Protect your privacy: Recommended Windows Privacy Settings

Specific Windows related privacy settings.

Since the launch of Microsoft Windows 10. Retroactive even since Windows 7 and 8, with an aftermarket update. There are questionable privacy concerns regarding Windows. As manufacturer Microsoft is actively deploying telemetry. In other words about telemetry: The company is gathering far-reaching personal data about you. And all about what you're doing on your computer. Basically there is only one solution. Protect your privacy and tweak your operating system, with several recommended Windows privacy settings. Your computer will act a lot more privacy friendly, after these adjustments.

First a little more about the background. The actual data collected about your computer usage. These data can tell something about a user. By linking this data to previously obtained data. Or in other words can be traced and could be linked back to a real person. By logging various computer-related activities of you. The collection of personal data is comprehensive. The Dutch government declared Office and Windows, most probably to be in violation of the European Union regulation; General Data Protection Regulation (Implementation date: 25 May 2018) (GDPR (article in Dutch)).

"The assessment, carried out by the Ministry of Justice and Security, revealed that data provided by and about users was being gathered through Windows 10 Enterprise and Microsoft Office and stored in a database in the US in a way that posed major risks to users’ privacy".

Table of Contents

Are Microsoft products GDPR compliant?

Microsoft indirectly confirms that Windows, nor Microsoft products like Office are GDPR compliant.

"To modify its products such that their use for the Dutch government within the context of the GDPR and other applicable laws and regulations".

After all why are you going to modify a product "within the context of the GDPR", that should already be GDPR compliant since 25 May of 2018? And to an adjacent probability is not GDPR compliant at this moment. If a large and powerful customer demands it, suddenly it can be done. While the (small)business and home users are left with a data hungry system that is inadequate and seemingly not compliant.

"On the basis of these findings, Strategic Vendor Management Microsoft, Google and AWS for the central Dutch government (SLM Rijk) entered into discussions with Microsoft. On 26 October 2018 agreement was reached on an improvement plan in which Microsoft undertook to dapt its products for use by the Dutch government in compliance with the GDPR and other applicable legislation. Microsoft has committed to submitting these changes for verification in April 2019".

Why is it suddenly possible In order to comply with the GDPR with a major player? Which is probably also agreed upon with other non Dutch governments and notable organizations. Why make a distinction? Probably because the average consumer and/or small business doesn't know about it. And therefore doesn't make a hassle about it. We as Androides like to receive the same bits as the Dutch government. Given the GDPR legislation, we are simply entitled to that as well. And as co-residents of the European Union, thus legal equals. So simple, send us the equivalent software. Period.

External analyses also confirm a unified conclusion on both Office and Windows. The operating system and office suite in its present form, cannot meet the set requirements of the GDPR. In addition, there is a plausible privacy risk, when using the software:

"Microsoft systematically collects data on a large scale about the individual use of Word, Excel, PowerPoint and Outlook. Covertly, without informing people. Microsoft does not offer any choice with regard to the amount of data, or possibility to switch off the collection, or ability to see what data are collected, because the data stream is encoded".

"Similar to the practice in Windows 10, Microsoft has included separate software in the Office software that regularly sends telemetry data to its own servers in the United States. For example, Microsoft collects information about events in Word, when you use the backspace key a number of times in a row, which probably means you do not know the correct spelling".

Also abroad by Dutch neighbor and fellow European Union member: Germany with its organization freely translated: The Federal Office for Information Security, in German: Bundesamt für Sicherheit in der Informationstechnik (BSI); Has similar doubts about whether Microsoft products comply with the GDRP.

"Germany’s Federal Office for Information Security has already expressed concern that Windows 10 and 11 operating systems collect telemetry data, including typing data and even speech-to-text".

Windows diagnostic data gives users a voice

Gross of the data is used to improve the user experience. Marketed in a tasty sauce as: 'Windows Diagnostic data gives users a voice'. Perhaps what they mean by "a voice" that you are the product? As the case may be, an advertising profile is created. By tailoring ads to the user's current location and habits. You could expect advertisements in Windows, Edge or third-party apps and services with access to your advertising ID. For example, if you often visit the website of the local fish and chips shop. You may be served ads from a competing fish and chips shop nearby.

And as your profile confirmed your fast food habits. Ads about weight loss, sport and exercise. Microsoft can also start developing an app. Having analyzed that competing app A or B from competitor A or B is being used a lot. Since the company can monitor application usage. To then promote its own app in the start menu. And analyse and combine data (current location, surfing, typing, voice, app usage etc.) obtained from multiple sources even one step further. To create the ultimate, all-encompassing user profile. As personal data is the new gold. 

Analysis of telemetric data

Analysis reveals that an unmodified Windows computer sends unprecedented amounts of data to Microsoft's telemetry servers. Including telemetric data servers from the Netherlands, the United States and Ireland. And according to the endpoints list below, depending on your location. Expanded with data servers from Australia, Japan and the United Kingdom. 

"On a Windows 10 without system hardening. In some cases, data was sent up to 15 times per hour! The unhardened Windows 11 system sent 448 data packets to Microsoft in one week".

Since European data is processed and stored outside the European Union, in the United States. In addition to the unsolicited and unclear collection of indirect personal data. Windows seems not to be GDPR compliant. Apparently already on two key elements.

On the way to a privacy friendly Windows

Setting up a privacy friendly Windows starts simple. Logging in as a user for the first time. The operating system asks a number of questions about privacy-related settings. We recommend answering these questions as follows: 

  • "Let Microsoft and apps use your location". Choose the option: No.

