Windows 10 personal data services configuration

Applies to:

  • Windows 10, version 1803

Microsoft assembled a list of Windows 10 services configuration settings that are useful for personal data privacy protection and related regulations, such as the General Data Protection Regulation (GDPR). There is one section with settings for service data that is managed at Microsoft and a section for local data that is managed by an IT organization.

IT Professionals who are interested in applying these settings through Group Policy can find the configuration for download here.

Introduction

Microsoft collects data from or generates it through interactions with users of Windows 10 devices. This information can contain personal data that may be used to provide, support, and improve Windows 10 services.

Many Windows 10 services are controller services. A user can manage data collection settings, for example by opening Start > Settings > Privacy or by visiting the Microsoft Privacy dashboard. While this relationship between Microsoft and a user is evident in a consumer type scenario, an IT organization can influence that relationship. For example, the IT department has the ability to configure the Windows diagnostic data level across their organization by using Group Policy, registry, or Mobile Device Management (MDM) settings.

Below is a collection of settings related to the Windows 10 personal data services configuration that IT Professionals can use as guidance for influencing Windows diagnostic data collection and personal data protection.

Windows diagnostic data

Windows 10 collects Windows diagnostic data—such as usage data, performance data, inking, typing, and utterance data—and sends it back to Microsoft. That data is used for keeping the operating system secure and up-to-date, to troubleshoot problems, and to make product improvements. For users who have turned on "Tailored experiences", that data can also be used to offer personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs.

The following options for configuring Windows diagnostic data are relevant in this context.

Diagnostic level

This setting determines the amount of Windows diagnostic data sent to Microsoft.

Note

In Windows 10, version 1709, Microsoft introduced a new feature: “Limit Enhanced diagnostic data to the minimum required by Windows Analytics”. When enabled, this feature limits the operating system diagnostic data events included in the Enhanced level to the smallest set of data required by Windows Analytics. For more information on the Enhanced level, see Configure Windows diagnostic data in your organization.

Group Policy

Group Policy: Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds
Policy Name: Allow Telemetry
Default setting: 2 - Enhanced
Recommended: 2 - Enhanced

Group Policy: User Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds
Policy Name: Allow Telemetry
Default setting: 2 - Enhanced
Recommended: 2 - Enhanced

Registry

Registry key: HKLM\Software\Policies\Microsoft\Windows\DataCollection
Value: AllowTelemetry
Type: REG_DWORD
Setting: "00000002"

Registry key: HKCU\Software\Policies\Microsoft\Windows\DataCollection
Value: AllowTelemetry
Type: REG_DWORD
Setting: "00000002"

MDM

MDM CSP: System
Policy: AllowTelemetry (scope: device and user)
Default setting: 2 – Enhanced
Recommended: 2 – Enhanced

Diagnostic opt-in change notifications

This setting determines whether a device shows notifications about Windows diagnostic data levels to people on first logon or when changes occur in the diagnostic configuration.

Group Policy

Group Policy: Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds
Policy Name: Configure telemetry opt-in change notifications
Default setting: Enabled
Recommended: Enabled

Registry

Registry key: HKLM\Software\Policies\Microsoft\Windows\DataCollection
Value: DisableTelemetryOptInChangeNotification
Type: REG_DWORD
Setting: "00000000" (this value is a Disable flag: 0 keeps the change notifications turned on, which is what the MDM value 0 – Enabled below does; 1 suppresses them)

MDM

MDM CSP: System
Policy: ConfigureTelemetryOptInChangeNotification
Default setting: 0 – Enabled
Recommended: 0 – Enabled

Configure telemetry opt-in setting user interface

This setting determines whether people can change their own Windows diagnostic data level in Start > Settings > Privacy > Diagnostics & feedback.

Group Policy

Group Policy: Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds
Policy Name: Configure telemetry opt-in setting user interface
Default setting: Enabled
Recommended: Enabled

Registry

Registry key: HKLM\Software\Policies\Microsoft\Windows\DataCollection
Value: DisableTelemetryOptInSettingsUx
Type: REG_DWORD
Setting: "00000000" (this value is a Disable flag: 0 leaves the Settings page available so people can change their own level, matching the MDM value 0 – Enabled below; 1 locks the control)

MDM

MDM CSP: System
Policy: ConfigureTelemetryOptInSettingsUx
Default setting: 0 – Enabled
Recommended: 0 – Enabled

Policies affecting personal data protection managed by the Enterprise IT

There are additional settings, usually managed by enterprise IT, that also affect the protection of personal data.

The following options for configuring these policies are relevant in this context.

BitLocker

The following settings determine whether fixed and removable data drives must be protected by BitLocker Drive Encryption before they can be written to.

Fixed Data Drives

Group Policy

Group Policy: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives
Policy Name: Deny write access to fixed drives not protected by BitLocker
Default setting: Not configured
Recommended: Enabled

Registry

Registry key: HKLM\System\CurrentControlSet\Policies\Microsoft\FVE
Value: FDVDenyWriteAccess
Type: REG_DWORD
Setting: "00000001"

MDM

MDM CSP: BitLocker
Policy: FixedDrivesRequireEncryption
Default setting: Disabled
Recommended: Enabled (see instructions)

Removable Data Drives

Group Policy

Group Policy: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives
Policy Name: Deny write access to removable drives not protected by BitLocker
Default setting: Not configured
Recommended: Enabled

Registry

Registry key: HKLM\System\CurrentControlSet\Policies\Microsoft\FVE
Value: RDVDenyWriteAccess
Type: REG_DWORD
Setting: "00000001"

Registry key: HKLM\Software\Policies\Microsoft\FVE
Value: RDVDenyCrossOrg
Type: REG_DWORD
Setting: "00000000" (0 leaves the policy's "Do not allow write access to devices configured in another organization" option unselected, so BitLocker-protected removable drives from other organizations remain writable)

MDM

MDM CSP: BitLocker
Policy: RemovableDrivesRequireEncryption
Default setting: Disabled
Recommended: Enabled (see instructions)
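Before enabling either deny-write policy, an administrator needs to know which data volumes are not yet BitLocker-protected, because those volumes become read-only as soon as the policy takes effect. The script below is an added example, not part of the Microsoft page: it joins Get-BitLockerVolume with Get-Volume so that each fixed or removable data volume is attributed to the policy that will govern it. Only the function name is the example's own; the cmdlets and property names are those of the built-in BitLocker and Storage modules.

```powershell
# Added example (not from the Microsoft page). Run from an elevated PowerShell
# prompt on Windows 10; requires the BitLocker and Storage modules.
function Get-DataVolumeProtection {
    # Map "D:" -> Fixed / Removable. Get-BitLockerVolume reports both kinds as
    # VolumeType 'Data', so the drive type has to come from Get-Volume.
    $driveType = @{}
    Get-Volume | Where-Object { $_.DriveLetter } | ForEach-Object {
        $driveType["$($_.DriveLetter):"] = [string]$_.DriveType
    }

    Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'Data' } | ForEach-Object {
        $kind = $driveType[$_.MountPoint]
        $policy = switch ($kind) {
            'Fixed'     { 'FDVDenyWriteAccess (Fixed Data Drives)' }
            'Removable' { 'RDVDenyWriteAccess (Removable Data Drives)' }
            default     { 'n/a' }
        }
        [pscustomobject]@{
            MountPoint         = $_.MountPoint
            DriveType          = $kind
            ProtectionStatus   = $_.ProtectionStatus     # On / Off
            VolumeStatus       = $_.VolumeStatus         # FullyEncrypted, EncryptionInProgress, ...
            PercentEncrypted   = $_.EncryptionPercentage
            GovernedBy         = $policy
            # A data volume that is not protected loses write access once the
            # matching deny-write policy is enabled.
            WillBecomeReadOnly = ($_.ProtectionStatus -ne 'On')
        }
    }
}

Get-DataVolumeProtection | Format-Table -AutoSize
```

Volumes that show WillBecomeReadOnly = True should be encrypted (or, for removable media, retired) before the Group Policy or MDM setting is pushed; a volume whose VolumeStatus is EncryptionInProgress still reports ProtectionStatus Off until encryption completes and protectors are enabled.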

Privacy – AdvertisingID

This setting determines whether the advertising ID is turned off, which prevents apps from using the ID for experiences across apps.

Group Policy

Group Policy: Computer Configuration\Administrative Templates\System\User Profiles
Policy Name: Turn off the advertising ID
Default setting: Not configured
Recommended: Enabled

Registry

Registry key: HKLM\Software\Policies\Microsoft\Windows\AdvertisingInfo
Value: DisabledByGroupPolicy
Type: REG_DWORD
Setting: "00000001"

MDM

MDM CSP: Privacy
Policy: DisableAdvertisingId
Default setting: 65535 (default) - Not configured
Recommended: 1 – Enabled

Edge

These settings determine whether employees send the “Do Not Track” header from the Microsoft Edge web browser to websites.

Note

See this Microsoft blog post for more details on why “Do Not Track” is no longer the default setting.

Group Policy

Group Policy: Computer Configuration\Administrative Templates\Windows Components\Microsoft Edge
Policy Name: Configure Do Not Track
Default setting: Disabled
Recommended: Disabled

Group Policy: User Configuration\Administrative Templates\Windows Components\Microsoft Edge
Policy Name: Configure Do Not Track
Default setting: Disabled
Recommended: Disabled

Registry

Registry key: HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main
Value: DoNotTrack
Type: REG_DWORD
Setting: "00000000"

Registry key: HKCU\Software\Policies\Microsoft\MicrosoftEdge\Main
Value: DoNotTrack
Type: REG_DWORD
Setting: "00000000"

MDM

MDM CSP: Browser
Policy: AllowDoNotTrack (scope: device and user)
Default setting: 0 (default) – Not allowed
Recommended: 0 – Not allowed

Internet Explorer

These settings determine whether employees send the “Do Not Track” header from the Internet Explorer web browser to websites.

Group Policy

Group Policy: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
Policy Name: Always send Do Not Track header
Default setting: Disabled
Recommended: Disabled

Group Policy: User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
Policy Name: Always send Do Not Track header
Default setting: Disabled
Recommended: Disabled

Registry

Registry key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main
Value: DoNotTrack
Type: REG_DWORD
Setting: "00000000"

Registry key: HKCU\Software\Policies\Microsoft\Internet Explorer\Main
Value: DoNotTrack
Type: REG_DWORD
Setting: "00000000"

MDM

MDM CSP: N/A
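The following audit script is an added example, not part of the Microsoft page. It reads every registry policy value listed on this page (Data Collection, BitLocker, AdvertisingInfo, Microsoft Edge and Internet Explorer) and reports whether each one matches the recommended value, so an administrator can verify that Group Policy or MDM actually delivered the configuration. The function name and the result layout are the example's own. Two of the DataCollection values, DisableTelemetryOptInChangeNotification and DisableTelemetryOptInSettingsUx, are Disable flags: the value that keeps notifications and the Settings control available is 0, the registry equivalent of the MDM recommendation 0 – Enabled.

```powershell
# Added example (not from the Microsoft page). Run from an elevated PowerShell
# prompt; only Get-ItemProperty / Test-Path are used, no extra modules needed.
$expected = @(
    @{ Path = 'HKLM:\Software\Policies\Microsoft\Windows\DataCollection'; Name = 'AllowTelemetry';                           Value = 2; Meaning = '2 = Enhanced diagnostic data' }
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Windows\DataCollection'; Name = 'AllowTelemetry';                           Value = 2; Meaning = '2 = Enhanced diagnostic data (user scope)' }
    @{ Path = 'HKLM:\Software\Policies\Microsoft\Windows\DataCollection'; Name = 'DisableTelemetryOptInChangeNotification';  Value = 0; Meaning = 'Disable flag: 0 keeps change notifications on' }
    @{ Path = 'HKLM:\Software\Policies\Microsoft\Windows\DataCollection'; Name = 'DisableTelemetryOptInSettingsUx';          Value = 0; Meaning = 'Disable flag: 0 lets users change their own level' }
    @{ Path = 'HKLM:\System\CurrentControlSet\Policies\Microsoft\FVE';    Name = 'FDVDenyWriteAccess';                       Value = 1; Meaning = 'Deny write to fixed drives not protected by BitLocker' }
    @{ Path = 'HKLM:\System\CurrentControlSet\Policies\Microsoft\FVE';    Name = 'RDVDenyWriteAccess';                       Value = 1; Meaning = 'Deny write to removable drives not protected by BitLocker' }
    @{ Path = 'HKLM:\Software\Policies\Microsoft\FVE';                    Name = 'RDVDenyCrossOrg';                          Value = 0; Meaning = '0 = protected drives from other organizations stay writable' }
    @{ Path = 'HKLM:\Software\Policies\Microsoft\Windows\AdvertisingInfo';Name = 'DisabledByGroupPolicy';                    Value = 1; Meaning = '1 = advertising ID turned off' }
    @{ Path = 'HKLM:\Software\Policies\Microsoft\MicrosoftEdge\Main';     Name = 'DoNotTrack';                               Value = 0; Meaning = 'Edge does not send Do Not Track' }
    @{ Path = 'HKCU:\Software\Policies\Microsoft\MicrosoftEdge\Main';     Name = 'DoNotTrack';                               Value = 0; Meaning = 'Edge does not send Do Not Track (user scope)' }
    @{ Path = 'HKLM:\Software\Policies\Microsoft\Internet Explorer\Main'; Name = 'DoNotTrack';                               Value = 0; Meaning = 'Internet Explorer does not send Do Not Track' }
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Main'; Name = 'DoNotTrack';                               Value = 0; Meaning = 'Internet Explorer does not send Do Not Track (user scope)' }
)

function Get-PolicyValue {
    # Returns the REG_DWORD, or $null when the key or the value is absent
    # (absent means "Not configured" and the Windows default applies).
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-PrivacyPolicyState {
    foreach ($e in $expected) {
        $actual = Get-PolicyValue -Path $e.Path -Name $e.Name
        $status = if ($null -eq $actual)              { 'NotConfigured' }
                  elseif ([int]$actual -eq $e.Value)  { 'Compliant' }
                  else                                 { 'Deviates' }
        [pscustomobject]@{
            Hive     = $e.Path.Split(':')[0]   # HKLM or HKCU
            Setting  = $e.Name
            Expected = $e.Value
            Actual   = $actual
            Status   = $status
            Meaning  = $e.Meaning
        }
    }
}

Get-PrivacyPolicyState | Sort-Object Status, Hive, Setting | Format-Table -AutoSize
```

HKCU entries reflect the account the script runs under, so user-scope values must be checked in the affected user's session (or under the user's SID in HKEY_USERS), not from an administrator's elevated session. NotConfigured is not automatically a failure: for the Disable flags and the Do Not Track values an absent entry yields the recommended behaviour through the Windows default, whereas an absent AllowTelemetry or BitLocker value means the organization is relying on the default rather than enforcing the setting.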

Additional resources

FAQs

Blogs

Privacy Statement

Windows Privacy on docs.microsoft.com

Other resources