1. Home
  2. Windows 10
  3. Windows 10 Privacy Settings

Windows 10 Privacy Settings

Windows 10 ships with a dedicated privacy group in the Settings application. You can open it in the following way:

  1. Use the keyboard shortcut Windows-I to open the Settings application. You may use the Start menu instead as it links to Settings as well.
  2. Select Privacy from the list of available groups.

Notes

  • These privacy settings apply only to apps, but not to legacy desktop programs. As a rule of thumb: apps are downloaded from Windows Store, desktop programs are not. This does not apply 100% but to the majority of cases.
  • The bulk of settings give you control over access to data on the device such as the calendar, contacts, and also hardware devices, like the microphone or camera.

The Privacy group of settings lists the following pages in the Windows 10 April 2018 Update, and divides it into Windows permissions and App permissions:

Windows Permissions

  • General – Lists important privacy settings, and links to look up information and manage information that is stored online.
  • Speech, inking, & typing – Enable or disable speech services and typing suggestions, and manage cloud information.
  • Diagnostics & feedback – Set the Telemetry data level (Basic or Full), set feedback frequency, and toggle the tailored experienced option.
  • Activity history — Powers the Windows Timeline feature and defines whether data is shared with the cloud.

App Permissions

  • Location – Manage location based settings such as enabling location-based look-ups, or clearing the location history.
  • Camera – Select whether apps may use a camera connected to the device, and manage this on a per-app basis.
  • Microphone – Select whether apps may use the microphone, and manage apps that are allowed to use the microphone.
  • Notifications – Select whether applications may access notifications, and manage the permission for individual apps.
  • Account info – Select whether apps may access your name, picture and other account information, and manage this on a per-application basis.
  • Contacts – Select whether apps may access your contacts, and manage individual application rights for that.
  • Calendar —  Define if apps may access calendars on the device, and manage individual app access.
  • Call history – Select whether apps may access your call history, and manage these apps individually.
  • Email – Select whether apps may access your email (including sending), and manage individual application rights.
  • Tasks – Select whether apps may access tasks, and manage these apps.
  • Messaging – Select whether apps may read and send messages (text or MMS), and manage these applications individually.
  • Radios – Manage radio support, e.g. for Bluetooth and select whether apps are allowed to control radios on the system.
  • Other devices – Configure app syncing with your other device, and manage the list of trusted devices.
  • Background apps – Select whether apps are allowed to run in the background, and manage individual app permissions in this regard.
  • App diagnostics – Select whether apps are allowed to access diagnostic information.
  • Automatic file downloads – Determines whether file sync services such as OneDrive may download online-only files automatically when requested by the user.
  • Documents — Select whether Windows or apps may access the documents folder.
  • Pictures –Select whether Windows or apps may access the pictures folder.
  • Videos — Select whether Windows or apps may access the videos folder.
  • File System — Select whether apps or Windows have access to files.

General

privacy general

The General page of the Privacy group lists the following options:

  • Let apps use advertising ID to make ads more interesting to you based on your app usage (turning this off will reset your ID) – This defines whether applications may access the advertising ID that identifies the device which in turn means tracking.
    • Windows generates a unique advertisingID for each user on a device, which app developers and advertising networks can use to provide more relevant advertising in apps. When the advertising ID is enabled, apps can access and use it in much the same way that websites can access and use a unique identifier stored in a cookie. Thus, app developers (and the advertising networks they work with) can use your advertising ID to provide more relevant advertising and other personalized experiences across their apps.
  • Let websites provide locally relevant content by accessing my language list – Defines whether websites that you open on the device may access the list of languages installed on the device to display local content instead of generic content.
    • Some websites may have their content available in different languages. Windows can share information about your preferred language list with websites so that they can have the opportunity to respect your language preferences without you having to independently set them for each site.
  • Let Windows track app launches to improve Start and search results – If enabled, Windows tracks application launches and uses the information for Start’s (most used apps) and search results.
    • Windows can personalize your Start menu based on the apps that you launch. This allows you to quickly have access to your list of Most used apps both in the Start menu and when you search your device.
  • Show me suggested content in the Settings application – Windows 10 may display suggestions, read tips and promotions, in the Settings application when not turned off.

