Worried about Windows 10 privacy issues? Group/Local policy to the rescue!


I hear and see all over the Internet that people have privacy concerns about Windows 10, and for good reason. Security-conscious people, like myself, are probably not very happy about many of the decisions that were made for Windows 10. Microsoft seems to be very tight-lipped about their updates and about what is actually shared in the “learning” and “telemetry” information that is sent back to the Microsoft mother ship. There are also many other features included in Windows 10 that are, or could be seen as, a privacy concern, such as the advertising ID, WiFi Sense, Cortana, and the list goes on…

One of the biggest worries, though, is Microsoft’s policy on disclosing or sharing your personal information. The following is an excerpt from the privacy policy:

“We will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary to protect our customers or enforce the terms governing the use of the services.”

I’m sure many from the IT community are aware of Microsoft’s direct involvement with Government spying programs – so make no mistake, you are being watched.

The Solution

With that aside, I will say there are tools at your disposal to greatly minimize the privacy issues in Windows 10. This can be said for both users at home and businesses with thousands of Windows 10 desktops. The answer is simple: Group or Local Policy. It is the safest and easiest way to secure your Windows 10 desktops from Microsoft’s spying eyes. There are third-party tools available that you can run to achieve similar results, but with those you never know what else you’re getting, and in a business environment this would be a big no-no.

Group Policy – Fix Windows 10 privacy issues in an Active Directory domain (Business)

To secure computers in an Active Directory domain we will be making changes to Group Policy. Group Policy tools use Administrative Template files to populate policy settings in the GPO management interface. To do this we must download the Windows 10 Group Policy (.ADMX) templates from Microsoft and upload them onto one of your domain controllers. This is a more advanced change that I would recommend to system administrators.

  1. Download the Windows 10 Group Policy (.ADMX) templates from http://www.microsoft.com/en-us/download/details.aspx?id=48257
  2. You’ll then need to copy the ADMX templates you downloaded to the Central Store on an AD domain controller. I won’t go into detail on how to do this, so carefully follow the instructions here: https://msdn.microsoft.com/en-us/library/bb530196.aspx
  3. Once the ADMX files are installed to the Central Store, open the Group Policy Management RSAT from your workstation (that is on the domain)
  4. Now simply filter/search for the GPOs as listed below and set them to your desired configuration. I would highly recommend creating a new GPO object to apply these rules to – not the Default GPO!

Local Policy – Fix Windows 10 privacy issues for users at home without an AD domain (User)

For home users we can skip all of the ADMX template steps. They’re irrelevant because the Windows 10 policy definitions are already installed in the \Windows\PolicyDefinitions folder by default. That means we can just modify the Local Policy to achieve the same results as above. This is much easier to do and can be done by anyone with a good understanding of how Windows works.

  1. Start –> Run –> “gpedit.msc”
  2. You should now be on the Local Group Policy Editor. Expand “Computer Configuration” –> Administrative Templates –> “All Settings”
  3. Right click on “All Settings” and click on “Filter Options”
  4. This is where you will be searching for and applying each of the GPOs as listed below to your system. Search for each one and configure as necessary.
    • Note: Make sure you are making the changes to the Computer Configuration section, and not User Configuration. User Configuration is applied to the USER session. Computer Configuration is applied to the entire computer, thus affecting every user.

Policy Edit List

Search for and enable/disable the following Windows 10 policies as per the list below. This list applies to both Group and Local Policy edits. I compiled this list after carefully combing through the policies and removing and disabling things that I personally do not use or want on my systems. You can apply all or some of these recommendations at your own discretion for your environment. Be aware that some of these settings have two values that must be configured (state and option) for them to work properly.

| Setting | State | Options | Notes |
|---|---|---|---|
| Allow Cortana | Disabled | | |
| Allow input personalization | Disabled | | |
| Allow search and Cortana to use location | Disabled | | |
| Configure Windows SmartScreen | Disabled | | |
| Join Microsoft MAPS | Disabled | | |
| Allow Telemetry | Enabled | 0 - Security [Enterprise Only] | It says "Enterprise Only" but you are still able to modify the setting |
| Disable Windows Error Reporting | Enabled | | |
| Do not show feedback notifications | Enabled | | |
| Do not sync | Enabled | | |
| Do not sync passwords | Enabled | | Slightly redundant since "Do not sync" disables all of sync - but enabling this anyway! |
| Don't search the web or display web results in Search | Enabled | | |
| Don't search the web or display web results in Search over metered connections | Enabled | | |
| Download Mode | Enabled | None | This relates to the Windows 10 Update P2P (peer-to-peer) download settings in the "how updates are delivered" advanced options |
| Let Windows apps access account information | Enabled | Force Deny | |
| Let Windows apps access call history | Enabled | Force Deny | |
| Let Windows apps access contacts | Enabled | Force Deny | |
| Let Windows apps access email | Enabled | Force Deny | |
| Let Windows apps access location | Enabled | Force Deny | |
| Let Windows apps access messaging | Enabled | Force Deny | |
| Let Windows apps access motion | Enabled | Force Deny | |
| Let Windows apps access the calendar | Enabled | Force Deny | |
| Let Windows apps access the camera | Enabled | Force Deny | |
| Let Windows apps access the microphone | Enabled | Force Deny | |
| Let Windows apps access trusted devices | Enabled | Force Deny | |
| Let Windows apps access control radios | Enabled | Force Deny | |
| Let Windows apps sync with devices | Enabled | Force Deny | |
| Prevent managing SmartScreen Filter | Enabled | Off | |
| Prevent participation in the Customer Experience Improvement Program | Enabled | | |
| Prevent the usage of OneDrive for file storage | Enabled | | This will disable OneDrive on the system, including the tray icon |
| Send file samples when further analysis is required | Enabled | Never send | |
| Turn off Application Telemetry | Enabled | | |
| Turn off automatic learning | Enabled | | |
| Turn off Autoplay | Enabled | | |
| Turn off Inventory Collector | Enabled | | |
| Turn off location | Enabled | | |
| Turn off location scripting | Enabled | | |
| Turn off Microsoft consumer experiences | Enabled | | |
| Turn off the advertising ID | Enabled | | |
| Turn off Windows Customer Experience Improvement Program | Enabled | | |
| Turn off Windows Defender | Enabled | | I would only recommend this if you are using another Anti-Virus solution |
| Turn off Windows Error Reporting | Enabled | | |
| Turn off Windows Search AutoComplete | Enabled | | |

Once these settings have been applied to your Windows 10 system, it’s best to run a “gpupdate” and then reboot for them to take full effect. If you need to roll back any of these changes, simply follow the same steps and change the setting of the policies you wish to remove or modify.
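One way to confirm that the policies actually landed after the “gpupdate” and reboot, and to spot drift after a later Windows Update, is to read back the registry values the policies write. This is an added example, not part of the original post. The registry value names are assumptions taken from Microsoft's ADMX templates rather than from this page, and only a subset of the list is checked.

```powershell
# Added example: audit a subset of the policy list above by reading the values
# the matching ADMX policies write under HKLM:\SOFTWARE\Policies.
# The value names are not from the original post; confirm them against the
# .admx files in your PolicyDefinitions folder before relying on the result.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows'

$expected = @(
    [pscustomobject]@{ Policy = 'Allow Telemetry (0 - Security)';           Key = "$base\DataCollection";     Name = 'AllowTelemetry';                 Want = 0 }
    [pscustomobject]@{ Policy = 'Do not show feedback notifications';       Key = "$base\DataCollection";     Name = 'DoNotShowFeedbackNotifications'; Want = 1 }
    [pscustomobject]@{ Policy = 'Allow Cortana';                            Key = "$base\Windows Search";     Name = 'AllowCortana';                   Want = 0 }
    [pscustomobject]@{ Policy = 'Allow search and Cortana to use location'; Key = "$base\Windows Search";     Name = 'AllowSearchToUseLocation';       Want = 0 }
    [pscustomobject]@{ Policy = "Don't search the web in Search";           Key = "$base\Windows Search";     Name = 'ConnectedSearchUseWeb';          Want = 0 }
    [pscustomobject]@{ Policy = 'Turn off the advertising ID';              Key = "$base\AdvertisingInfo";    Name = 'DisabledByGroupPolicy';          Want = 1 }
    [pscustomobject]@{ Policy = 'Turn off Microsoft consumer experiences';  Key = "$base\CloudContent";       Name = 'DisableWindowsConsumerFeatures'; Want = 1 }
    [pscustomobject]@{ Policy = 'Turn off location';                        Key = "$base\LocationAndSensors"; Name = 'DisableLocation';                Want = 1 }
    [pscustomobject]@{ Policy = 'Prevent the usage of OneDrive';            Key = "$base\OneDrive";           Name = 'DisableFileSyncNGSC';            Want = 1 }
    [pscustomobject]@{ Policy = 'Let Windows apps access location (Force Deny)'; Key = "$base\AppPrivacy";    Name = 'LetAppsAccessLocation';          Want = 2 }
)

function Test-PrivacyPolicy {
    param([Parameter(Mandatory)] [object[]] $Checks)
    foreach ($c in $Checks) {
        # A missing key or value means the policy is "Not Configured" on this machine.
        $item   = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
        $actual = if ($null -ne $item) { $item.($c.Name) } else { $null }
        $status = if ($null -eq $actual) { 'NotConfigured' }
                  elseif ($actual -eq $c.Want) { 'OK' }
                  else { 'Mismatch' }
        [pscustomobject]@{ Policy = $c.Policy; Expected = $c.Want; Actual = $actual; Status = $status }
    }
}

$report = Test-PrivacyPolicy -Checks $expected
$report | Format-Table -AutoSize

# Anything that is not 'OK' was never applied or has been changed since.
$drift = @($report | Where-Object Status -ne 'OK')
if ($drift.Count -gt 0) {
    Write-Warning "$($drift.Count) of $($report.Count) checked policies are not in the expected state."
}
```

Reading these keys needs no elevation, so the script can run as a scheduled task after each update cycle and report any row that is no longer `OK`.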

Let me know in the comments below if you found this useful or have other comments and suggestions! Thanks!

Karl has been involved in the virtualization, server, web development and web hosting industry for over 15 years. In his current role at a managed service provider, he is focused on cloud-based solutions for enterprise clients. His diverse background of sales, management, and architectural/technical expertise bring a unique perspective to the virtualization practice.

5 Comments

  1. Tinfoil Hat

    Win10 home edition seems to lack gpedit. I’ve noticed the same thing missing in windows 7.

    Really pathetic on Microsoft’s part.

  2. Moofey

    “windows cannot find gpedit.msc”

    Fails right out of the box.

    • As I mentioned this change is NOT for everyone. There is lots of documentation on the internet on how to get to a command prompt in Windows. I suggest starting there. 😉

  3. Bill Clay

    The last time I made privacy changes to Win 10, they were all reset to default when Windows Update installed a new update. I feel that this is a losing battle if Microsoft is going to keep resetting our systems every time they send an update.

    • Bill, you make a good point. That’s exactly why applying these settings using policy is a good countermeasure as it will override any setting that a Windows Update may apply in the future. 🙂
