In this post, I collected all Group Policy settings that are related to privacy in Windows 10. I will update the list when I receive new information. Please contribute to this ongoing project.

Michael Pietroforte

Michael Pietroforte is the founder and editor in chief of 4sysops. He has more than 35 years of experience in IT management and system administration.
Contents of this article

An updated list of Windows 10 privacy settings is now in our wiki.

Many bloggers and journalists raised privacy concerns about Windows 10. Terry Myerson, Microsoft's Executive Vice President of the Windows and Devices Group, now reacted in a blog post to the critique. According to Myerson, Microsoft uses the data for “a personalized Windows experience” and to improve Windows 10.

Previous Windows versions also sent a lot of data to Microsoft and third parties. However, in Windows 10, new features such as Cortana and the search feature of the Start menu require that even more data is collected and sent across the Internet for further analysis.

You have to decide for yourself if you really need these Windows features and if it is worth the risk that one day your personal data might be used against your interests. Windows 10 offers myriad settings that help you protect your privacy. I recommend that you invest the time to find out if the default Windows 10 settings serve you best.

Windows 10 privacy settings

Windows 10 privacy settings

I believe that, in a corporate environment, these decisions should not be left to the end user. You can use Group Policy to disable many features that send information to Microsoft or third parties.

Below, I collected all Group Policy settings that I found in blogs and forums that are related to privacy in Windows 10. To make it easier for you to decide whether a policy is relevant for the privacy policy of your organization, I copied the part of the description that helps you understand what data is sent and to whom.

I wasn’t able to find all Group Policy settings that Windows 10 offers in its privacy settings. I added a question mark to the corresponding title and marked it in red. If you know these Group Policy settings, please share the information in a comment. I will then update the article. If you want to contribute to this ongoing project, you have various ways to search Group Policy settings.

In cases where I only found the corresponding Registry setting, I added this information instead of the Group Policy settings. This allows you to build your ADMX templates or deploy the setting with Group Policy Preferences. You can use tools such as the Sysinternals Process Monitor to find the Registry settings that belong to a particular Windows 10 setting.

Thus far, this list is in no particular order. The first part covers all the configurations from the Windows 10 privacy settings. Aside from the policy description, I also added the corresponding explanation in the Windows settings. In the second part, I added all the other privacy-related configurations I found on the web.

If you are aware of additional privacy-related settings, you can post a comment below. Please contribute to this project.

Windows 10 privacy settings

Turn off the advertising ID ^

Computer Configuration > Administrative Templates > System > User Profiles

This policy setting turns off the advertising ID, preventing apps from using the ID for experiences across apps.

Windows setting (Settings > Privacy > General):

Let apps use my advertising ID for experiences across apps

Configure Windows smartscreen ^

Computer Configuration > Administrative Templates > Windows Components > File Explorer

This policy setting allows you to manage the behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. Some information is sent to Microsoft about files and programs run on PCs with this feature enabled.

Windows settings (Settings > Privacy > General):

Turn on SmartScreen Filter to check web content (URLs) that Windows Store apps use

Improve typing? ^

Windows settings (Settings > Privacy > General):

Send Microsoft info about how I write to help us improving typing and writing in the future

Registry key (according to this post):

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Input\TIPC
Value name: Enabled
Value data: 0 or 1

Locally relevant content? ^

Windows settings (Settings > Privacy > General):

Let websites provide locally relevant content by accessing my language list.

Registry key (according to this post):

HKEY_CURRENT_USER\Control Panel\International\User Profile
Value name: HttpAcceptLanguageOptOut
Value data: 1 (disable the option)

Location on / off? ^

Windows settings (Settings > Privacy > General):

When location services for this account are on, apps and services you allow can request location and location history.

Location history? ^

Windows settings (Settings > Privacy > Location):

When location is on, the location obtained to meet the needs of your apps and services will be stored for a limited time on the device. Apps that have access to these stored location will appear below.