Advertising ID

Note: The advertising ID is reset when you turn off the feature in the UI.

Group Policy options

  1. Open the Group Policy Editor
  2. Go to Computer Configuration > Administrative Templates > System > User Profiles
  3. Select Turn off the advertising ID.
  4. Set the policy to enabled.

Registry options

  1. Open the Windows Registry Editor
  2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo
  3. Right-click on AdvertisingInfo and select New > Dword (32-bit) Value.
  4. Name it Enabled.
  5. Set its value to 0.

or,

  1. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo
  2. Right-click on AdvertisingInfo, and select New > Dword (32-bit) Value.
  3. Name it DisabledByGroupPolicy
  4. Set its value to 1.

Let websites provide locally relevant content by accessing my language list

  1. Open the Windows Registry Editor.
  2. Go to HKEY_CURRENT_USER\Control Panel\International\User Profile
  3. Right-click on User Profile, and select New > Dword (32-bit) Value from the context menu.
  4. Name it HttpAcceptLanguageOptOut
  5. Set its value to 1.

Let Windows track app launches to improve Start and search results

  1. Open the Windows Registry Editor.
  2. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  3. Right-click on Advanced, select New > Dword (32-bit) Value.
  4. Name it Start_TrackProgs
  5. Set its value to 0.

Speech, inking & typing

privacy speech

Speech services and typing suggestions can be turned on or off when you open the speech, inking & typing page of the privacy options.

When switched on, it enables you to talk to Cortana and other Store applications. Your typing history and handwriting patterns are used to create a local user dictionary, and provide you with better suggestions

Microsoft will use voice input to improve cloud-based speech services

When the setting is off, you cannot talk to Cortana, and any existing typing and inking user dictionary is erased. Voice data in the cloud is disassociated with the device.

Speech services that don’t rely on the cloud will still work, and so will typing suggestions and handwriting recognition that uses the system dictionary.

To use speech recognition, getting to know you (the privacy setting under Speech, inking & typing) must be turned on because speech services exist both in the cloud and on your device. The info Microsoft collects from these services helps to improve them. Speech services that don’t rely on the cloud and only live on your device, like Narrator and Windows Speech Recognition, will still work when this setting is turned off, but Microsoft won’t collect any speech data.

When your Diagnostic and usage data setting (Settings > Privacy > Feedback & diagnostics) is set to Full, your inking and typing input data is sent to Microsoft, and we use this data in the aggregate to improve the inking and typing platform for all users. Learn more about Diagnostic data here. As part of inking and typing on your device, Windows creates a user dictionary that stores unique words like names you write, which helps you type and ink more accurately.

Turn off automatic learning

Automatic learning enables the collection and storage of text and ink written by the user in order to help adapt handwriting recognition to the vocabulary and handwriting style of the user.

Text that is collected includes all outgoing messages in Windows Mail, and MAPI enabled email clients, as well as URLs from the Internet Explorer browser history. The information that is stored includes word frequency and new words not already known to the handwriting recognition engines (for example, proper names and acronyms). Deleting email content or the browser history does not delete the stored personalization data. Ink entered through Input Panel is collected and stored.

Group Policy

This policy setting turns off the automatic learning component of handwriting recognition personalization.

If you enable this policy setting, automatic learning stops and any stored data is deleted. Users cannot configure this setting in Control Panel.

  1. Open the Group Policy Editor.
  2. Go to Computer Configuration > Administrative Templates > Control Panel > Regional and Language Options > Handwriting personalization
  3. Select Turn off automatic learning.
  4. Set the policy to enabled.
 Registry Editor
  1. Open the Windows Registry Editor
  2. Go to HKEY_LOCAL_MACHINE\Policies\Microsoft\InputPersonalization
  3. Right-click on InputPersonalization, and select New > Dword (32-bit) Value.
  4. Name it RestrictImplicitInkCollection.
  5. Set its value to 1.

or

  1. Go to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Personalization\Settings.
  2. Right-click on Settings, and select New > Dword (32-bit) Value.
  3. Name it AcceptedPrivacyPolicy.
  4. Set its value to 0.

or

  1. Go to HKEY_CURRENT_USER\SOFTWARE\Microsoft\InputPersonalization\TrainedDataStore
  2. Right-click on TrainedDataStore, and select New > Dword (32-bit) Value.
  3. Name it HarvestContacts
  4. Set its value to 0.

