10 Windows Privacy Tweaks to Reduce Telemetry and Surprises

Windows ships with a lot of sensible defaults — and a surprising number of questionable ones — and MakeUseOf’s recent roundup of “10 Windows settings I never leave on default” is a useful checklist for anyone who values privacy, stability, and fewer surprise interruptions.
This feature pulls together ten practical changes — from dialing back telemetry to unlinking OneDrive — and the recommendations are largely sound. Below is an expanded, verified, and critical take on each tweak, with step-by-step guidance, the technical rationale, compatibility notes, and the security or usability trade-offs you should consider before flipping any switches.

---

Background / Overview​

Windows exposes dozens of system-level toggles across Settings, Group Policy, and the Registry. Some are designed for convenience (automatic app updates, suggested hotspots), others for telemetry and feature improvement (diagnostic data, advertising ID), and a few are security controls that should be enabled on most systems (firewall, ransomware protection). The MakeUseOf list focuses on defaults that are frequently overlooked yet meaningful to privacy or system behavior: telemetry, advertising ID, location, store updates, active hours, untrusted fonts, public sharing, auto-connecting to hotspots, Dynamic Lock, and OneDrive backup.
Where appropriate, this guide verifies Microsoft’s official settings, explains the underlying mechanism, and cross-checks community reporting where Windows behavior has recently changed.

---

1) Telemetry: Reduce what Windows sends home (Diagnostics & feedback)​

What the default is and why it matters​

Windows collects diagnostic data to help Microsoft fix bugs and improve Windows, but not all data collection is equal. Windows exposes a tiered model: Required (the minimum) and Optional (more detailed usage and diagnostic content). Home editions can’t reach a full “off” state through Settings alone, but you can reduce the level and delete previously collected diagnostics. Microsoft documents the diagnostic levels and the mitigation options for enterprise and local control. (learn.microsoft.com)

How to reduce it (quick)​

• Settings → Privacy & security → Diagnostics & feedback → Disable “Send optional diagnostic data.”
• Use the “Delete diagnostic data” control in the same page to remove data Microsoft has stored from that device.

Trade-offs and verification​

• Pros: less app-usage and crash-detail telemetry leaving the PC; small CPU/memory savings from fewer telemetry services.
• Cons: Optional diagnostic data can help Microsoft diagnose faults and improve device-specific reliability; removing optional data may make troubleshooting trickier. Note that enterprise and Education SKUs have stronger controls (including “Diagnostic data off”) not available to typical Home users. (learn.microsoft.com, support.microsoft.com)

---

2) Advertising ID: Kill app-level ad tracking​

Why change it​

Windows assigns a per-user Advertising ID that apps can read to tailor ads and track usage across apps — roughly analogous to browser cookies. Turning it off stops apps from associating activity with that identifier. Microsoft documents the setting under Recommendations & offers. (support.microsoft.com)

How to turn it off​

• Settings → Privacy & security → Recommendations & offers → Toggle Advertising ID off (often labeled “Let apps show me personalized ads by using my advertising ID”).

Additional step​

Visit your Microsoft account privacy dashboard and opt out of interest-based advertising to cover tracking via Microsoft services outside the local device.

Trade-offs​

• You will still see ads; they’ll just be less personalized. Some in‑OS messaging and “recommended” content may still use basic device or account data to remain relevant. (support.microsoft.com)

---

3) Location Services: Turn off or lock down for privacy​

Why it matters​

Location services can reveal patterns about where you live, work, or travel. The NSA and other security organizations explicitly caution users that disabling location services alone is only one mitigation and that radios (Wi‑Fi/Bluetooth/cellular) can still leak location. If your threat model includes targeted location exposure, tighten radios and app permissions as well. (cyberscoop.com, bleepingcomputer.com)

How to disable or limit it​

• Settings → Privacy & security → Location → Toggle Location services off.
• If you need limited location access, scroll to Let apps access your location and grant permissions only to apps that require it.

Caveats​

• Disabling location will break services like Find my device and automatic time zone updates. For many users a middle ground (disable globally but allow specific apps) is the best trade-off.

---

4) Microsoft Store App Updates: Pause or control but expect limits​

What changed recently​

Microsoft has been tightening control over app updates distributed via the Microsoft Store. Recent reporting indicates the Store removed the ability to permanently stop app updates; you may now be limited to pausing updates for a limited window (commonly up to five weeks in current rollouts). That makes the Store behave more like Windows Update in forcing eventual updates, ostensibly to improve security. (tomshardware.com)

How to manage​

• Open Microsoft Store → Click profile icon → Settings → Toggle App updates off (or pause if the UI prompts you for a temporary pause).

