Microsoft regards Windows 10 is the most secure version of Windows out of the box, and I do have to agree thats the case.
Which is all well and good, but the question that folks seem to continually ask me is various versions of How can I reduce how much personal information I send to Microsoft. Or in other words - why is Windows 10 so creeping me, and how do I dial back that creep factor?
Ive put a short list together of various features that people might consider to be at the big brother end of the spectrum, and how to script your way out of them - and yes, you knew thered be PowerShell involved! Note that if you are looking to disable these features in an Active Directory domain, these settings are all front-and-center in Group Policy, so are easily updated centrally.
First, lets look at Windows Telemetry. This is basic information on what applications run, search information, Cortana activity, gaming patterns and so on. Specific search terms arent sent, but for me this is well in to creep territory anyway. The resulting information gets sent to Microsoft, and they do resell it after its anonymized. But its not all bad - a very complete description of what telemetry does can be found here https://technet.microsoft.com/en-ca/itpro/windows/manage/configure-windows-telemetry-in-your-organization. A privacy specific discussion can be found here: https://privacy.microsoft.com/en-US/windows-10-feedback-diagnostics-and-privacy ) The Microsoft page covers the GUI adjustments for this, or changing three registry keys kills that datastream (Powershell command shown). Note that telemetry can">Computer Configuration Administrative Templates Windows Components Data Collection and Preview Builds ">Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection -Name AllowTelemetry -Type DWord -Value 0
Set-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection -Name AllowTelemetry -Type DWord -Value 0
Set-ItemProperty -Path HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\DataCollection -Name AllowTelemetry -Type DWord -Value 0
Smartscreen Filter has a solid business use - it monitors your browser activity, and will give you a warning or block if you browse to known malicious sites, phishing or otherwise suspicous sites, or if you are downloading known malicious files. More info on this service can be found here: https://support.microsoft.com/en-ca/help/17443/windows-internet-explorer-smartscreen-filter-faq and here: https://privacy.microsoft.com/en-US/windows-10-microsoft-edge-and-privacy
This sounds great, except that Microsoft is pretty cagey about how this works and what data is sent where - from most of their docs its not clear if your activity is sent to them, or if they download a database of malicious sites to you. Since that malicious sites thing never shows up in Windows Udpate, I know where I land on this question. All that being said, it *is* a useful feature, especially if you are in the support friends and family role. Since I dont generally use IE or Edge, this isnt a setting I normally worry about on my own gear. If you do want to disable this, its a toggle in Privacy Settings,">Control Panel / Internet Properties / Advanced / Enable SmartScreen Filter . ">Computer Configuration Administrative Templates Windows Components File Explorer ">Set-ItemProperty -Path HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer -Name SmartScreenEnabled -Type String -Value Off
Set-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\AppHost -Name EnableWebContentEvaluation -Type DWord -Value 0
Wi-Fi Sense connects you to Open hotspots that are greenlighted through crowdsourcing. This setting is disabled in current versions of Windows (Anniversary Edition or newer) - if you have not updated, today is a good day to do that! If for some reason you cant, more information on the various levels of trust you might have in this can be found at: https://privacy.microsoft.com/en-US/windows-10-about-wifi-sense For me, what crowdsourcing equates to is the mom-proverb if all of your friends jumped off a bridge .... - yes, your mom was right.
To disable this feature - in Group Policy it">Computer Configuration\Administrative Templates\Network\WLAN Service\WLAN Settings\Allow Windows to automatically connect to suggested open hotspots - set this to Disabled">Allow Windows to automatically connect to networks shared by contacts">Allow Windows to automatically connect to hotspots offering paid services">Set-ItemProperty -Path HKLM:\Software\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting -Name Value -Type DWord -Value 0
Set-ItemProperty -Path HKLM:\Software\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots -Name Value -Type DWord -Value 0
(note - these keys may not be there, you should check for the key being present first).
Searching the start menu seems like an innocuous thing, except that Microsoft pairs it with search suggestions, which means that this is part of the telemetry stream as well.">Computer Configuration Policies Administrative Templates Windows Components Search
Set Dont search the web or display web results in search to Enabled">Set-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Search -Name BingSearchEnabled -Type DWord -Value 0
Set-ItemProperty -Path HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager -Name SystemPaneSuggestionsEnabled -Type DWord -Value 0
Cortana is a cool thing, and is just as useful as Sira and Echo, but your interactions are processed in the cloud. Because of this, were starting to see noise about voice systems such as Siri, Echo and Cortana having interactions subpoenad in criminal cases. ">Computer Configuration Administrative Templates Windows Components Search Allow Cortana, set to Disabled">Set-ItemProperty -Path HKCU:\SOFTWARE\Policies\Microsoft\Windows\Windows Search -Name AllowCortana -Type DWord -Value 0
Location tracking? Great if youre asking how far do I need to walk for donuts or help, Im almost out of gas, but otherwise maybe not so much. Id like to see this enabled app by app (as is iOS), Windows makes a start at this, but win Windows there are only 5 granular picks for this, one being App Connector (which looks like it means any other app not listed">Computer Configuration Administrative Templates Windows Components Search Allow search and Cortana to use location, set to Disabled">Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44} -Name SensorPermissionState -Type DWord -Value 0
Set-ItemProperty -Path HKLM:\System\CurrentControlSet\Services\lfsvc\Service\Configuration -Name Status">Windows Feedback is more of an annoyance feature, its more or less a periodic pop-up How is Microsoft doing today? survey. In a corporate setting especially, youll likely look on this as a productivity-eater, plus people will confuse things and think that theyre providing feedback to your internal IT Group rather than Microsoft.
In the UI, you">Settings / Privacy / Feedback ">Settings / System / Notifications and Actions / Windows Feedback
you can adjust the frequency or turn this off. ">Computer Configuration Administrative Templates Windows Components Data Collection and Preview Builds ">Set-ItemProperty -Path HKCU:\Software\Microsoft\Siuf\Rules -Name NumberOfSIUFInPeriod -Type DWord -Value 0
These settings cover the adjustments I normally set - have I missed any that you might consider important? Please use our comment form to add any settings you enable or disable.
===============
Rob VandenBrink
Metafore