Allow Input Personalization

Group Policy

This policy turns of the automatic learning component of input personalization (that includes speech, inking and typing).

Automatic learning enables the collection of speech and handwriting patterns, typing history, contacts, and recent calendar information.  It is required for the use of Cortana. Some of this collected information may be stored on the user’s OneDrive, in the case of inking and typing; some of the information will be uploaded to Microsoft to personalize speech.

Policy: Computer Configuration > Administrative Templates > Control Panel > Regional and Language Options > Allow input personalization

  • Enabled – Automatic learning of speech, inking and typing is enabled. Some information may be uploaded to Microsoft, and some may be stored on OneDrive.
  • Disabled – The feature is turned off. Automatic learning of speech, typing and inking is stopped. 
Windows Registry

Key:  HKEY_CURRENT_USER\SOFTWARE\Microsoft\InputPersonalization

Name:  RestrictImplicitTextCollection

Type: Dword

  • 1 – Turn off implicit text collection.
  • 0 – Default, text is collected.

Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\InputPersonalization

Name:  RestrictImplicitInkCollection

Type: Dword

  • 1 – Turn off implicit ink collection.
  • 0 – Default, ink data is collected.

Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\InputPersonalization\TrainedDataStore

Name:  HarvestContacts

Type: Dword

  • 0 – The feature is turned off.
  • 1 – Default, the feature is enabled.

Turn off updates to speech recognition and speech synthesis

Determines whether the device will check for speech recognition and speech synthesis updates, and download them automatically.

Group Policy

A speech model contains data used by the speech engine to convert audio to text (or vice-versa). The models are periodically updated to improve accuracy and performance. Models are non-executable data files.

If enabled (default), the device will periodically check for updated speech models and then download them from a Microsoft service using the Background Internet Transfer Service (BITS).

  1. Open the Group Policy Editor.
  2. Go to Computer Configuration > Administrative Templates > Windows Components > Speech
  3. Select Allow automatically update of Speech Data
  4. Set the policy to disabled.
Windows Registry
  1. Open the Windows Registry Editor
  2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Preferences
  3. Right-click on Preferences, and select New > Dword (32-bit) Value.
  4. Name it ModelDownloadAllowed.
  5. Set the value to 0.

Turn off handwriting personalization data sharing

The handwriting recognition personalization tool may be used on Windows Tablet PCs to adapt handwriting recognition to the user’s writing style.

Windows Tablet PCs may share handwriting data automatically with Microsoft to “improve handwriting recognition in future versions of Windows”.

Group Policy

 Computer Configuration > Administrative Templates > System > Internet Communication Management > Internet Communication settings > Turn off handwriting personalization data sharing

  • Enabled: When this policy is enabled Windows users may not share writing samples from the handwriting recognition personalization tool with Microsoft.
  • Disabled: Samples are shared automatically with Microsoft when the tool is being used.
  • Not Configured: Users are prompted and may decide to share the data with Microsoft.
Windows Registry

Registry Key: HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Windows\TabletPC

Name: PreventHandwritingDataSharing

Type: Dword

  • A value of 1 prevents handwriting data sharing.

Turn off handwriting recognition error reporting

The handwriting recognition error reporting tool enables users to report errors. The tool generates error reports, and transmits them to Microsoft.

Microsoft uses the data to improve handwriting recognition in future versions of Windows.

Group Policy

Computer Configuration > Administrative Templates > System > Internet Communication Management > Internet Communication settings > Turn off handwriting recognition error reporting

  • Enabled: When this policy is enabled, users may not start the handwriting recognition error reporting tool or send error reports to Microsoft.
  • Disabled: Same as not configured. Users may use the handwriting recognition error reporting tool to send error data to Microsoft.
Windows Registry

Registry Key: HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports

Name: PreventHandwritingErrorReports

Type: Dword

  • A value of 1 prevents use of the handwriting error reporting tool, and the reporting of errors to Microsoft.

Diagnostics & feedback

The Windows 10 Creators Update supports two diagnostic settings (down from three in previous versions of Windows.

