Windows 11 Privacy Hardening: Stop Telemetry & Data Collection

Why You Should Harden Windows 11’s Privacy Settings

Windows 11 collects a staggering amount of telemetry data about your system: which apps you use, websites you visit, files you open, and hardware you own. This data flows to Microsoft servers automatically, even if you disable tracking in Settings.

If you’re serious about privacy, you need to disable this at multiple levels: Settings, Services, Group Policy, and Registry. This guide shows you exactly how.

Part 1: Settings-Based Hardening

Step 1: Disable Advertising ID

1. Open Settings > Privacy & Security > General
2. Toggle off “Tailored experiences”
3. Toggle off “Improve inking & typing”
4. Toggle off “Tailored ads”
5. Toggle off “Show suggestions in Start”

These settings prevent Windows from creating an advertising ID tied to your activity.

Step 2: Disable Activity History

1. Open Settings > Privacy & Security > Activity history
2. Uncheck “Store my activity history on this device”

Activity history tracks every app you launch, file you open, and website you visit.

Step 3: Disable App Diagnostics

1. Open Settings > Privacy & Security > App diagnostics
2. Toggle off “Optional diagnostic data”
3. Toggle off “Inking & typing”
4. Toggle off “Tailored experiences”

This prevents individual apps from sending telemetry to Microsoft.

Step 4: Disable Typing and Inking Data

1. Open Settings > Privacy & Security > Inking & typing personalization
2. Toggle off “Personal inking and typing dictionary”
3. Toggle off “Tailored typing experiences”

These send samples of everything you type to Microsoft.

Step 5: Disable Camera and Microphone Access

1. Open Settings > Privacy & Security > Camera
2. Toggle off “Camera access”
3. Open Settings > Privacy & Security > Microphone
4. Toggle off “Microphone access”

This prevents apps from accessing your hardware without explicit permission.

Step 6: Disable Location Services

1. Open Settings > Privacy & Security > Location
2. Toggle off “Location services”
3. This disables GPS and WiFi-based location tracking

Step 7: Disable Search Suggestions and History

1. Open Settings > Privacy & Security > Search permissions
2. Toggle off “Search history”
3. Toggle off “Search suggestions”

This prevents Windows Search from logging your queries.

Part 2: Services Hardening

Windows 11 runs background services that constantly collect and transmit data. Disable the most egregious ones by opening Services:

Launch Services

1. Press Win + R
2. Type services.msc and press Enter
3. Find each service below and disable it

Services to Disable

Service Name	Display Name	Purpose
DiagTrack	Connected User Experiences and Telemetry	Sends usage data to Microsoft
dmwappushservice	dmwappushservice	Sends app usage data
docsvc	Document Push Service	Monitors document usage
CanonicalGroupPolicyClient	Canonical Group Policy Client	Enforces telemetry policies
lfsvc	Geolocation Service	Tracks location using WiFi
MapsBroker	Maps Data Manager	Collects location history
NetConnService	Network Connection Broker	Network telemetry

For each service:

1. Right-click the service
2. Select Properties
3. Set Startup type to Disabled
4. Click Apply > OK

Restart your computer to apply changes.

Part 3: Group Policy Hardening (Windows 11 Pro/Enterprise Only)

If you’re running Windows 11 Pro, Home edition doesn’t have Group Policy accessible.

Access Group Policy Editor

1. Press Win + R
2. Type gpedit.msc and press Enter

Configure Telemetry Settings

Disable Diagnostic Data:

1. Navigate to Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds
2. Find “Allow Diagnostic Data”
3. Double-click and select “Enabled”
4. Set to “Diagnostic data off” (option 0)
5. Click Apply > OK

Disable Connected User Experiences:

1. Navigate to Computer Configuration > Administrative Templates > Windows Components > Connected User Experiences and Telemetry
2. Find “Allow Diagnostic Data”
3. Double-click and select “Enabled”
4. Set to “Diagnostic data off”
5. Click Apply > OK

Disable CEIP (Customer Experience Improvement Program):

1. Navigate to Computer Configuration > Administrative Templates > System > Internet Communication Management > Internet Communication settings
2. Find “Turn off the Customer Experience Improvement Program”
3. Double-click and select “Enabled”
4. Click Apply > OK

Part 4: Registry Hardening

Warning: Editing the Registry can cause system instability. Backup your registry first.

