Windows 10 Privacy

This Windows 10 privacy guide is a work in progress. We will add new information and make adjustments once they become available.

When it comes to Windows 10 and privacy, there are lots of things that you need to consider. Probably the best starting point before you even begin to upgrade an existing system or set up Windows 10 on a new one is to read through the Privacy Policy and Service Agreement.

Yes, that is lots of text even if you only read the summaries that Microsoft provides. Please note that the two documents are not exclusive to Windows 10 but apply to Microsoft. You do find "Windows" listed under the privacy statement however.

There you find the following key information:

1. Microsoft creates a unique advertising ID for each user on a device running Windows 10. This can be turned off in the Privacy Settings.
2. What you say or type may be processed by Microsoft, for instance by the operating system's Cortana service or by providing spelling correction.
3. Windows supports a location service that allows apps and services, such as Find My Device, to request your location in the world. This can be turned off in the Privacy settings.
4. Microsoft syncs some Windows settings automatically when you sign in to a Microsoft account. This is done to provide users with a personalized experience across devices. Data that gets synced includes installed apps and their settings, web browser history and favorites, passwords and wireless network names, and addresses of shared printers.
5. Telemetry data is collected by Microsoft. This includes installed software, configuration data and network and connection data. While some of it can be turned off in the Settings, not all can.

Core Windows 10 Privacy Settings

You find Privacy settings that Microsoft makes available under Settings. The page is surprisingly large and while it provides you with lots of options, does not give you full control over what is collected and submitted.

Open the Privacy settings with a tap on the Windows-key and the selection of Settings when Start opens. If Settings is not listed there, type Settings and hit enter.

Switch to Privacy once the Settings window opens. There you find listed all privacy related settings. Suggests are in brackets)

General

1. Let apps use my advertising ID for experiences across apps (turning this off will reset your ID). (Off)
2. Turn on SmartScreen Filter to check web content (URLs) that Windows Store apps use. (Off, but note that this may reduce security on the system. If you are inexperienced, leave this on.)
3. Send Microsoft info about how I write to help us improving typing and writing in the future. (Off)
4. Let websites provide locally relevant content by accessing my language list. (Off)

Location

1. Turn location on or off. Apps or services that you allow may access location-based data if on. (Off, unless you rely on apps that require it to be on, e.g. the weather app)
2. Location History. If you have turned location services off, you may want to clear the location history on the device as well.

Camera and Microphone

1. Let apps use my camera. (Off)
2. Let apps use my microphone. (Off)

Switch these to off if you don't want apps to use the cam or microphone on your device. You may need it for select services, Cortana for instance or the Skype application.

Speech, inking & typing

1. Windows and Cortana can get to you know your voice and writing to make better suggestions to you. We'll collect info like contacts, recent calendar events, speech, and handwriting patterns, and typing history. (Off, unless Cortana is used. This will turn off Cortana and dictation).

Account Info

1. Let apps access my name, picture, and other account info. (Off, unless you require this for select applications. Then leave it on and set permissions per application instead).

Contacts and Calendar

1. Choose applications that may access your contacts or calendar. There are three by default for the Contacts, and two for the Calendar (the first two): App connector, Mail and Calendar and Windows Shell Experience. (Off, unless required).

Messaging

1. Let apps read or send messages. (Off if you are on the desktop and don't require apps to send text or MMS).

Radios

1. Let apps control radios. This enables apps to use radios, such as Bluetooth. (Off, unless you use apps that require this).

Other devices

1. Sync with devices. This setting syncs data with Microsoft and other devices you own. If you only use a single device, you may want to disable it. Note that syncing may come in handy when you set up the system anew. (Off)
2. Let apps use trusted devices. (Off, unless required).

Feedback and Diagnostic

1. Send your device data to Microsoft. If you are an Insider, you cannot switch from Full(Recommended). If you are not, you may switch the setting to Enhanced or Full. It does not seem possible to turn this off completely.

