT_USER\Software\Microsoft\Siuf\Rules\
2. Right-click on Rules, and select New > Dword (32-bit value)
3. Name it PeriodInNanoSeconds
4. Set its value according to the table below.
5. Go to HKEY_CURRENT_USER\Software\Microsoft\Siuf\Rules\
6. Right-click on Rules, and select New > Dword (32-bit value)
7. Name it NumberOfSIUFInPeriod
8. Set its value according to the table below
Setting         PeriodInNanoSeconds           NumberOfSIUFInPeriod
Automatically   Delete the registry setting   Delete the registry setting
Never           0                             0
Always          100000000                     Delete the registry setting
Once a day      864000000000                  1
Once a week     6048000000000                 1
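The table can be checked against a profile with a read-only script. This is an added example, not part of the original guide; the function names Get-FeedbackFrequencySetting and Read-SiufRule are assumptions. It also shows that the daily and weekly values correspond to one and seven days when read as 100-nanosecond ticks, and that both are larger than a 32-bit Dword can hold, which is why the script reports the registry type it actually finds.

```powershell
# Added example (not from the guide): classify the Siuf feedback-frequency
# values against the table above. Read-only; nothing is written.

$SiufRulesKey = 'HKCU:\Software\Microsoft\Siuf\Rules'

function Get-FeedbackFrequencySetting {
    # Maps a (PeriodInNanoSeconds, NumberOfSIUFInPeriod) pair to the guide's
    # setting name. $null stands for "registry value is absent".
    param($Period, $Count)

    if ($null -eq $Period -and $null -eq $Count)      { return 'Automatically' }
    if ($null -eq $Period)                            { return 'Unrecognized' }
    if ($Period -eq 0 -and $Count -eq 0)              { return 'Never' }
    if ($Period -eq 100000000 -and $null -eq $Count)  { return 'Always' }
    if ($Period -eq 864000000000 -and $Count -eq 1)   { return 'Once a day' }
    if ($Period -eq 6048000000000 -and $Count -eq 1)  { return 'Once a week' }
    return 'Unrecognized'
}

function Read-SiufRule {
    # Returns both values (or $null when absent) and the registry type of
    # PeriodInNanoSeconds as stored in the current user's hive.
    param([string]$Key = $SiufRulesKey)

    $result = [ordered]@{ Period = $null; PeriodKind = $null; Count = $null }
    $item = Get-Item -Path $Key -ErrorAction SilentlyContinue
    if ($item) {
        $names = $item.GetValueNames()
        if ($names -contains 'PeriodInNanoSeconds') {
            $result.Period     = $item.GetValue('PeriodInNanoSeconds')
            $result.PeriodKind = $item.GetValueKind('PeriodInNanoSeconds')
        }
        if ($names -contains 'NumberOfSIUFInPeriod') {
            $result.Count = $item.GetValue('NumberOfSIUFInPeriod')
        }
    }
    [pscustomobject]$result
}

# Constructed input: the rows of the guide's table, $null = value deleted.
$rows = @(
    @{ Period = $null;         Count = $null },
    @{ Period = 0;             Count = 0 },
    @{ Period = 100000000;     Count = $null },
    @{ Period = 864000000000;  Count = 1 },
    @{ Period = 6048000000000; Count = 1 }
)

$table = foreach ($row in $rows) {
    $span = $null
    if ($null -ne $row.Period) { $span = [TimeSpan]::FromTicks($row.Period) }
    [pscustomobject]@{
        Setting     = Get-FeedbackFrequencySetting -Period $row.Period -Count $row.Count
        Period      = $row.Period
        As100nsTick = $span    # one .NET tick is 100 ns
        FitsInDword = ($null -eq $row.Period) -or ($row.Period -le [uint32]::MaxValue)
    }
}
$table | Format-Table -AutoSize | Out-Host

# Live check of the signed-in user's profile.
$live    = Read-SiufRule
$setting = Get-FeedbackFrequencySetting -Period $live.Period -Count $live.Count
Write-Host "Current profile: $setting (PeriodInNanoSeconds type: $($live.PeriodKind))"
```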
Use Diagnostic Data for Tailored Experiences
Group Policy
This policy setting lets you prevent Windows from using diagnostic data to provide tailored experiences to the user.
1. Open the Group Policy Editor
2. Go to User Configuration > Administrative Templates > Windows Components > Cloud Content
3. Select Do not use diagnostic data for tailored experiences.
   1. Set this policy to enabled if you don’t want Windows to use diagnostic data from the device to customize content shown on the lock screen, and elsewhere.
   2. Set this policy to disabled, to enable personalized recommendations based on telemetry data.
Background Apps
Applications may run in the background, for instance to receive information from the Internet or a network, or send notifications. If you turn off the feature, apps may not do so when they are not running on the system. A positive side effect of turning the functionality off is that you may conserve power depending on which apps are installed on the system, and how they are used.
The Settings application provides you with two options:
1. Turn off the feature for all applications.
2. Select the apps that you want to be able to run in the background.
Group Policy
This policy setting specifies whether Windows apps can run in the background.
You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.
1. Open the Group Policy Editor.
2. Go to Computer Configuration > Administrative Templates > Windows Components > App Privacy
3. Select Let Windows apps run in the background.
4. Set the policy to enabled.
5. Set one of the following options under “default for all apps”
   1. User is in control to provide users with options to enable or disable the functionality.
   2. Force Allow to allow apps to run in the background; users cannot change the preference.
   3. Force Deny to disallow apps to run in the background; users cannot change the preference.
Windows Registry
1. Open the Windows Registry Editor.
2. Go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications
3. Right-click on BackgroundAccessApplications, and select New > Dword (32-bit) Value.
4. Name it GlobalUserDisabled.
   1. A value of 0 means the feature is turned on.
   2. A value of 1 means the feature is disabled.
Let Windows and your apps use your motion data and collect motion history
Windows applications may access motion data and collect the motion history. This requires special sensors in the device.
This policy setting specifies whether Windows apps can access motion data.
You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.
Group Policy: Computer Configuration > Administrative Templates > Windows Components > App Privacy > Let Windows apps access motion
• Enabled – Default value. Windows apps may use motion data and collect motion history. Set Default for all apps value:
   ◦ User is in control – Users may enable or disable Motion in the Settings.
   ◦ Force allow – Motion is enabled, and users may not change that.
   ◦ Force deny – Motion is disabled, and users may not change that either.
• Disabled – Windows applications may not use motion data or collect motion history.
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy
Name: LetAppsAccessMotion
Type: Dword
• A value of 0 means that the user is in control.
• A value of 1 means force allow.
• A value of 2 means force deny.
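The AppPrivacy values described in the Account Info through Motion sections above can be reviewed in one pass with a read-only report. This is an added example, not part of the original guide; the function names are assumptions, and the per-app value suffix _ForceAllowTheseApps is assumed to follow the Policy CSP naming (the guide itself only states that a per-app setting overrides the default).

```powershell
# Added example (not from the guide): read-only report of the AppPrivacy
# "default for all apps" values described in the sections above.

$AppPrivacyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy'

# Value names exactly as the guide lists them.
$AppPrivacyValues = @(
    'LetAppsAccessAccountInfo',
    'LetAppsAccessContacts',
    'LetAppsAccessCalendar',
    'LetAppsAccessCallHistory',
    'LetAppsAccessEmail',
    'LetAppsAccessMessaging',
    'LetAppsAccessRadios',
    'LetAppsAccessMotion'
)

function ConvertTo-AppPrivacyState {
    # 0 / 1 / 2 meanings as documented in the guide; $null = value absent.
    param($Raw)

    if ($null -eq $Raw) { return 'Not configured' }
    switch ("$Raw") {
        '0'     { 'User is in control' }
        '1'     { 'Force allow' }
        '2'     { 'Force deny' }
        default { "Unexpected value: $Raw" }
    }
}

function Get-AppPrivacyReport {
    param(
        [string]$Key = $AppPrivacyKey,
        [int]$Desired = 2    # state to audit for; 2 = force deny
    )

    # $item stays $null when no AppPrivacy policy has ever been set.
    $item = Get-Item -Path $Key -ErrorAction SilentlyContinue

    foreach ($name in $AppPrivacyValues) {
        $raw = $null
        $forceAllowed = @()
        if ($item) {
            $raw = $item.GetValue($name, $null)
            # Assumption: per-app force-allow list stored as a multi-string
            # value named <policy>_ForceAllowTheseApps (Policy CSP naming).
            $perApp = $item.GetValue("${name}_ForceAllowTheseApps", @())
            $forceAllowed = @($perApp | Where-Object { $_ })
        }

        # A per-app setting overrides the default, so a force-deny default
        # with force-allowed packages is not a complete deny.
        $isDesired  = ("$raw" -eq "$Desired")
        $overridden = ($Desired -eq 2) -and ($forceAllowed.Count -gt 0)

        [pscustomobject]@{
            Policy       = $name
            State        = ConvertTo-AppPrivacyState $raw
            Compliant    = $isDesired -and -not $overridden
            ForceAllowed = $forceAllowed -join '; '
        }
    }
}

Get-AppPrivacyReport | Format-Table -AutoSize
```

Pass -Desired 0 or -Desired 1 to audit for a different baseline; "Not configured" rows mean no policy value exists and the Settings app choice applies.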
Windows Features
Accounts (Local, Microsoft)
Windows 10 supports two types of accounts: local accounts and Microsoft accounts. Microsoft prioritizes Microsoft accounts on Windows 10, but users may select to create local accounts instead. The choice that users make during installation or setup has a big impact on privacy and functionality.
Microsoft account vs local accounts
A Microsoft account is a relatively new top-level account for Microsoft software and service users. The best way to describe it is that it is an online account for all things Microsoft. Instead of having to sign up for different Microsoft products and services individually, you may use a Microsoft account for the majority of those.
Many Windows users may have access to a Microsoft account already. This is the case for instance when they use one of Microsoft’s email services, for instance Outlook.com. It needs to be noted that Microsoft accounts don’t have a single domain they are associated with. In fact, it is possible to use any email address to set up a Microsoft account.
The easiest way to distinguish local from Microsoft accounts is that Microsoft accounts always use an email address as the username.
The use of a Microsoft account on Windows 10 comes with certain benefits:
• Data synchronization – Some operating system preferences, customization, and some data is synced automatically to any device that runs Windows 10 provided that you sign in with the same Microsoft Account. This includes the theme and desktop wallpaper, Internet Explorer settings, the Edge browsing history, saved passwords, and Ease of Access. Check out the OneDrive / File Synchronization chapter for additional information on that.
• Password reset and change – Since a Microsoft account is an online account, you may go online to reset the account password, or change the password.
• Direct access to apps and services – Other apps and services that run on a Windows 10 machine may pick up the Microsoft account automatically so that you don’t need to create an account, or sign in to one. OneDrive may sign you into your online storage, or you may see your emails or contacts listed directly in the apps that provide the information.
• Multi-device access – You can sign in to any Windows 10 device using a Microsoft account, while you would need to create local accounts on any device you want to use if you use local accounts.
• Windows Store – Windows Store restricts access to non-Microsoft accounts: Windows 10 Pro, Enterprise and Education editions support the downloading of free apps and games from the store. A Microsoft account is required on Home editions, and for any purchases made in the Store.
The core benefit of using a local account is privacy. Microsoft account data is submitted to Microsoft by default, and stored on company servers. Microsoft’s privacy statement confirms as much:
Microsoft collects data to operate effectively and provide you the best experiences with our products. You provide some of this data directly, such as when you create a Microsoft account, submit a search query to Bing, speak a voice command to Cortana, upload a document to OneDrive, purchase an MSDN subscription, sign up for Office 365, or contact us for support. [15]
Please note that you may limit the data that is shared with Microsoft by customizing Windows 10 settings as described in this book.
Other differences exist: you cannot change a Microsoft account password on the local Windows 10 machine, as Internet access is required for that. The same is not true for changing the password of a local account, as you can do so directly on the local machine, even without Internet access.
Windows Setup with a local account
Microsoft puts the focus on Microsoft accounts during setup. It displays the “sign in with Microsoft” option during setup, and gives customers the option to sign in using an existing account, or to create a new account. The local account option is still there, but it is not highlighted as much.
The following guide walks you through the steps of setting up a local account on a Windows 10 machine during setup.
Step 1: Select Offline account on the “Sign in with Microsoft” page during setup.
Step 2: Select No or Later on the next screen. Microsoft tries one more time on this page to get you to sign up or in using a Microsoft account.
Step 3: Select a username for the local account, and click on the Next button afterwards.
Step 4: Type a password, or leave the password field empty, and click on next.
That’s it; you have created a local account during setup which you can use from that moment on to sign in to the device.
Convert a Microsoft account login to a local account (or vice versa)
You have two options when it comes to switching from a local account to a Microsoft account, or a Microsoft account to a local account. Conversion is useful if you have selected either account type during setup, and want to switch to the other.
While you can create a new user account on the device and make it the preferred account type, you may also convert an existing account type into the other. Converting offers advantages over the creation of new user accounts on the device. Note that converting to the other account type does not change files or installed applications on the device. Access remains, and that is the main difference to creating a new user account on the device for use as a local or Microsoft account. You may be asked to sign in to apps that require a Microsoft account when you switch to a local account though.
Switch from a local account to a Microsoft account
Start by opening the Settings application. Go to Accounts > Your Info. The page lists the account type, e.g. local account as you see on the screenshot above, and a link to “sign in with a Microsoft account instead”.
A click on the link starts the conversion process from using a local account to using a Microsoft account. You are asked to authenticate by entering the Microsoft account email address, phone number associated with a Microsoft account, or a Skype ID. Once you complete the authentication process, you are asked to enter the password of the local Windows account to complete the process.
The next time you sign in to the Windows 10 device, you are asked to enter the Microsoft account password and not the local password.
Switch from a Microsoft account to a local account
You may switch from a Microsoft account to a local account as well. The process is nearly identical to switching from a local account to a Microsoft account.
Start by opening the Settings application. Go to Accounts > Your Info. If you see an email address listed on the page that opens, you are signed in using a Microsoft account. Scroll down until you find the “sign in with a local account instead” link, and activate it.
First thing you are asked to do is enter the current Microsoft account password. Once you have done that, you create a new local account by selecting a username, password and password hint. Note that the username is the only mandatory field.
When you sign in the next time, you are asked to enter the local account password for authentication.
Use a Microsoft account in select applications
Windows 10 users who sign in with a local account may notice that some functionality that applications provide may become unavailable because of that. This is the case usually for any application that is linked to a Microsoft Account. OneDrive for instance requires a Microsoft account, and so do other applications such as Calendar or Music. Other applications may function partially only. Windows Store works with a local account if you run Windows 10 Pro or Enterprise for instance, but only to download and install free apps.
A rule of thumb is that Windows apps will notify you when they need access to a Microsoft account. You do need to be careful however when you sign in to a Microsoft account this way. Microsoft displays an authentication prompt to use the Microsoft account for this particular application. The next screen displays an option to switch to a Microsoft account when signing in. If you want to keep on using your local account, you need to click on the link that is displayed beneath the password field to use the Microsoft account only for the selected application and not Windows in general.
Manage the data that Microsoft associates with a Microsoft account
Microsoft created a management interface for Microsoft account on the official company website. It provides users with options to manage user information, privacy, and security online. The main entry points are:
Your Info: https://account.microsoft.com/profile/
Privacy: https://account.microsoft.com/privacy/
Security: https://account.microsoft.com/security
Your Info
Your Info lists profile and contact information, and options to modify those. You may use the page to manage your sign-in email addresses and phone numbers, edit personal or billing information, and to change the account picture.
Privacy
The Privacy tab on the Microsoft account website lists some of the data that Microsoft collects when you use Windows 10 or company services.
Browse
Users who sign in to Windows 10, use Cortana’s browsing history feature, and use Microsoft Edge, have their browsing history sent to Microsoft so that Microsoft, apps and Windows features may provide “timely and intelligent answers and proactive personalized suggestions”.
Tip: Windows 10 users may disable the transferal of the browsing history by opening Cortana, selecting Notebook > Permissions, and setting the Browsing History option to off.
Search
Bing uses a user’s search history to improve results, personalization and suggestions. Cortana may use the search history as well to provide services.
Location
Microsoft services such as Maps use location data to show users where they are, and what is nearby. It may also be used to provide directions, and by other applications that ship with Windows 10 to provide certain functionality.
Cortana’s Notebook
The digital agent Cortana keeps track of interests when it is active on a Windows 10 device. The notebook lists interests associated with the Microsoft account and sorted into categories such as News, Shopping, or Weather.
Tip: Select Notebook > Connected Services when Cortana is open to manage third-party services that Cortana may share information with.
The following options are provided at the time of writing:
• Manage the browsing history. Microsoft displays the most recent browsing history data, and options to clear it.
• Manage the search history. This lists recent searches, and options to clear the search history.
• Manage the location history. You may list the location history, and clear it on the page.
• Manage Cortana Notebook data. List the data that Cortana associates with your interests, and delete the data.
Security
The Security tab lists options to change the account password, update security information, and to view the recent activity. You may check and update security information there. This is important as Microsoft will use the information you provide for account recovery operations.
The “review recent activity” option lists the last sign-ins to the account, and from where they happened. Useful to make sure all are legit.
Customer Experience Program
Turn off Windows Customer Experience Improvement Program
The program collects information about the hardware configuration, and software and services use, to identify trends and usage patterns.
Microsoft states that it won’t collect personally identifiable information such as names or addresses.
Group Policy: Computer Configuration > Administrative Templates > System > Internet Communication Management > Internet Communication settings > Turn off Windows Customer Experience Improvement Program
• Enabled – When enabled, all users are opted out of the Windows Customer Experience Improvement Program.
• Disabled – All users are opted into the Windows Customer Experience Improvement Program.
Windows Registry:
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows
Name: CEIPEnable
Type: Dword
• 0 – The feature is disabled.
• 1 – The feature is enabled.
Allow Corporate Redirection of Customer Experience Improvement uploads
This setting allows you to change the resource the collected data gets uploaded to.
Policy: Computer Configuration > Administrative Templates > Windows Components > Windows Customer Experience Improvement Program > Allow Corporate Redirection of Customer Experience Improvement uploads
• Enabled – This redirects all Customer Experience Improvement uploads to the selected address.
• Disabled – Uploads are not redirected but go to the default address.
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient
Name: CorporateSQMURL
Type: String
• Set new resource address, or redirect to localhost 127.0.0.1
TurnofftheWindowsMessengerCustomerExperienceImprovementProgram
ThissettingdefineswhetherWindowsMessengercollectsanonymousinformationabouthowWindowsMessengerisusedonthesystem.Policy:ComputerConfiguration>AdministrativeTemplates>System>InternetCommunicationManagement>InternetCommunicationsettings>TurnofftheWindowsMessengerCustomerExperienceImprovementProgram•Enabled–WindowsMessengerdoesnotcollectusageinformationabouthowtheproductisused.
•Disabled–AnonymousWindowsMessengerusagedataiscollectedandsubmittedtoMicrosoftKey:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\ClientName:CEIP
Type:Dword•2–Anonymoususagedataisnotcollected.
TurnoffHelpExperienceImprovementProgram
ThispolicydetermineswhetherusersmayparticipateintheHelpExperienceImprovementprogram.TheprogramcollectsinformationonhowusersuseWindowsHelp.GroupPolicy:UserConfiguration>AdministrativeTemplates>System>InternetCommunicationManagement>InternetCommunicationsettings>TurnoffHelpExperienceImprovementProgram
Enabled–UserscannotparticipateintheHelpExperienceImprovementProgram.Disabled–Sameasnotconfigured.Userscanturnthefeatureon.
WindowsRegistry:Key:HKEY_CURRENT_USER\Software\Policies\Microsoft\Assistance\Client\1.0Name:NoExplicitFeedback
Type:Dword0–ExplicitFeedbackisturnedoff.1–ExplicitFeedbackisturnedon.
Name:NoImplicitFeedbackType:Dword
0–ImplicitFeedbackisturnedoff.1–ImplicitFeedbackisturnedon.
WindowsMediaPlayerUsageTracking
WindowsMediaPlayerSettings:OpenWindowsMediaPlayer,andselectTools>Options>Privacy.Findthepreference“IwanttohelpmakeMicrosoftsoftwareandservicesevenbetterbysendingPlayerusagedatatoMicrosoft”andmakesureitisdisabled.
WindowsRegistry:Key:HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\PreferencesName:UsageTrackingType:Dword
•0–TheWindowMediaPlayerCustomerExperienceImprovement
Programisdisabled.•1–TheWindowMediaPlayerCustomerExperienceImprovementProgramisenabled.
TurnoffMicrosoftConsumerExperiences
MicrosoftConsumerExperienceswereaddedtoWindows10inversion1511.Thefeaturepowersseveralthingsonthedevice,includingwhichthird-partyapplicationsareshownonStartafterinstallationorupgradeofacomputersystem,andpersonalizedrecommendationsandnotifications.ThepolicyappliesonlytoEnterpriseandEducationversionsofWindows10.GroupPolicy:ComputerConfiguration>AdministrativeTemplates>WindowsComponents>CloudContent>TurnoffMicrosoftConsumerExperiences.
•Enabled:MicrosoftConsumerExperiencesisdisabledifyouenablethepolicy.Ifyoudisablethefeature,Windows10won’tpushthird-partyapplicationsuggestionsanymoreonthesystem.ItwillalsoblockrecommendationsandnotificationsthatMicrosoftConsumerExperiencespowersaswell.•Disabled:Sameasnotconfigured.MicrosoftConsumerExperiencesis
enabled.WindowsRegistry:Key:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContentName:DisableWindowsConsumerFeaturesType:Dword
•0–Thefeatureisactiveonthesystem.•1–Thefeatureisdisabled.
Feedback and Help

Turn off Active Help

This setting defines whether so-called active content links are rendered in trusted assistance content.

Group Policy: Computer Configuration > Administrative Templates > Windows Components > Online Assistance > Turn off Active Help
• Enabled – Active Content links are not rendered if you enable the policy setting. While the text is still displayed, links are not displayed.
• Disabled – Default behavior applies.

Windows Registry:
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Assistance\Client\1.0
Name: NoActiveHelp
Type: Dword
• 1 – This turns off the Active Help feature.
• 0 – Same as no setting. Active Help is enabled.
Internet Explorer

Windows 10 comes with Internet Explorer 11, but it is no longer the default web browser on machines running the operating system.

Allow Microsoft services to provide enhanced suggestions as the user types in the Address bar

Microsoft’s Internet Explorer may display suggestions based on the user’s input. Enhanced suggestions are returned when the keystrokes are sent to Microsoft.

Group Policy: Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Allow Microsoft services to provide enhanced suggestions as the user types in the Address bar
• Enabled – Users will get enhanced suggestions when they type in Internet Explorer’s address bar. This means that the keystrokes are sent to Microsoft. Users may not change the setting.
• Disabled – Enhanced suggestions are turned off. Users may not change the setting.
• Not Configured – Users are allowed to change the setting.

Windows Registry:
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft
Name: AllowServicePoweredQSA
Type: Dword
• 0 – Enhanced Suggestions are turned off in Internet Explorer.
• 1 – Enhanced Suggestions are enabled in the web browser.

Turn on Suggested Sites

Microsoft Internet Explorer may display site suggestions based on the user’s browsing history. If the feature is turned on, a user’s browsing history is submitted to Microsoft.

Internet Options: Open Microsoft Internet Explorer, and click on Menu > Internet Options. Switch to the Advanced tab when the Internet Options window opens, and control the “enable suggested sites” option under Browsing on the page.

Group Policy: Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Turn on Suggested Sites
• Enabled – The feature is enabled, and users are not prompted to enable Suggested Sites. The browsing history is sent to Microsoft.
• Disabled – The Suggested Sites feature is turned off, and cannot be turned on by the user.
• Not configured – The user may turn the feature on or off.

Windows Registry:
Key: HKLM\Software\Policies\Microsoft\Internet Explorer\SuggestedSites
Name: Enabled
Type: Dword
• 0 – Suggested Sites is disabled.
• 1 – Suggested Sites is enabled.

Turn off URL Suggestions

Microsoft’s Internet Explorer displays suggestions based on what the user types in the browser’s address bar. Internet Explorer uses a locally stored list for the autocomplete feature. User data is not sent over the Internet when the feature is enabled.

Internet Options: Open Microsoft Internet Explorer, and click on Menu > Internet Options. Select Content > Settings (next to AutoComplete). Remove “suggesting URLs” from the list of sources that Internet Explorer uses for the feature.

Group Policy: Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Settings > AutoComplete > Turn off URL Suggestions
• Enabled – URL suggestions are disabled. Users cannot enable the feature.
• Disabled – URL suggestions are enabled, and users may not turn the feature off.
• Not Configured – Users may enable or disable the feature.

Windows Registry:
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
Name: AppendCompletion
Type: String Value
• yes – Internet Explorer tries to match what the user types with the locally stored autocomplete listing.
• no – URL suggestions are disabled in Internet Explorer.

Turn off Windows Search AutoComplete

This determines whether Windows Search may provide autocomplete results when users type in the Internet Explorer address bar.

Internet Options: Open Microsoft Internet Explorer, and click on Menu > Internet Options. Select Content > Settings (next to AutoComplete). Remove “Use Windows Search for better results” from the list of sources that Internet Explorer uses for the feature.

Group Policy: Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Settings > AutoComplete > Turn off Windows Search AutoComplete
• Enabled – If you enable this policy, Internet Explorer won’t use Windows Search for providing results in the address bar. Users won’t be able to change the setting.
• Disabled – Internet Explorer uses Windows Search to provide results in the browser’s address bar. Users may not change the setting.
• Not Configured – Users may turn the feature on or off. The feature is enabled by default.

Windows Registry:
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\WindowsSearch\
Name: AutoCompleteGroups
Type: Dword
• 0 – Disable the use of Windows Search for AutoComplete functionality.
Microsoft Edge

Microsoft Edge is the default system browser of Windows 10. It is not the only browser that ships with Windows 10, as Internet Explorer 11 is available as well. The main reason why Microsoft made the decision to include Edge and IE in Windows 10 is backwards compatibility. Microsoft Edge was designed to be a lightweight browser that supports major web standards. It comes without features such as support for ActiveX or Browser Helper Objects which Internet Explorer continues to support.

Allow Address bar drop-down list suggestions

Microsoft Edge may display suggestions in the Address bar drop-down menu when users start to type. This particular setting disables the whole drop-down menu. If you only want to stop search results from being displayed, you may leave this setting alone and configure “Configure search suggestions in Address bar” instead.

Group Policy: Computer Configuration > Administrative Templates > Windows Components > Microsoft Edge > Allow Address bar drop-down list suggestions
• Enabled – Same as not configured. Address bar drop-down functionality is enabled in Microsoft Edge. Microsoft Edge may connect to Microsoft services for the functionality if the setting is enabled.
• Disabled – Drop-down suggestions are disabled. Setting this policy to disabled disables “show search and site suggestions as I type” as well.

Allow Microsoft Compatibility List

Microsoft maintains a list of sites with known compatibility issues in Microsoft Edge. Edge prompts users to open sites that are on the list in Internet Explorer instead. This is done so that these sites, usually sites optimized for a particular version of Internet Explorer, display correctly. The Microsoft Compatibility List is enabled by default and Windows 10 will check for updates of the list frequently.

Policy: Computer Configuration > Administrative Templates > Windows Components > Microsoft Edge > Allow Microsoft Compatibility List
• Enabled – Same as not configured. Microsoft Edge downloads an updated compatibility list periodically.
• Disabled – The Microsoft Compatibility List is not used.

Allow web content on New Tab page

The policy lets you configure the content of the New Tab page in Microsoft Edge. Microsoft Edge displays top sites and content such as news that it pulls from the Internet on the New Tab page by default.

Policy: Computer Configuration > Administrative Templates > Windows Components > Microsoft Edge > Allow web content on New Tab page
• Enabled – Microsoft Edge displays the default New Tab page of the web browser.
• Disabled – Microsoft Edge displays a blank New Tab page without any content.
• Not configured – Users may choose what appears on the New Tab page.

Configure Cookies

Edge users may configure how cookies are handled by the browser directly in Edge. A policy is available to configure cookie behavior for all users of a machine.

Microsoft Edge Settings:
• Open Microsoft Edge.
• Select Menu (the three dots), and Settings from the menu.
• Scroll down and click on “view advanced settings”.
• Locate the cookies section by scrolling down.

You have three options when it comes to configuring the behavior:
• Block all cookies
• Block only third-party cookies
• Don’t block cookies (default)

Group Policy: Computer Configuration > Administrative Templates > Windows Components > Microsoft Edge > Configure cookies
• Enabled – When you enable this setting, you may use the policy to configure the cookie behavior of the Edge web browser. You may set it to the following:
  • Allow all cookies – This is the default behavior of Microsoft Edge. All cookies are allowed.
  • Block all cookies – You may block any cookie from being set in Edge.
  • Block only 3rd-party cookies – This allows first-party cookies, but blocks all third-party cookies in the browser.
• Disabled – Same as not configured. All cookies are allowed.

Configure Do Not Track

Microsoft Edge does not send Do Not Track requests by default. This setting lets you enable Do Not Track in Microsoft Edge, or give users the choice to do so.

Policy: Computer Configuration > Administrative Templates > Windows Components > Microsoft Edge > Configure Do Not Track
• Enabled – Do Not Track is enabled, and Edge sends the header information when it connects to websites.
• Disabled – Do Not Track is disabled.
• Not configured – Users may enable or disable Do Not Track.

Configure search suggestions in Address bar

Microsoft Edge displays search suggestions as you type in the browser’s address bar. The information that you enter is sent to Bing if the feature is enabled.

Microsoft Edge Settings:
• Open Microsoft Edge.
• Select Menu (the three dots), and Settings from the menu.
• Scroll down and click on “view advanced settings”.
• Toggle “Show search and site suggestions as I type” to off.

Group Policy: Computer Configuration > Administrative Templates > Windows Components > Microsoft Edge > Configure search suggestions in Address bar
• Enabled – Search suggestions are displayed when you type in the Microsoft Edge address bar.
• Disabled – Search suggestion functionality is disabled.
• Not Configured – Users may enable or disable the feature in Microsoft Edge’s settings.

Windows Registry:

Prevent Microsoft Edge from gathering Live Tile information

Microsoft Edge may contact ieonline.microsoft.com to gather Live Tile metadata to “provide a better experience” while pinning a Live Tile to the Start menu.

Group Policy: Computer Configuration > Administrative Templates > Windows Components > Microsoft Edge > Prevent Microsoft Edge from gathering Live Tile information
• Enabled – If you enable the policy, Microsoft Edge won’t contact ieonline.microsoft.com to gather Live Tile data.
• Disabled – Same as not configured. Microsoft will gather Live Tile metadata.

Prevent the First Run webpage from opening on Microsoft Edge

Microsoft Edge displays a First Run webpage when a user starts the web browser for the first time. The browser’s First Run page offers tips and highlights changes to improve a user’s experience. This page is shown on first run after a new installation, but also when a new feature update is installed.

Group Policy: Computer Configuration > Administrative Templates > Windows Components > Microsoft Edge > Prevent the First Run webpage from opening on Microsoft Edge
• Enabled – The First Run page is not displayed when users open Microsoft Edge for the first time.
• Disabled – Same as not configured. The First Run page is shown.

Windows Registry:
Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MicrosoftEdge\Main
Name: PreventFirstRunPage
Type: Dword
• 0 – The First Run page is shown in Microsoft Edge.
• 1 – The First Run page is blocked in Microsoft Edge.

Prevent using Localhost IP address for WebRTC

WebRTC may reveal the localhost IP address of a device that Microsoft Edge runs on when making calls using the WebRTC protocol.

Group Policy: Computer Configuration > Administrative Templates > Windows Components > Microsoft Edge > Prevent using Localhost IP address for WebRTC
• Enabled – The Localhost IP address is not revealed when users are making calls using the WebRTC protocol.
• Disabled – Same as not configured. Localhost IP addresses are shown when making calls using the WebRTC protocol.

Windows Registry:
Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MicrosoftEdge\Main
Name: HideLocalHostIP
Type: Dword
• 0 – Localhost IP addresses are shown when making WebRTC calls.
• 1 – Localhost IP addresses are not shown when making WebRTC calls.
OneDrive / File Synchronization

Prevent the usage of OneDrive for file storage

You may use this preference to disable OneDrive on the Windows 10 machine. Please note that this impacts several areas of the operating system:
• OneDrive files are not synchronized.
• The automatic uploading of photos and videos from the camera roll folder is disabled.
• OneDrive is not listed in File Explorer.
• OneDrive cannot be accessed from the OneDrive app or file picker.
• Windows Store apps cannot access OneDrive.

Group Policy: Computer Configuration > Administrative Templates > Windows Components > OneDrive > Prevent the usage of OneDrive for file storage
• Enable – This disables OneDrive on the Windows 10 device.
• Disable – Default, same as not configured. OneDrive is enabled.

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive
Name: DisableFileSyncNGSC
Type: Dword
• A value of 0 means OneDrive is enabled.
• A value of 1 means OneDrive is disabled.

Do not Sync

Control whether settings are synced on the device, and whether users may control the preference in the Settings application. Windows 10 may synchronize the following settings or data:
• Theme
• Internet Explorer settings
• Passwords
• Language preferences
• Ease of access
• Other Windows settings

Group Policy: Computer Configuration > Administrative Templates > Windows Components > Sync your settings > Do not sync
• Enabled – Sync your settings is turned off on the device, and no data that is listed under “sync your settings” is synchronized. You may set “allow users to turn syncing on” to allow users to override the default.
• Disabled – Sync your settings is on by default, and users may control it.

Windows Registry:
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSync
Name: DisableSettingSync
Type: Dword
• 1 – Sync your Settings is enabled.
• 2 – Sync your Settings is disabled.

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSync
Name: DisableSettingSyncUserOverride
Type: Dword
• 1 – Users may not override the default value of Sync your settings.

Do not Sync Application Settings

This policy may prevent the synchronization of application settings from one PC to another.

Group Policy: Computer Configuration > Administrative Templates > Windows Components > Sync your settings > Do not sync app settings
• Enabled – This prevents the synchronization of application settings. You may set the “allow users to turn app settings sync on” option to give users an option to turn the functionality back on.
• Disabled – App syncing is on by default, and users may control the preference in the Settings application.

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSync
Name: DisableAppSyncSettingSync
Type: Dword
• 1 – The application sync setting is enabled.
• 2 – The synchronization of individual application settings is disabled.

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSync
Name: DisableAppSyncSettingSyncUserOverride
Type: Dword
• 1 – Users may not override the application sync setting.

Do not sync passwords

This setting controls whether passwords are synced as part of the “sync your settings” functionality of the Windows 10 operating system.

Group Policy: Computer Configuration > Administrative Templates > Windows Components > Sync your settings > Do not sync passwords
• Enabled – Passwords won’t be synced by default if the policy is enabled. Administrators may check “allow users to turn passwords syncing on” to give users the option to turn the feature on in the Settings application.
• Disabled – Password syncing is enabled. Users may turn it off in the Settings application.

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSync
Name: DisableCredentialsSettingSync
Type: Dword
• 1 – Password syncing is enabled.
• 2 – Password syncing is disabled.

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSync
Name: DisableCredentialsSettingSyncUserOverride
Type: Dword
• 1 – Users may not enable password syncing in the Settings application.

Do not sync desktop personalization

This policy determines whether a personalized desktop is synchronized or if the option is configurable in the Settings application.

Group Policy: Computer Configuration > Administrative Templates > Windows Components > Sync your settings > Do not sync desktop personalization
• Enabled – Desktop personalization syncing is turned off. Administrators may enable “allow users to turn desktop personalization syncing on” to give users control over the sync feature in the Settings application.
• Disabled – Desktop personalization is synced. Users may turn off the syncing in the Settings application.

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSync
Name: DisableDesktopThemeSettingSync
Type: Dword
• 1 – Desktop personalization syncing is enabled.
• 2 – Desktop personalization syncing is disabled.

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSync
Name: DisableDesktopThemeSettingSyncUserOverride
Type: Dword
• 1 – Users may not change the sync setting in the Windows 10 Settings application.

Do not sync personalize

Windows 10 may sync personalized preferences, so that these become available on all Windows 10 devices the user signs in to with a Microsoft account.

Group Policy: Computer Configuration > Administrative Templates > Windows Components > Sync your settings > Do not sync personalize
• Enabled – When the policy is enabled, “personalize” group data will not be synced. Administrators may enable “allow users to turn ‘personalize’ syncing on” to provide users with options to turn the feature on manually.
• Disabled – Same as not configured. The “personalize” group is synced by default, and the user may disable the feature in the Settings interface.

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSync
Name: DisablePersonalizationSettingSync
Type: Dword
• 1 – The “personalize” group is synced.
• 2 – The “personalize” group is not synced.

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSync
Name: DisablePersonalizationSettingSyncUserOverride
Type: Dword
• 1 – Users may not change the personalize sync setting in the Windows 10 Settings application.

Do not sync start settings

Windows 10 may sync the start layout so that it is available on all Windows 10 machines a user signs in to using a Microsoft account.

Group Policy: Computer Configuration > Administrative Templates > Windows Components > Sync your settings > Do not sync start settings
• Enabled – The “start layout” group is not synced. Administrators may enable the “allow users to turn ‘start layout’ syncing on” option to provide users with options to enable the sync feature.
• Disabled – Same as not configured. “Start layout” syncing is enabled by default. Users may disable the syncing in the Settings UI.

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSync
Name: DisableStartLayoutSettingSync
Type: Dword
• 1 – The “start layout” group is synced.
• 2 – The layout of Start is not synced.

Key: DisableStartLayoutSettingSync
Name: DisableStartLayoutSettingSyncUserOverride
Type: Dword
• 1 – Users are not allowed to select whether they want the “start layout” to sync or not.

Do not sync browser settings

This policy may be used to prevent browser settings such as the browsing history or favorites from being synced.

Group Policy: Computer Configuration > Administrative Templates > Windows Components > Sync your settings > Do not sync browser settings
• Enabled – The “browser” group and its data won’t be synced. Administrators may enable “Allow users to turn ‘browser’ syncing on” to provide users with an option to enable the sync option in the Settings application.
• Disabled – Same as not configured. Browser data is synced by default. Users may disable the syncing in the Settings application.

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSync
Name: DisableWebBrowserSettingSync
Type: DWORD
• 1 – Web browser syncing is enabled.
• 2 – Web browser syncing is disabled.

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSync
Name: DisableWebBrowserSettingSyncUserOverride
Type: DWORD
• 1 – Users are not allowed to override the web browser sync setting.

Do not sync other Windows settings

This policy may be used to prevent other Windows settings from being synced. It is unclear what “other Windows settings” includes when it comes to synchronization.

Group Policy: Computer Configuration > Administrative Templates > Windows Components > Sync your settings > Do not sync other Windows settings
• Enabled – The synchronization of “other Windows settings” is disabled. Administrators may check “Allow users to turn other Windows settings syncing on” to give users an option to enable the syncing in the Settings application.
• Disabled – Same as not configured. Windows 10 will sync “other Windows settings” by default. Users may turn off the feature in the Settings UI.

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSync
Name: DisableWindowsSettingSync
Type: DWORD
• 1 – The default value. “Other Windows settings” are synced.
• 2 – The syncing of “Other Windows settings” is disabled.

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSync
Name: DisableWindowsSettingSyncUserOverride
Type: DWORD
• 1 – Users may not override the “Other Windows syncing” setting in the Settings UI.

Do not sync on metered connections

This policy defines whether synchronization of data is enabled when the PC is on a metered Internet connection.

Group Policy: Computer Configuration > Administrative Templates > Windows Components > Sync your settings > Do not sync on metered connections
• Enabled – Syncing is turned off when the PC is connected using a metered connection.
• Disabled – Same as not configured. Syncing on metered connections is enabled by default, but can be turned off by the user.

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSync
Name: DisableSyncOnPaidNetwork
Type: Dword
• 1 – Syncing is disabled when the PC is on a metered Internet connection.
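The SettingSync values listed above can be written as one set instead of key by key. The following PowerShell is an added example, not part of the guide: it uses the value names and data exactly as the guide lists them (2 for each sync group, 1 for the user-override and metered-connection values), and the -LockUserOverride switch is an assumption of this example. Run it from an elevated prompt; add -WhatIf to preview the changes.

```powershell
[CmdletBinding(SupportsShouldProcess)]
param(
    # Hypothetical switch: also write the *UserOverride values so users
    # cannot turn syncing back on in the Settings application.
    [switch]$LockUserOverride
)

$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SettingSync'

# One value name per sync group, as listed in the guide.
$syncGroups = @(
    'DisableSettingSync'
    'DisableAppSyncSettingSync'
    'DisableCredentialsSettingSync'
    'DisableDesktopThemeSettingSync'
    'DisablePersonalizationSettingSync'
    'DisableStartLayoutSettingSync'
    'DisableWebBrowserSettingSync'
    'DisableWindowsSettingSync'
)

# Build the desired state: 2 = syncing disabled, UserOverride 1 = no user override.
# Assumption: every UserOverride value lives under the same SettingSync key.
$desired = [ordered]@{}
foreach ($group in $syncGroups) {
    $desired[$group] = 2
    if ($LockUserOverride) { $desired["${group}UserOverride"] = 1 }
}
# 1 = no syncing on metered connections
$desired['DisableSyncOnPaidNetwork'] = 1

# Policy keys do not exist until a policy has been configured once.
if (-not (Test-Path -LiteralPath $key)) {
    if ($PSCmdlet.ShouldProcess($key, 'Create policy key')) {
        New-Item -Path $key -Force | Out-Null
    }
}

foreach ($entry in $desired.GetEnumerator()) {
    $name = $entry.Key
    # Read the current data; $null when the key or the value is missing.
    $current = (Get-ItemProperty -LiteralPath $key -Name $name -ErrorAction SilentlyContinue).$name
    $changed = $false

    if ($current -ne $entry.Value) {
        if ($PSCmdlet.ShouldProcess("$key\$name", "Set DWORD to $($entry.Value)")) {
            New-ItemProperty -LiteralPath $key -Name $name -PropertyType DWord `
                -Value $entry.Value -Force | Out-Null
            $changed = $true
        }
    }

    # One row per value so the run doubles as a report.
    [pscustomobject]@{
        Name     = $name
        Previous = if ($null -eq $current) { '<not set>' } else { $current }
        Desired  = $entry.Value
        Changed  = $changed
    }
}
```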
SmartScreen

Configure Windows Defender SmartScreen (Edge)

This policy defines whether Windows Defender SmartScreen is enabled when Microsoft Edge is used as the system browser. SmartScreen provides defense against malware, phishing and other threats that originate on the Internet.

Group Policy: Computer Configuration > Administrative Templates > Windows Components > Microsoft Edge > Configure Windows Defender SmartScreen Filter
Windows Server Group Policy: Computer Configuration > Administrative Templates > Windows Components > Microsoft Edge > Configure SmartScreen Filter
• Enabled – Windows Defender SmartScreen is turned on, and users cannot turn it off.
• Disabled – Windows Defender SmartScreen is turned off, and users cannot turn it on.
• Not Configured – Employees may enable or disable Windows Defender SmartScreen.

Windows Registry:
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost
Name: EnableWebContentEvaluation
Type: Dword
• 0 – Windows Defender SmartScreen is disabled.
• 1 – Windows Defender SmartScreen is enabled.

Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System
Name: EnableSmartScreen
Type: Dword
• 0 – Windows Defender SmartScreen is disabled.
• 1 – Windows Defender SmartScreen is enabled.

Configure Windows Defender SmartScreen

This policy defines whether Windows Defender SmartScreen is enabled on the Windows PC. The feature protects the PC against programs downloaded from the Internet that are not recognized by Windows Defender. Information on the files and programs that are run on the PC is sent to Microsoft when the feature is enabled.

Group Policy: Computer Configuration > Administrative Templates > Windows Components > File Explorer > Configure Windows Defender SmartScreen
• Enabled – When you enable the policy, you may set it to “warn and prevent bypass”, or “warn”. The first pick provides users with the means to run the file by bypassing the warning, the second won’t allow users to do that.
• Disabled – Windows Defender SmartScreen will be turned off.
• Not Configured – SmartScreen is enabled, but users may change the setting.

Windows Registry:
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Name: SmartScreenEnabled
Type: String value
• Off – This disables SmartScreen Filter.
• RequireAdmin – Administrator approval required before an unrecognized Internet program is run.
• Prompt – Display a warning before running an unrecognized Internet program, but don’t require Admin approval to run it.

Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer
Name: SmartScreenEnabled
Type: String value
• Off – This disables SmartScreen Filter.
• RequireAdmin – Administrator approval required before an unrecognized Internet program is run.
• Prompt – Display a warning before running an unrecognized Internet program, but don’t require Admin approval to run it.
Windows Error Reporting

Windows Error Reporting allows Microsoft to gain information about Windows system, feature and application errors. It furthermore provides users and administrators with options to receive information about potential solutions for encountered issues.

Disable Windows Error Reporting

The policy turns the Windows Error Reporting feature off. This has the effect that reports are not collected or sent to Microsoft or internal servers when software fails or stops working.

Group Policy: User Configuration > Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting
• Enabled – If you enable this policy, Windows Error Reporting is disabled. Solution information under Security and Maintenance is not available anymore when you disable error reporting.
• Disabled – Same as not configured. Windows Error Reporting is enabled. Note that this may be overridden by the “Turn off Windows Error Reporting” policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication

Windows Registry:
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting
Name: Disabled
Type: Dword
• 0 – Windows Error Reporting is enabled.
• 1 – Windows Error Reporting is disabled.

Do not send additional data

This defines whether additional data in “support of error reports” can be sent to Microsoft automatically.

Group Policy: User Configuration > Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting
• Enabled – Any additional data requests from Microsoft in response to Windows Error Reporting are declined automatically without user notification.
• Disabled – Same as not configured. The feature is enabled. Note that consent policy settings in Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting/Consent take precedence.

Windows Registry:
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting
Name: DontSendAdditionalData
Type: Dword
• 0 – Send additional data.
• 1 – Do not send additional data.
Windows Media Player

Windows Media Player is a long-standing media player that ships with Windows 10. It plays audio and video files, and supports a variety of features such as Internet streaming or looking up information online for media that is played using it.

Prevent Music file Media Information Retrieval

Windows Media Player may download media information from the Internet for music files that are played in the application to display the information in its interface.

Group Policy: User Configuration > Administrative Templates > Windows Components > Windows Media Player > Prevent Music File Media Information Retrieval
• Enabled – Windows Media Player is prevented from retrieving media information for music files. Additionally, Update My Music files is not available in the player.
• Disabled – The default setting. Windows Media Player retrieves music information from the Internet, and users may use the update my music files option as well.

Windows Registry:
Key: HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\WindowsMediaPlayer
Name: PreventMusicFileMetadataRetrieval
Type: Dword
• 0 – The default value. Windows Media Player may retrieve music information automatically from the Internet.
• 1 – A value of 1 disables the feature.

Prevent CD and DVD Media Information Retrieval

Windows Media Player may look up information on CDs or DVDs that are loaded while it is running by querying Internet servers. The information that it retrieves is then displayed in the media player.

Group Policy: User Configuration > Administrative Templates > Windows Components > Windows Media Player > Prevent CD and DVD Media Information Retrieval
• Enabled – Windows Media Player is blocked from retrieving CD or DVD media information from the Internet. The Retrieve Media option is not available.
• Disabled – The default setting. Windows Media Player may retrieve media information for CDs or DVDs. The Retrieve Media checkbox is available.

Windows Registry:
Key: HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsMediaPlayer
Name: PreventCDDVDMetadataRetrieval
Type: Dword
• 0 – The default value. Windows Media Player may look up CD or DVD metadata.
• 1 – This prevents Windows Media Player from doing so.

Prevent Radio Station Preset Retrieval

Windows Media Player may retrieve Radio Station presets from the Internet.

Group Policy: User Configuration > Administrative Templates > Windows Components > Windows Media Player > Prevent Radio Station Preset Retrieval
• Enabled – Windows Media Player is blocked from retrieving Radio Station presets automatically from the Internet, and displaying them in the library. Presets that existed before the policy is set to enabled are not updated, and presets a user adds are not displayed.
• Disabled – The default setting. Windows Media Player retrieves and updates Radio Station presets.

Windows Registry:
Key: HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsMediaPlayer
Name: PreventRadioPresetsRetrieval
Type: Dword
• 0 – The default value. Windows Media Player may retrieve Radio Station presets.
• 1 – This prevents Windows Media Player from doing so.

Prevent Windows Media DRM Internet Access

Windows Media Player may acquire licenses for secure content, upgrade Windows Media DRM security components, or restore backed up content licenses automatically.

Group Policy: Computer Configuration > Administrative Templates > Windows Components > Windows Media Digital Rights Management > Prevent Windows Media DRM Internet Access
• Enabled – Windows Media Player is blocked from acquiring DRM licenses or performing other DRM related operations. This won’t affect media with DRM that is already on the local computer and already licensed.
• Disabled – The default value. Windows Media Player may obtain digital licenses, and perform other DRM tasks.

Windows Registry:
Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WMDRM
Name: DisableOnline
Type: Dword
• 0 – The default value. Media Player may connect to the Internet for DRM license retrievals and updates of DRM functionality.
• 1 – Windows Media Player is blocked and cannot retrieve digital licenses online anymore.
Windows Update

Windows Update is an essential component of the Windows 10 operating system. It is a built-in updating system that checks, downloads, and installs updates automatically or on user request depending on how it is configured. The default configuration is set to automatic. This means that Windows Update will query Microsoft servers automatically at intervals for updates (the default is once per hour on Windows 10 Pro).

All updates receive a rating by Microsoft that is an indicator of their importance. Windows Update on Windows 10 is configured to download and install critical and important updates automatically by default. Optional updates, and those that require user input, for instance by accepting terms, are not downloaded and installed automatically.

Windows Update is a good feature for the most part. It ensures that Windows devices receive the latest security patches and updates, so that they are protected against attacks that target known vulnerabilities.

Microsoft changed how updates are delivered on Windows 10 however. It introduced cumulative updates instead of individual updates for each patch that it releases. This means that it is no longer possible to decide on a per-update basis if the update should be installed on a machine or not; it is all or nothing on Windows 10. The only option that Windows 10 administrators and users have is to decide when they want to install updates.

Patches may reset privacy settings or introduce new privacy related features to Windows 10. Unlike on Windows 7 or Windows 8, Microsoft does not release a security-only update for Windows 10 on each Patch Tuesday. This means that you end up with an all or nothing approach that is bad from a user’s point of view.

Windows Update Suggestions

I recommend the following when it comes to Windows Update:
1. Always create a backup prior to installing Windows updates. This ensures that you can go back to a previous version of Windows if the installation goes wrong, if the update causes issues on the system, or if changes are made that you want reversed.
2. Check the changelogs for updates, and read sites that write about new updates that are released for Windows 10. This provides you with information on the updates, and also user comments on sites that allow them, so that you may know in advance if an update is broken for instance.
3. Security patches are important. Generally speaking, it is recommended to install those on the Windows 10 machine as soon as possible.
4. Verify that settings have not changed after an update has been installed on a Windows 10 machine.

Windows Update Download and Upload sources

Windows 10 may use other sources than Microsoft servers to download updates to a local machine. These sources may be on the same LAN, a domain, or even on the Internet. Bandwidth of the local system may therefore be used to distribute parts of Windows updates to third-party Internet users who run Windows 10 as well.

The best setting depends largely on the environment you use the computer in. If you use a single computer, you may not want to enable network or Internet updating. The reason why I recommend that is that it may save you quite a bit of bandwidth, and ensures that your PC’s bandwidth is not used to transfer updates to third-party systems on the Internet that you don’t know anything about. If the device is in a local area network with other Windows 10 devices, it may make sense to enable direct and LAN peering, as bandwidth may be saved as a consequence.

Group Policy: Computer Configuration > Administrative Templates > Windows Components > Delivery Optimization > Download Mode
• HTTP Only – No Peering.
• LAN – HTTP and peering behind the same NAT.
• Group – HTTP and peering on the same domain or in the same Active Directory Site (cross NAT).
• Internet – HTTP and Internet peering.
• Simple – No peering and does not try to contact the Delivery Optimization Service.
• Bypass – Do not use Delivery Optimization, and use BITS instead.

Windows Registry:
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization
Name: DODownloadMode
Type: Dword
• 0 – Feature is disabled.
• 1 – Accept only peers on the same NAT.
• 2 – Accept local network / private peering (same domain).
• 3 – Internet Peering.
• 99 – Simple Download Mode.
• 100 – Bypass Mode.

Microsoft introduced a new feature in the Fall Creators Update for Windows 10 that gives users some control over the download and upload limits. These have been available as Group Policy options in previous versions already, but they are listed in the Settings UI as well now.

Settings: Settings application > Update & Security > Windows Update > Advanced Options > Delivery Optimization > Advanced Options.

Windows optimizes bandwidth dynamically by default. These options provide users with settings to limit the feature in the following ways:
• Limit download bandwidth.
• Limit upload bandwidth.
• Set monthly upload limit.

Group Policy: Computer Configuration > Administrative Templates > Windows Components > Delivery Optimization
• Maximum Download Bandwidth (percentage)
• Maximum Download Bandwidth (KB/s)
• Max Upload bandwidth (in KB/s)
• Monthly Upload Data Cap (in GB)

Configure Automatic Updates

This policy provides you with options to change the default updating behavior of Windows Update. You can use it to configure automatic updating and scheduled updating.

Group Policy: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Automatic Updates
• Enabled – When you enable the policy, you need to select one out of four options that define the PC’s automatic updating behavior.
  • Notify for download and auto install
  • Auto download and notify for install (default)
  • Auto download and schedule the install
    • Install during automatic maintenance
    • Scheduled install day and time
    • Install updates for other Microsoft products
  • Allow local admin to choose setting.
• Disabled – If this policy is disabled, updates must be downloaded and installed manually using Windows Update.

Wi-Fi

Microsoft Windows 10 supported a feature called Wi-Fi Sense up until recently. This feature was designed to improve the sharing of Wi-Fi passwords with others. Instead of having to hand out passwords directly to other users, Wi-Fi Sense could be used to share the passwords directly with the device. The benefit was that the user who used the device did not know what the password was.

Microsoft removed the Wi-Fi Sense feature, and it is no longer available in that form. You do find other Wi-Fi related settings however that you may want to control. The policy determines whether Wi-Fi features are enabled, and if users of the device may control the functionality.

Settings application: Settings > Network & Internet > Wi-Fi

When you open the settings page, you get the following options which you may want to toggle to off if you don’t plan on using them.
• Find paid plans for suggested open hotspots near me
• Connect to suggested open hotspots
• Hotspot 2.0 – Let me use Online Sign-Up to get connected

Group Policy: Computer Configuration > Administrative Templates > Network > WLAN Service > WLAN Settings > Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services.
• Enabled – Same as not configured. Windows users may choose to enable or disable “connect to suggested open hotspots” and “connect to networks shared by my contacts” using the Settings application.
• Disabled – Wi-Fi Sense is turned off, and users cannot turn it back on.

Windows Registry
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config\
Name: AutoConnectAllowedOEM
Type: Dword
• 0 – A value of 0 disables Wi-Fi Sense.

Misc

Disable Application Telemetry

The Application Compatibility Engine checks whether an application that is run on the system is found in the compatibility database. If that is the case, it offers solutions and compatibility fixes, or an Application Help message if the problem is known.

Note: Windows Resource Protection and User Account Control rely on the Application Compatibility Engine to provide solutions for known compatibility issues. If you turn off the feature, these mitigations are not applied, and installation or the start of programs with known compatibility issues may fail.

Systems may cache the value of this setting for performance purposes. You may need to restart the system before the change takes effect. Microsoft notes that disabling the engine is useful in high load environments, for instance in server environments where applications may be loaded several hundred times per second.

Policy: Computer Configuration > Administrative Templates > Windows Components > Application Compatibility > Turn off Application Compatibility Engine
• Enabled: When you turn off the Application Compatibility Engine, you will improve system performance. It may however result in issues such as degrading the compatibility of legacy applications. It may also block incompatible programs from installing at all, or may result in crashes or blue screens.
• Disabled: Same as not configured. The Application Compatibility Engine runs.

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppCompat
Name: AITEnable
Value:
• 0 – Disables the Application Compatibility Engine.
• 1 – Same as if the Dword does not exist. Application Compatibility Engine is enabled.

Disable Inventory Collector

The Inventory Collector collects application, file, device, and driver inventory data on a system running Windows 10, and sends the information to Microsoft. Microsoft states in the policy description that it uses the information to assist in the diagnosis of compatibility problems.

Note: The policy has no effect if the Customer Experience Improvement Program is disabled. The Inventory Collector is then disabled automatically as well.

Policy: Computer Configuration > Administrative Templates > Windows Components > Application Compatibility > Turn off Inventory Collector
• Enabled: If you enable the policy, the Inventory Collector is turned off, and data is no longer sent to Microsoft. This disables the collection of installation data through the Program Compatibility Assistant as well.
• Disabled: Same as not configured. Inventory Collector works normally.

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppCompat
Name: DisableInventory
Values:
• 0 – Same as if the Dword does not exist. Inventory Collector works normally.
• 1 – Disable the Inventory Collector.

Turn off downloading of game information

Windows may look up information about games online to retrieve game box art and ratings using Windows Metadata Services. This is part of the operating system’s Game Explorer feature.

Policy: Computer Configuration > Administrative Templates > Windows Components > Game Explorer > Turn off downloading of game information
• Enabled – This blocks the downloading of game box art and ratings by querying Windows Metadata Services.
• Disabled – Same as not configured. Windows Metadata Services are used to download game box art and ratings.

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GameUX
Name: DownloadGameInfo
Type: Dword
• 0 – The feature is turned off, Game Box Art and ratings are not downloaded.
• 1 – The feature is enabled.

Turn off automatic download and update of Map database

Windows 10 may download and update the map database automatically. The feature is controlled by these settings.

Policy: Computer Configuration > Administrative Templates > Windows Components > Maps > Turn off automatic download and update of Map database
• Enabled – When the setting is enabled, the automatic downloading and updating of map data is disabled.
• Disabled – Same as not configured. This means Map data is automatically downloaded and updated.
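
One way to carry out the "verify that settings have not changed after an update" suggestion for the HKEY_LOCAL_MACHINE values named in the Windows Media Player, Windows Update, Wi-Fi and Misc sections is the PowerShell script below. It is an added example, not part of the book; the baseline values, the function names and the snapshot path are assumptions to adjust, and the script only reads the registry.

```powershell
# Added example (not from the book): report-only audit of registry values
# described in this guide. Nothing is written to the registry.

# Baseline: ASSUMED privacy-leaning choices among the values the guide lists.
# AITEnable = 0 turns off the Application Compatibility Engine, which the guide
# warns can break legacy programs; set Want to 1 if you keep the engine on.
$Baseline = @(
    @{ Key = 'HKLM:\Software\Policies\Microsoft\WMDRM';                        Name = 'DisableOnline';         Want = 1 }
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'; Name = 'DODownloadMode';        Want = 0 }
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config';      Name = 'AutoConnectAllowedOEM'; Want = 0 }
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat';            Name = 'AITEnable';             Want = 0 }
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat';            Name = 'DisableInventory';      Want = 1 }
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\GameUX';               Name = 'DownloadGameInfo';      Want = 0 }
)

# Snapshot of the previous run. ASSUMED location; any path you can write to works.
$SnapshotPath = Join-Path $env:ProgramData 'privacy-audit-snapshot.json'

function Get-RegistryValueOrNull {
    param([string]$Key, [string]$Name)
    # A missing key and a missing value both yield $null instead of an error.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-PrivacyAudit {
    param([object[]]$Baseline, [object[]]$Previous = @())
    foreach ($entry in $Baseline) {
        $actual = Get-RegistryValueOrNull -Key $entry.Key -Name $entry.Name

        # Same value as recorded by the previous run, if there was one.
        $before = $Previous |
            Where-Object { $_.Key -eq $entry.Key -and $_.Name -eq $entry.Name } |
            Select-Object -First 1

        if ($null -eq $actual) {
            $status = 'NotSet'      # value absent: the Windows default applies
        } elseif ($actual -eq $entry.Want) {
            $status = 'OK'
        } else {
            $status = 'Differs'
        }

        [pscustomobject]@{
            Key                 = $entry.Key
            Name                = $entry.Name
            Want                = $entry.Want
            Actual              = $actual
            Status              = $status
            ChangedSinceLastRun = ($null -ne $before) -and ($before.Actual -ne $actual)
        }
    }
}

# Load the previous snapshot when one exists.
$previous = @()
if (Test-Path -LiteralPath $SnapshotPath) {
    $previous = Get-Content -LiteralPath $SnapshotPath -Raw | ConvertFrom-Json
}

$report = @(Get-PrivacyAudit -Baseline $Baseline -Previous $previous)
$report | Format-Table Name, Want, Actual, Status, ChangedSinceLastRun -AutoSize

# Store the current state so the next run, for example after an update has
# been installed, can be compared against it.
$report | Select-Object Key, Name, Actual |
    ConvertTo-Json |
    Set-Content -LiteralPath $SnapshotPath -Encoding UTF8
```

Run it once before installing updates and again afterwards; rows with Status "Differs" or ChangedSinceLastRun "True" are the ones to review.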

Windows Services

Services are a core part of the Windows operating system. Changing their state, or disabling services altogether, may result in functionality or stability issues on the system. Generally speaking, it is suggested to leave the majority of services alone with the exception of Connected User Experiences and Telemetry, and Dmwappushservice. This chapter looks at some services that have privacy implications and explains what they do when they run.

Connected User Experiences and Telemetry
This is the main Telemetry service on Windows 10 machines. It manages the “event driven collection and transmission of diagnostic and usage information”.

Dmwappushservice
The WAP Push Message Routing Service. Used to transfer data to Microsoft servers. Not a lot of information is available on this service.

Connected Devices Platform Service CDPUserSvc_xxxxx
This service is used for Connected Devices Platform scenarios. Not a lot of information is available on this service either. You may not want to disable it if you use Bluetooth or wireless on the desktop. You may disable the service to see what happens though. If you run into connectivity issues with devices, you need to enable it again.

Windows Tasks

Windows 10 ships with a number of scheduled tasks that are run regularly. Some of these tasks are used to collect Telemetry data, and transfer the data to Microsoft. The following list focuses on tasks that collect Telemetry data.

Task Scheduler > Task Scheduler Library > Windows > Application Experience > Microsoft Compatibility Appraiser
Collects program telemetry information if opted-in to the Microsoft Customer Experience Improvement Program.

Task Scheduler > Task Scheduler Library > Windows > Application Experience > ProgramDataUpdater

Task Scheduler > Task Scheduler Library > Windows > Autochk > Proxy
This task collects and uploads autochk SQM data if opted-in to the Microsoft Customer Experience Improvement program.

Task Scheduler > Task Scheduler Library > Windows > Customer Experience Improvement Program > Consolidator
If the user has consented to participate in the Windows Customer Experience Improvement Program, this job collects and sends usage data to Microsoft.

Task Scheduler > Task Scheduler Library > Windows > Customer Experience Improvement Program > KernelCeipTask
The Kernel Ceip (Customer Experience Improvement Program) task collects additional information about the system and sends this data to Microsoft. If the user has not consented to participate in Windows CEIP, this task does nothing.

Task Scheduler > Task Scheduler Library > Windows > Customer Experience Improvement Program > USBCeip
The USB CEIP (Customer Experience Improvement Program) task collects Universal Serial Bus related statistics and information about your machine and sends it to the Windows Device Connectivity engineering group at Microsoft. The information received is used to help improve the reliability, stability, and overall functionality of USB in Windows. If the user has not consented to participate in Windows CEIP, this task does nothing.

Task Scheduler > Task Scheduler Library > Windows > DiskDiagnostic > Microsoft-Windows-DiskDiagnosticDataCollector
The Windows Disk Diagnostic task reports general disk and system information to Microsoft for users participating in the Customer Experience Program.

Task Scheduler > Task Scheduler Library > Windows > DiskFootprint > Diagnostics
DiskFootprint collects drive usage statistics, and submits them to Microsoft if the user consented to participate in Windows CEIP.

Task Scheduler > Task Scheduler Library > Microsoft > Office > OfficeTelemetryAgentFallBack2016
This task initiates the background task for Office Telemetry Agent, which scans and uploads usage and error information for Office solutions.

Task Scheduler > Task Scheduler Library > Microsoft > Office > OfficeTelemetryAgentLogOn2016
This task initiates the background task for Office Telemetry Agent, which scans and uploads usage and error information for Office solutions when a user logs on to the computer.
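
To see at a glance which of the services and scheduled tasks listed above are present and active on a machine, a report-only PowerShell script such as the following can be used. It is an added example, not part of the book; the function names are hypothetical, and it assumes that the Windows tasks sit below \Microsoft\Windows\ in the Task Scheduler library, as on a default installation.

```powershell
# Added example (not from the book): report-only view of the telemetry
# services and scheduled tasks named in this chapter. Nothing is changed.

# DiagTrack is the service name of "Connected User Experiences and Telemetry".
# CDPUserSvc carries a per-user suffix, hence the wildcard.
$ServiceNames = 'DiagTrack', 'dmwappushservice', 'CDPUserSvc_*'

# Task folder -> task names. ASSUMPTION: default folder layout under
# \Microsoft\Windows\ and \Microsoft\Office\.
$Tasks = [ordered]@{
    '\Microsoft\Windows\Application Experience\'                  = 'Microsoft Compatibility Appraiser', 'ProgramDataUpdater'
    '\Microsoft\Windows\Autochk\'                                 = @('Proxy')
    '\Microsoft\Windows\Customer Experience Improvement Program\' = 'Consolidator', 'KernelCeipTask', 'UsbCeip'
    '\Microsoft\Windows\DiskDiagnostic\'                          = @('Microsoft-Windows-DiskDiagnosticDataCollector')
    '\Microsoft\Windows\DiskFootprint\'                           = @('Diagnostics')
    '\Microsoft\Office\'                                          = 'OfficeTelemetryAgentFallBack2016', 'OfficeTelemetryAgentLogOn2016'
}

function Get-TelemetryServiceState {
    param([string[]]$Names)
    foreach ($name in $Names) {
        # A wildcard with no match returns nothing; a missing exact name raises
        # an error, which is suppressed here.
        $found = @(Get-Service -Name $name -ErrorAction SilentlyContinue)
        if ($found.Count -eq 0) {
            [pscustomobject]@{ Kind = 'Service'; Name = $name; State = 'NotFound'; StartType = ''; Active = $false }
            continue
        }
        foreach ($svc in $found) {
            [pscustomobject]@{
                Kind      = 'Service'
                Name      = $svc.Name
                State     = [string]$svc.Status
                StartType = [string]$svc.StartType
                # Active: running now, or allowed to start again later.
                Active    = ($svc.Status -eq 'Running') -or ($svc.StartType -ne 'Disabled')
            }
        }
    }
}

function Get-TelemetryTaskState {
    param([System.Collections.IDictionary]$Tasks)
    foreach ($folder in $Tasks.Keys) {
        foreach ($taskName in $Tasks[$folder]) {
            $task = Get-ScheduledTask -TaskPath $folder -TaskName $taskName -ErrorAction SilentlyContinue
            if ($task) { $state = [string]$task.State } else { $state = 'NotFound' }
            [pscustomobject]@{
                Kind      = 'Task'
                Name      = "$folder$taskName"
                State     = $state
                StartType = ''
                # Active: the task exists and has not been disabled.
                Active    = $state -notin 'NotFound', 'Disabled'
            }
        }
    }
}

$report = @(Get-TelemetryServiceState -Names $ServiceNames) +
          @(Get-TelemetryTaskState -Tasks $Tasks)

$report | Format-Table Kind, Name, State, StartType, Active -AutoSize

# Summary line: how many of the listed items are still active.
$active = @($report | Where-Object { $_.Active })
"{0} of {1} listed services and tasks are active." -f $active.Count, $report.Count
```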

Office Telemetry

Office Telemetry is a compatibility monitoring framework that Microsoft introduced in Office 2013 and Office 365 ProPlus that replaced the Office Migration Planning Manager, Office Code Compatibility Inspector, and Office Environment Assessment Tool of Office 2010.

Microsoft describes how Office Telemetry works in Office 2013 in the following way:

Office Telemetry in Office 2013 works as follows: When an Office document or solution is loaded, used, closed, or raises an error in certain Office 2013 applications, the application adds a record about the event to a local data store. Each record includes a description of the problem and a link to more information. Inventory and usage data is also tracked.

Microsoft distinguishes between Office Telemetry tools and components. The Telemetry Dashboard and the Telemetry Log are tools, while Telemetry logging, the Telemetry agent, or Group Policy settings are considered Telemetry components.

Turn on Telemetry data collection

This setting allows you to enable or disable the data collection in Office used by the Telemetry Dashboard and the Telemetry log.

Note: You need to add the Office Administrative Template Files to the Group Policy to make the change in the Group Policy Editor. You find links to the template files under “Telemetry and Privacy” in the resource section at the end of this book.

Group Policy: User Configuration > Administrative Templates > Microsoft Office 2016 > Telemetry Dashboard > Turn on Telemetry data collection
• Enabled – Office Telemetry Agent and Office applications will collect telemetry data. This includes Office application usage, a list of recent Office documents including file names, solutions usage, compatibility issues, and critical errors.
• Disabled – Same as not configured. Office Telemetry Agent and Office applications do not generate or collect telemetry data.

Windows Registry:
Key: HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\osm
Name: Enablelogging
Type: Dword
• 0 – Logging is disabled.
• 1 – Logging is enabled.

Annoyances

Remove Ads / Suggestions

Turn off all Windows Spotlight features

Windows Spotlight is a new feature of Windows 10. When enabled, it will download photos and images from Bing to display them on the lock screen of the Windows 10 device. Windows Spotlight may display advertisements on the lock screen, and also other content such as suggestions or tips. This particular option disables Windows Spotlight completely.

Windows 10 Settings: Open the Settings application and go to Personalization > Lock Screen. Locate the “Background” item on the page and use the menu to switch from Windows Spotlight to a different lock screen background.

Group Policy: (Enterprise only) User Configuration > Administrative Templates > Windows Components > Cloud Content > Turn off all Windows Spotlight features
• Enabled – Windows Spotlight and all related features such as Windows tips on the lock screen are turned off.
• Disabled – Same as not configured. Windows Spotlight is enabled.

Do not suggest third-party content in Windows Spotlight

Windows Spotlight, a feature of Windows 10 that displays different wallpapers on the lock screen of the operating system, may suggest apps and content from third-party software publishers and Microsoft apps and content.

Group Policy
1. Open the Group Policy Editor.
2. Go to User Configuration > Administrative Templates > Windows Components > Cloud Content
3. Select Do not suggest third-party content in Windows spotlight.
   1. Set this policy to enabled, to disallow suggesting third-party content on the lock screen.
   2. Set this policy to disabled, to allow suggestions.

Windows Registry
1. Open the Windows Registry Editor.
2. Go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager
3. Right-click on ContentDeliveryManager, and select New > Dword (32-bit) Value.
4. Name it RotatingLockScreenEnabled.
   1. A value of 0 disables fun facts, tips, tricks and more on the lock screen.
   2. A value of 1 enables the feature.
5. Right-click on ContentDeliveryManager, and select New > Dword (32-bit) Value.
6. Name it RotatingLockScreenOverlayEnabled
   1. A value of 0 means disable.
   2. A value of 1 means enable.

Related Enterprise policies

User Configuration > Administrative Templates > Windows Components > Cloud Content > Configure Windows Spotlight on Lock Screen
If you set this to disabled, Windows Spotlight is turned off and users won’t be able to select it as the lock screen background.

User Configuration > Administrative Templates > Windows Components > Cloud Content > Turn off the Windows Spotlight on Action Center
If you enable this policy, Windows Spotlight notifications are no longer shown on Action Center.

User Configuration > Administrative Templates > Windows Components > Cloud Content > Turn off the Windows Welcome Experience
If you enable the policy, the Windows Welcome Experience will no longer display when there are updates and changes to Windows and its apps.

Show occasional suggestions in the Start Menu

Windows 10 may display suggestions in the Start Menu, usually for applications that are installed (Edge) or not installed.

Group Policy
This policy setting turns off experiences that help consumers make the most of their devices and Microsoft account.

Note: Only applies to Enterprise and Education SKUs. Use the Registry method below instead if you run Home or Pro.
1. Open the Group Policy Editor.
2. Go to Computer Configuration > Administrative Templates > Windows Components > Cloud Content.
3. Select Turn off Microsoft Consumer Experience.
   1. Set the policy to enabled to turn off personalized recommendations from Microsoft, and notifications about the Microsoft Account.
   2. Set the policy to disabled, to allow recommendations and notifications.

Windows Registry
1. Open the Windows Registry Editor.
2. Go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager
3. Right-click on ContentDeliveryManager, and select New > Dword (32-bit) Value.
4. Name it SystemPaneSuggestionsEnabled.
   1. Set its value to 0 to disable suggestions in the Start Menu.
   2. Set its value to 1 to enable suggestions.

Windows Tips and Feedback

Windows 10 may display contextual popups that explain how to use Windows if the feature is enabled on the device. Microsoft uses diagnostic and usage data to determine which tips or suggestions to show to users.

Group Policy
This policy setting prevents Windows tips from being shown to users.

Note: Only applies to Enterprise and Education SKUs. Use the Registry method below instead if you run Home or Pro.
1. Open the Group Policy Editor.
2. Go to Computer Configuration > Administrative Templates > Windows Components > Cloud Content.
3. Select Do not show Windows tips.
   1. Set this policy to enabled, to disable contextual popups on the Windows desktop that show tips.
   2. Set this policy to disabled, to allow for tips to be displayed.

Windows Registry
1. Open the Windows Registry Editor.
2. Go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager
3. Right-click on ContentDeliveryManager, and select New > Dword (32-bit) Value.
4. Name it SoftLandingEnabled
   1. Set its value to 0 to disable the feature.
   2. Set its value to 1 to enable the feature.

Sync Provider Notifications in File Explorer

Windows 10 may display notifications in File Explorer, the default file browser of the Windows 10 operating system.

Folder Options
You may disable Sync Provider Notifications in the Folder Options window.
1. Open File Explorer.
2. Select View > Options.
3. Select View when the Folder Options window opens.
4. Locate “Show sync provider notifications” on the page, and remove the checkmark from the preference.
5. Click on Apply.
6. Click on OK.

Windows Registry
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Name: ShowSyncProviderNotifications
Type: Dword
• 0 – The notifications are not shown in File Explorer.
• 1 – The notifications are enabled and shown in File Explorer.

Software

Software may assist you in managing Windows 10 operating systems. This book looks at privacy software for Windows 10, and other recommended software that may help you when you start to make privacy related changes to the operating system.

Windows 10 Privacy Software

The release of Windows 10 and the privacy controversy that surrounded it paved the way for more than a dozen software programs that were designed to improve privacy on Windows 10 machines in an easier environment.

The main advantage that these programs offer is that they bundle most of the privacy related tweaks so that you can adjust them according to your needs from a single interface. You’d juggle between Group Policy entries, the Windows Settings application, the Windows Registry Editor, Services, Tasks and even the command line / PowerShell otherwise.

This chapter lists some of these tools, especially the ones that are updated regularly to reflect changes that Microsoft makes to Windows 10 with new feature releases.

Note: I recommend that you create a backup of the system before you run these tools. You can use a free backup software like Veeam Agent for Windows for that. Check out the “other recommended software” listing below for information on it. Most programs below support the creation of System Restore points. While that is sufficient most of the time, it is better to be safe than sorry when it comes to this.

W10Privacy
Homepage: https://www.winprivacy.de/english-home/

W10Privacy is a portable program that you can run from any location. It is recommended to run it with elevated rights – right-click and select run as administrator – as some functionality such as the creation of a System Restore point on start is not supported otherwise.

The application uses tabs to group the tweaks that it comes with and make orientation a bit easier. It color codes tweaks on top of that, which helps distinguish between safe tweaks and tweaks that may or will impact functionality of the system. You may use the program exclusively for making changes to privacy settings, for instance to block application access to features or disable web search.

The program checks all settings on start and checks any that are already applied on the system. This helps you find settings that may require attention.

The tweaks on their own are very powerful, but it does not end there. The app supports the blocking of Microsoft servers in the hosts file to block connections, offers options to deal with tasks and services that are privacy related, and even provides you with options to uninstall applications.

ShutUp10
Homepage: https://www.oo-software.com/en/shutup10

O&O ShutUp10 is a portable program that you can run from any location. It lists all tweaks on a single page and not in tabs. All tweaks are toggled using a slider that is displayed in front of them. A rating is displayed next to each tweak that indicates whether it is safe to make under any circumstances, something that could become problematic, or not recommended.

You may use the actions menu to apply all recommended tweaks at once, or go through the listing of tweaks manually to adjust them as you see fit. ShutUp10 prompts you with a request to create a system restore point whenever you make changes to the configuration.

The program features tweaks only, and does not ship with options to handle Services, Tasks, or block Microsoft servers using the hosts file.

Windows Privacy Dashboard
Homepage: https://getwpd.com/

Windows Privacy Dashboard is another portable program for Windows 10 that provides you with options to manage privacy related preferences on Windows 10 machines. The application displays the four groups privacy, firewall, apps and tweaker on start.

Privacy is the main entry point when it comes to managing privacy using the program. It is divided into local group policy, services and scheduler options. While most options are clear – Allow Cortana enables or disables the digital assistant for instance – some are not. That’s where the question mark icon is put to use. Simply click on the question mark icon to display a detailed description of the selected entry.

Tweaker lists additional privacy related options, mostly what apps may and may not interact with or use on the device. Apps lists all system apps that are distributed with Windows 10, and options to remove any of those from the Windows 10 machine. Firewall finally provides you with options to block Telemetry, third-party apps and Windows Update connections.

Resources

Windows Experience Blog
Our continuing commitment to your privacy with Windows 10: https://blogs.windows.com/windowsexperience/2017/01/10/continuing-commitment-privacy-windows-10/
Privacy and Windows 10 by Terry Myerson, Executive Vice President, Windows and Devices Group: https://blogs.windows.com/windowsexperience/2015/09/28/privacy-and-windows-10/
Privacy enhancements coming to the Windows 10 Fall Creators Update: https://blogs.windows.com/windowsexperience/2017/09/13/privacy-enhancements-coming-to-the-windows-10-fall-creators-update
Windows 10 privacy journey continues: more transparency and controls for you: https://blogs.windows.com/windowsexperience/2017/04/05/windows-10-privacy-journey-continues-more-transparency-and-controls-for-you/
Your feedback is helping shape Windows privacy: https://blogs.windows.com/windowsexperience/2017/08/07/feedback-helping-shape-windows-privacy/

General Pages of Interest
Microsoft Account Password Reset: https://account.live.com/password/reset
Microsoft Ads Opt-out: http://choice.microsoft.com/en-US/opt-out
Microsoft Privacy Statement: https://privacy.microsoft.com/en-us/privacystatement
Microsoft Services Agreement: https://www.microsoft.com/en/servicesagreement/
Microsoft Your Privacy: https://account.microsoft.com/privacy
Policy CSP: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-configuration-service-provider
Privacy at Microsoft: https://privacy.microsoft.com/en-US/

Microsoft Office
Manage privacy settings in Telemetry Dashboard (Office 2013): https://technet.microsoft.com/en-us/library/jj591589.aspx?f=255&MSPPError=-2147217396
Office 2013 Administrative Template Files and Office Customization Tool: https://www.microsoft.com/en-us/download/details.aspx?id=35554
Office 2016 Administrative Template Files and Office Customization Tool: https://www.microsoft.com/en-us/download/details.aspx?id=49030
Overview of Office Telemetry (Office 2013, Office 365 ProPlus): https://technet.microsoft.com/en-us/library/jj863580.aspx?f=255&MSPPError=-2147217396

Telemetry and Privacy
Configure Windows telemetry in your organization: https://docs.microsoft.com/en-us/windows/configuration/configure-windows-telemetry-in-your-organization
Deploy Windows Malicious Software Removal Tool in an enterprise environment: https://support.microsoft.com/en-us/help/891716/deploy-windows-malicious-software-removal-tool-in-an-enterprise-environment
Diagnostics, feedback and privacy in Windows 10: https://privacy.microsoft.com/en-us/windows-10-feedback-diagnostics-and-privacy
How to disable telemetry for Service Management Automation, Service Provider Foundation, and Service Manager Self-Serve Portal: https://support.microsoft.com/en-us/help/3096505/how-to-disable-telemetry-for-service-management-automation,-service-provider-foundation,-and-service-manager-self-serve-portal
Manage connections from Windows operating system components to Microsoft services: https://docs.microsoft.com/en-us/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services
Manage Privacy: Windows Error Reporting and Resulting Internet Communication: https://technet.microsoft.com/en-us/library/jj618323(v=ws.11).aspx
Microsoft Trust Center – Windows telemetry privacy: https://www.microsoft.com/en-us/trustcenter/privacy/windows-telemetry-privacy-and-trust.aspx
Windows Error Reporting Settings: https://msdn.microsoft.com/en-us/library/windows/desktop/bb513638%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396

Third-party Resources
AskWoody: https://www.askwoody.com/
Born’s Tech and Windows World: http://borncity.com/win/
Comparison of Windows 10 Privacy tools: https://www.ghacks.net/2015/08/14/comparison-of-windows-10-privacy-tools/
Ghacks Technology News: https://www.ghacks.net/
With Windows 10, Microsoft Blatantly Disregards User Choice and Privacy: A Deep Dive: https://www.eff.org/deeplinks/2016/08/windows-10-microsoft-blatantly-disregards-user-choice-and-privacy-deep-dive

Privacy Settings and Features
Connecting to open Wi-Fi hotspots in Windows 10: https://privacy.microsoft.com/en-us/windows-10-open-wi-fi-hotspots
General privacy settings in Windows 10: https://privacy.microsoft.com/en-us/general-privacy-settings-in-windows-10
Microsoft Edge, browsing data, and privacy: https://privacy.microsoft.com/en-US/windows-10-microsoft-edge-and-privacy
Opt out of location services: https://support.microsoft.com/en-us/help/20039/opt-out-of-location-services
Speech, inking, typing, and privacy: https://privacy.microsoft.com/en-us/windows-10-speech-inking-typing-and-privacy-faq
Windows 10 Camera, Microphone and Privacy: https://privacy.microsoft.com/en-US/windows-10-camera-and-privacy
Windows 10 Location Service and privacy: https://privacy.microsoft.com/en-us/windows-10-location-and-privacy
Windows 10 privacy settings that apps use: https://privacy.microsoft.com/en-us/windows-10-privacy-settings-that-apps-use
Windows 10 Update Delivery Optimization: https://privacy.microsoft.com/en-US/windows-10-windows-update-delivery-optimization

Whitepapers and Docs
Available policies for Microsoft Edge: https://docs.microsoft.com/en-us/microsoft-edge/deploy/available-policies
Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education: https://docs.microsoft.com/en-us/windows/client-management/group-policies-for-enterprise-and-education-editions
The Bones of the System: A Case Study of Logging and Telemetry at Microsoft: https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/ICSE-logging-submisson.pdf
Windows Server 2016 and System Center 2016 Telemetry: https://aka.ms/winservtelemetry
Windows 10, version 1703 basic level Windows diagnostic events and fields: https://docs.microsoft.com/en-us/windows/configuration/basic-level-windows-diagnostic-events-and-fields
Windows 10, version 1703 Diagnostic Data: https://docs.microsoft.com/en-us/windows/configuration/windows-diagnostic-data