Using Microsoft account
Avoid logging into Windows and third-party applications like Office 365 with your Microsoft account. According to this study, Windows’ telemetry collects more information when users are logged in with a Microsoft account.
Log in to a specific app only if you need to, or create another standard user account and connect it to a Microsoft account. This is helpful for school or work computers, where the apps are kept to that account alone. With access to other data drives restricted, that account is fully isolated from other profiles.
Telemetry
To disable telemetry at full level, open Group Policy, navigate to Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds, and choose as required.
The above works only if you use the Enterprise or Education edition. If you are using Windows Professional, it will still send required (Basic) data.
According to the article Privacy Analysis of Windows 10 Enterprise at Telemetry Level 0, Enterprise sends data even when telemetry is disabled, but no updated information about this is available.
Whether to disable telemetry fully or send basic data to Microsoft is entirely up to the user’s threat model.
- Disable Automatic Sample Submission in Windows Defender, as the feature sends your files as samples for the signature database and might leak your data. You can do it via the Group Policy below so that you are not prompted again and again: set Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > MAPS > Send file samples when further analysis is required to Never Send.
- Disable Windows Spotlight by navigating to User Configuration > Administrative Templates > Windows Components > Cloud Content and setting the Turn off all Windows Spotlight features policy to Enabled.
  Note: This explicitly disables Windows Spotlight features on the lock screen and desktop to sever unnecessary connections between Microsoft servers and the device.
- Disable Bing integration in Windows Search by navigating to Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results. This way, your search queries for locally indexed data are not sent to Microsoft.
- Disable notifications on the lock screen in Windows Settings.
- Disable Online Speech recognition and Voice activation.
- Disable Delivery Optimization in Windows Update settings.
- Check all the app permissions and allow only the necessary ones.
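A read-only check of the Group Policy settings listed above, as an added PowerShell example that is not part of the original guide. The registry paths and value names are the ones these policies' ADMX templates write to, and treating the web-search policy as set to Enabled is an assumption; the telemetry level is only reported, because the guide leaves that choice to the threat model.

```powershell
# Added example: read-only audit of the policies recommended in this guide.
# Paths and value names are the registry locations the ADMX policies write to.
# Run as the user being checked: the Spotlight policy is per-user (HKCU).
$checks = @(
    @{ Policy = 'Defender MAPS: Send file samples = Never Send'
       Path   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet'
       Name   = 'SubmitSamplesConsent'; Expected = 2 },
    @{ Policy = 'Turn off all Windows Spotlight features = Enabled'
       Path   = 'HKCU:\Software\Policies\Microsoft\Windows\CloudContent'
       Name   = 'DisableWindowsSpotlightFeatures'; Expected = 1 },
    # Assumption: the guide's web-search policy is set to Enabled (writes 0).
    @{ Policy = "Don't search the web or display web results = Enabled"
       Path   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
       Name   = 'ConnectedSearchUseWeb'; Expected = 0 }
)

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. the policy is Not Configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$report = @(foreach ($c in $checks) {
    $actual = Get-PolicyValue -Path $c.Path -Name $c.Name
    [pscustomobject]@{
        Policy = $c.Policy
        Actual = if ($null -eq $actual) { 'Not configured' } else { $actual }
        Status = if ($null -ne $actual -and $actual -eq $c.Expected) { 'OK' } else { 'REVIEW' }
    }
})

# Telemetry level is reported, not judged: the guide leaves it to the threat model.
$levels = @{ 0 = 'Security/off (Enterprise, Education)'; 1 = 'Required (Basic)'
             2 = 'Enhanced'; 3 = 'Optional (Full)' }
$t = Get-PolicyValue -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection' -Name 'AllowTelemetry'
$report += [pscustomobject]@{
    Policy = 'Telemetry level (AllowTelemetry)'
    Actual = if ($null -eq $t) { 'Not configured' } else { "$t - $($levels[[int]$t])" }
    Status = 'INFO'
}

$report | Format-Table -AutoSize -Wrap
```

A row marked REVIEW means the policy is either not configured or set to a different value than the one this guide recommends.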
Hide MAC Address
Go to Settings > Network & Internet > Wi-Fi and enable Random hardware addresses.
Restrict access to data drives
To prevent other users from accessing your secondary data drives, type gpedit.msc in the Windows Run dialog box.
Go to User Configuration > Administrative Templates > Windows Components > File Explorer and set the Group Policy as below.
The above configuration restricts other users to the OS drive where Windows is installed, creating total isolation between your account and other user accounts.
If you share a drive with another person but do not want them to access sensitive data, enable Encrypting File System (EFS). EFS encrypts your documents, preventing unauthorized users from viewing them.
Make sure to export the private key certificate and store it in a safe place so that you can use the files later on other devices. To do so, press Win+R, type certmgr.msc, and go to Personal > Certificates. Click the certificate that contains your username, then right-click it and choose Export. If you find this too tricky, after you use EFS for the first time you will see an encrypted locker icon in the system tray; clicking it helps you export the certificate.
To import it on another device, open and install the certificate on that device and choose the above location. You can then access EFS-encrypted files on the other system too.
Last edited by @KevPham 2025-05-08T16:02:31Z