The only exception to that is that Enterprise editions support turning off diagnostics completely.

We suggest you select Basic as it collects and transfers less data to Microsoft.

Basic – See this Microsoft page for a full list of what is collected:

https://docs.microsoft.com/en-us/windows/configuration/basic-level-windows-diagnostic-events-and-fields

The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. When the level is set to Basic, it also includes the Security level information.

The Basic level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems.

Full – includes all basic level data sets, and additional data sets.

You find a listing of those here: https://docs.microsoft.com/en-us/windows/configuration/windows-diagnostic-data

  • Switch between Basic and Full diagnostic levels.
  • Improve inking & typing recognition – Sends inking and typing data to Microsoft. We suggest you turn this off.
  • Tailored experiences — Microsoft may use diagnostic data to provide personalized experiences, e.g. personalized advertisement, tips, or suggestions. We suggest you turn this off.
  • Diagnostic Data Viewer — You can install the app to view the diagnostic data that Microsoft collects.
  • Delete diagnostic data — option to delete all diagnostic data on the device.
  • Feedback Frequency — change the frequency in which Microsoft asks for feedback.

Windows should ask for my feedback

Group Policy

This policy setting allows an organization to prevent its devices from showing feedback questions from Microsoft.

  1. Open the Group Policy Editor.
  2. Go to Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds
  3. Select Do not show feedback notifications.
    1. Enable this policy to block feedback notifications through the Windows Feedback application.
    2. Disable this policy, or don’t configure it, to allow feedback notifications through the Windows Feedback application.
Windows Registry
  1. Open the Windows Registry Editor.
  2. Go to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DataCollection
  3. Right-click on DataCollection, and select New > Dword (32-bit) Value.
  4. Name it DoNotShowFeedbackNotifications
    1. A value of 1 disables feedback notifications.
    2. A value of 0 allows them.
Alternatively
  1. Go to HKEY_CURRENT_USER\Software\Microsoft\Siuf\Rules\
  2. Right-click on Rules, and select New > Dword (32-bit value)
  3. Name it PeriodInNanoSeconds
  4. Set its value according to the table below.
  5. Go to HKEY_CURRENT_USER\Software\Microsoft\Siuf\Rules\
  6. Right-click on Rules, and select New > Dword (32-bit value)
  7. Name it NumberOfSIUFInPeriod
  8. Set its value according to the table below
Setting PeriodInNanoSeconds NumberOfSIUFInPeriod
Automatically Delete the registry setting Delete the registry setting
Never 0 0
Always 100000000 Delete the registry setting
Once a day 864000000000 1
Once a week 6048000000000 1

Use Diagnostic Data for Tailored Experiences

Group Policy

This policy setting lets you prevent Windows from using diagnostic data to provide tailored experiences to the user.

  1. Open the Group Policy Editor
  2. Go to User Configuration > Administrative Templates > Windows Components > Cloud Content
  3. Select Do not use diagnostic data for tailored experiences.
    1. Set this policy to enabled if you don’t want Windows to use diagnostic data from the device to customize content shown on the lock screen, and elsewhere.
    2. Set this policy to disabled, to enable personalized recommendations based on telemetry data.

Activity History

activity history

Activity History is a new feature that Microsoft introduced in Windows 10 version 1803.

The feature powers the operating system’s Timeline functionality which keeps track of activity on the system to display it in a view that Microsoft calls timeline.

Timeline can be used on individual PCs, across multiple PCs, and it even may display activity from supported apps that you run on your mobile devices.

The following preferences are available:

  • Let Windows collect my activities from this PC — Windows keeps track of the activity of supported applications on the local device.
  • Let Windows sync my activities from this PC to the cloud — Syncs the activity with the cloud so that it becomes available on all connected Windows 10 devices.
  • Show activities from accounts — You may select accounts that you want activities to be displayed for and disable the feature for other accounts if you use multiple accounts.
  • Clear Activity History — Option to clear the history for accounts.

Enables Activity Feed

enables activity feed

Enable Activity Feed is the main policy for Windows Timeline.