Camera? ^

Windows settings (Settings > Privacy > Camera):

Let apps use my camera

Microphone? ^

Windows settings (Settings > Privacy > Microphone):

Let apps use my microphone

Allow input personalization ^

Computer Configuration > Administrative Templates > Control Panel > Regional and Language Options

Automatic learning enables the collection of speech and handwriting patterns, typing history, contacts, and recent calendar information. It is required for the use of Cortana.  Some of this collected information may be stored on the user's OneDrive, in the case of inking and typing; some of the information will be uploaded to Microsoft to personalize speech.

Windows settings (Settings > Privacy > Speech, inking, & typing):

Getting to know you

Windows and Cortana can get to know your voice and writing to make better suggestions for you. We’ll collect info like contacts, recent calendar events, speech and handwriting patterns, and typing history.

User management of sharing user name account picture and domain information with apps (not desktop apps) ^

Computer Configuration > Administrative Templates > System > User Profiles

This setting prevents users from managing the ability to allow apps to access the user name, account picture, and domain information.

Windows settings (Settings > Privacy > Account Info):

Let apps access my name, picture, and other account info

Access contacts? ^

Windows settings (Settings > Privacy > Contacts):

Choose apps that can access contacts

Some apps need access to contacts to work as intended. Turning off an app here might limit what it can do.

Access calendar? ^

Windows settings (Settings > Privacy > Calendar):

Let apps access my calendar

Apps that can access calendar? ^

Windows settings (Settings > Privacy > Calendar):

Choose apps that can access calendar

Some apps need access to your calendar to work as intended. Turning off an app here might limit what it can do.

Read or send messages? ^

Windows settings (Settings > Privacy > Messaging):

Let apps read or send messages (text or MMS):

Apps that can read or send messages? ^

Windows settings (Settings > Privacy > Messaging):

Choose apps that can read or send messages

Some apps need to read or send messages to work as intended. Turning off an app here might limit what it can do.

Disable Radios? ^

Windows settings (Settings > Privacy > Radios):

Some apps use radio – like Bluetooth – in your device to send and receive data. Sometimes, apps need to turn these radios on or off to work their magic.

Let apps control radios

Apps that can control radios? ^

Windows settings (Settings > Privacy > Radios):

Choose apps that can control radios

Apps that you need your permission to control your radios will appear here. Go to the Store to get apps.

Sync info with wireless devices? ^

Windows settings (Settings > Privacy > Other devices):

Sync with devices

Let your apps automatically share and sync info with wireless devices that don’t explicitly pair with your PC, tablet, or phone.

Other wireless devices that share info? ^

Windows settings (Settings > Privacy > Other devices):

Other devices that allow you to control app access will appear here.

Feedback frequency? ^

Windows settings (Settings > Privacy > Feedback & diagnostics):

Windows should ask for my feedback

Registry key (according to this comment):

HKEY_CURRENT_USER\Software\Microsoft\Siuf\Rules\PeriodInNanoSeconds
HKEY_CURRENT_USER\Software\Microsoft\Siuf\Rules\NumberOfSIUFInPeriod

Allow Telemetry ^

Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview builds

This policy setting determines the amount of diagnostic and usage data reported to Microsoft. A value of 0 indicates that no telemetry data from OS components is sent to Microsoft.

Windows settings (Settings > Privacy > Feedback & diagnostics):

Diagnostic and usage data - Send your device data to Microsoft

This option control the amount of Windows diagnostic and usage data sent to Microsoft from your device.

Apps running in the background? ^

Let apps run in the background

Choose which apps can receive info, send notifications, and stay up-to-date even when you’re not using them. Turning off background apps can help conserve power.

Other privacy settings

Prevent the usage of OneDrive for file storage ^

Computer Configuration > Administrative Templates > Windows Components > OneDrive

This policy setting lets you prevent apps and features from working with files on OneDrive.

Turn off Active Help ^

Computer Configuration > Administrative Templates > Windows Components > Online Assistance

This policy setting specifies whether active content links in trusted assistance content are rendered.  By default, the Help viewer renders trusted assistance content with active elements such as ShellExecute links and Guided Help links.