  • "Find my device". Choose the option: No.

  • "Send diagnostic data to Microsoft". Choose: Send Required diagnostic: and choose the minimum of data processing. We will return to this topic later.

  • "Improve inking & typing". Choose the option: No.

  • "Get tailored experiences with diagnostic data". Choose the option: No.

  • "Let apps use advertising ID". Choose the option: No.

  • "Le'ts customize your experience". Don't select any of the options: 'no items' and thereafter 'skip'.

These settings can be (re)adjusted later via the settings menu in the control panel.

Specific Windows related privacy settings

Unfortunately, after setting the available options, provided by the manufacturer in the previous paragraph. There are more than enough telemetry related servers that are accessed by Microsoft. Probably personal data will still be transmitted. Despite the fact that you 'refused' as many data settings as possible. In order to avoid data transfer of a personal nature.

There are two more specific options, to set Windows even more privacy friendly. Please take some time to set up the system manually- privacy friendly. Where you could set each individual policy yourself. Knowing what's happening (as far as possible). Or fully automatically, yet unattended (you don't know exactly what changes) with an app. The choice is up to you.

Manually setting up Windows-privacy friendly

If you want to know exactly on how, what and why you set something up in Windows. You can manually setting up Windows into a privacy friendly operating system. It takes a little more time. However the positive upside: You will know exactly what you have configured. We first describe the main changes with the most impact. Then according to some more optional modifications. The latter are to your own liking and taste. Of course in any situation. Back-up in advance. So you can return.

First, go through the steps in the paragraph: On the way to a privacy friendly Windows. After that block the following Telemetry endpoints. Use for example the option directly through the router (if applicable), or add the list to the adblock-list of Adguard or Pi-hole. Definitely not by customizing the host file of Windows. As a host file included with the endpoints-list is ignored by Windows. After successfully deploying the list.

Disable the Connected User Experiences and Telemetry service in services.msc, better known as DiagTrack-. This is one of the most important steps as it is, the mechanism which is responsible for collecting and transmitting the privacy related data. Hereinafter start a Windows PowerShell and execute:

Get-AutologgerConfig -Name "Diagtrack-Listener" | Set-AutologgerConfig -Start 0 -PassThru

Unfortunately the telemetry-collector named after: Diagtrack-Listener is not processed as a service, and can only be stopped and disabled via a PowerShell command or registry edit (the latter option is out of scope).

Finally we create a policy in which AllowTelemetry is disabled. Since not every Windows edition has a group policy editor, we run this command using PowerShell:

Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\ -name AllowTelemetry -Value 0

Following are options that are personal. You can limit or even disable an unprecedented number of options and features. From no longer syncing with Windows time servers to disabling Cortana and search. From blocking the computer's location to disabling the camera for all and/or certain apps. Since this can change or limit the user experience, the choice is yours.

Walk trough the "Manage connections from Windows 10 and Windows 11 operating system components to Microsoft services" manual and make your choice. The guide is suitable for both version- 10 as well as 11. It is mentioned by Microsoft that it is applied only on Enterprise, as well as the Server editions. In our experience however, it also applies to Pro. And to a slightly lesser extent, to the Home version. There are more than enough options to choose from.

Windows privacy friendly, with an all in one application

Although we recommend the manual option. You can also choose to set everything in an instant. However note, it is done without sight. So you don't know in the end if everything is adjusted adequately. After completing the section: 'On the way to a privacy friendly Windows'. You could use an all in one application like: O&O ShutUp10++ to easily and quickly setup Windows 10 and 11 to be privacy friendly. Back-up the computer beforehand: Security above all else. Download the O&O ShutUp tool and simply run it.

  • Choose Actions > Apply only recommended settings. And confirm with Ok

  • Close the app and restart Windows
    You are now ready very easily and quickly.

Don't push to hard is our recommendation. Enabling too many settings, (non recommended) can diminish the computing experience. You could test settings, one at a time. On a test computer first before implement it permanently. 

Some alternative tools with similar functionality, albeit not tested, nor comprehensively described are:

  • W10Privacy: "Privacy made ​​easy".
  • WPD: "Privacy dashboard for Windows".
  • Privatezilla: "To perform a quick privacy and security check".
  • "Enforce privacy & security on Windows and macOS".
  • WindowsSpyBlocker: "To block spying and tracking on Windows systems".

Try them out if O&O ShutUp nor the manual how to doesn't meet your expectations.

Next steps

After the transparent demand from the European union. And/If for some reason you don't trust the manual from Microsoft nor the all in one application. The German BSI has its own (article in German) manual. If you want to optimally secure Windows as well. The same BSI also has a Windows Hardening Guideline.

To conclude: Any application that is not used. And is still running in the background, could be a potential privacy risk. You may want to consider uninstalling unnecessary apps. Enroll in our free debloating course. If you want to learn how to debloat Windows.

As Windows does support Android smartphones with it's own Phone Link. If you are an Android smartphone user and Windows user simultaneously. You should read our ultimate guide to tweak Android privacy friendly. Thus, all computers, laptops, tablets and smartphones within your environment could be all privacy friendly. The ultimate digital-final solution.

Since we are on the privacy-tour of the no profile 'of us as users'; 'is not created by big tech'. You could try Mastodon, if you're a Twitter user. Where in addition to Windows, you set up social media at your user's best will.

In terms of privacy-friendly, things are only going to get 'poor' in the near European future. Are you a resident of the European Union? Among other things, with a European digital identity. Optimize your privacy while you still can!

Photo: Jaime Reimer, Pexels.