Group Policy
  1. Open the Group Policy Editor
  2. Go to Computer Configuration > Administrative Templates > System > OS Policies
  3. Double-click on Enables Activity Feed

The policy supports the following states:

  • Not configured — default state.
  • Enabled — Collects all activity type data and allow all data to be published
  • Disabled — If you disable the policy, activity data won’t be recorded and won’t be synced with the cloud.
Windows Registry
  1. Open the Windows Registry Editor.
  2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System
  3. If you don’t see the Dword EnableActivityFeed
    1. Right-click on System and select New > Dword (32-bit) Value.
    2. Name it EnableActivityFeed
  4. Set the value of the Dword to 0 to disable Activity Feed.
  5. Set the value of the Dword to 1 to enable Activity Feed

Allow publishing of User Activities

allow publishing user activities

The policy determines whether Windows can publish User Activities (in Timeline)

Group Policy
  1. Open the Group Policy Editor
  2. Go to Computer Configuration > Administrative Templates > System > OS Policies
  3. Double-click on Allow publishing of User Activities

The policy supports the following states:

  • Not Configured — default state.
  • Enabled — Windows is allowed to publish User Activities.
  • Disabled — Windows may not published User Activities.
Windows Registry
  1. Open the Windows Registry Editor.
  2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System
  3. If you don’t see the Dword PublishUserActivities
    1. Right-click on System and select New > Dword (32-bit) Value.
    2. Name it PublishUserActivities
  4. Set the value of the Dword to 0 to disable the publishing of User Activities
  5. Set the value of the Dword to 1 to enable the publishing of User Activities

Allow upload of User Activities

allow upload user activity

The policy determines whether Windows may upload user activities so that the data is shared across devices.

Group Policy
  1. Open the Group Policy Editor
  2. Go to Computer Configuration > Administrative Templates > System > OS Policies
  3. Double-click on Allow upload of User Activities

The policy supports the following states:

  • Not Configured — default state.
  • Enabled — Windows is allowed to upload User Activities.
  • Disabled — Windows may not upload User Activities.
Windows Registry
  1. Open the Windows Registry Editor.
  2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System
  3. If you don’t see the Dword UploadUserActivities
    1. Right-click on System and select New > Dword (32-bit) Value.
    2. Name it UploadUserActivities
  4. Set the value of the Dword to 0 to disable the uploading of User Activities
  5. Set the value of the Dword to 1 to enable the uploading of User Activities

Location

You can manage several location-specific privacy settings when you click on Location under App permissions.

  • Location on / off – This toggle allows you to enable or disable location functionality on the device. If disabled, no application that runs on the device may make use of it.
  • Default location – You may add a default location which Windows, apps and services will make use of it no location cannot be detected.
  • Location history – Windows 10 stores the location history for a limited period of time (24 hours) on the device. You may use this option to clear the location history on the device.
  • Choose apps that can use your precise location – Select individual applications that are allowed to look up your location.
  • Geofencing – Lists applications that make use of Geofencing.
    • Some apps use geofencing, which can turn on or off particular services or show you information that might be useful when you’re in an area defined (or “fenced”) by the app

To turn off Location for this Device

Group Policy

If you enable this policy setting, the location feature is turned off, and all programs on this computer are prevented from using location information from the location feature.

  1. Open the Group Policy Editor
  2. Go to Computer Configuration > Administrative Templates > Windows Components > Location and Sensors
  3. Select Turn off Location.
  4. Set the policy to enabled, to disable location on the device.
Windows Registry Editor
  1. Open the Registry Editor
  2. Go to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy
  3. Right-click on AppPrivacy, and select New > Dword (32-bit) Value.
  4. Name it LetAppsAccessLocation
  5. Set the value to 1 to turn on application location access, and users cannot change it.
  6. Set its value to 2 to turn off location access, and disallow users to change it.

To turn off Location for apps

Group Policy

This policy setting specifies whether Windows apps can access location.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the “Force Deny” option, Windows apps are not allowed to access location and employees in your organization cannot change it.

  1. Open the Group Policy Editor
  2. Go to Computer Configuration > Administrative Templates > Windows Components > App Privacy
  3. Select Let Windows apps access location.
  4. Enable the policy.
  5. Set the “default for all apps” box to Force Deny.
Windows Registry
  1. Open the Registry Editor
  2. Go to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LocationAndSensors
  3. Right-click on LocationAndSensors, and select New > Dword (32-bit) Value.
  4. Name it DisableLocation
  5. Set its value to 1.