Allow Cortana ^

Computer Configuration > Administrative Templates > Windows Components > Search

When Cortana is off, users will still be able to use search to find things on the device and on the Internet.

Allow indexing of encrypted files ^

Computer Configuration > Administrative Templates > Windows Components > Search

If you enable this policy setting, indexing will attempt to decrypt and index the content (access restrictions will still apply).

Allow search and Cortana to use location ^

Computer Configuration > Administrative Templates > Windows Components > Search

If this is enabled, search and Cortana can access location information.

Do not allow web search ^

Computer Configuration > Administrative Templates > Windows Components > Search

Enabling this policy removes the option of searching the Web from Windows Desktop Search.

Don't search the web or display web results in Search ^

Computer Configuration > Administrative Templates > Windows Components > Search

If you don't configure this policy setting, a user can choose whether or not Search can perform queries on the web, and if the web results are displayed in Search.

Don't search the web or display web results in Search over a metered connection ^

Computer Configuration > Administrative Templates > Windows Components > Search

If you don't configure this policy setting, a user can choose whether or not Search can perform queries on the web over metered connections, and if the web results are displayed in Search.

Set what information is shared in Search ^

Computer Configuration > Administrative Templates > Windows Components > Search

This policy setting allows you to control what information is shared with Bing in Search.

Sync Your Settings (various policies) ^

Computer Configuration > Administrative Templates > Windows Components

Prevent syncing to and from this PC.  This turns off and disables the "sync your settings" switch on the "sync your settings" page in PC Settings.

Disable Windows Error Reporting (various policies) ^

Computer Configuration > Administrative Templates > Windows Components > Windows Error Reporting

This policy setting turns off Windows Error Reporting, so that reports are not collected or sent to either Microsoft or internal servers within your organization when software unexpectedly stops working or fails.

Join Microsoft MAPS ^

Computer Configuration > Administrative Templates > Windows Components > Windows Defender > MAPS

Microsoft MAPS is the online community that helps you choose how to respond to potential threats. You can choose to send basic or additional information about detected software. This information can include things like location of detected items on your computer if harmful software was removed. The information will be automatically collected and sent.

Sent file samples when further analysis is required ^

Computer Configuration > Administrative Templates > Windows Components > Windows Defender > MAPS

This policy setting configures behaviour of samples submission when opt-in for MAPS telemetry is set.

Do not send a Windows error report when a generic driver is installed on a device ^

Computer Configuration > Administrative Templates > System > Device Installation

Windows has a feature that sends "generic-driver-installed" reports through the Windows Error Reporting infrastructure.

Turn off Windows Customer Experience Improvement Program ^

Computer Configuration > Administrative Templates > System > Internet Communication Management > Internet Communication settings

The Windows Customer Experience Improvement Program collects information about your hardware configuration and how you use our software and services to identify trends and usage patterns.

Turn off Windows Error Reporting ^

Computer Configuration > Administrative Templates > System > Internet Communication Management > Internet Communication settings

Error Reporting is used to report information about a system or application that has failed or has stopped responding and is used to improve the quality of the product.

Turn off Application Telemetry ^

Computer Configuration > Administrative Templates > Windows Components > Application Compatibility

­Application Telemetry is a mechanism that tracks anonymous usage of specific Windows system components by applications.

Turn off Inventory Collector ^

Computer Configuration > Administrative Templates > Windows Components > Application Compatibility

The Inventory Collector inventories applications, files, devices, and drivers on the system and sends the information to Microsoft. This information is used to help diagnose compatibility problems.

Prevent participation in the Customer Experience Improvement Program ^

Computer Configuration > Administrative Templates > Windows Components > Internet Explorer

This policy setting prevents the user from participating in the Customer Experience Improvement Program (CEIP).

