Have you ever stopped to think about how much personal information can leave your Windows PC every time you turn it on? Windows 10 and Windows 11 come loaded with connected features, telemetry, and cloud options. These settings, if left unchecked, end up sending far more data than most users realize. The good news is that, with a little patience and knowing where to adjust them, this data leakage can be significantly reduced without rendering the system unusable.
In this guide we'll see, step by step, how to strengthen privacy in Windows 10 and 11 in home and professional environments: what data the system actually collects, what you can and can't disable, how to manage it as a user and as an administrator (group policies, MDM, registry, etc.), and how to comply with GDPR and other regulations. The goal is for you to end up with a much less intrusive Windows that is just as usable day to day.
Windows Editions and Scope of the Guide
Before we get down to business, it's important to clarify that not all editions of Windows offer the same privacy controls. This guide applies primarily to:
- Windows 10 and 11 Enterprise
- Windows 10 and 11 Education
- Windows 10 and 11 Professional
- Windows Server 2016 and later versions
In these editions, advanced telemetry options, group policies, and certain data restrictions are fully available. In Windows Home, many settings can be adjusted from the Settings app, but key features are missing (such as some telemetry policies or BitLocker), so the maximum possible hardening level is lower.
Within the full range, Enterprise and Education are the editions with the most privacy and security controls, including the most aggressive restrictions on diagnostic data. Pro offers almost everything interesting in terms of privacy hardening (BitLocker, Hyper-V, advanced networking and security options), but some ultra-restrictive telemetry policies are only available in Enterprise/Education.
What data does Windows collect and why?
At the system level, Windows distinguishes between required (mandatory) data and optional data. This is vital to avoid frustration: there are things that you can't turn off completely because they are considered essential for the system to receive updates and remain secure.
Required diagnostic data
The required diagnostic data is the minimum telemetry baseline that Windows sends even in the most restrictive settings. It includes information such as:
- Device features: model, hardware, basic configuration.
- System status: whether it works correctly, critical errors, crashes.
- Preparing for updates: low battery, disk space, network type.
- Essential software configuration and patch compatibility.
This data is used to keep Windows up to date, deploy patches safely, and detect widespread vulnerabilities. You can't completely disable it in any consumer edition, but you can prevent it from being expanded with more intrusive optional information.
Optional diagnostic data
On top of that minimum, Microsoft offers to send much more detailed optional diagnostic data, which you can disable without breaking the system. This includes, among others:
- Using apps and features (what you open, for how long, how often).
- Advanced performance data and service behavior.
- More granular activity history on the device.
- Extended software configuration and inventory information.
In practice, this data is used to refine products, test new features, and power personalized experiences and advertising. From a strict privacy perspective, this is where it's most important to turn off the tap: the system continues to function even if you disable it, and you cut a volume of data that is clearly unnecessary for normal use.
Privacy and out-of-the-box experience (OOBE)

The first time you turn on a PC with Windows 10 or 11, you go through the initial setup wizard (OOBE). Critical privacy decisions are made there: Microsoft account vs. local account, diagnostic data level, location, advertising, personalized experiences...
At this point, Windows displays specific privacy screens with explanatory text and links to the Microsoft Privacy Statement. If it's a corporate or managed device, it's common for the administrator to disable this quick experience and set the values by policy, so that the user sees a message like "your organization manages some options".
For businesses, Microsoft allows the initial configuration to be automated using Configuration Manager or Windows Autopilot (or scripts that install Windows 11 with a specific configuration). This makes it easier to apply a uniform privacy profile and prevents each user from impatiently accepting the first thing they see.
Main data categories and privacy settings in Windows
Beyond general telemetry, Windows includes many connected experiences that draw on the Internet and may access sensitive personal data. Understanding and adjusting them is key to proper hardening.
Diagnostic data, comments, and keyboard/handwritten input
In Settings > Privacy and security > Diagnostics and feedback you have the core of telemetry for the average user: the choice between the minimum level (mandatory data) or optional, deletion of diagnostic data, and the frequency of feedback requests.
This area also manages handwriting and typing data, that is, the sending of keyboard, handwriting, or dictation samples to improve language recognition models. From a GDPR perspective, it makes sense to disable the sending of linguistic data to the cloud if it is not essential in your environment, especially in organizations that handle sensitive data.
Location and Find My Device
The location service lets Windows offer time, maps, local search, and other functions based on the computer's physical location. You may:
- Turn off location services completely at the system level.
- Leave it active but control which apps can use it (maps yes, games no).
- Clear location history and set an approximate default location.
The “Find My Device” function uses location to locate your PC if it is lost or stolen. It can be disabled for the strictest privacy settings, but on corporate or personal laptops it often pays to keep it enabled, provided the organization is aware that this involves specific tracking of the device when requested.
Personalized experiences and advertising identifier
Windows uses a unique advertising ID per user to deliver personalized ads in apps that support it. Additionally, through optional diagnostic data, it can provide tailored recommendations and suggestions (“personalized experiences”).
From Settings > Privacy & Security > General you can:
- Disable the use of advertising ID for applications.
- Disable various tracking options and suggested content.
- Turn off personalized experiences based on diagnostic data.
Everything related to advertising and usage-based personalization is dispensable for the system to function, so it's easy terrain to harden without technical penalty.
Activity history and synchronization
Windows can maintain an activity history (opened files, used apps, visited websites) to display a kind of timeline or sync between devices. This history can be uploaded to the cloud with your Microsoft account.
To reduce your footprint, it is recommended to:
- Disable activity history or at least its transmission to Microsoft.
- Delete existing history from the screen itself.
- Review what you sync in Settings > Accounts > Windows Backup / Backup (passwords, settings, applications).
The less you sync automatically, the less centralized data you'll have in the cloud. It can be helpful to cut back the syncing of passwords and some personal settings if you're aiming for a very low profile.
Voice, Cortana, and other connected services
Among the privacy options you will find sections such as Voice, typing, and personalization. These options control the use of online voice recognition services and the storage of voice interactions to improve models.
In environments where privacy takes precedence over convenience, it is common to disable online voice recognition and any assistant integrations like Cortana, especially on corporate devices. Although Cortana has lost prominence, specific policies still exist to allow or block its use at the organizational level.
Application permissions: camera, microphone, etc.
The App permissions section in Settings > Privacy and security is critical: here you can review, one by one, which apps can access the camera, microphone, location, contacts, calendar, calls, etc.
After a clean installation of Windows 11, it is common to find several pre-installed apps that have been granted access to sensors such as location, camera or microphone without the user having done anything. The sensible thing to do is:
- Review all permissions and leave active only those that are strictly necessary.
- Disable global access to a sensor if it is not in use (e.g., camera on a computer without video calls).
- Remove or uninstall unnecessary apps that abuse permissions.
This permissions control is very much in line with the GDPR data minimization principle: each app should only have what it truly needs to function.
Transparency tools: Diagnostic data viewer
For those who want to go a step further, Microsoft offers the Diagnostic Data Viewer (DDV), an app available from the Microsoft Store for Windows 10 (1803 or later) and Windows 11.
This tool lets you see in real time what diagnostic data the system is collecting and sending from that device, with the information organized into understandable categories. You can:
- Review each event in JSON format with date, type of event and content.
- Filter by keywords (for example, “location”, “microphone”, “kernel”).
- Separate by categories such as problem reports, diagnostic services, etc.
- Export visible data for audits or more in-depth analysis.
Administrators also have a Diagnostic Data Viewer PowerShell module to work without a graphical interface and automate reviews (using cmdlets such as Get-DiagnosticData).
Centralized privacy management for administrators
In business environments, it's not enough for each user to simply adjust their settings: homogeneous and auditable controls are required (good security practices). Windows allows you to manage privacy through Group Policy, MDM solutions like Intune, and registry keys.
Key configuration controls by policy
Microsoft documents a number of privacy settings that can be adjusted using GPO (Group Policy Objects) or MDM. Some of the most relevant for hardening are:
- Voice: Allow or disallow online speech recognition services (GPO: Computer Configuration > Control Panel > Region and Language > Allow users to enable online speech recognition services; MDM: Privacy/AllowInputPersonalization).
- Location: Allow Windows applications to access the location (GPO: Windows Components > Application Privacy; MDM: Privacy/LetAppsAccessLocation).
- Find my device: Enable or disable the feature (GPO: Windows Components > Find My Device; MDM: Experience/AllowFindMyDevice).
- Diagnostic data (telemetry): level of data sent to Microsoft (GPO: Windows Components > Data Collection and Preview Builds > Allow Telemetry / Allow Diagnostic Data; MDM: System/AllowTelemetry).
- Handwriting and typing diagnostics: whether or not linguistic data is sent (GPO: Windows Components > Text Input > Improve Handwriting Recognition and Handwriting Input; MDM: TextInput/AllowLinguisticDataCollection).
- Personalized experiences: Use of diagnostic data to personalize suggestions and content (GPO: User Configuration > Windows Components > Cloud Content; MDM: Experience/AllowTailoredExperiencesWithDiagnosticData).
- Advertising identifier: Allow or block the advertising ID (GPO: System > User Profile > Disable Advertising ID; MDM: Privacy/DisableAdvertisingId).
- Timeline / activity history in the cloud: Uploading activities to the cloud (GPO: System > OS Policies > Allow user activity uploads; MDM: Privacy/EnableActivityFeed).
- Cortana: allow or disallow the assistant (GPO: Windows Components > Search > Allow Cortana; MDM: Experience/AllowCortana).
For each of these options, Microsoft documents the default state if the initial setup experience is suppressed, and the recommended value if data collection is to be minimized. In general, these recommended settings involve disabling or minimizing the connection to Microsoft services, accepting some loss of convenience.
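One way to check that the policies listed above actually landed on a device, as an added PowerShell example that is not part of the original guide or Microsoft's own tooling. The registry locations and target values are assumptions not given on the page; confirm them against the ADMX templates for your Windows build before relying on the result.

```powershell
# Added example: compare policy-backed privacy values with a data-minimising target.
# Registry locations and target values are assumptions, not taken from the guide.
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft'
$Baseline = @(
    # AllowTelemetry: 1 = required diagnostic data only; 0 is accepted where the edition supports it.
    @{ Setting='Diagnostic data level';  Path="$pol\Windows\DataCollection";  Name='AllowTelemetry';                Want=1; Op='le' }
    @{ Setting='Online speech';          Path="$pol\InputPersonalization";    Name='AllowInputPersonalization';     Want=0; Op='eq' }
    # LetAppsAccessLocation: 2 = force deny for all apps.
    @{ Setting='App access to location'; Path="$pol\Windows\AppPrivacy";      Name='LetAppsAccessLocation';         Want=2; Op='eq' }
    # Strictest choice; the guide notes laptops often keep Find My Device enabled.
    @{ Setting='Find My Device';         Path="$pol\FindMyDevice";            Name='AllowFindMyDevice';             Want=0; Op='eq' }
    @{ Setting='Linguistic data';        Path="$pol\Windows\TextInput";       Name='AllowLinguisticDataCollection'; Want=0; Op='eq' }
    @{ Setting='Advertising ID';         Path="$pol\Windows\AdvertisingInfo"; Name='DisabledByGroupPolicy';         Want=1; Op='eq' }
    @{ Setting='Activity upload';        Path="$pol\Windows\System";          Name='UploadUserActivities';          Want=0; Op='eq' }
    @{ Setting='Cortana';                Path="$pol\Windows\Windows Search";  Name='AllowCortana';                  Want=0; Op='eq' }
    # Per-user policy: the result reflects the account running the script.
    @{ Setting='Tailored experiences';   Path='HKCU:\Software\Policies\Microsoft\Windows\CloudContent'
       Name='DisableTailoredExperiencesWithDiagnosticData'; Want=1; Op='eq' }
)

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is absent (policy "Not configured").
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-PrivacyBaseline {
    param([object[]]$Baseline)
    foreach ($b in $Baseline) {
        $actual = Get-PolicyValue -Path $b.Path -Name $b.Name
        if ($null -eq $actual) {
            # No policy value: the user-facing toggle in Settings decides, so it is not enforced.
            $state = 'NotConfigured'
        } elseif (($b.Op -eq 'le' -and $actual -le $b.Want) -or
                  ($b.Op -eq 'eq' -and $actual -eq $b.Want)) {
            $state = 'Compliant'
        } else {
            $state = 'Drift'
        }
        [pscustomobject]@{
            Setting  = $b.Setting
            Value    = $b.Name
            Expected = $b.Want
            Actual   = $actual
            State    = $state
        }
    }
}

$report = Test-PrivacyBaseline -Baseline $Baseline
$report | Format-Table -AutoSize

# Summarise for a compliance log: anything not 'Compliant' needs a GPO/MDM review.
$open = @($report | Where-Object { $_.State -ne 'Compliant' })
"{0} of {1} settings enforced as expected" -f ($report.Count - $open.Count), $report.Count
```

A `NotConfigured` result is not the same as a permissive one: it means no policy enforces the value, so the device follows whatever the user chose in Settings or during OOBE.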
Managing the device setup experience
If you want to control every last detail from the very first startup, you can rely on Configuration Manager to deploy custom Windows images with privacy settings already applied. This includes:
- Disable unnecessary telemetry specific to Configuration Manager following the diagnostic documentation and usage data.
- Configure consistent privacy profiles between teams and departments.
- Integrate with other security solutions in the organization.
Another widely used option is Windows Autopilot, which lets you enroll devices directly from the factory into the organization and apply customized OOBE profiles. Being a cloud-based solution, during the initial startup a minimal set of device identifiers is sent to Microsoft to associate the device with the correct profile. It's a reasonable compromise between convenience and privacy, provided the subsequent settings are configured correctly.
Connected experiences and essential services
Windows includes features that connect to the Internet to offer, for example, updated antimalware protection (Microsoft Defender Antivirus), improved search, rich content, or settings synchronization. Microsoft distinguishes between:
- Essential services: necessary to keep the product safe, licensed and functional (updates, licensing, basic security services).
- Optional connected experiences: extra features that add value, but are not strictly essential.
Adjusting these connections requires a little care: disabling them in bulk can break important functionality. Microsoft maintains up-to-date documentation, such as “Manage connections from Windows operating system components to Microsoft services” and lists of Windows 11 Enterprise endpoints, which detail what connects to what and what happens if it gets blocked.
Limited functionality baseline
For organizations that want to maximize data minimization, Microsoft publishes a “limited functionality baseline”. This is similar to security baselines but focused on privacy. This baseline:
- Minimizes the amount of information sent to Microsoft.
- Turns off or restricts many connected experiences and secondary services.
- Can degrade or break non-critical functions (fewer amenities, less automatic “magic”).
You don't have to apply it all if you don't want to; many administrators use it as a reference for choosing specific settings that fit their balance between security, privacy, and usability.
Specific settings on diagnostic data

Beyond "a lot or a little", there are several subtle nuances surrounding diagnostic data that are worth knowing, especially to comply seriously with GDPR.
Notifications for data level changes
From Windows 10 1803 and into Windows 11, if an administrator changes the diagnostic data level (for example, from required to optional), the user receives a notification upon the next login reporting the change.
If this doesn't fit with your internal policy or you simply want to avoid constant notifications, you can disable the notification through:
- GPO: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure Telemetry Participation Change Notifications.
- MDM: ConfigureTelemetryOptInChangeNotification directive.
User's ability to lower the data level
Windows 10 (1803+) and Windows 11 allow the user, from Settings, to lower the diagnostic data level to one lower than that set by the administrator, but not the other way around. In other words, if optional telemetry is configured, the user could switch to only the required data.
For organizations that want tight control and to avoid these kinds of manual changes, it is possible to block this option in the interface through:
- GPO: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure Optional Configuration User Interface.
- MDM: ConfigureTelemetryOptInSettingsUx.
Deletion of diagnostic data
Windows 10 (1809+) and Windows 11 allow any user, from Settings > Diagnostics and feedback, to delete the diagnostic data associated with the device with a specific button.
For administrators, there is the PowerShell cmdlet Clear-WindowsDiagnosticData, which performs the same deletion operation from scripts or automated tasks.
If, for whatever reason (for example, compliance with internal policy or traceability), you don't want the user to be able to delete that data, it is possible to disable the deletion option with:
- GPO: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Disable deletion of diagnostic data.
- MDM: DisableDeviceDelete.
Windows Diagnostic Data Processor (GDPR) Configuration
In certain editions (Windows 11 Enterprise, Pro and Education; Windows 10 Enterprise, Pro and Education from 1809 onwards with certain requirements) there is the possibility of enabling the so-called Windows diagnostic data processor configuration.
This configuration means that, for the purposes of the GDPR, the organization becomes responsible for processing that diagnostic data for devices joined to Microsoft Entra (formerly Azure AD). This allows you to:
- Associate diagnostic data with specific Microsoft user or device identifiers.
- Address data subject requests (DSR), both export and deletion, on the diagnostic data linked to a user.
- Close business space accounts and better manage the information lifecycle.
If this mode is enabled, Microsoft recommends, among other things:
- Restricting sign-in with personal Microsoft accounts (MSA), to avoid mixing contexts.
- Limiting users' ability to submit additional comments, since those comments and attachments may not be covered by this setting.
Microsoft's official documentation describes, in considerable detail, how to use this option to support GDPR compliance and manage DSRs in a structured way.
Exercising data subject rights over Windows data
Beyond theory, Microsoft offers different paths by which users and administrators may exercise rights of access, rectification, erasure and portability over the data that Windows collects.
Delete data
An end user can:
- Delete the diagnostic data from the device from Settings > Diagnostics and feedback > the “Delete” button under “Delete diagnostic data”.
- Delete data associated with their Microsoft account (browsing history in Edge, activity, location, searches, etc.) by accessing the Microsoft online privacy dashboard.
An administrator can also automate the removal for a specific device using PowerShell through Clear-WindowsDiagnosticData, or integrate it with broader device decommissioning processes.
View and export diagnostic data
The Diagnostic Data Viewer offers the possibility not only of reading data in real time, but also of exporting the visible set of information to a file for analysis, internal audits, or responding to access requests.
PowerShell cmdlets such as Get-DiagnosticData allow administrators to extract that data using scripts, filter it, and combine it with other corporate records if necessary.
Devices linked to Microsoft accounts
When a user logs into Windows or certain applications using a Microsoft account, a lot of activity, history, search and usage data is associated in the cloud with that identity. Then:
- The user can view, export and delete that information from the Microsoft Privacy Panel.
- It is important to clearly explain to employees when it is recommended to use corporate accounts and when it is not, to avoid mixing personal and professional contexts.
Data transfers and other related products
Regarding international transfers, Microsoft claims to comply with applicable legislation regarding the collection, use, retention, and cross-border transfer of personal data. Details are set out in the Privacy Statement and in specific compliance documentation (GDPR, CCPA, etc.).
Other products and services connected to Windows use diagnostic data for specific functions:
- Windows Server 2016 and later: they follow mechanisms similar to Windows 10/11 in terms of personal data management and telemetry.
- Surface Hub: a shared device in which identifiers are associated with the device, not the user; it has its own tool for deleting diagnostic data and is primarily managed via MDM.
- Windows Update reports for businesses, Windows Autopatch and Intune update reports: they all rely on Windows diagnostic data to provide information on compliance, driver and application compatibility, and deployment status.
In all these cases, strengthening privacy involves understanding what specific data feeds each service and assessing whether the operational benefit justifies the level of information shared.
Practical notes on privacy and security in Windows 10 and 11
Beyond the purely "Privacy and security" options in Settings, there are several aspects that greatly influence the actual level of data exposure in Windows.
Microsoft accounts, OneDrive, and synchronization
Windows 11 puts a lot of pressure on you to use an online Microsoft account instead of a local account, especially in Home, and it increasingly hides the local account option in Pro and Enterprise during installation.
Using a Microsoft account makes it easier to sync data, settings, and files with the cloud (via OneDrive), but it also means that a huge amount of information is centralized on Microsoft servers. Among other things, you need to keep an eye on:
- Automatic backup of user folders in OneDrive, which in some recent Windows 11 installations has appeared to be enabled by default.
- Synchronization of passwords, history, system and browser settings.
- Deep integrations with Edge, Teams, Copilot, and other cloud services.
In advanced privacy scenarios, it may be worth working with local accounts, less OneDrive integration, and syncing only what's strictly necessary, or using managed corporate identities and clear usage policies.
Recall, Copilot, and new AI-powered features
One of the most controversial new features in the recent Windows ecosystem is Recall, a feature linked to Copilot+ that takes periodic screenshots of what appears on the PC to allow for later visual searches. Although Microsoft has partially backtracked and the feature is no longer enabled by default, it's a clear example of how a "useful" feature can generate a massive volume of highly sensitive metadata.
Although Recall stores the information in a local database, according to the initial design this is decrypted when the device is turned on. This opens the door for malware or attackers with access to the system to extract it. In high-security environments, the reasonable approach is to disable Recall and review any AI features that continuously record or upload content.
Additional security and hardening applications
Privacy protection isn't just about what Microsoft sends: Windows Security settings and general hardening also play a role:
- Antivirus and threat protection: keeping Microsoft Defender enabled and properly configured, with scheduled scans, reduces the risk of malware stealing local data.
- Firewall and network protection: a well-tuned firewall, with reasonable outbound rules, can limit which applications can freely call home.
- Application and browser controls: features like SmartScreen and exploit mitigations reduce the risk of attacks that result in data exfiltration, and it's advisable to review the Core Isolation and Memory Integrity configuration for additional layers.
- Drive encryption (BitLocker): essential in laptops and equipment that leave the office; protects data in case of physical theft.
This does not replace privacy settings, but it strengthens the perimeter and reduces the likelihood of data leaks through less obvious channels.
Overall, a well-hardened Windows 10 or 11 installation can greatly reduce the amount of information that leaves the computer for Microsoft and third parties, while maintaining security updates, anti-malware protection, and the features truly necessary for work.
The key is to combine intelligent use of user privacy options, group policies or MDM in managed environments, and a conscious choice of which connected experiences and cloud integrations are accepted and which are turned off, without going to extremes that leave the system crippled or ungovernable.