Trade-offs​

• Pros: automatic security patches for Store apps.
• Cons: reduces user control; buggy updates can be pushed through Store and will re-enable automatically after the pause window. If you need absolute control, avoid installing critical tools via the Store or use local install packages where possible. (tomshardware.com)

---

5) Active Hours: Prevent surprise reboots​

What it does​

Active Hours tells Windows when not to automatically reboot to finish updates. The manual option lets you set up to 18 hours of active time. Microsoft documents how to set this in Settings and offers an automatic option too. (support.microsoft.com, windowscentral.com)

How to set​

• Settings → Windows Update → Advanced options → Active hours → Choose Manually and set your start and end times (up to 18 hours).

Caveats​

• Active Hours are not an update blocker — they prevent reboots during your specified window. If you postpone reboots too long you risk delaying critical security fixes.

---

6) Untrusted Font Blocking: Enable via Group Policy or Registry​

Why this matters​

Fonts are complex file formats and have been the vector of remote and local privilege escalation attacks. Windows supports a mitigation feature to block untrusted fonts (fonts not in %windir%\Fonts) — a security setting that is off by default but can be enabled via Group Policy or the Registry. Microsoft provides explicit registry values to enable, disable, or audit the feature. (learn.microsoft.com)

Registry steps (verified)​

• Open regedit and navigate to:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\
• Create a QWORD (64-bit) named MitigationOptions if not present.
• To enable blocking, set the value data to: 1000000000000 (hexadecimal base). To disable: 2000000000000. To enable audit: 3000000000000. Restart after changing. (learn.microsoft.com)

Trade-offs​

• Enabling can break applications that load fonts from custom locations; Microsoft documents how to exclude specific processes or install fonts to the Fonts directory instead. This is a valuable defense in high-risk environments or enterprise deployments.

---

7) File and Printer Sharing on Public Networks: Keep it off​

The risk​

File and printer sharing exposes services to others on the same network. For public network profiles, sharing should be disabled to prevent unauthorized access. Microsoft’s settings and community documentation show that public profiles default to sharing disabled, but this is one of the first things to verify on a new machine. (elevenforum.com, howtogeek.com)

How to check​

• Settings → Network & internet → Advanced network settings → Advanced sharing settings → Expand Public network → Ensure Network discovery and File and printer sharing are off.

Trade-offs​

• Turning this off prevents easy sharing on trusted networks — set the profile to Private when you trust the network (home/office) and enable sharing only there.

---

8) Auto-Connect to Suggested Open Hotspots: Stop auto-joining​

Background​

Older features like Wi‑Fi Sense used crowdsourced networks and could auto-connect. While Wi‑Fi Sense is deprecated, Windows can still auto-connect to open networks in some scenarios. The enterprise-focused Group Policy that governs auto-connect behavior remains documented, and Microsoft still offers controls over paid Wi‑Fi and “suggested open hotspots.” The safer, user-facing control is to enable random hardware (MAC) addresses to reduce tracking and to set known networks to not auto-connect. (learn.microsoft.com, support.microsoft.com)

Steps to reduce exposure​

• Settings → Network & internet → Wi‑Fi → Enable Random hardware addresses (global toggle).
• For specific networks: Manage known networks → choose network → set Random hardware addresses to Change daily or On.
• Forget or disable Connect automatically for unknown/open networks.

Trade-offs​

• Random hardware addresses help stop tracking across networks but can break networks that rely on fixed MAC addresses for whitelisting. Use per-network controls where you need a stable MAC.

---

9) Dynamic Lock: Disable if Bluetooth pairing is flaky​

What it is​

Dynamic Lock pairs Windows with a phone via Bluetooth and auto-locks the PC when the phone moves away. It’s handy on paper but depends on reliable Bluetooth connectivity, which is not consistent across devices. (support.microsoft.com)

How to disable​

• Settings → Accounts → Sign‑in options → Scroll to Dynamic Lock → Uncheck Allow Windows to automatically lock your device when you're away.

Trade-offs​

• If you have a stable Bluetooth setup and want automatic locking, this is convenient. If not, it can cause frustration (unexpected locks) and battery drain.

---

10) OneDrive Backup (Known Folder Move): Unlink or uninstall if you don’t need automatic cloud sync​

Why people change it​

During Windows setup many users find their Desktop, Documents, and Pictures automatically backed up to OneDrive (Known Folder Move). The default free OneDrive quota is small; if you don’t want automatic cloud sync, unlinking or uninstalling OneDrive stops the behavior. Community guides recommend unlinking first, and then uninstalling if desired. (lifewire.com)

How to unlink OneDrive​

• Click the OneDrive tray icon → Settings (gear) → Account → Unlink this PC.
• To remove completely: Settings → Apps → Apps & features → Find Microsoft OneDrive → Uninstall.

