Worried about Windows 10 privacy issues? Group/Local policy to the rescue!
I hear and see all over the Internet that people have privacy concerns about Windows 10 and for good reason. For any security concious person, like myself, they’re probably not very happy about many of the decisions that were made for Windows 10. Microsoft seems to be very tight lipped about their updates and what information is actually shared in their “learning” and “telemetry” information that is sent back to the Microsoft mother ship. There are also many other features included in Windows 10 that are, or could be seen as, a privacy concern; such as the advertising ID, WiFi Sense, Cortana, and the list goes on…
“We will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary to protect our customers or enforce the terms governing the use of the services.”
I’m sure many from the IT community are aware of Microsoft’s direct involvement with Government spying programs – so make no mistake, you are being watched.
With that aside, I will say there are tools at your disposal to greatly minimize the privacy issues in Windows 10. This can said for both users at home and businesses with thousands of Windows 10 desktops. The answer is simple: Group or Local Policy. It is the safest and easiest way to secure your Windows 10 desktops from Microsoft’s spying eye’s. There are third-party tools available that you can run to achieve similar results but with those you never know what else your getting and in a business environment this would be a big no-no.
Group Policy – Fix Windows 10 privacy issues in an Active Directory domain (Business)
To secure computers in a Active Directory domain we will be making changes to group policy. Group Policy tools use Administrative template files to populate policy settings in the GPO Management interface. To do this we we must download the Windows 10 Group Policy (.ADMX) templates from Microsoft and upload them onto one of your domain controllers. This is a more advanced change I would recommend to system administrators.
- Download the Windows 10 Group Policy (.ADMX) templates, visit http://www.microsoft.com/en-us/download/details.aspx?id=48257
- You’ll then need to copy ADMX templates you downloaded to the Central Store on a AD domain controller server. I won’t go into detail on how to do this, so carefully follow the instructions as seen here: https://msdn.microsoft.com/en-us/library/bb530196.aspx
- Once the ADMX files are installed to the Central Store, open the Group Policy Management RSAT from your workstation (that is on the domain)
- Now simply filter/search for the GPO’s as listed below and set them to your desired configuration. I would highly recommend creating a new GPO object to apply these rules to – not the Default GPO!
Local Policy – Fix Windows 10 privacy issues for users at home without a AD domain (User)
For home users we can skip all of the ADMX templates stuff. It’s irrelevant because the Windows 10 policy definitions are already installed in the /Windows/Policy Definitions folder by default. That means we can just modify the Local Policy to achieve the same results as above. This is much easier to do and can be done by anyone with a good understanding of how Windows works.
- Start –> Run –> “gpedit.msc”
- You should now be on the Local Group Policy Editor. Expand “Computer Configuration” –> Administrative Templates –> “All Settings”
- Right click on “All Settings” and click on “Filter Options”
- This is where you will be searching for and applying each of the GPO’s as listed below to your system. Search for each one and configure as necessary.
- Note: Make sure you are making the changes to the Computer Configuration section, and not User Configuration. User configuration is applied to the USER session. Computer configuration is applied to the entire computer thus effecting every user.
Policy Edit List
Search and enable/disable the following Windows 10 policy edits as per the list below. This list applies for both Group and Local policy edits. This list was compiled by myself after carefully combing through the policies and removing and disabling things that I personally do not use or want on the systems. You can make all or some of these recommendations at your own discretion for your environment. Be aware that some of these settings have two values that must be configured (state and option) for them to work properly.
|Allow input personalization||Disabled|
|Allow search and Cortana to use location||Disabled|
|Configure Windows SmartScreen||Disabled|
|Join Microsoft MAPS||Disabled|
|Allow Telemetry||Enabled||0 - Security [Enterprise Only]||It says "Enterprise Only" but you are still able to modify the setting|
|Disable Windows Error Reporting||Enabled|
|Do not show feedback notifications||Enabled|
|Do not sync||Enabled|
|Do not sync passwords||Enabled||Slightly redundant since "Do not sync" disables all of sync - but enabling this anyway!|
|Don't search the web or display web results in Search||Enabled|
|Don't search the web or display web results in Search over metered connections||Enabled|
|Download Mode||Enabled||None||This relates the Windows 10 Update P2 Peer-to-peer download settings in the "how updates are delivered" advanced options|
|Let Windows apps access account information||Enabled||Force Deny|
|Let Windows apps access call history||Enabled||Force Deny|
|Let Windows apps access contacts||Enabled||Force Deny|
|Let Windows apps access email||Enabled||Force Deny|
|Let Windows apps access location||Enabled||Force Deny|
|Let Windows apps access messaging||Enabled||Force Deny|
|Let Windows apps access motion||Enabled||Force Deny|
|Let Windows apps access the calendar||Enabled||Force Deny|
|Let Windows apps access the camera||Enabled||Force Deny|
|Let Windows apps access the microphone||Enabled||Force Deny|
|Let Windows apps access trusted devices||Enabled||Force Deny|
|Let Windows apps access control radios||Enabled||Force Deny|
|Let Windows apps sync with devices||Enabled||Force Deny|
|Prevent managing SmartScreen Filter||Enabled||Off|
|Prevent participation in the Customer Experience Improvement Program||Enabled|
|Prevent the usage of OneDrive for file storage||Enabled||This will disable OneDrive on the system, including the tray icon|
|Send file samples when further analysis is required||Enabled||Never send|
|Turn off Application Telemetry||Enabled|
|Turn off automatic learning||Enabled|
|Turn off Autoplay||Enabled|
|Turn off Inventory Collector||Enabled|
|Turn off location||Enabled|
|Turn off location scripting||Enabled|
|Turn off Microsoft consumer experiences||Enabled|
|Turn off the advertising ID||Enabled|
|Turn off Windows Customer Experience Improvement Program||Enabled|
|Turn off Windows Defender||Enabled||I would only recommend this if you are using another Anti-Virus solution|
|Turn off Windows Error Reporting||Enabled|
|Turn off Windows Search AutoComplete||Enabled|
Once these settings have been applied to your Windows 10 system its best to run a “gpupdate” and then reboot for them to take full effect. If you need to roll-back any of these changes simply follow the same steps and change the setting of the policies you wish to remove or modify.
Let me know in the comments below if you found this useful or have other comments and suggestions! Thanks!
Win10 home edition seems to lack gpedit. I’ve noticed the same thing missing in windows 7.
Really pathetic on Microsoft’s part.
“windows cannot find gpedit.msc”
Fails right out of the box.
As I mentioned this change is NOT for everyone. There is lots of documentation on the internet on how to get to a command prompt in Windows. I suggest starting there. 😉
The last time I made privacy changes to Win 10, they were all reset to default when Windows Update installed a new update. I feel that this is a losing battle if Microsoft is going to keep resetting our systems every time they send an update.
Bill, you make a good point. That’s exactly why applying these settings using policy is a good countermeasure as it will override any setting that a Windows Update may apply in the future. 🙂