Worried about Windows 10 privacy issues? Group/Local policy to the rescue!

I hear and see all over the Internet that people have privacy concerns about Windows 10, and for good reason. Any security-conscious person, like myself, is probably not very happy about many of the decisions that were made for Windows 10. Microsoft seems to be very tight-lipped about their updates and about what information is actually shared in the “learning” and “telemetry” data that is sent back to the Microsoft mother ship. There are also many other features included in Windows 10 that are, or could be seen as, a privacy concern, such as the advertising ID, WiFi Sense, Cortana, and the list goes on…

One of the biggest worries, though, is Microsoft’s policy on disclosing or sharing your personal information. The following is an excerpt from the privacy policy:

“We will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary to protect our customers or enforce the terms governing the use of the services.”

I’m sure many from the IT community are aware of Microsoft’s direct involvement with Government spying programs – so make no mistake, you are being watched.

The Solution

With that aside, I will say there are tools at your disposal to greatly minimize the privacy issues in Windows 10. This can be said for both users at home and businesses with thousands of Windows 10 desktops. The answer is simple: Group or Local Policy. It is the safest and easiest way to secure your Windows 10 desktops from Microsoft’s spying eyes. There are third-party tools available that you can run to achieve similar results, but with those you never know what else you’re getting, and in a business environment this would be a big no-no.

Group Policy – Fix Windows 10 privacy issues in an Active Directory domain (Business)

To secure computers in an Active Directory domain we will be making changes to Group Policy. Group Policy tools use Administrative Template files to populate policy settings in the GPO Management interface. To do this we must download the Windows 10 Group Policy (.ADMX) templates from Microsoft and upload them onto one of your domain controllers. This is a more advanced change that I would recommend only to system administrators.

1. Download the Windows 10 Group Policy (.ADMX) templates from http://www.microsoft.com/en-us/download/details.aspx?id=48257
2. Copy the ADMX templates you downloaded to the Central Store on an AD domain controller. I won’t go into detail on how to do this, so carefully follow the instructions as seen here: https://msdn.microsoft.com/en-us/library/bb530196.aspx
3. Once the ADMX files are installed to the Central Store, open the Group Policy Management RSAT from your workstation (that is on the domain).
4. Now simply filter/search for the GPOs as listed below and set them to your desired configuration.

I would highly recommend creating a new GPO to apply these rules to – not the Default GPO!

Local Policy – Fix Windows 10 privacy issues for users at home without an AD domain (User)

For home users we can skip all of the ADMX template steps. They are irrelevant because the Windows 10 policy definitions are already installed in the \Windows\PolicyDefinitions folder by default. That means we can just modify the Local Policy to achieve the same results as above. This is much easier to do and can be done by anyone with a good understanding of how Windows works.

1. Start –> Run –> “gpedit.msc”. You should now be in the Local Group Policy Editor.
2. Expand “Computer Configuration” –> “Administrative Templates” –> “All Settings”.
3. Right click on “All Settings” and click on “Filter Options”. This is where you will be searching for and applying each of the GPOs as listed below to your system. Search for each one and configure as necessary.

Note: Make sure you are making the changes to the Computer Configuration section, and not User Configuration. User configuration is applied to the USER session. Computer configuration is applied to the entire computer, thus affecting every user.

Policy Edit List

Search and enable/disable the following Windows 10 policy edits as per the list below. This list applies for both Group and Local policy edits. This list was compiled by myself after carefully combing through the policies and removing and disabling things that I personally do not use or want on the systems. You can make all or some of these recommendations at your own discretion for your environment. Be aware that some of these settings have two values that must be configured (state and option) for them to work properly.

| Setting | State | Options | Notes |
|---|---|---|---|
| Allow Cortana | Disabled | | |
| Allow input personalization | Disabled | | |
| Allow search and Cortana to use location | Disabled | | |
| Configure Windows SmartScreen | Disabled | | |
| Join Microsoft MAPS | Disabled | | |
| Allow Telemetry | Enabled | 0 - Security [Enterprise Only] | It says "Enterprise Only" but you are still able to modify the setting |
| Disable Windows Error Reporting | Enabled | | |
| Do not show feedback notifications | Enabled | | |
| Do not sync | Enabled | | |
| Do not sync passwords | Enabled | | Slightly redundant since "Do not sync" disables all of sync - but enabling this anyway! |
| Don't search the web or display web results in Search | Enabled | | |
| Don't search the web or display web results in Search over metered connections | Enabled | | |
| Download Mode | Enabled | None | This relates to the Windows 10 Update P2P (peer-to-peer) download settings in the "how updates are delivered" advanced options |
| Let Windows apps access account information | Enabled | Force Deny | |
| Let Windows apps access call history | Enabled | Force Deny | |
| Let Windows apps access contacts | Enabled | Force Deny | |
| Let Windows apps access email | Enabled | Force Deny | |
| Let Windows apps access location | Enabled | Force Deny | |
| Let Windows apps access messaging | Enabled | Force Deny | |
| Let Windows apps access motion | Enabled | Force Deny | |
| Let Windows apps access the calendar | Enabled | Force Deny | |
| Let Windows apps access the camera | Enabled | Force Deny | |
| Let Windows apps access the microphone | Enabled | Force Deny | |
| Let Windows apps access trusted devices | Enabled | Force Deny | |
| Let Windows apps access control radios | Enabled | Force Deny | |
| Let Windows apps sync with devices | Enabled | Force Deny | |
| Prevent managing SmartScreen Filter | Enabled | Off | |
| Prevent participation in the Customer Experience Improvement Program | Enabled | | |
| Prevent the usage of OneDrive for file storage | Enabled | | This will disable OneDrive on the system, including the tray icon |
| Send file samples when further analysis is required | Enabled | Never send | |
| Turn off Application Telemetry | Enabled | | |
| Turn off automatic learning | Enabled | | |
| Turn off Autoplay | Enabled | | |
| Turn off Inventory Collector | Enabled | | |
| Turn off location | Enabled | | |
| Turn off location scripting | Enabled | | |
| Turn off Microsoft consumer experiences | Enabled | | |
| Turn off the advertising ID | Enabled | | |
| Turn off Windows Customer Experience Improvement Program | Enabled | | |
| Turn off Windows Defender | Enabled | | I would only recommend this if you are using another Anti-Virus solution |
| Turn off Windows Error Reporting | Enabled | | |
| Turn off Windows Search AutoComplete | Enabled | | |

Once these settings have been applied to your Windows 10 system, it’s best to run a “gpupdate” and then reboot for them to take full effect. If you need to roll back any of these changes, simply follow the same steps and change the setting of the policies you wish to remove or modify.
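To confirm that the policies actually landed after “gpupdate” and a reboot, the following PowerShell audit reads the registry values behind a subset of the settings in the list. It is an added example, not part of the original post; the registry key and value names are the ones the standard Windows 10 ADMX definitions write for these policies and should be checked against the templates you deployed.

```powershell
# Added example: audit a subset of the policy list by reading the machine
# policy registry values. Mappings assume the standard Windows 10 ADMX files.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows'

$expected = @(
    @{ Setting = 'Allow Telemetry (0 - Security)';        Key = "$base\DataCollection";       Name = 'AllowTelemetry';                 Value = 0 }
    @{ Setting = 'Allow Cortana (Disabled)';              Key = "$base\Windows Search";       Name = 'AllowCortana';                   Value = 0 }
    @{ Setting = "Don't search the web in Search";        Key = "$base\Windows Search";       Name = 'ConnectedSearchUseWeb';          Value = 0 }
    @{ Setting = 'Download Mode (None)';                  Key = "$base\DeliveryOptimization"; Name = 'DODownloadMode';                 Value = 0 }
    @{ Setting = 'Apps access location (Force Deny)';     Key = "$base\AppPrivacy";           Name = 'LetAppsAccessLocation';          Value = 2 }
    @{ Setting = 'Apps access the camera (Force Deny)';   Key = "$base\AppPrivacy";           Name = 'LetAppsAccessCamera';            Value = 2 }
    @{ Setting = 'Apps access the microphone (Force Deny)'; Key = "$base\AppPrivacy";         Name = 'LetAppsAccessMicrophone';        Value = 2 }
    @{ Setting = 'Prevent the usage of OneDrive';         Key = "$base\OneDrive";             Name = 'DisableFileSyncNGSC';            Value = 1 }
    @{ Setting = 'Turn off location';                     Key = "$base\LocationAndSensors";   Name = 'DisableLocation';                Value = 1 }
    @{ Setting = 'Turn off Microsoft consumer experiences'; Key = "$base\CloudContent";       Name = 'DisableWindowsConsumerFeatures'; Value = 1 }
    @{ Setting = 'Turn off the advertising ID';           Key = "$base\AdvertisingInfo";      Name = 'DisabledByGroupPolicy';          Value = 1 }
)

$results = foreach ($e in $expected) {
    # A missing key or value means the policy is "Not Configured" on this machine.
    $actual = $null
    $item = Get-ItemProperty -Path $e.Key -Name $e.Name -ErrorAction SilentlyContinue
    if ($item) { $actual = $item.($e.Name) }

    $status = if ($null -eq $actual)        { 'NotConfigured' }
              elseif ($actual -eq $e.Value) { 'OK' }
              else                          { 'Mismatch' }

    [pscustomobject]@{
        Setting  = $e.Setting
        Expected = $e.Value
        Actual   = $actual
        Status   = $status
    }
}

$results | Format-Table -AutoSize

# Summarise anything that did not apply so it can be fixed in the GPO or gpedit.msc.
$bad = @($results | Where-Object Status -ne 'OK')
if ($bad.Count -gt 0) {
    Write-Warning ("{0} of {1} checked policies are not applied as listed." -f $bad.Count, $results.Count)
}
```

On domain-joined machines, “gpresult /h report.html” additionally shows which GPO supplied each value, which helps when a different GPO overrides the one you created.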

Let me know in the comments below if you found this useful or have other comments and suggestions! Thanks!