Prevent Windows Media DRM Internet Access ^

Computer Configuration > Administrative Templates > Windows Components > Windows Media Digital Rights Management

When enabled, Windows Media DRM is prevented from accessing the Internet (or intranet) for license acquisition and security upgrades.­

Prevent Music File Media Information Retrieval ^

User Configuration > Administrative Templates > Windows Components > Windows Media Player

This policy setting allows you to prevent media information for music files from being retrieved from the Internet.

Prevent Music CD and DVD Media Information Retrieval ^

User Configuration > Administrative Templates > Windows Components > Windows Media Player

This policy setting allows you to prevent media information for CDs and DVDs from being retrieved from the Internet.

An updated list of Windows 10 privacy settings is now in our wiki.

Are you an IT pro? Apply for membership!

Your question was not answered? Ask in the forum!

1+
Share
35 Comments
  1. Simon 4 years ago

    Thanks! Much appreciated!

    1+

  2. Michael Pietroforte 4 years ago

    Simon, you are welcome!

    0

  3. Geert 4 years ago

    "Windows should ask for my feedback" can be disabled by setting following reg keys to zero:

    HKEY_CURRENT_USER\Software\Microsoft\Siuf\Rules\PeriodInNanoSeconds
    HKEY_CURRENT_USER\Software\Microsoft\Siuf\Rules\NumberOfSIUFInPeriod

    https://technet.microsoft.com/en-us/library/mt577208(v=vs.85).aspx contains a lot of additional info about GPOs and regedits

    0

  4. Michael Pietroforte 4 years ago

    Geert, thanks a lot! I updated the article.

    0

  5. Toby Foster 4 years ago

    This article fills in some of your missing settings.
    https://technet.microsoft.com/en-us/library/mt577208(v=vs.85).aspx

    0

  6. casper 4 years ago

    Thanks for the help saves the reading 🙂

    0

  7. scott s 4 years ago

    Can you turn any of these of with unattend.xml during installation?

    Thanks.

    0

  8. Ed Ferguson 4 years ago

    Some keys that Microsoft refers to for privacy settings do not seem to be available through my Win10 Pro policies. For example I cannot find Computer Configuration > Administrative Templates > Windows Components > App Privacy > Let Windows apps access the camera.

    Do you know if it's because settings such as this are only available in the enterprise edition?

    0

    • Ed Ferguson 4 years ago

      I have verified that some of these options are only available in the Enterprise edition. I was able to download Win10 Enterprise eval and install in Hyper-V. I then installed Microsoft's administrative tools and configured my group policy from that Enterprise station. Doing so provided registry keys for settings not found in the Pro edition.

      0

      • Ed Ferguson 4 years ago

        I setup a central store in my SYSVOL with the latest Microsoft ADMX files, and even though some policy settings are there now that weren't available before, I still don't have a few settings such as "Let Windows apps access the camera" available, which are available in an Enterprise policy. So, unless I'm missing something, that did not solve my issue for Windows Professional clients.

        So, even though my first project using a Win10 Enterprise eval to find some of those extra policy keys seemed much more of a project than using updated ADMX files, I did get what I needed after not finding enough info to reference for those settings on any tech forums.

        0

        • Ed Ferguson 4 years ago

          I was able to copy the extra ADMX files from the Win10 Enterprise eval to my central store to get the extra policies I was looking for, for my Win10 Pro stations.

           

          Check this link if receiving an error after copying ADMX files to your central store.

          https://support.microsoft.com/en-us/kb/3077013

          0

  9. Jimmy Desbiens 4 years ago

    https://technet.microsoft.com/en-us/itpro/windows/manage/disconnect-your-organization-from-microsoft#bkmk-priv-other-devices

    For: Sync info with wireless devices

     
    Computer Configuration > Administrative Templates > Windows Components > App Privacy > Let Windows apps access trusted devices
     
    ◦Set the Select a setting box to Force Deny.
     

    0

  10. Herald Joseph 3 years ago

    Great Work !!

    0

  11. Lonn 3 years ago

    Sync info with wireless devices?
    Windows settings (Settings > Privacy > Other devices):

    Sync with devices

    Let your apps automatically share and sync info with wireless devices that don’t explicitly pair with your PC, tablet, or phone.