Turn off location

This setting determines whether the location feature is available on this device.

Policy:  Computer Configuration > Administrative Templates > Windows Components > Location and Sensors > Turn off location

  • Enabled – Location feature is turned off, and all programs on the computer are prevented from using the location feature.
  • Disabled – Same as not configured; the location feature is enabled.
Windows Registry

Key: HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\AppPrivacy

Name:  LetAppsAccessLocation

Type: Dword

  • 2 – Turned off

Turn off location scripting

This feature turns off scripting for the location feature (means whether scripts for the location feature may run).

Policy:  Computer Configuration > Administrative Templates > Windows Components > Location and Sensors > Turn off location scripting

  • Enabled – This turns location scripting off so that it is not available.
  • Disabled – Same as not configured; location scripting is enabled.
Windows Registry

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors

Name:  DisableLocationScripting

Type: Dword

  • 0 – The feature is enabled.
  • 1 – The feature is disabled.

Camera

camera

The Camera privacy group offers the following options:

  • Enable or disable access to the camera on the device.
  • Toggle the use of camera hardware (e.g. a webcam), by apps on or off.
  • Manage all applications that may use the camera, and allow or disallow usage individually.

General information on camera use:

Windows 10 highlights the use of the camera by turning on the camera light whenever it is in use.

If the device does not have a camera light, a notification is displayed instead.

Some exceptions apply to the general camera privacy settings.

Windows Hello, Windows 10’s biometric authentication system, will make use of the camera even if camera use is disabled for applications in the privacy settings.

The setting ignores desktop programs. Only Windows Store apps and apps that ship with Windows 10 by default are affected by the settings.

Let apps use my camera

apps camera

Group Policy

This policy setting specifies whether Windows apps can access the camera.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

  1. Open the Group Policy Editor
  2. Go to Computer Configuration > Administrative Templates > Windows Components > App Privacy
  3. Select Let Windows apps access the camera.
  4. Set the policy to enabled.
  5. In the “Default for all apps” box, select one of the following values:
    • User is in control means that users may allow or disallow access to the camera using the Settings application.
    • Force Allow means that apps may access the camera, and that users cannot change this.
    • Force Deny means that apps cannot access the camera, and that users cannot change this.
Windows Registry
  1. Open the Registry Editor
  2. Go to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy
  3. Right-click on AppPrivacy, and select New > Dword (32-bit) Value.
  4. Name it LetAppsAccessCamera.
  5. Set the value to one of the following supported integers:
    1. A value of 0 means that the user is in control.
    2. A value of 1 means force allow.
    3. A value of 2 means force deny.

Microphone

microphone

The Microphone privacy settings page offers the following options:

  • Allow access to the microphone.
  • Toggle microphone use by applications. If turned off, applications may not use the microphone for functionality.
  • Select permissions for applications individually.

As is the case with the camera preference, the microphone preference affects only Windows Applications but not desktop programs.

Let apps use my microphone

Group Policy

This policy setting specifies whether Windows apps can access the microphone.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

  1. Open the Group Policy Editor
  2. Go to Computer Configuration > Administrative Templates > Windows Components > App Privacy
  3. Select Let windows apps access the microphone
  4. Set the policy to enabled.
  5. In the “default for all apps” box, set one of the following values:
    1. User is in control means that users may change the privacy setting using the Settings application.
    2. Force allow means that apps may access the microphone, and that users cannot change it.
    3. Force deny means that apps may not access the microphone, and that users cannot change this.
Windows Registry
  1. Open the Registry Editor
  2. Go to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy
  3. Right-click on AppPrivacy, and select New > Dword (32-bit) Value.
  4. Name it LetAppsAccessMicrophone.
  5. Set it to one of the following values:
    1. A value of 0 means that users are in control.
    2. A value of 1 means force allow.
    3. A value of 2 means force deny.

Notifications

notifications

The Notifications page of the Settings application displays the following options when you open it:

  • Enable or disable access to notifications by apps.
  • Manage notifications for individual applications.

