@DragoonAethis
Created May 1, 2019 16:21

Windows 10 (19H1) Privacy-friendly GPO Settings

This guide lists most GPO settings that make Windows 10 a bit saner. It tries to strike a balance between privacy and usability, without compromising too much on either. It's a configuration most users should work fine with.

While installing Windows, disconnect from the Internet and configure most of these policies offline. Do NOT use a Microsoft account.

Press Ctrl-R, run gpedit.msc and use the tree on the left to navigate to the subtrees listed below. Configure the policies as needed. If something is not mentioned, it should be left as "Not configured", but you're free to configure anything interesting you see as you wish.

These settings assume you have Windows 10 Enterprise but have not joined any Active Directory (AD) domain. Many of these settings will not work on Home or Pro editions. Some optional, nice-to-have settings are also mentioned below; while they don't contribute to privacy, they are generally desirable.

It's assumed that all settings that could be changed in the Settings app were changed as needed already. Some GPO settings can override these, but this guide is concerned primarily with settings that can't be changed from Settings.

This guide is up to date as of Win10 19H1. Each new update requires a refresh of this guide and reapplying settings, as Windows has a tendency to reset these.
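Because Windows tends to reset these policies after feature updates, it helps to have a repeatable check rather than clicking through gpedit.msc again. The script below is an added example and not part of the original gist: it reads the registry values behind a subset of the policies listed on this page and reports any that are not at the recommended value. The registry paths and value names are my mapping of the ADMX-backed policies (an assumption to verify against the ADMX files on your build), and it must be run in an elevated PowerShell. Note that it checks for AllowTelemetry being exactly 0, since the page points out that merely "Disabled" still leaves Basic telemetry on.

```powershell
# Added audit script (not from the original gist). Registry paths/value names are
# my mapping of the ADMX-backed policies; verify them against your build's ADMX files.

$Policies = @(
    # Data Collection and Preview Builds
    @{ Name = 'Allow Telemetry (0 = Security)'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'; Value = 'AllowTelemetry'; Expected = 0 },
    @{ Name = 'Do not show feedback notifications'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'; Value = 'DoNotShowFeedbackNotifications'; Expected = 1 },
    # User Profiles
    @{ Name = 'Turn off the advertising ID'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo'; Value = 'DisabledByGroupPolicy'; Expected = 1 },
    # OS Policies
    @{ Name = 'Enables Activity Feed'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'; Value = 'EnableActivityFeed'; Expected = 0 },
    @{ Name = 'Allow publishing of User Activities'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'; Value = 'PublishUserActivities'; Expected = 0 },
    @{ Name = 'Allow upload of User Activities'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'; Value = 'UploadUserActivities'; Expected = 0 },
    # Delivery Optimization: 99 (Simple) for privacy or 1 (LAN) for P2P updates
    @{ Name = 'Download Mode (99 = Simple, 1 = LAN)'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'; Value = 'DODownloadMode'; Expected = @(99, 1) },
    # Search
    @{ Name = 'Allow Cortana'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'; Value = 'AllowCortana'; Expected = 0 },
    @{ Name = 'Do not allow web search'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'; Value = 'DisableWebSearch'; Expected = 1 },
    @{ Name = "Don't search the web or display web results in Search"; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'; Value = 'ConnectedSearchUseWeb'; Expected = 0 },
    # Windows Defender Antivirus (MAPS): 2 = Never send samples
    @{ Name = 'Join Microsoft MAPS'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet'; Value = 'SpynetReporting'; Expected = 0 },
    @{ Name = 'Send file samples (2 = Never send)'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet'; Value = 'SubmitSamplesConsent'; Expected = 2 },
    # Windows Error Reporting
    @{ Name = 'Disable Windows Error Reporting'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting'; Value = 'Disabled'; Expected = 1 },
    # OneDrive
    @{ Name = 'Prevent the usage of OneDrive for file storage'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive'; Value = 'DisableFileSyncNGSC'; Expected = 1 },
    # Cloud Content
    @{ Name = 'Turn off Microsoft consumer experiences'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CloudContent'; Value = 'DisableWindowsConsumerFeatures'; Expected = 1 }
)

function Test-PrivacyPolicy {
    param([hashtable]$Policy)

    # Read the backing value; a missing key or value means "Not configured".
    $actual = $null
    if (Test-Path -Path $Policy.Path) {
        $item = Get-ItemProperty -Path $Policy.Path -Name $Policy.Value -ErrorAction SilentlyContinue
        if ($null -ne $item) { $actual = $item.($Policy.Value) }
    }

    # -contains works for both a single expected value and a list of allowed ones.
    $ok = ($null -ne $actual) -and ($Policy.Expected -contains $actual)
    $actualText = if ($null -eq $actual) { 'not configured' } else { "$actual" }
    $status = if ($ok) { 'OK' } else { 'FIX' }

    [pscustomobject]@{
        Policy   = $Policy.Name
        Expected = ($Policy.Expected -join ' or ')
        Actual   = $actualText
        Status   = $status
    }
}

$results = $Policies | ForEach-Object { Test-PrivacyPolicy -Policy $_ }
$results | Format-Table -AutoSize

$needsFix = @($results | Where-Object { $_.Status -eq 'FIX' }).Count
Write-Host "$needsFix policy value(s) differ from the recommended setting."
```

Run it once after applying the settings to confirm the baseline, and again after each Windows update; any row marked FIX is a policy that needs to be reapplied in gpedit.msc. The table only covers the policies whose registry backing I listed, so extend `$Policies` as you add settings.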

Computer Configuration > Administrative Templates

Control Panel

  • Allow Online Tips: Disabled.
  • Regional and Language Options: Allow users to enable online speech recognition services: Disabled.
  • Regional and Language Options > Handwriting Personalization: Turn off automatic learning: Enabled.

Network

  • Background Intelligent Transfer Service (BITS): Allow BITS Peercaching: Disabled. (If you want to use peer to peer Windows updates, leave this enabled. If you have multiple computers with Windows 10 in the same network, using Peercaching will save you some Internet bandwidth, since those computers will share downloaded updates with each other.)
  • WLAN Service > WLAN Settings: Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services: Disabled.

Start Menu and Taskbar

  • Notifications: Turn off notifications network usage: Enabled.

Computer Configuration > Administrative Templates > System

  • (Optional) Display highly detailed status messages: Enabled.

App-V

This is an application virtualization feature that requires an enterprisey app server to work. If you're not using this feature, disable it, otherwise disable CEIP only.

  • Enable App-V Client: Disabled.
  • CEIP: Microsoft Customer Experience Improvement Program (CEIP): Disabled.

Device Guard

Device Guard is a set of features that increase your system security by introducing extra mitigations against certain attacks. If you care about security or want your family to be less able to shoot themselves in the foot, enable this. If you care about performance more, leave this disabled.

The exact configuration requires you to read all the requirements and considerations here.

Device Health Attestation Service

  • Enable Device Health Attestation Monitoring and Reporting: Disabled.

Device Installation

Some of these settings might break fully automatic online driver installation. You might want to leave optional settings alone if you want that to work.

  • Prevent Windows from sending an error report when a device driver requests additional software during installation: Enabled.
  • Do not send a Windows error report when a generic driver is installed on a device: Enabled.
  • (Optional) Prevent device metadata retrieval from the Internet: Enabled.

Internet Communication Management

  • (Optional) Restrict Internet communication: Enabled. Note that this is a "sledgehammer" solution to most Windows 10 issues. Enabling this will prevent many features from working correctly, like updates, automatic driver installation and so on. Instead of this, use the next solution.
  • Internet Communication settings: Turn off chosen features by setting the policies in this directory to Enabled. It's REALLY recommended to leave the features related to Windows Update and Root Certificate updates available.

OS Policies

  • Enables Activity Feed: Disabled.
  • Allow upload of User Activities: Disabled.
  • Allow publishing of User Activities: Disabled.
  • Allow Clipboard synchronization across devices: Disabled.
  • (Optional) Allow Clipboard History: Disabled.

Remote Assistance

  • Configure Solicited/Offer Remote Assistance: Disabled.

Storage Health

  • Allow downloading updates to the Disk Failure Prediction Model: Disabled.

Troubleshooting and Diagnostics

  • Diagnostics: Configure scenario retention: Enabled, set data size limit to 1MB.
  • (Optional) Application Compatibility Diagnostics: Detect compatibility issues for applications and drivers: Disabled. If you want automatic fixes for certain old app issues, leave this enabled.
  • Microsoft Support Diagnostic Tool: Troubleshooting: Allow users to access recommended troubleshooting for known problems: Enabled, Notify users when recommended troubleshooting is available then allow the user to run or ignore it.
  • Microsoft Support Diagnostic Tool: MSDT: Turn on MSDT interactive communication with support provider: Disabled.
  • Windows Performance PerfTrack: Enable/Disable PerfTrack: Disabled.

User Profiles

  • Turn off the advertising ID: Enabled.

Computer Configuration > Administrative Templates > Windows Components

App runtime

  • Allow Microsoft accounts to be optional: Enabled.

Application Compatibility

  • Turn off Steps Recorder: Enabled.
  • Turn off Inventory Collector: Enabled.
  • Turn off Application Telemetry: Enabled.

Cloud Content

  • Turn off Microsoft consumer experiences: Enabled.
  • Do not show Windows tips: Enabled.

Data Collection and Preview Builds

  • Limit Enhanced diagnostic data to the minimum required by Windows Analytics: Enabled, Disable Windows Analytics collection.
  • Do not show feedback notifications: Enabled.
  • Configure collection of browsing data for Desktop Analytics: Enabled, Do not allow sending intranet or internet history.
  • Allow Telemetry: Enabled, 0 - Security. (Setting this to Disabled leaves telemetry enabled at least on the Basic level.)
  • Allow device name to be sent in Windows diagnostic data: Disabled.

Delivery Optimization

These settings configure P2P updates. If you have multiple computers with Windows 10 in the same network, updates can be downloaded only once, then shared between computers in the same network automatically.

  • Download Mode: Enabled, Simple (99) for privacy, LAN (1) for performance and P2P updates.

Edge UI

  • Disable help tips: Enabled.

Find My Device

Find My Device is an anti-theft feature that requires a Microsoft account. If you want anti-theft features, consider Prey. (Note that no anti-theft feature will save your devices if a thief formats the device without ever going online.)

  • Turn On/Off Find My Device: Disabled.

Internet Explorer

  • Turn on Suggested Sites: Disabled.
  • Privacy: Turn off collection of InPrivate Filtering data: Enabled.

Location and Sensors

Disabling location services may break maps and location-dependent apps. Disabling sensors breaks some games and apps requiring such devices. YMMV.

  • Turn off sensors: Enabled.
  • Turn off location/location scripting: Enabled.
  • Windows Location Provider: Turn off Windows Location Provider: Enabled.

Maps

  • Turn off unsolicited network traffic on the Offline Maps settings page: Enabled.
  • (Optional) Turn off Automatic Download and Update of Map Data: Enabled.

MDM

  • Disable MDM Enrollment: Enabled.

Messaging

  • Allow Message Service Cloud Sync: Disabled.

Microsoft account

  • Block all consumer Microsoft account user authentication: Enabled.

Microsoft User Experience Virtualization

This feature allows a computer connected to an AD domain to synchronize data for its applications between computers - so that if you have some apps on one computer and sign in to another computer in the same domain, your apps and data should automatically get restored on the new computer. For non-enterprise computers, this feature isn't useful.

  • Use User Experience Virtualization (UE-V): Disabled.
  • Enable UEV: Disabled.

OneDrive

If you're actually using OneDrive, leave these settings alone.

  • Prevent OneDrive from generating network traffic until the user signs in to OneDrive: Enabled.
  • Prevent the usage of OneDrive for file storage: Enabled.
  • Save documents to OneDrive by default: Disabled.

Search

  • Allow Cloud Search: Enabled, Disable Cloud Search.
  • Allow Cortana: Disabled.
  • Allow Cortana above lock screen: Disabled.
  • Allow search and Cortana to use location: Disabled.
  • Do not allow web search: Enabled.
  • Don't search the web or display web results in Search: Enabled.

Speech

  • Allow Automatic Update of Speech Data: Disabled. If you're using speech services, leave this alone.

Store

If you're using the Store, leave these alone.

  • Turn off the Store application: Enabled.
  • (Optional) Turn off the offer to update to the latest version of Windows: Enabled.

Sync

  • Do not sync: Enabled.

Text Input

  • Improve inking and typing recognition: Disabled.

Windows Defender Antivirus

Disabling some of these settings might lower security. Leave these enabled for your family.

  • MAPS: Join Microsoft MAPS: Disabled.
  • MAPS: Send file samples when further analysis is required: Enabled, Never send.

Windows Defender SmartScreen

As with Antivirus, it's a good idea to leave this enabled.

  • Explorer: Configure Windows Defender SmartScreen: Disabled.
  • Microsoft Edge: Configure Windows Defender SmartScreen: Disabled.

Windows Error Reporting

  • Disable Windows Error Reporting: Enabled.
  • Configure Error Reporting: Enabled, check Do not display links, do not collect files/machine data.
  • Automatically send memory dumps for OS-generated error reports: Disabled.

Windows Game Recording and Broadcasting

  • (Optional) Enables or disables WGRaB: Disabled.

Windows Ink Workspace

  • Allow suggested apps in Windows Ink Workspace: Disabled.

Windows Media Player

  • Prevent Automatic Updates: Enabled.

Windows Update

Don't break updates completely. Remember to update and restart your computer at least weekly.

  • No auto-restart with logged on users for scheduled automatic update installations: Enabled.

User Configuration > Administrative Templates > System

Internet Communication Management

  • Internet Communication settings: Enable policies for all the features you don't use here.

User Configuration > Administrative Templates > Windows Components

Cloud Content

Enable everything except "Configure Windows spotlight on lock screen".

Data Collection and Preview Builds

  • Allow Telemetry: Enabled, 0 - Security. (Setting this to "Disabled" leaves Telemetry at least on 1 - Basic.)
  • Configure collection of browsing data for Desktop Analytics: Enabled, do not collect anything.

IME

If you use Japanese or Chinese (Pinyin) input methods, go over these features and disable online features you don't want.

Internet Explorer

Let's be serious, you're only going to use it to download something saner...

  • Allow Microsoft services to provide enhanced suggestions as the user types in the Address bar: Disabled.

Other Windows 10 Settings

Run the Command Prompt as admin and type:

sc delete diagtrack
sc delete diagnosticshub.standardcollector.service
sc delete dmwappushservice
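
The commands above delete the service registrations outright, which cannot be undone without reinstalling or repairing Windows. As an added example that is not part of the original gist, the PowerShell below first shows the state of the same three services, then stops them and sets their startup type to Disabled; that has the same practical effect (the services never run) but can be reverted later with Set-Service -StartupType Manual. Service names come from the gist; the display names in the comments are my annotations. Run it in an elevated PowerShell.

```powershell
# Added example (not from the original gist): inspect, stop and disable the three
# telemetry-related services instead of deleting them with "sc delete".

$TelemetryServices = @(
    'DiagTrack',                                 # Connected User Experiences and Telemetry
    'diagnosticshub.standardcollector.service',  # Diagnostics Hub Standard Collector
    'dmwappushservice'                           # WAP Push message routing (used for MDM)
)

function Get-TelemetryServiceState {
    # Report each service's current status and startup type; missing services
    # (already deleted, or not present on this edition) are shown as 'absent'.
    foreach ($name in $TelemetryServices) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) {
            [pscustomobject]@{ Service = $name; Status = 'absent'; StartType = 'n/a' }
        } else {
            [pscustomobject]@{ Service = $name; Status = $svc.Status; StartType = $svc.StartType }
        }
    }
}

function Disable-TelemetryService {
    # Stop anything that is running, then prevent it from starting again.
    foreach ($name in $TelemetryServices) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) { continue }
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name $name -Force }
        Set-Service -Name $name -StartupType Disabled
    }
}

Write-Host 'Before:'
Get-TelemetryServiceState | Format-Table -AutoSize

Disable-TelemetryService

Write-Host 'After:'
Get-TelemetryServiceState | Format-Table -AutoSize
```

Like the GPO settings themselves, this should be rechecked after feature updates, which may re-enable or recreate the services; rerunning the script is enough to put them back into the disabled state.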

Instead of IE/Edge, use Firefox (preferred) or Chrome. Go over their settings and disable features you don't use, such as navigation prediction and suggestions. Install uBlock Origin to block ads and trackers (it also significantly speeds up browsing).