Trade-offs​

• Don’t disable OneDrive unless you have a reliable alternative backup plan. If you unlink/uninstall, implement local backups or another cloud provider to avoid data loss.

---

Practical rollout: safe order of operations​

• Back up your system (image or full-file backup) and create a Restore Point before editing Registry or Group Policy.
• Apply low-risk, reversible UI changes first (Advertising ID, Location, Random hardware addresses).
• Set Active Hours and adjust Microsoft Store update pause settings if needed.
• Disable Dynamic Lock and unlink OneDrive if you’re certain about alternate backup strategies.
• Tackle higher-risk items (MitigationOptions QWORD, disabling store update mechanisms) only after testing on a spare or non-critical machine.
• For enterprise fleets, manage settings through Group Policy / MDM and document changes carefully.

---

Critical analysis — strengths and limitations of the MakeUseOf list​

• Notable strengths:
• The list targets settings with real privacy or stability impact (telemetry, advertising ID, OneDrive sync).
• It mixes quick UI toggles with deeper, enterprise-ready mitigations (Group Policy, Registry) where appropriate.
• Many suggestions are low-risk and reversible, giving users an immediate improvement in privacy or fewer interruptions.
• Risks and caveats:
• Some changes — notably blocking untrusted fonts via MitigationOptions — can break legacy or poorly-designed apps. Microsoft explicitly documents exclusions and provides audit mode; use that first. (learn.microsoft.com)
• Aggressively stopping updates (including Microsoft Store app updates) is increasingly difficult and risky; Microsoft has been moving to more forced update models for both system and Store-delivered apps to reduce the security surface. Recent reporting shows the Store can now force updates back on after a brief pause window. If you require strict control over updates, you’ll need enterprise management tooling. (tomshardware.com)
• Disabling diagnostic/telemetry features can limit Microsoft’s ability to diagnose issues; it won’t make Windows “insecure” per se, but it can hinder troubleshooting for exotic hardware faults. The Required diagnostic level is still used for security and update telemetry on consumer devices. (learn.microsoft.com)
• The security trade-offs depend on threat model. For high-risk users (e.g., sensitive operatives, journalists), the NSA recommends significantly reducing location exposure and limiting app permissions and ad identifiers — actions that align with several items on this list but may be overkill for most consumers. (cyberscoop.com, bleepingcomputer.com)

---

Final verdict and recommended checklist​

MakeUseOf’s list is a practical, user-friendly collection of tweaks that appreciably improves privacy and reduces surprise behavior on most Windows PCs. The recommendations are aligned with Microsoft documentation and community best practices for responsible hardening. Use this concise checklist as a starting point:

• Disable optional telemetry (Diagnostics & feedback) and delete existing diagnostic data. (support.microsoft.com)
• Turn off Advertising ID in Recommendations & offers; opt out of interest-based ads in your Microsoft account. (support.microsoft.com)
• Disable Location Services or lock app-level access; weigh consequences for Find my device/time zone. (bleepingcomputer.com)
• Set Active Hours to cover your typical day; don’t rely on it to delay security patching indefinitely. (support.microsoft.com)
• Use Random hardware addresses for Wi‑Fi to limit tracking; manage per‑network exceptions for whitelisted networks. (support.microsoft.com)
• Disable Dynamic Lock if Bluetooth pairing is unreliable. (support.microsoft.com)
• Unlink OneDrive if you don’t want KFM backups; ensure you have an alternate backup plan. (lifewire.com)
• Disable File and Printer Sharing on public networks (Advanced sharing settings). (elevenforum.com)
• For security-conscious users, enable the Block Untrusted Fonts feature via Group Policy or the MitigationOptions registry QWORD (test in audit mode first). (learn.microsoft.com)
• Expect less control over Microsoft Store app updates than in the past; plan accordingly. (tomshardware.com)

This curated approach — starting with low-risk UI toggles and progressing to more invasive registry or Group Policy changes — preserves system reliability while improving privacy and reducing interruptions. MakeUseOf’s checklist is a useful blueprint; cross-check each change against your own workflow and hardware, and keep backups in place before making deeper system modifications.

---

Every Windows system is different: the best plan is measured change, verification, and a documented rollback path. The few minutes spent now tailoring these defaults will pay off in fewer interruptions, better privacy hygiene, and fewer puzzling behavior surprises later.

---

Source: MakeUseOf 10 Windows Settings I Never Leave on Default