Backup Your Registry

1. Press Win + R
2. Type regedit and press Enter
3. Click File > Export
4. Save as Registry_Backup.reg to your Desktop
5. Click Save

Edit Registry Keys

1. Press Win + R
2. Type regedit and press Enter
3. Navigate to each key below and make the changes

Disable Telemetry at HKEY_LOCAL_MACHINE:

Navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection

If the folder doesn’t exist, create it:

1. Right-click Windows folder
2. Select New > Key
3. Name it DataCollection

In the DataCollection folder:

1. Right-click empty space
2. Select New > DWORD (32-bit) Value
3. Name it AllowDiagnosticData
4. Set value to 0

Disable Advertising ID:

Navigate to: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo

1. Right-click Enabled
2. Select Modify
3. Change value from 1 to 0

Disable Activity History:

Navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System

1. Create a new DWORD called PublishUserActivities
2. Set value to 0

Disable Remote Assistance:

Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Remote Assistance

1. Create a new DWORD called fAllowFullControl
2. Set value to 0

Disable Cortana Data Collection:

Navigate to: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search

1. Create a new DWORD called BingSearchEnabled
2. Set value to 0

After each registry change, restart your computer for changes to take effect.

Part 5: Firewall Rules (Advanced)

Use Windows Firewall to block Microsoft’s telemetry servers at the network level.

Create Outbound Firewall Rules

1. Press Win + R
2. Type wf.msc (Windows Defender Firewall with Advanced Security)
3. Click Outbound Rules (left sidebar)
4. Click New Rule (right sidebar)

For each domain below, create a rule:

Rule Details:

• Rule Type: Custom
• Program: All Programs
• Direction: Outbound
• Action: Block
• Protocol: TCP/UDP

Domains to Block:

• *.vortex.data.microsoft.com
• telemetry.microsoft.com
• settings-win.data.microsoft.com
• telemetry.appex.bing.net

Repeat this process for each domain. Outbound rules with wildcards prevent entire subdomains from contacting Microsoft.

Part 6: Task Scheduler Cleanup

Windows 11 has hidden scheduled tasks that run telemetry jobs.

Access Task Scheduler

1. Press Win + R
2. Type taskschd.msc and press Enter

Disable Telemetry Tasks

Navigate to: Microsoft > Windows > Application Experience

Disable:

• Microsoft Compatibility Appraiser
• ProgramDataUpdater

Navigate to: Microsoft > Windows > Autochk

Disable:

• Proxy (if present)

Navigate to: Microsoft > Windows > Customer Experience Improvement Program

Disable:

• Consolidator
• UsbCeip

Navigate to: Microsoft > Windows > DiskDiagnostic

Disable:

• Microsoft-Windows-DiskDiagnosticDataCollector

For each task:

1. Right-click and select Disable
2. Confirm when prompted

Part 7: OneDrive Considerations

OneDrive is deeply integrated into Windows 11.

Uninstall OneDrive (Optional)

If you don’t use OneDrive:

1. Press Win + R
2. Type onedrive.exe /uninstall and press Enter
3. Wait for uninstall to complete
4. Restart your computer

If You Keep OneDrive

1. Open OneDrive
2. Click Account > Settings
3. Under Sync and backup, uncheck “Automatically save files”
4. Under Privacy, toggle off “Improve OneDrive”

Verification: Checking Your Changes

After hardening, verify that telemetry is disabled:

Use Wireshark to Inspect Network Traffic

1. Download Wireshark (a network analyzer)
2. Start a capture on your network adapter
3. Let it run for 5 minutes while you use Windows normally
4. Filter for traffic to Microsoft domains using: ip.dst == 1.1.1.1
5. Look for connections to microsoft.com, msedge.net, or bing.com

Reduced traffic to these domains indicates telemetry is blocked.

Check Services Status

1. Open Services (Win + R > services.msc)
2. Verify all telemetry services are marked “Disabled”
3. Verify startup type shows “Disabled” (not “Automatic”)

Maintenance Going Forward

After Windows Updates:

• Some services may re-enable automatically
• Check Services and Group Policy settings monthly
• Verify no new telemetry tasks appear in Task Scheduler

Stay Updated:

• Keep Windows updated for security patches
• Don’t disable security-critical services like Windows Defender (unless using third-party antivirus)
• Balance privacy with security

Caveats and Limitations

You cannot achieve 100% privacy on Windows 11. Even with all these hardening steps, Windows 11 is fundamentally designed for data collection. Consider these alternatives:

• Linux (Ubuntu, Fedora, or Linux Mint) for maximum privacy
• macOS (better privacy than Windows, though still collects some data)
• Qubes OS for extreme privacy and security

If you must use Windows, these hardening steps significantly reduce telemetry. Combined with privacy-respecting browsers (Firefox, Brave, LibreWolf) and a VPN, you can substantially improve your privacy posture on Windows 11.