    Registry key (discovered using Procmon):

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\LooselyCoupled
    Value name: ValueValue data (REG_SZ): Deny (to disable) | Allow (to enable)

    0

  12. Chris Millian 3 years ago

     
    Hi all
    Make sure that you have the latest ADMX and ADML files.
    In there are a lot of settings conserning App Privacy.
     
    Computer Configuration > Administrative Templates > Windows Components > App Privacy >
    Regards

    0

  13. Em Jay 3 years ago

    Acces of the calender, camera, contacts, lpocation, microphone, radios und many more can easily be regulated with the GPO Computer Configuration -> Policies -> Administrative Templates -> Windows Compoonents -> App Privacy

    0

  14. Philip Brewer 3 years ago

    I don't know if this helps, but the Windows 8 & 8.1 STIG has the information below concerning "location".  The windows 10 stig doesn't say anything about turning off location, though.  If 8 and 10 are similar enough, this may work.  I haven't tested it yet.

    Rule Title: The location feature must be turned off.
    Vulnerability Discussion:  The location service on mobile devices may allow sensitive data to be used by applications on the system. This should be turned off unless explicitly allowed for approved systems/applications.
    IAControls:  ECSC-1
    Check Content:
    If the following registry value does not exist or is not configured as specified, this is a finding:
    Registry Hive: HKEY_LOCAL_MACHINE
    Subkey: \Software\Policies\Microsoft\Windows\LocationAndSensors\
    Value Name: DisableLocation
    Type: REG_DWORD  Value: 1 (Enabled)
    If location services are approved for the device by the organization, this may be set to "Disabled" (0). This must be documented with the IAO.
    Fix Text: Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Location and Sensors -> "Turn off location" to "Enabled".  If location services are approved by the organization for a device, this must be documented.  

    0

  15. Philip Brewer 3 years ago

    There's also Computer Config - Admin templates - win components - location and sensors - windows location provider - Turn off Windows Location Provider

    0

    • Author
      Michael Pietroforte 3 years ago

      I tried the policy, but I didn't notice any effect. At least the corresponding Windows 10 settings didn't change. However, this policy worked:

      Computer Configuration > Administrative Templates > Windows Components > Locations and Sensors > Turn off location

      Updated the wiki.

      0

  16. Philip Brewer 3 years ago

    Computer config - Admin templates - win components - App Privacy

    There are 13 settings that control application access.

    My group policy admx and adml files have been replaced with the latest downloads from Microsoft dated Nov 2015.

    0

  17. Author
    Michael Pietroforte 3 years ago

    Philip, thanks for the tips! How about adding the missing pieces to our wiki?

    0

  18. Stefan 3 years ago

    Hi Michael

    Thx for this detailed informations. Do you've the possibility to export your privacy gpo settings, so that I can import it? It complicated to translate.

    I look forward to hearing from you

    Stefan

    0

  19. steve 3 years ago

    We use Windows Server 2012 R2. We are just starting to install Window 10 machines. There is only one thing we can't figure out with GPO. Under settings, Email & app accounts, Add an account. Users can add their own google or yahoo account. How do we prevent this?

    1+

    • Troy 2 years ago

      did you ever find out an answer to blocking the Add a Microsoft Account inside Email & app accounts section?

      0

  20. Tarmizi 2 years ago

    Hi,

    how do I configure in a policy for a common indexing settings for all users in Windows 10

    0

  21. JJ 2 years ago

    Does this Group Policy also need to be set to disallow telemetry?

    User Configuration > Administrative Templates > Windows Components>Data Collection and Preview Builds>Allow Telemetry

    It seems to be a repeat of
    Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds\Allow Telemetry

    After setting the User Configuration version (without setting the Computer Configuration version) the associated Settings UI (Settings > Privacy > Feedback & diagnostics: Diagnostic and usage data) gets a greyed out box, which is normal. However, if its then reset back to Not Configured, the box still remains greyed out. It should return back to white and be configurable from the Settings UI.

