Windows Guide

flipping settings manually, you don’t really need to be changing so many settings at all. for privacy, disable telemetry, error reporting, and don’t sign in with a microsoft account and you should be mostly good. for security, just do some defender hardening and read thru the microsoft security baselines and enable settings that are both relevant on a non-enterprise machine and also aren’t enabled by default (there aren’t many of these settings)

1 Like

I did not notice with hotcakes script you can pick and choose different sections. Would it make sense to do the Microsoft baselines category? I also see that bitlocker is configured to the max.

i wouldn’t use any sort of third-party script, microsoft already has a script for applying their security baselines, though most of the settings there are geared towards business use cases. applying all the settings there will just cause unnecessary breakage, with many settings having little to no security gain outside a business environment

Oh for sure. Very new to this so thank you for the insight!

1 Like

Frankly I find that hardening privacy on Windows manually is overwhelmingly complex and impractical to manage for the average user.
Also many settings can be reverted after system updates and you can’t review all of them every month.

Privacy.sexy is nice and open source, has info about what a setting is doing but it can’t detect which settings are already applied so you don’t have any overview of your current state.

I finally decided to trust a third party app O&O ShutUp10 to be able to apply and keep track of privacy settings and I’ve never had any problem.
The app clearly shows which settings are applied, which ones are not recommended and could cause breakage, and provides info for every single item. It also prompts for a backup restore point before applying changes.

The software is not open source but devs are an official Microsoft Partner so that gives me some kind of trust about quality of code.
It is simple, reliable, portable, actively updated and it just works.

6 Likes
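A read-only way to see the current state of a few settings named in this thread (telemetry, error reporting, "Always install with elevated privileges", Defender real-time protection) and to spot values that changed since the last run, for example after an update. This is an added example, not code from any poster, privacy.sexy or O&O ShutUp10; the expected values and the snapshot file name are assumptions of the example.

```powershell
# Read-only audit of system settings: nothing in the registry is changed.
# "Want" values are this example's assumptions about a hardened state.
$checks = @(
    @{ Name = 'Telemetry policy'   # 0 is honoured only on Enterprise/Education
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
       Value = 'AllowTelemetry'; Want = @(0, 1); AbsentOk = $false },
    @{ Name = 'Error reporting disabled'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting'
       Value = 'Disabled'; Want = @(1); AbsentOk = $false },
    @{ Name = 'AlwaysInstallElevated (machine)'   # absent means the policy is off
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
       Value = 'AlwaysInstallElevated'; Want = @(0); AbsentOk = $true },
    @{ Name = 'AlwaysInstallElevated (user)'
       Path = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
       Value = 'AlwaysInstallElevated'; Want = @(0); AbsentOk = $true }
)

function Get-SettingState {
    param([hashtable]$Check)
    $item = Get-ItemProperty -Path $Check.Path -Name $Check.Value -ErrorAction SilentlyContinue
    $current = if ($null -ne $item) { $item.($Check.Value) } else { $null }
    $ok = if ($null -eq $current) { $Check.AbsentOk } else { $current -in $Check.Want }
    # Store the value as text so a snapshot read back from JSON compares cleanly
    $shown = if ($null -eq $current) { '(not set)' } else { "$current" }
    [pscustomobject]@{ Setting = $Check.Name; Current = $shown; OK = $ok }
}

$report = @($checks | ForEach-Object { Get-SettingState $_ })

# Defender state comes from its own cmdlet rather than the registry
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    $rtp = (Get-MpComputerStatus).RealTimeProtectionEnabled
    $report += [pscustomobject]@{ Setting = 'Defender real-time protection'
                                  Current = "$rtp"; OK = [bool]$rtp }
}
$report | Format-Table -AutoSize

# Compare with the previous run to catch values that changed in between
$snapshot = Join-Path $env:LOCALAPPDATA 'settings-audit.json'   # hypothetical file name
if (Test-Path $snapshot) {
    $old = @(Get-Content $snapshot -Raw | ConvertFrom-Json)
    # SideIndicator '<=' is the previous value, '=>' is the current one
    Compare-Object $old $report -Property Setting, Current |
        Sort-Object Setting | Format-Table -AutoSize
}
$report | ConvertTo-Json | Set-Content $snapshot
```

Run it from a normal, non-elevated PowerShell prompt; the HKCU check reflects the account that runs it.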

Oh that’s cool! Is it weird they are endorsed by Microsoft?

They’ve got a lot of other products available, so I would say it isn’t weird.

Oh for sure

Does it make any difference security features wise if you install browser from the Microsoft Store or just as .exe? And is there any privacy trade off?

Privacy.sexy is definitely not a finished product, but I feel like it is the most transparent. I run it every time there is an update (I ran it 3 times in the past 7 months).

When there are updates, I compare the old script to the new one to see what changed. So it is time consuming, but I didn’t encounter any breakages. I use the “strict” options, then remove some of the options (for instance, the script removes Windows Defender, but I use it, so I remove some of the Windows Defender options).

I had a list of what I add and remove from the strict options but I lost it because of an OnlyOffice bug… I could post it if it helps anyone, but it won’t be until about 2-3 more months because I just ran the script this week. If anyone is interested, please let me know.

1 Like

Reviving this thread to ask, is there a way to reliably trick software that demands high privileges in Windows?

Saw this Disable "Always install with elevated privileges" in Windows Installer in privacy.sexy but I assume it’s only for MSI installers. Many programs require elevation just so that they can install to C:\Program Files though that is unnecessary for most setups and is a security risk.

I still think this is a great idea for those of us that NEED access to a secure Microsoft Windows Pro PC that’s running a 100% legitimate version.

I know it’s possible to install “pirated” versions of Windows but I have no intention of doing this as these “pirated versions” are often loaded with backdoor trojans by the person who uploaded it.

try setting the env var `__COMPAT_LAYER=RUNASINVOKER`

1 Like

Ok so here it is.

DISCLAIMER

I am not an expert and based all the decisions on the information provided in the privacy.sexy program and on my own judgement. I STRONGLY advise reading each and every one of the options if you want to use the “STRICT” option, also because everyone uses different programs. For example, the strict option removes some Windows Defender and Windows Update stuff that might not be desired, especially in the “privacy over security” section. For instance, I disabled the automatic driver updates, because I have NVinstall and update the rest via other means than Windows Update. Again, even if it takes about 2 hours to go through the options, it is necessary if you go ahead with the privacy.sexy strict option.

Here’s what I did (Windows 11 Home) and I didn’t encounter any breakage.

REMOVE FROM ‘STRICT’

* Clear Quick Access recent files
* Remove "Network Connectivity Status Indicator (NCSI)" app (breaks internet connection status icon)
* Disable Defender Antivirus "Block at First Sight" feature

* Disable Defender Antivirus real-time security intelligence updates
* Disable Defender Antivirus Azure data collection
* Disable automatically enabling Windows Update Medic Service
* Disable Windows Push Notification

ADD TO ‘STRICT’

Privacy Cleanup

* Clear thumbnail cache
* Clear event logs in Event Viewer application
* Clear credentials in Windows Credential Manager
* Empty trash (Recycle Bin)
* Clear volume backups (shadow copies)
* Clear previous Windows installations

Disable OS Data Collection

* Disable "Diagnostics Hub Standard Collector" service
* Disable Windows Location Provider
* Remove "Windows Insider Program" from Settings

Configure Programs

* Disable "NVIDIA telemetry monitor" task
* Disable "Nvidia Telemetry Container" service
* Disable Visual Studio Code Data Collection
* Configure Browsers (check all + remove Firefox)

Security Improvements

* Improve Network Security (validate all manually to make sure)
* Enable protection against Meltdown and Spectre

Block tracking hosts

* Block Spotify Live Tile hosts

Privacy Over Security

* Disable SmartScreen in Microsoft browsers

UI for Privacy

* Remove folders from This PC in File Explorer
* Disable recent apps

Remove Bloatware

* Remove 3D Modeling apps
* Remove extension apps
* Remove Microsoft Office Apps
* Remove Microsoft Store Apps
* Remove third-party apps
* Remove "Contact Support" app

* Remove "App Installer" app
* Remove "Microsoft Tips" App
* Remove "Microsoft Messaging" App
* Remove "Mixed Reality Portal" App
* Remove "Windows Alarms and Clock" App
* Remove "Windows Camera" app
* Remove "Paint 3D" app
* Remove "Microsoft People" app
* Remove "Microsoft Pay" app
* Remove "Mobile Plans" app
* Remove "Microsoft Solitaire Collection" app
* Remove "Microsoft Sticky Notes" app
* Remove "Windows Media Player" app
* Remove "Movies & TV" app
* Remove "Microsoft Photos" app
* Remove "Skype" app
* Remove "GroupMe" app
* Remove "Windows Sound Recorder" app
* Remove "Microsoft Remote Desktop" app
* Remove "Microsoft To Do: Lists, Tasks & Reminders" app

* Remove "Edge"
* Remove "Xbox"

* Disable "Direct Play" feature
* Disable "Internet Explorer" feature
* Disable "Legacy Components" feature
* Disable "Windows Media Player" feature
* Remove "Internet Explorer 11" capability
* Disable User Data Access

1 Like

With Windows 10 being end-of-life, we should probably ensure that this guide is tailored to Windows 11.

5 Likes

or if the user somehow decides to use unconventional means to keep windows 10 alive we can stick to that, until 2032 (whether through IoT LTSC or ESU) to my understanding
however yeah it would be generally a good idea to stick to 11

Are there going to be more details in the Windows section on the Privacyguides website?
I am sorry but I am a tech noob and do not know where to find current development.
I plan to install Windows on a few computers, that is why I am asking. 🙂

1 Like

Hi welcome!

I think the general consensus these days is to let Windows run up to date either bare metal or in a virtual machine and just isolate it in your home network in its VLAN or a dedicated network.

Do the things you specifically need it for and nothing else

  • Office work specifically needing MS Office
  • Online Competitive Multiplayer
  • CAD work (AutoCAD)
  • Photoshop
  • etc

Even better if you can give each of the uses above a specific machine, specific virtual machine or at the very least, a separate non-admin local user account (if you cannot do VMs or don’t have spare PCs).

Keep the rest of your computing in a separate Linux machine for general browsing, email, desktop versions of various chat software, and other general desktop usage.

1 Like

You can try this guide

1 Like

Can any of those powershell commands break the system?