What is transferred if you switch the setting to Basic is listed in the FAQ (when you click on the learn more link):

Basic information is data that is vital to the operation of Windows. This data helps keep Windows and apps running properly by letting Microsoft know the capabilities of your device, what is installed, and whether Windows is operating correctly. This option also turns on basic error reporting back to Microsoft. If you select this option, we’ll be able to provide updates to Windows (through Windows Update, including malicious software protection by the Malicious Software Removal Tool), but some apps and features may not work correctly or at all.

Background apps

1. Select which applications may run in the background (Turn off all that you don't require. If you use Mail for instance, you may want it to run in the background while you may not want the same for "Get Office", "Photos" or "Xbox".

Settings > Update & Security > Windows Update

1. Click advanced options.
2. Defer Upgrades (Enable, only available in Pro and Enterprise editions)
3. Select "choose how updates are delivered".
4. Download Windows updates and apps from other PCs in addition to Microsoft. (Off).

Advanced Windows 10 privacy settings

Changing the Telemetry value using the Group Policy Editor or Windows Registry

This setting is identical to the Feedback & diagnostics setting. There is one difference however which only applies to Enterprise customers. Enterprise customers may turn this off completely, while Home and Pro users may set it to basic only as the lowest level.

To make the change in the Group Policy, do the following:

1. Tap on the Windows-key, type gpedit.msc and hit enter.
2. Navigate to Computer Configuration > Administrative Templates > Windows Components > Data Collection (It may be listed as Data Collection and Preview Builds).
3. Set Allow Telemetry to Off if you are using an Enterprise account, to Basic if you are not.

To make the change using the Windows Registry, do the following:

1. Tap on the Windows-key, type regedit and hit enter.
2. Confirm the UAC prompt if it comes up.
3. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection.
4. Set the value of AllowTelemetry to 0 if you are on Enterprise, to 1 if you are not.

Use a local account

Windows 10 supports two account types: Microsoft accounts and local accounts. Microsoft accounts are used by default and if you select that option, you sign in to the operating system using your account's credentials (usually email and the password).

You may use a local account instead for day to day activies. This can be arranged in the Settings under Accounts > Your account.

If you use a local account, you will notice that you cannot use certain features of the operating system. Windows Store and certain applications become unavailable for instance, and account data is not synced across devices.

Misc Group Policy Settings

The following settings are provided in the Group Policy Editor.

Computer Configuration > Administrative Templates > Windows Components > OneDrive

1. Prevent the usage of OneDrive for file storage.

Computer Configuration > Administrative Templates > Windows Components > Online Assistance

1. Turn off Active Help.

Computer Configuration > Administrative Templates > Windows Components > Search

1. Allow Cortana.
2. Allow indexing of encrypted files.
3. Allow search and Cortana to use location.
4. Do not allow web search.
5. Don't search the web or display web results in Search.
6. Don't search the web or display web results in Search over a metered connection.
7. Set what information is shared in Search (Switch to Anonymous info)

Computer Configuration > Administrative Templates > Windows Components > Sync Your Settings

1. Disable all syncing or the synchronization of specific settings, for instance Start, browser or passwords.

Computer Configuration > Administrative Templates > Windows Components > Windows Error Reporting

1. Configure Error Reporting (do not collection additional files, do not collect additional machine data).
2. Disable Windows Error Reporting.
3. Disable logging.
4. Do not send additional data.

Computer Configuration > Administrative Templates > Windows Components > Windows Update

1. Configure Automatic Updates (Set to Notify for download and notify for install. May want to set the scheduled install day as well. This allows you to block updates from being installed)
2. Defer Upgrade (Pro and Enterprise only, may defer upgrades til next upgrade period)
3. Turn on Software Notifications ("Enhanced notification messages convey the value and promote the installation and use of optional software").
4. Allow signed updates from an intranet Microsoft update location.

Additional resources of interest

• Microsoft Edge Forensics - Detailed analysis of the browser's data collection.