    0

    • Author
      Michael Pietroforte 2 years ago

      "Not Configured" means that any settings that are already in the registry won't be modified. Or in other words "Not Configured" means "don't change any existing configuration."

      Also note that the policy exists for computers and users. Thus, it is not a repeat. If there is a conflict between the computer and the user configuration, the computer configuration wins.

      0

  22. jj 2 years ago

    Thanks Michael about the explanation. It does help. I’ve obviously popped an extra policy setting in somewhere which is causing me the greyed out box problem.

    I’ve also used some additional settings from a medical information risk website; http://www.hipaaone.com/wp-content/uploads/2017/02/HIPAA-Compliance-with-Microsoft-Windows-10-Enterprise.pdf

    A lot of policies are the same as Microsoft’s Baseline’s but they have a few extra. Some are debateable whether they are necessary or even if they could add to problems (eg turning off Root certificate updates) but so you don’t have to trawl through the whole lot, I’ve listed the ones which are not included on your site or in Microsoft’s Baselines.

    Computer Configuration > Administrative Templates > System > Internet Communication Management > Internet Communication settings

    Turn off Automatic Root Certificates Update - Enabled ?

    Turn off the handwriting recognition error reporting - Enabled

    Turn off printing over HTTP – Enabled ?

    Turn off downloading of print drivers over http – Enabled ?

    Turn off internet file association Service - Enabled

    Turn off access to the Store – Enabled

    Turn off handwriting personalization data sharing - Enabled

    Computer Configuration>Administrative Templates>Windows Components>Data Collection and Preview Builds>

    Disable Pre-release feature or settings – Disabled

    Computer Configuration > Administrative Templates > Windows Components > Internet Explorer

    Turn off the auto-complete feature for web addresses - Disabled

    Disable Periodic Check for Internet Explorer software updates- Disabled (Microsoft Baseline policy is set for Enabled) ?

    Computer Configuration>Administrative Templates>Windows Components>Application Compatibility

    Turn off Program Compatibility Assistant - Enabled ?

    Turn off Step Recorder – Enabled ?

    Computer Configuration>Administrative Templates>Windows Components>Camera

    Allow use of Camera - Disabled ?

    Computer Configuration > Administrative Templates > Windows Components > MDM

    Disabled MDM Enrollment – Enabled

    Computer Configuration > Administrative Templates > Windows Components > Microsoft User Experience Virtualization

    Enable UEV - Disabled ?

    Computer Configuration\Administrative Templates\Network\WLAN Service\WLAN Settings\

    Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services – Disabled

    Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options>Interactive logon

    Machine inactivity limit - Enabled ?

     

    0

  23. Cool Charac 2 years ago

    Thanks for collecting (most) of the privacy settings with their registry keys. This will make it easier to export/import Windows settings manually.

    Could we expand the project to all of the Settings/Control Panel options?

    0

  24. Steve Lawrence 2 years ago

    I found this post very helpful. For those wanting to "Hide" control panel settings here is a very interesting article I found while searching on this topic of controlling Windows 10 via GPO.

    https://blogs.technet.microsoft.com/mniehaus/2017/04/13/hiding-pages-in-settings-with-windows-10-1703/

     

    0

    • Author
      Michael Pietroforte 2 years ago

      Steve, thanks! I posted an updated version of all the Windows 10 privacy settings I am aware of in the wiki. I am unsure if hiding Control Panel pages from users counts as a privacy setting. I guess this feature is more about preventing users from messing with Windows configurations.

      Nevertheless, this is an interesting new feature and I think we didn't cover this on 4sysops. Let me know if you want to blog about it.

      0

  25. Daniel 1 year ago

    Thanks for the detailed post. Helped me alot.
    I did some research for the location settings in Windows Settings -> Privacy -> (App permissions) Locations. Then location for this device:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location\Value
    The set the string to Allow/Deny

    0

Leave a reply

Your email address will not be published. Required fields are marked *

*

© 4sysops 2006 - 2019

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account