Note that you are limited to control the use of notifications by applications. Windows will still use notifications to inform you about certain things even if you turn off notifications in the privacy application.

Let apps access my notifications

Group Policy

This policy setting specifies whether Windows apps can access notifications.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

  1. Open the Group Policy Editor.
  2. Go to Computer Configuration > Administrative Templates > Windows Components > App Privacy.
  3. Select Let Windows apps access notifications.
  4. Set the policy to enabled.
  5. Set the “default for all apps” box to one of the following values:
    1. User is in control means that users can control the access to notifications using the Settings application.
    2. Force allow means that apps are allowed to access notifications, and that users cannot change that.
    3. Force deny means that apps are not allowed to access notifications, and that users cannot change that.
Windows Registry
  1. Open the Registry Editor.
  2. Go to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy
  3. Right-click on AppPrivacy, and select New > Dword (32-bit) Value.
  4. Name it LetAppsAccessNotifications.
  5. Set it to one of the following values:
    1. A value of 0 means that the user is in control of the functionality.
    2. A value of 1 means force allow.
    3. A value of 2 means force deny.

Account Info

account info

The Account info page provides you with the means to enable or disable general access to your name, picture and other account information.

Microsoft added options to turn off access to account information globally or only for applications in Windows 10 version 1803.

You may also allow or disallow access on a per-application basis instead.

Let apps access my name, picture, and other account info

Group Policy

This policy setting specifies whether Windows apps can access account information.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the “Force Deny” option, Windows apps are not allowed to access account information and employees in your organization cannot change it.

  1. Load the Group Policy Editor.
  2. Go to Computer Configuration > Administrative Templates > Windows Components > App Privacy.
  3. Open Let Windows apps access account information.
  4. Set the policy to enabled.
  5. Set the “default for all apps” setting to one of the following values:
    1. User is in control means that users may select to allow or block individual apps, or the privacy feature, in the Settings application.
    2. Force Allow means that Windows apps may use account information, and that users cannot change that.
    3. Force Deny means that Windows apps may not use account information, and that users cannot change that.
Windows Registry
  1.  Open the Windows Registry Editor.
  2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy.
  3. Right-click on AppPrivacy, and select New > Dword (32-bit) Value from the menu.
  4. Name the new value LetAppsAccessAccountInfo
  5. Set its value to one of the following supported values:
    1. Value of 0 means user is in control.
    2. Value of 1 means force allow.
    3. Value of 2 means force deny.

Contacts

contacts

The Contacts privacy page lists two main options right now:

  • Enable or disable contacts access on the device.
  • Enable or disable access to contacts by applications.
  • Manage access rights to contacts for individual applications.

Choose apps that can access contacts

Group Policy

This policy setting specifies whether Windows apps can access contacts.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

  1. Open the Group Policy Editor.
  2. Go to Computer Configuration > Administrative Templates > Windows Components > App Privacy.
  3. Open the Let Windows apps access contacts policy.
  4. Enable the policy.
  5. Set the “default for all apps” setting to one of the following values
    1. User is in control gives users options to allow or disallow apps to access contacts.
    2. Force allow means that applications may access contacts, and that users cannot prevent this.
    3. Force deny means that applications may not access contacts, and that users cannot allow them.
Windows Registry
  1. Open the Windows Registry Editor
  2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy
  3. If the Dword value LetAppsAccessContacts does not exist, right-click on AppPrivacy, and select New > Dword (32-bit) Value from the context menu, and name it accordingly.
  4. Set the preference to 2 to disable access to contacts.

Calendar

calendar

You may use the Calendar page of the privacy settings to allow or disallow application and/or system access to the calendar.

You may furthermore allow or disallow access to the calendar for individual applications if you don’t block access globally.

