2023-01-13 newest confirmation of applicability, 2021-04-19 newest contents, 2021-04-19 last update, 2019-11-18 first day, Robert Jasiek
Windows 10 Telemetry / Privacy Settings
These are the most important settings to restrict telemetry and enable privacy. Application is your own responsibility. Each user has different needs. For more detailed and time-consuming configuration, consult the links.
After each major Windows 10 update, check all settings again before reconnecting to the internet. This is mandatory because some major Windows 10 updates have reenabled telemetry in countless settings without user consent. Unchanged GUI settings hide extremely severe changes of settings beneath their surface.
With Windows 10, Microsoft violates EU and German law by not setting the defaults of opt-in and minimally necessary privacy violations. Businesses using Windows 10 with its default settings also violate the law with respect to data of their customers or patients. Deactivating telemetry is essential.
Due to time constraints, this page contains English and German text. In future, I might create two language versions.
The settings apply in particular to Windows 10 Pro 64b 20H2 or later unless stated otherwise.
Programs
Uninstall, or else deactivate or delete, these programs with telemetry. Deny them in software restriction policies.
- for each user: all apps in the start menu
- Internet Explorer
- Edge
- Cortana
- OneDrive
GUI Settings
For each user account, set all privacy settings in the user interface:
off, never, basic. See the web for details on this basic advice.
Services
Stop each service if it is running. Deactivate it. Restart Windows.
Telemetry
DiagTrack = Diagnostics Tracking Service = Connected User Experiences and Telemetry = Benutzererfahrung und Telemetrie im verbundenen Modus | Automatisch -> Deaktiviert
Microsoft Diagnostics Hub Standard Collector Service = Standardsammlungsdienst des Microsoft(R)-Diagnose-Hubs | %WinDir%\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | Manuell -> Deaktiviert
dmwappushsvc = WAP Push-Nachrichtenroutingdienst | Manuell -> Deaktiviert
Additional Treatment of WAP
It can be necessary to create a file WAPoff.cmd with the following contents and have the task scheduler call it, executed as administrator, at every user's logon:
"%SystemRoot%\System32\sc.exe" stop dmwappushservice
"%SystemRoot%\System32\sc.exe" config dmwappushservice start= disabled
Alternative: Command Line
Use the command sc for each service, then
echo "" > C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl
Optional
The web search and Cortana capabilities of Windows Search involve telemetry. Use a third party program for local search and a browser for web search.
WSearch = Windows Search | Automatisch (verzögerter Start) -> Deaktiviert
All XBox services -> Deaktiviert
Deactivate any other services that are not needed, such as permanent Windows Defender activity.
Taskmanager
MS | Windows | Application Experience: disable <all>
MS | Windows | Customer Experience Improvement Program: disable <all>
MS | Windows | Autochk | Proxy: disable
Disable any other superfluous tasks.
Group Policies
In gpedit.msc, set these group policies. Restart Windows.
Computer Configuration | Windows-Einstellungen | Sicherheitseinstellungen | Lokale Richtlinien | Sicherheitsoptionen | Konten Microsoftkonten blockieren = "Benutzer können keine MS-Konten hinzufügen oder sich damit anmelden"
Computer Configuration | Administrative Templates
| Network | Schriftarten | Schriftartenanbieter aktivieren = Deaktiviert
| Network | WLAN Service | WLAN Settings | Zulassen = Deaktiviert
| Startmenü und Taskleiste | Benachrichtigungen | Netzwerkverwendung für Benachrichtigungen deaktivieren = Aktiviert
| System | Benutzerprofile | Werbe-ID deaktivieren = Aktiviert
| System | Internetkommunikationsverwaltung | Internetkommunikationseinstellungen | Aktive Tests... deaktivieren = Aktiviert
Computer Configuration | Administrative Templates | Windows Components
| Anwendungskompatibilität | Anwendungstelemetrie deaktivieren = Aktiviert
| Datensammlung und Vorabversionen | Telemetry zulassen = Deaktiviert
== | Data Collection and Preview Builds | AllowTelemetry = Enabled 0 [no effect]
== | Data Collection and Preview Builds | Telemetry = Disabled
| Datensammlung und Vorabversionen | Benutzersteuerung für Insider... = Deaktiviert
| Einstellungen synchronisieren | Nicht synchronisieren = Aktiviert
== | Sync your settings | Do not sync = Enabled
| Karten | Automatische Downloads... deaktivieren = Aktiviert
| OneDrive | Verwendung von OneDrive für die Dateispeicherung verhindern = Aktiviert
== | OneDrive | Prevent the usage of OneDrive for file storage = Enabled
| Softwareschutz-Plattform | AVS... ausschalten = Aktiviert
| Suche | Cloudsuche zulassen = Deaktiviert
| Suche | Cortana zulassen = Deaktiviert
| Suche | Cortana auf Startbildschirm zulassen = Deaktiviert
| Suche | Cortana-Seite... zulassen = Deaktiviert
| Suche | Indizieren verschlüsselter Dateien zulassen = Deaktiviert
| Suche | Der Suche... = Deaktiviert
| Suche | Immer automatische Spracherkennung... = Deaktiviert
| Suche | Websuche nicht zulassen = Aktiviert
| Suche | Nicht im Web suchen... = Aktiviert
| Windows-Sicherheit | Systray | Windows Sicherheit im Systray ausblenden = Aktiviert
| Windows Defender Smartscreen | Explorer | Windows Defender Smartscreen konfigurieren = Deaktiviert
| Windows Defender Smartscreen | Microsoft Edge | Windows Defender Smartscreen konfigurieren = Deaktiviert
| Windows Update | Automatische Updates konfigurieren = 2 - Notify for download and notify for install
== | Windows Update | Configure Automatic Updates = 2 - Notify for download and notify for install
| Windows Update | Softwarebenachrichtigungen aktivieren = Aktiviert
== | Windows Update | Turn on Software Notifications = Enabled
| Windows Update | Automatische Updates sofort installieren = Deaktiviert
== | Windows Update | Allow Automatic Updates immediate installation = Disabled
Registry
Set these registry paths and keys to block telemetry and deactivate
related activity. Restart Windows.
If necessary, temporarily take ownership, grant access and create
registry paths and keys.
Telemetry Data Collection
HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection
AllowTelemetry REG_DWORD 0
Telemetry Autologger-Diagtrack-Listener
HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Diagtrack-Listener
Start REG_DWORD 0
NLA
HKLM\SYSTEM\CurrentControlSet\Services\NLASvc\Parameters\Internet
EnableActiveProbing REG_DWORD 0
Wifi Sense
HKLM\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config
AutoConnectAllowedOEM REG_DWORD 0
OneDrive
HKLM\SOFTWARE\Policies\Microsoft\Windows\OneDrive
DisableFileSyncNGSC REG_DWORD 1
on 64 bit systems also
HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows\OneDrive
DisableFileSyncNGSC REG_DWORD 1
Windows Defender
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender
DisableAntiSpyware REG_DWORD 1
on 64 bit systems also
HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender
DisableAntiSpyware REG_DWORD 1
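The re-check after each major update that this page calls for can be scripted. The following PowerShell is an added example, not part of the original page; it only reads state and compares it with the service, task and registry values listed above. Finding the Diagnostics Hub service through its executable path and leaving out the Windows Defender keys are choices of this example.

```powershell
# Added example (not from the original page): read-only drift check. Run elevated.
$findings = @()

# Services the page sets to "Deaktiviert"; WSearch is listed there as optional.
$names = 'DiagTrack', 'dmwappushservice', 'WSearch'
$services = Get-CimInstance Win32_Service | Where-Object {
    $_.Name -in $names -or $_.PathName -like '*DiagnosticsHub.StandardCollector.Service.exe*'
}
foreach ($svc in $services) {
    if ($svc.StartMode -ne 'Disabled' -or $svc.State -eq 'Running') {
        $findings += "Service $($svc.Name): StartMode=$($svc.StartMode), State=$($svc.State)"
    }
}

# Scheduled tasks: two whole folders plus the single Autochk task "Proxy".
$tasks = @(Get-ScheduledTask -TaskPath '\Microsoft\Windows\Application Experience\',
        '\Microsoft\Windows\Customer Experience Improvement Program\' -ErrorAction SilentlyContinue)
$tasks += @(Get-ScheduledTask -TaskPath '\Microsoft\Windows\Autochk\' -TaskName 'Proxy' -ErrorAction SilentlyContinue)
foreach ($t in ($tasks | Where-Object State -ne 'Disabled')) {
    $findings += "Task $($t.TaskPath)$($t.TaskName): State=$($t.State)"
}

# Registry values from the Registry section (Windows Defender keys not audited here).
$expected = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'; Name = 'AllowTelemetry'; Value = 0 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Diagtrack-Listener'; Name = 'Start'; Value = 0 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NLASvc\Parameters\Internet'; Name = 'EnableActiveProbing'; Value = 0 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config'; Name = 'AutoConnectAllowedOEM'; Value = 0 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive'; Name = 'DisableFileSyncNGSC'; Value = 1 }
    @{ Path = 'HKLM:\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows\OneDrive'; Name = 'DisableFileSyncNGSC'; Value = 1 }
)
foreach ($e in $expected) {
    # A missing key or value yields $null, which is reported as drift as well.
    $actual = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
    if ($actual -ne $e.Value) {
        $shown = if ($null -eq $actual) { '<missing>' } else { $actual }
        $findings += "Registry $($e.Path)\$($e.Name) = $shown (expected $($e.Value))"
    }
}

if ($findings) {
    $findings
    Write-Warning "$($findings.Count) setting(s) differ from the values on this page."
} else { 'All audited settings match the values on this page.' }
```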
Firewall
Create the following blocking firewall rules. Restart Windows.
Also block any other allow rules in the firewall that are not needed.
Outbound | Profil: Alle | Aktiviert: Ja | Blockieren | Protokoll: TCP | Andere Parameter: Beliebig
backgroundTaskHost
%SystemRoot%\System32\backgroundTaskHost.exe
Outbound | Profil: Alle | Aktiviert: Ja | Blockieren | Protokoll: Alle | Andere Parameter: Beliebig
Host für die Windows Shell-Oberfläche (Windows Shell Experience Host)
%SystemRoot%\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
Inbound | Profil: Alle | Aktiviert: Ja | Blockieren | Protokoll: Alle | Andere Parameter: Beliebig
backgroundTaskHost
%SystemRoot%\System32\backgroundTaskHost.exe
Autoruns
You can use the program Autoruns to deactivate all superfluous autostart entries.
Windows 10 Pro 64b 1909
Group Policies
Computer Configuration | Administrative Templates | Windows Components
| Windows Defender Antivirus | ...deaktivieren = Aktiviert
== | Windows Defender | Turn Off Windows Defender = Enabled
| Windows Defender Antivirus | MAPS | Feature = Deaktiviert
== | Windows Defender | MAPS = Disabled
| Windows Defender Antivirus | MAPS | Dateibeispiele senden = Aktiviert (Nie senden)
== | Windows Defender Antivirus | Set file samples = Never send
Firewall
Outbound | Profil: Alle | Aktiviert: Ja | Blockieren | Protokoll: TCP | Andere Parameter: Beliebig
Cortana in Windows Search
%SystemRoot%\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
Edge
%SystemRoot%\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
Outbound | Profil: Alle | Aktiviert: Ja | Blockieren | Protokoll: Alle | Andere Parameter: Beliebig
GetHelp
%ProgramFiles%\WindowsApps\Microsoft.GetHelp_10.1909.22691.0_x64__8wekyb3d8bbwe\GetHelp.exe
The path of GetHelp changes with increasing version numbers, such as 1909.22691, so it must be updated regularly.
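Because a program-based rule stops matching once the GetHelp folder name changes, the regular update can be automated. The following PowerShell is an added example, not part of the original page; the rule name is this example's own choice, and the package name Microsoft.GetHelp is taken from the path above.

```powershell
# Added example (not from the original page): keep the outbound block rule for
# GetHelp pointed at the currently installed package version. Run elevated.
$ruleName = 'Block GetHelp outbound'   # hypothetical rule name chosen for this example

# InstallLocation is the version-specific folder under %ProgramFiles%\WindowsApps.
$pkg = Get-AppxPackage -AllUsers -Name 'Microsoft.GetHelp' |
    Sort-Object { [version]$_.Version } -Descending | Select-Object -First 1
if (-not $pkg) { 'GetHelp is not installed; no rule needed.'; return }

$exe = Join-Path $pkg.InstallLocation 'GetHelp.exe'
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
$current = if ($rule) { ($rule | Get-NetFirewallApplicationFilter).Program }

if ($current -eq $exe) {
    "Rule already targets $exe"
} else {
    # Replace the stale rule so no rule for an old path is left behind.
    if ($rule) { $rule | Remove-NetFirewallRule }
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Action Block `
        -Profile Any -Protocol Any -Program $exe -Enabled True | Out-Null
    "Rule now targets $exe (previous target: $current)"
}
```

Running this at logon or after app updates keeps the rule matching the installed version.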
Links
Manage connections from Windows 10 operating system components to Microsoft services. (1, 2.)
BSI: Analyse der Telemetriekomponente in Windows 10
Fix Windows 10
Windows 10 Tip: Manage Telemetry Settings
Even when you turn on Win 10's "privacy" flags, it still spies on you
3 Methoden um den in Windows 10 eingebauten Spy Keylogger zu entfernen
Configure Windows Telemetry in Your Organization
Security Concept for Windows (Sicherheitskonzept für Windows)
Sysinternals: check the programs ProcessExplorer, Autoruns and TCPView.