Before you begin reading
Keep in mind that this guide is a work-in-progress. Information may be incomplete.
This guide is only applicable to users of Windows 11 Pro, Windows 11 Education and Windows 11 Enterprise, or any other Windows editions with access to Group Policy controls. Users of Windows 11 Home will have to upgrade to one of those editions.
Introduction
This is a guide on how to improve privacy on Windows 11, which is growing increasingly hostile towards users’ right to disconnect. By following this guide, you will be able to make Windows 11 more privacy-friendly. Keep in mind, though, that you will still be using a privacy-hostile system.
This guide will try to mitigate most of the privacy drawbacks of Windows 11, but remember no proprietary OS will ever be as private as a libre OS. Consider switching to an operating system that respects your privacy, if you can. This guide should preferably be followed in a fresh install of Windows 11 to minimize the amount of information already collected.
Also, keep in mind that this is a “living document”, which means this article will be updated as the author obtains new information or discovers new ways to improve privacy in Windows 11. At the time of writing, this guide covers Windows 11 24H2.
Disclaimers
Windows 11 Pro users: About “Required diagnostic data”
Unfortunately, Microsoft does not allow Windows 11 Pro users to disable telemetry completely. Like with Windows 11 Home, Windows 11 Pro users must send at least “Required diagnostic data” to Microsoft. As it turns out, diagnostic data is not just used to help Microsoft’s engineers diagnose and solve problems in Windows–Microsoft can also use it to track and profile users. Consider reading about what Microsoft considers “Required diagnostic data” and how they use this data.
Security Features
While not mandatory and not recommended by the author, this guide contains instructions on how to disable several security features in Windows for the purpose of minimizing network traffic. If you choose to do so, please be aware of the potential consequences of disabling each security feature below:
- Windows SmartScreen: By disabling Windows SmartScreen, the user will no longer be protected by Microsoft’s service that blocks known malicious URLs. SmartScreen comes with a serious privacy compromise: When you visit a webpage, the full unhashed URL is sent to Microsoft servers, along with a user identifier. Microsoft claims not to use this data for any purpose other than user security. It is up to you to decide whether you trust Microsoft with this data.
Chapter 1: Initial Setup
This guide assumes that you understand the basics of installing Windows 11 from scratch. We will only cover the most critical aspects of the installation that affect the privacy of the installed OS.
It is highly recommended to not connect to the internet before or during setup, and before configuring Group Policies. Your computer will begin sending data to Microsoft as soon as it connects to the internet, so it’s important that you have configured your computer to minimize how much data is sent.
Sign in with a local account–not a Microsoft account
When you install Windows 11, the most important thing is that you do not sign into a Microsoft account during setup if you intend to minimize traffic to Microsoft. If you do, many things you do on your computer will be linked to your Microsoft account. When prompted to create a user account, opt to create a local account instead.
Do not enter a password when creating a local account or you will be required to set three security questions. They are notoriously pointless and do more harm than good. After the installation is finished, you may set a password without security questions in Account Settings.
Windows Pro users, read this:
Windows Pro users will have to go through some extra steps, as Microsoft no longer allows Pro users to sign in with a local account, but there are currently workarounds.
- After installing Windows from installation media, disconnect any Ethernet cables from your computer. Then reboot into Windows for the first time.
- When the first Windows setup screen appears, press Shift+F10 to open a command prompt. Type the command
oobe\bypassnro
into the command line and press Enter, and the system should reboot into setup again.
- Proceed with the Windows setup as per usual. When asked to connect to a network, click the option “I don’t have internet.” Then enter a username.
Setup Privacy Settings
During setup, you should be presented with a list of privacy choices. Set all of these to disabled. Make sure you scroll down, because there are more than just the first four. Once you have disabled every switch, click Accept to finish setup.
Chapter 2: Group Policies
You must configure group policies to exert a maximal amount of control over the computer’s settings. Prefer configuring Windows through these policies whenever possible, since they are strictly enforced by the OS and will (most likely) never be changed automatically. Windows unfortunately has the habit of undoing user settings whenever it updates and can make users feel gaslit.
These Group Policies are similar to the ones in the PrivacyGuides Knowledge Base, but I have included additional policies that are not listed under the original guide. To save myself the time of reiterating what the official guide has already succinctly put, here is some important preliminary information about these policies:
“These settings should be set on a brand-new installation of Windows. Setting them on your existing installation should work, but may introduce unpredictable behavior and is done at your own risk.”
“All of these settings have an explanation attached to them in the Group Policy editor which explains exactly what they do, usually in great detail. Please pay attention to those descriptions as you make changes, so you know exactly what we are recommending here. We’ve also explained some of our choices below whenever the explanation included with Windows is inadequate.”
In this section, we will be mostly focusing on Administrative Templates. Follow the instructions below to open the Group Policy editor on your computer.
“You can find these settings by opening gpedit.msc and navigating to Local Computer Policy > Computer Configuration > Administrative Templates in the left sidebar. The headers on this page correspond to folders/subfolders within Administrative Templates, and the bullet points correspond to individual policies.”
“To change any group policy, double click it and select Enabled or Disabled at the top of the window that appears depending on the recommendations below. Some group policies have additional settings that can be configured, and if that’s the case the appropriate settings are noted below as well.”
Some important points to consider:
- This chapter will not include instructions on how to disable critical security components of Windows 11, such as Windows Defender and Windows Update. While these services send some data about user activity to Microsoft, the benefits gained from these security features can outweigh the downsides depending on your circumstances. If it is in your best interest to disable any of those features, refer to Chapter 5 of this guide.
- This chapter will also not include instructions on how to disable the Microsoft Store or Microsoft User Authentication as they may introduce unexpected side effects. If it is in your best interest to disable any of those features, refer to Chapter 5 of this guide.
Computer Configuration: Administrative Templates
Control Panel
- Allow Online Tips: Disabled
- Regional and Language Options → Allow users to enable online speech recognition services: Disabled
- Regional and Language Options → Handwriting personalization → Turn off automatic learning: Enabled
Start Menu and Taskbar
- Do not keep history of recently opened documents: Enabled
- Remove Personalized Website Recommendations from the Recommended section in the Start Menu: Enabled
- Notifications → Turn off notifications network usage: Enabled
System
Device Guard
- Turn on Virtualization Based Security: Enabled
  - Platform Security Level: Secure Boot and DMA Protection
  - Secure Launch Configuration: Enabled
Internet Communication Management → Internet Communication settings
- Turn off Event Viewer “Event.asp” links: Enabled
- Turn off Help and Support Center “Did you know?” content: Enabled
- Turn off Help and Support Center Microsoft Knowledge Base search: Enabled
- Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com: Enabled
- Turn off Internet download for Web publishing and online ordering wizards: Enabled
- Turn off Internet File Association service: Enabled
- Turn off Search Companion content file updates: Enabled
- Turn off the “Order Prints” picture task: Enabled
- Turn off the “Publish to Web” task for files and folders: Enabled
- Turn off the Windows Messenger Customer Experience Improvement Program: Enabled
- Turn off Windows Customer Experience Improvement Program: Enabled
- Turn off Windows Error Reporting: Enabled
- Turn off Windows Network Connectivity Status Indicator active tests: Enabled
OS Policies
- Allow Clipboard history: Disabled
- Allow Clipboard synchronization across devices: Disabled
- Allow publishing of User Activities: Disabled
- Allow upload of User Activities: Disabled
- Enables Activity Feed: Disabled
User Profiles
- Turn off the advertising ID: Enabled
Windows Components
Autoplay Policies
- Disallow Autoplay for non-volume devices: Enabled
- Set the default behavior for AutoRun: Enabled
  - Default AutoRun Behavior: Do not execute any AutoRun commands
- Turn off Autoplay: Enabled
Cloud Content
- Do not show Windows tips: Enabled
- Turn off cloud consumer account state content: Enabled
- Turn off cloud optimized content: Enabled
- Turn off Microsoft consumer experiences: Enabled
Credential User Interface
- Prevent the use of security questions for local accounts: Enabled
Data Collection and Preview Builds
- Allow Diagnostic Data: Enabled
  - Options: Send required diagnostic data (Pro Edition); or
  - Options: Diagnostic data off (Enterprise or Education Edition)
- Limit Diagnostic Log Collection: Enabled
- Limit Dump Collection: Enabled
- Limit optional diagnostic data for Desktop Analytics: Enabled
  - Options: Disable Desktop Analytics collection
- Do not show feedback notifications: Enabled
File Explorer
- Turn off account-based insights, recent, favorite, and recommended files in File Explorer: Enabled
Find My Device
- Turn On/Off Find My Device: Disabled
MDM
- Disable MDM Enrollment: Enabled
Microsoft Edge
- Configure search suggestions in Address bar: Disabled
The policy below disables Windows SmartScreen in Microsoft Edge. Please read the Windows SmartScreen disclaimer at the start of this guide to ensure that you understand the consequences of doing so.
- Configure Windows Defender SmartScreen: Disabled
OneDrive
- Prevent the usage of OneDrive for file storage: Enabled
- Prevent OneDrive from generating network traffic until the user signs in to OneDrive: Enabled
- Save documents to OneDrive by default: Disabled
Push To Install
- Turn off Push To Install service: Enabled
Search
- Allow Cloud Search: Disabled
- Allow Cortana: Disabled
- Don’t search the web or display web results in Search: Enabled
- Set what information is shared in Search: Enabled
  - Type of information: Anonymous info
Sync your settings
- Do not sync: Enabled
- Enable Windows Backup: Disabled
Text Input
- Improve inking and typing recognition: Disabled
Widgets
- Allow widgets: Disabled
Windows AI
- Allow Recall to be enabled: Disabled
- Disable Click to Do: Enabled
- Turn off saving snapshots for use with Recall: Enabled
Windows Error Reporting
- Do not send additional data: Enabled
- Disable Windows Error Reporting: Enabled
- Consent → Configure Default consent: Enabled
  - Consent level: Always ask before sending data
Windows Messenger
- Do not allow Windows Messenger to be run: Enabled
User Configuration: Administrative Templates
Start Menu and Taskbar
- Clear history of recently opened documents on exit: Enabled
- Do not search Internet: Enabled
- Turn off user tracking: Enabled
Windows Components
Account notifications
- Turn off account notifications in Start: Enabled
Cloud Content
- Do not suggest third-party content in Windows spotlight: Enabled
- Do not use diagnostic data for tailored experiences: Enabled
- Turn off all Windows spotlight features: Enabled
Desktop Gadgets
- Turn off desktop gadgets: Enabled
Search
- Turn off storage and display of search history: Enabled
Windows Copilot
- Turn off Windows Copilot: Enabled
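Because Windows can reset settings after an update, it is useful to confirm that the policies above actually took effect by reading the registry values they write. The script below is an added example, not part of the original guide; it covers only a subset of the policies, and the registry paths and value names are assumptions based on how these policies are commonly documented.

```powershell
# Added example (not from the guide): check whether a subset of the Chapter 2
# policies is still in effect by reading the registry values they write.
# ASSUMPTION: the key paths and value names below are the ones these policies
# are commonly documented to use; confirm them for your Windows build.
$rules = @'
Key,Name,Want,Policy
HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection,AllowTelemetry,0|1,Allow Diagnostic Data
HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection,DoNotShowFeedbackNotifications,1,Do not show feedback notifications
HKLM:\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo,DisabledByGroupPolicy,1,Turn off the advertising ID
HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,AllowClipboardHistory,0,Allow Clipboard history
HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,AllowCrossDeviceClipboard,0,Allow Clipboard synchronization across devices
HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,EnableActivityFeed,0,Enables Activity Feed
HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,PublishUserActivities,0,Allow publishing of User Activities
HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,UploadUserActivities,0,Allow upload of User Activities
HKLM:\SOFTWARE\Policies\Microsoft\Windows\CloudContent,DisableWindowsConsumerFeatures,1,Turn off Microsoft consumer experiences
HKLM:\SOFTWARE\Policies\Microsoft\Windows\CloudContent,DisableSoftLanding,1,Do not show Windows tips
HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search,AllowCortana,0,Allow Cortana
HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search,AllowCloudSearch,0,Allow Cloud Search
HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search,ConnectedSearchUseWeb,0,Don't search the web or display web results in Search
HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive,DisableFileSyncNGSC,1,Prevent the usage of OneDrive for file storage
HKLM:\SOFTWARE\Policies\Microsoft\Dsh,AllowNewsAndInterests,0,Allow widgets
HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsAI,DisableAIDataAnalysis,1,Turn off saving snapshots for use with Recall
HKCU:\Software\Policies\Microsoft\Windows\WindowsCopilot,TurnOffWindowsCopilot,1,Turn off Windows Copilot
'@ | ConvertFrom-Csv

function Get-PolicyState {
    param([Parameter(Mandatory)][object[]]$Rules)
    foreach ($r in $Rules) {
        # A missing key or value means the policy is still "Not Configured".
        $item   = Get-ItemProperty -Path $r.Key -Name $r.Name -ErrorAction SilentlyContinue
        $actual = if ($null -ne $item) { $item.($r.Name) } else { $null }
        # Want may list several acceptable values separated by '|'.
        $state  = if ($null -eq $actual) {
            'NotConfigured'
        } elseif (($r.Want -split '\|') -contains [string]$actual) {
            'OK'
        } else {
            'Changed'
        }
        [pscustomobject]@{
            State    = $state
            Policy   = $r.Policy
            Value    = $r.Name
            Actual   = $actual
            Expected = $r.Want -replace '\|', ' or '
        }
    }
}

$report = @(Get-PolicyState -Rules $rules)
$report | Sort-Object State, Policy | Format-Table -AutoSize -Wrap

# Anything not 'OK' was never applied or was reset (for example by an update).
$drift = @($report | Where-Object { $_.State -ne 'OK' })
if ($drift.Count -gt 0) {
    Write-Warning "$($drift.Count) of $($report.Count) checked policies need attention in gpedit.msc."
}
```

Run it after `gpupdate /force` and again after each feature update; the HKCU row reflects the user account that runs the script.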
Chapter 3: Configuring your user account
Change your settings
This part assumes that you have configured the Group Policies in accordance with Chapter 2 of this guide. If a setting looks like it should be changed but is not listed in this part, it is because it was already set with a Group Policy in Chapter 2.
Open the Settings app and change the settings in “Privacy & Security”:
General
- Let websites show me locally relevant content by accessing my language list: Disabled
Inking & typing personalization
- Custom inking and typing dictionary: Disabled
Search permissions
- Cloud content search → Microsoft account: Disabled
- Cloud content search → Work or School account: Disabled
- History → Search history on this device: Disabled
App permissions
- You may change App permissions at your discretion. Do note, however, that most of these app permissions only apply to Windows Store apps. Classic apps (Win32 apps) are not restricted by these permissions.
Uninstall apps
In the apps section, uninstall everything you know is safe to uninstall and that you know you won’t need. Below is a table of most of the pre-installed apps that come with Windows 11. Some apps pre-installed in your system may be missing from this table. For those apps, use your intuition and best judgment to decide whether or not you can uninstall them. The pre-installed apps can have one of the following ratings:
Symbol | Rating | Description |
---|---|---|
![]() | Acceptable | This app may be useful for everyday or occasional use and transmits minimal user data. |
![]() | Hostile | Apps that are extremely hostile to user privacy that you should consider uninstalling. |
![]() | Useless | Deprecated by better, more privacy-friendly alternatives. May be hostile to user privacy and rights. |
![]() | Unfriendly | May be useful for everyday use, but more privacy-friendly alternatives exist. May contain some privacy hostile elements. |
![]() | Unknown | The author of this guide acknowledges the existence of this app, but does not fully understand its purpose. These apps may be safe to uninstall, unless marked otherwise. |
For apps marked Hostile, Useless or Unfriendly, consider looking for alternatives in PrivacyGuides.
Any app marked with an
is an app that you cannot or should not uninstall. Attempting to uninstall marked apps may result in system instability or corruption.
App | Rating | Description |
---|---|---|
Calculator | ![]() | |
Clock | ![]() | Refuses to launch if it needs to update. |
Cortana | ![]() | Deprecated. |
Copilot | ![]() | Microsoft’s AI assistant has an overreaching privacy policy and unclear data usage policy. |
Feedback Hub | ![]() | |
![]() | ![]() | Unknown. |
Maps | ![]() | |
Media Player | ![]() | Sends album metadata to Microsoft. |
Movies & TV | ![]() | Deprecated. |
Microsoft 365 Copilot | ![]() | Documents are processed by Microsoft cloud servers. Consider privacy-respecting alternatives. |
Microsoft Clipchamp | ![]() | Video data is sent to Microsoft servers. Low quality software. Consider replacing with Kdenlive. |
![]() | ![]() | Sends all browsing data to Microsoft and associates it with a unique ID. User settings do not persist and revert after each update. Microsoft Editor is enabled by default, which uploads typed data to Microsoft’s cloud. Extremely hostile and cannot be uninstalled – avoid using at all costs. |
Microsoft OneDrive | ![]() | Microsoft’s cloud file storage. Has a reputation of uploading files to the cloud without consent. Uploaded user files are scanned by AI. |
Microsoft Outlook (new) | ![]() | Upon sign-in with an email account that is not a Microsoft account, it uploads all emails to Microsoft’s servers for AI scanning. It also shares the data with Microsoft’s 801 advertising partners – however, this disclaimer is only shown to EU customers. |
![]() | ![]() | Uses the Windows serial key to track across installations. |
Microsoft Teams | ![]() | Microsoft’s teleconference app. Has an overreaching privacy policy and no end-to-end encryption. |
Microsoft To-Do | ![]() | |
Microsoft Photos | ![]() | Has an “Edit with Designer” button that stealthily uploads the viewed image to Microsoft without confirmation or consent – no way to turn it off. |
Microsoft News | ![]() | A webpage wrapper for Bing news with additional telemetry and tracking. |
Notepad | ![]() | Windows’ classic Notepad with Microsoft cloud AI. Consider turning off Copilot. |
Game Assist | ![]() | |
Sound Recorder | ![]() | Refuses to launch if it needs to update. |
Snipping Tool | ![]() | |
Solitaire and Casual Games | ![]() | Solitaire with ads and tracking. |
Sticky Notes | ![]() | Refuses to launch if it needs to update. Nags users to sign in with a Microsoft account and sync. |
Terminal | ![]() | |
Paint | ![]() | Microsoft’s drawing app now integrates with cloud AI and Copilot. |
Quick Assist | ![]() | Safe to uninstall. |
Xbox Live | ![]() | May be required if you play games from the Windows Store or games that authenticate with Microsoft Xbox accounts, like Minecraft. |
![]() | ![]() | Allows display and playback of some media extensions. |
Uninstall Xbox Game Bar
Xbox Game Bar produces background traffic and sends telemetry to Microsoft. To uninstall it, enter the following commands in a PowerShell window as Administrator:
# Uninstall Xbox Game Bar
Get-AppxPackage -AllUsers -PackageTypeFilter Bundle -Name "*Microsoft.XboxGamingOverlay*" | Remove-AppxPackage -AllUsers
# Disable game capture.
#
# These two lines will set registry values that tell Windows to not open
# the Xbox Game Bar whenever it detects a game running.
reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR /f /t REG_DWORD /v "AppCaptureEnabled" /d 0
reg add HKEY_CURRENT_USER\System\GameConfigStore /f /t REG_DWORD /v "GameDVR_Enabled" /d 0
Stop Microsoft Edge from running in the background
Microsoft Edge is a behemoth of data collection that gathers a massive amount of user data for tracking and profiling. Unfortunately, Microsoft has made Edge extremely difficult to uninstall, so the most we can do is get it out of our way and stop it from running in the background.
Go to Edge settings → System and performance and change:
- Startup boost: Disabled
- Continue running background extensions and apps when Microsoft Edge is closed: Disabled
Chapter 4: Further minimization of network traffic (Advanced)
Minimizing traffic from Microsoft Edge was covered in Chapter 4 of this guide, so we will be skipping over it in this section.
This chapter contains instructions on how to minimize traffic from Windows features that are harder to disable, as well as other features that were not included in Chapter 2 because they are critical security components and/or uninstallation is not supported by Microsoft.
Disable Windows Defender SmartScreen
This impacts your device’s security. Please read the disclaimers at the start of this guide for information on how disabling Windows SmartScreen affects your computer.
Change the following Group Policies on the device.
In Computer Configuration → Administrative Templates → Windows Components → Windows Defender SmartScreen:
Enhanced Phishing Protection
- Automatic Data Collection: Disabled
Explorer
- Configure App Install Control: Enabled
  - Pick one of the following settings: Turn off app recommendations
- Configure Windows Defender SmartScreen: Disabled
Microsoft Edge
- Configure Windows Defender SmartScreen: Disabled
Disable Windows Defender’s network features
Change the following group policies:
In Computer Configuration → Administrative Templates → Windows Components → Microsoft Defender Antivirus:
MAPS:
MAPS is Microsoft’s crowdsourced malware sample collection network. By disabling this feature, Windows Defender will no longer upload potentially malicious samples for cloud analysis. This may impact malware detection rates. If you are a software developer, MAPS poses a real exfiltration risk–and it has happened before.
- Join Microsoft MAPS: Disabled
- Send file samples when further analysis is required: Enabled
  - Send file samples when further analysis is required: Never send
In Microsoft Defender Exploit Guard → Network Protection:
Network Protection expands on Microsoft SmartScreen. Please read the disclaimers at the start of this guide for information on how disabling Windows SmartScreen affects your computer.
- Prevent users and apps from accessing dangerous websites: Disabled
Reporting
Watson is Windows Defender telemetry. There is little documentation about what it sends to Microsoft. If you know or find related documentation, please feel free to edit this section with relevant information.
- Configure Watson events: Disabled
Security Intelligence Updates
The group policy below disables Microsoft Defender’s Security Intelligence updates. This may expose your device to undue infection risk. The author of this guide does not recommend disabling this policy, as security intelligence updates do not pose an apparent threat to your privacy, and the author believes that the benefits far outweigh the potential risks.
- Allow security intelligence updates from Microsoft Update: Disabled
Disable Windows Update
You should not disable Windows Update or automatic updates.
…Unless you understand and are on board with the consequences of doing so. Windows Update provides critical security patches, without which the device may be vulnerable to exploits. Disabling Windows Update will also stop the Microsoft Store from working properly.
If you just want to disable automatic updates, change the Group Policy Computer Configuration → Administrative Templates → Windows Update → Manage end user experience → Configure Automatic Updates and set it to Disabled.
To disable Windows Update, change the group policies below.
In Computer Configuration → Administrative Templates → Windows Update:
Manage updates offered from Windows Server Update Service
- Do not connect to any Windows Update Internet locations: Enabled
- Specify intranet Microsoft update service location: Enabled
  - The value of both fields below should just be a space.
  - Set the intranet update service for detecting updates:
  - Set the intranet statistics server:
  - Set the alternate download server:
Manage end user experience
- Remove access to use all Windows Update features: Enabled
In Computer Configuration → Administrative Templates → System → Internet Communication Management → Internet Communication settings:
- Turn off access to all Windows Update features: Enabled
- Turn off Windows Update device driver searching: Enabled
- Turn off downloading of print drivers over HTTP: Enabled
- Turn off Automatic Root Certificates Update: Enabled
Disable Windows Store
In Computer Configuration → Administrative Templates → Store:
- Turn off the Store application: Enabled
- Turn off Automatic Download and Install of updates: Enabled
In Computer Configuration → Administrative Templates → System → Internet Communication Management → Internet Communication settings:
- Turn off access to the Store: Enabled
Disable Teredo
Teredo is a lesser-known Microsoft tunnel relay technology that gives hosts on IPv4-only networks IPv6 connectivity through Teredo tunnels. As such, Teredo may relay your network activity through Microsoft’s servers.
In Computer Configuration → Administrative Templates → Network → TCPIP Settings:
- Set Teredo state: Enabled
  - Select from the following states: Disabled State
Extra Minimization
This section is intended for power users only.
These are additional Group Policies that may generate network traffic to Microsoft. For this section, you are expected to read and understand the group policy name, description and relevant documentation.
In Computer Configuration → Administrative Templates → System:
Device Installation
- Do not send a Windows error report when a generic driver is installed on a device: Enabled
- Prevent automatic download of applications associated with device metadata: Enabled
- Prevent Windows from sending an error report when a device driver requests additional software during installation: Enabled
Group Policy
- Phone-PC linking on this device: Disabled
- Continue experiences on this device: Disabled
In Internet Communication Management → Internet Communication settings
- Turn off Registration if URL connection is referring to Microsoft.com: Enabled
Storage Health
- Allow downloading updates to the Disk Failure Prediction Model: Disabled
Windows Time Service → Time Providers
- Enable Windows NTP client: Disabled
Chapter 5: Preventing unwanted Microsoft traffic with Portmaster (Advanced)
This section will contain instructions on how to further minimize Microsoft traffic using the Portmaster firewall. TODO
Last edited by @KevPham 2025-06-18T16:50:26Z