2023-01-13 newest confirmation of applicability, 2021-04-19 newest contents, 2021-04-19 last update, 2019-11-18 first day, Robert Jasiek


Windows 10 Telemetry / Privacy Settings

These are the most important settings to restrict telemetry and enable privacy. Application is your own responsibility. Each user has different needs. For more detailed and time-consuming configuration, consult the links.

After each major Windows 10 update, check all settings again before reconnecting to the internet. This is mandatory because some major Windows 10 updates have re-enabled telemetry in countless settings without user consent. Unchanged GUI settings hide extremely severe changes of settings beneath their surface.

With Windows 10, Microsoft violates EU and German law by not making opt-in and the minimally necessary privacy violations the defaults. Businesses using Windows 10 with its default settings also violate the law with respect to the data of their customers or patients. Deactivating telemetry is essential.

Due to time constraints, this page contains English and German text. In future, I might create two language versions.

The settings apply in particular to Windows 10 Pro 64b 20H2 or later unless stated otherwise.

Programs
GUI Settings
Services
Taskmanager
Group Policies
Registry
Firewall
Autoruns
Windows 10 Pro 64b 1909
Links

Programs

Uninstall, or else deactivate or delete, these programs with telemetry. Deny them in software restriction policies.

GUI Settings

For each user account, set all privacy settings in the user interface: off, never, basic. See the web for details on this basic advice.

Services

Stop each service if it is running. Deactivate it. Restart Windows.

Telemetry

DiagTrack = Diagnostics Tracking Service = Connected User Experiences and Telemetry | Automatic -> Disabled

Microsoft Diagnostics Hub Standard Collector Service | %WinDir%\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | Manual -> Disabled

dmwappushsvc = WAP Push Message Routing Service | Manual -> Disabled

Additional Treatment of WAP

It can be necessary to create a file WAPoff.cmd with the following contents and have the task scheduler run it as administrator at every user's logon:

"%SystemRoot%\System32\sc.exe" stop dmwappushservice
"%SystemRoot%\System32\sc.exe" config dmwappushservice start= disabled
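
One way to set up the logon task described above, as an added example that is not part of the original page: it writes WAPoff.cmd with the two commands above and registers a task that runs it at any user's logon. The folder under %ProgramFiles%, the task name WAPoff and the use of the SYSTEM account (instead of a named administrator) are assumptions.

```powershell
# Added example; run in an elevated PowerShell.
# Assumption: the script lives under %ProgramFiles%, which standard users cannot write to.
# A task that runs with highest privileges must never point at a user-writable file.
$script = Join-Path $env:ProgramFiles 'WAPoff\WAPoff.cmd'
New-Item -ItemType Directory -Path (Split-Path $script) -Force | Out-Null
Set-Content -Path $script -Encoding Ascii -Value @(
    '"%SystemRoot%\System32\sc.exe" stop dmwappushservice'
    '"%SystemRoot%\System32\sc.exe" config dmwappushservice start= disabled'
)

# cmd.exe /c "<path>" runs the batch file; the inner quotes protect the space in "Program Files".
$action = New-ScheduledTaskAction -Execute "$env:SystemRoot\System32\cmd.exe" -Argument "/c `"$script`""

# -AtLogOn without -User fires at the logon of any user.
$trigger = New-ScheduledTaskTrigger -AtLogOn

# Assumption: run as SYSTEM with highest privileges so that sc.exe may reconfigure the service.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

# -Force replaces an existing task of the same name, so the script can be re-run.
Register-ScheduledTask -TaskName 'WAPoff' -Action $action -Trigger $trigger -Principal $principal -Force
```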

Alternative: Command Line

Use the command sc for each service, then run:

echo "" > C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl

Optional

The web search and Cortana capabilities of Windows Search involve telemetry. Use a third-party program for local search and a browser for web search.
WSearch = Windows Search | Automatic (Delayed Start) -> Disabled

All Xbox services -> Disabled

Deactivate any other services that are not needed, such as permanent Windows Defender activity.

Taskmanager

MS | Windows | Application Experience: disable <all>

MS | Windows | Customer Experience Improvement Program: disable <all>

MS | Windows | Autochk | Proxy: disable

Disable any other superfluous tasks.

Group Policies

In gpedit.msc set these group policies. Restart Windows.

Computer Configuration | Windows Settings

| Security Settings | Local Policies | Security Options | Accounts: Block Microsoft accounts = "Users can't add or log on with Microsoft accounts"

Computer Configuration | Administrative Templates

| Network | Fonts | Enable Font Providers = Disabled

| Network | WLAN Service | WLAN Settings | Allow = Disabled

| Start Menu and Taskbar | Notifications | Turn off notifications network usage = Enabled

| System | User Profiles | Turn off the advertising ID = Enabled

| System | Internet Communication Management | Internet Communication settings | Turn off active tests... = Enabled

Computer Configuration | Administrative Templates | Windows Components

| Application Compatibility | Turn off Application Telemetry = Enabled

| Data Collection and Preview Builds | Allow Telemetry = Disabled
== | Data Collection and Preview Builds | AllowTelemetry = Enabled 0 [no effect]

| Data Collection and Preview Builds | User control over Insider... = Disabled

| Sync your settings | Do not sync = Enabled

| Maps | Turn off automatic downloads... = Enabled

| OneDrive | Prevent the usage of OneDrive for file storage = Enabled

| Software Protection Platform | Turn off AVS... = Enabled

| Search | Allow Cloud Search = Disabled

| Search | Allow Cortana = Disabled

| Search | Allow Cortana on start screen = Disabled

| Search | Allow Cortana Page... = Disabled

| Search | Allow indexing of encrypted files = Disabled

| Search | Der Suche... = Disabled

| Search | Always use automatic language detection... = Disabled

| Search | Do not allow web search = Enabled

| Search | Don't search the web... = Enabled

| Windows Security | Systray | Hide Windows Security Systray = Enabled

| Windows Defender SmartScreen | Explorer | Configure Windows Defender SmartScreen = Disabled

| Windows Defender SmartScreen | Microsoft Edge | Configure Windows Defender SmartScreen = Disabled

| Windows Update | Configure Automatic Updates = 2 - Notify for download and notify for install

| Windows Update | Turn on Software Notifications = Enabled

| Windows Update | Allow Automatic Updates immediate installation = Disabled

Registry

Set these registry paths and keys to block telemetry and deactivate related activity. Restart Windows.
If necessary, temporarily take ownership, grant access and create registry paths and keys.

Telemetry Data Collection
HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection AllowTelemetry REG_DWORD 0

Telemetry Autologger-Diagtrack-Listener
HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Diagtrack-Listener Start REG_DWORD 0

NLA
HKLM\SYSTEM\CurrentControlSet\Services\NLASvc\Parameters\Internet EnableActiveProbing REG_DWORD 0

Wifi Sense
HKLM\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config AutoConnectAllowedOEM REG_DWORD 0

OneDrive
HKLM\SOFTWARE\Policies\Microsoft\Windows\OneDrive DisableFileSyncNGSC REG_DWORD 1
on 64 bit systems also
HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows\OneDrive DisableFileSyncNGSC REG_DWORD 1

Windows Defender
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender DisableAntiSpyware REG_DWORD 1
on 64 bit systems also
HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender DisableAntiSpyware REG_DWORD 1
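
Added example, not from the original page: a read-only PowerShell check for re-verifying the services, scheduled tasks and registry values listed above after a major update. The service key name diagnosticshub.standardcollector.service does not appear on the page and is assumed to be the short name of the Diagnostics Hub collector service; dmwappushservice is taken from WAPoff.cmd.

```powershell
# Added example: read-only drift check. Run in an elevated PowerShell; nothing is changed.
$registry = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'; Name = 'AllowTelemetry'; Want = 0 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Diagtrack-Listener'; Name = 'Start'; Want = 0 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NLASvc\Parameters\Internet'; Name = 'EnableActiveProbing'; Want = 0 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config'; Name = 'AutoConnectAllowedOEM'; Want = 0 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive'; Name = 'DisableFileSyncNGSC'; Want = 1 }
    @{ Path = 'HKLM:\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows\OneDrive'; Name = 'DisableFileSyncNGSC'; Want = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'; Name = 'DisableAntiSpyware'; Want = 1 }
    @{ Path = 'HKLM:\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender'; Name = 'DisableAntiSpyware'; Want = 1 }
)
# Assumption: second entry is the key name of the Diagnostics Hub Standard Collector Service.
$services  = 'DiagTrack', 'diagnosticshub.standardcollector.service', 'dmwappushservice'
# The Autochk folder is checked as a whole; the page names its task "Proxy".
$taskPaths = '\Microsoft\Windows\Application Experience\',
             '\Microsoft\Windows\Customer Experience Improvement Program\',
             '\Microsoft\Windows\Autochk\'
$drift = @()

foreach ($r in $registry) {
    # A missing key or value yields $null, which is reported as drift as well.
    $have = (Get-ItemProperty -Path $r.Path -Name $r.Name -ErrorAction SilentlyContinue).($r.Name)
    if ($have -ne $r.Want) { $drift += "REG  $($r.Path) $($r.Name) = '$have', expected $($r.Want)" }
}

foreach ($name in $services) {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
    # A service that does not exist on this build is skipped rather than reported.
    if ($svc -and ($svc.StartMode -ne 'Disabled' -or $svc.State -ne 'Stopped')) {
        $drift += "SVC  ${name}: StartMode=$($svc.StartMode), State=$($svc.State)"
    }
}

Get-ScheduledTask -TaskPath $taskPaths -ErrorAction SilentlyContinue |
    Where-Object State -ne 'Disabled' |
    ForEach-Object { $drift += "TASK $($_.TaskPath)$($_.TaskName) is $($_.State)" }

if ($drift) {
    $drift
    Write-Warning "$($drift.Count) setting(s) differ from the baseline."
} else {
    'All checked settings match the baseline.'
}
```

The optional WSearch and Xbox services are not checked; add their names to `$services` if you disabled them.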

Firewall

Create the following blocking firewall rules. Restart Windows.
Block any other allow rules in the firewall that are not needed.

Outbound | Profile: All | Enabled: Yes | Block | Protocol: TCP | Other parameters: Any

backgroundTaskHost
%SystemRoot%\System32\backgroundTaskHost.exe

Outbound | Profile: All | Enabled: Yes | Block | Protocol: All | Other parameters: Any

Windows Shell Experience Host
%SystemRoot%\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe

Inbound | Profile: All | Enabled: Yes | Block | Protocol: All | Other parameters: Any

backgroundTaskHost
%SystemRoot%\System32\backgroundTaskHost.exe

Autoruns

You can use the program Autoruns to deactivate all superfluous autostart entries.

Windows 10 Pro 64b 1909

Group Policies
Computer Configuration | Administrative Templates | Windows Components

| Windows Defender Antivirus | Turn off... = Enabled

== | Windows Defender | Turn Off Windows Defender = Enabled

| Windows Defender Antivirus | MAPS | Feature = Disabled
== | Windows Defender | MAPS = Disabled

| Windows Defender Antivirus | MAPS | Send file samples = Enabled (Never send)
== | Windows Defender Antivirus | Set file samples = Never send

Firewall

Outbound | Profile: All | Enabled: Yes | Block | Protocol: TCP | Other parameters: Any

Cortana in Windows Search
%SystemRoot%\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe

Edge
%SystemRoot%\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe

Outbound | Profile: All | Enabled: Yes | Block | Protocol: All | Other parameters: Any

GetHelp
%ProgramFiles%\WindowsApps\Microsoft.GetHelp_10.1909.22691.0_x64__8wekyb3d8bbwe\GetHelp.exe
The path of GetHelp changes with increasing version numbers, such as 1909.22691, so the rule must be updated regularly.
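
Added example, not from the original page: the block rules of both Firewall sections created with New-NetFirewallRule, with the GetHelp path looked up from the installed package so that the rule can be refreshed after a version change. The rule display names and the helper Set-BlockRule are made up for this example.

```powershell
# Added example; run in an elevated PowerShell. The "Privacy block" rule names are made up here.
function Set-BlockRule {
    param([string]$Label, [string]$Program, [string]$Direction = 'Outbound', [string]$Protocol = 'Any')
    $name = "Privacy block: $Label ($Direction, $Protocol)"
    # Delete an earlier copy first so that a re-run replaces the rule instead of duplicating it.
    Remove-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
    New-NetFirewallRule -DisplayName $name -Direction $Direction -Action Block -Profile Any `
        -Enabled True -Protocol $Protocol -Program $Program | Out-Null
}

$sys  = Join-Path $env:SystemRoot 'System32'
$apps = Join-Path $env:SystemRoot 'SystemApps'

# Rules from the main Firewall section
Set-BlockRule 'backgroundTaskHost' "$sys\backgroundTaskHost.exe" -Protocol TCP
Set-BlockRule 'backgroundTaskHost' "$sys\backgroundTaskHost.exe" -Direction Inbound
Set-BlockRule 'ShellExperienceHost' "$apps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe"

# Rules from the Windows 10 Pro 64b 1909 section
Set-BlockRule 'Cortana SearchUI' "$apps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -Protocol TCP
Set-BlockRule 'Edge' "$apps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -Protocol TCP

# GetHelp: resolve the currently installed package instead of hard-coding the version in the path.
$pkg = Get-AppxPackage -AllUsers -Name 'Microsoft.GetHelp' |
    Sort-Object { [version]$_.Version } -Descending |
    Select-Object -First 1
if ($pkg) {
    Set-BlockRule 'GetHelp' (Join-Path $pkg.InstallLocation 'GetHelp.exe')
} else {
    Write-Warning 'Microsoft.GetHelp is not installed; no rule created.'
}
```

Re-run the script after each app or Windows update so that the GetHelp rule points at the new path.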

Links

Manage connections from Windows 10 operating system components to Microsoft services. (1, 2.)

BSI: Analyse der Telemetriekomponente in Windows 10

Fix Windows 10

Windows 10 Tip: Manage Telemetry Settings

Even when you turn on Win 10's "privacy" flags, it still spies on you

3 Methoden um den in Windows 10 eingebauten Spy Keylogger zu entfernen

Configure Windows Telemetry in Your Organization

Security Concept for Windows (Sicherheitskonzept für Windows)

Sysinternals: check the programs ProcessExplorer, Autoruns and TCPView.