Let apps access the calendar

Group Policy

This policy setting specifies whether Windows apps can access the calendar.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

  1. Load the Group Policy Editor.
  2. Go to Computer Configuration > Administrative Templates > Windows Components > App Privacy.
  3. Open Let Windows apps access the calendar
  4. Set the policy to enabled.
  5. Set the “default for all apps” setting to one of the following values:
    1. User is in control means that users may allow or block apps to access the calendar.
    2. Force allow means that apps may access calendar data, and that users cannot block this.
    3. Force deny means that apps may not access calendar data, and that users cannot block this.
Windows Registry
  1. Open the Windows Registry Editor.
  2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy.
  3. Right-click on AppPrivacy, and select New > Dword (32-bit) Value from the menu.
  4. Name the new value
  5. Set its value to one of the following values:
    1. Value of 0 means user is in control.
    2. Value of 1 means force allow.
    3. Value of 2 means force deny.

Call History

call history

The Call History, just like most of the other privacy settings, provides you with three options:

  • Disable access to the call history on the device.
  • Allow or disallow access to the Call History for all applications
  • Allow or disallow individual application access to the Call History.

Let apps access my call history

Group Policy

This policy setting specifies whether Windows apps can access call history.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

  1. Open the Group Policy Editor.
  2. Go to Computer Configuration > Administrative Templates > Windows Components > App Privacy
  3. Open Let Windows apps access call history.
  4. Set the policy to enabled.
  5. Set the “default for all apps” setting to one of the following values:
    1. User in control gives users control over the call history. They may allow or disallow apps access to the call history.
    2. Force Allow enables access to the Call History automatically. Users may not change this.
    3. Force Deny disables access to the Call History automatically. Users may not change this.
Windows Registry
  1. Open the Windows Registry Editor.
  2. Go to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy
  3. Right-click on AppPrivacy, and select New > Dword (32-bit) Value.
  4. Name it LetAppsAccessCallHistory.
  5. Give it one of the following values:
    1. A value of 0 means users are in control.
    2. A value of 1 means force allow.
    3. A value of 2 means force deny.

Email

email

The Email privacy settings can be used to allow access to email on the device, to allow or disallow application access to emails on a global level, and to allow or disallow access for individual applications.

The built-in applications Mail and Calendar are allowed to access and send email regardless of how the options are configured.

Let apps access and send email

Group Policy

This policy setting specifies whether Windows apps can access email.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

  1. Open the Group Policy Editor.
  2. Go to Computer Configuration > Administrative Templates > Windows Components > App Privacy
  3. Select Let Windows apps access email
  4. Set the policy to enabled.
  5. Set the value of the policy under Default for apps:
    1. User is in control means that users can decide whether Windows apps may access email.
    2. Force Allow means that Windows apps are allowed to access email, and users cannot change it.
    3. Force Deny means that Windows apps are not allowed to access email, and that users cannot change it.
Windows Registry
  1. Open the Windows Registry Editor.
  2. Go to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy
  3. Right-click on AppPrivacy, and select New > Dword (32-bit) Value.
  4. Name the new value LetAppsAccessEmail.
    1. Set its value to 0 to give users control over the feature.
    2. Set its value to 1 to force allow.
    3. Set its value to 2 to force deny.

Tasks

tasks

You may use the Tasks privacy page to allow or disallow device access to tasks, to disallow all apps to access tasks, or to allow or disallow access to tasks for individual applications.

The built-in applications Mail and Calendar are whitelisted. They have access to the tasks even if you disable tasks globally.

Let apps access Tasks

Group Policy

This policy setting specifies whether Windows apps can access tasks.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

  1. Open the Group Policy Editor.
  2. Go to Computer Configuration > Administrative Templates > Windows Components > App Privacy
  3. Select Let Windows apps access Tasks
  4. Set the policy to enabled.
  5. Select one of the following values for “default for all apps”.
    1. User is in control – Users may enable or disable Tasks access for all or specific apps.
    2. Force Allow – Tasks access is enabled, and users cannot change that.

Force Deny – Tasks access is disabled, and users cannot change that.

Messaging

messaging

You may use the Messaging privacy options to disallow access to messaging on the device, to turn on or off application read and send access to messages (both text and MMS).

It is furthermore possible to allow or disallow individual applications to use messaging.

Let apps read or send messages (text or MMS)

Group Policy

This policy setting specifies whether Windows apps can read or send messages (text or MMS).

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

  1. Open the Group Policy Editor.
  2. Go to Computer Configuration > Administrative Templates > Windows Components > App Privacy
  3. Select the Let Windows apps access messaging policy.
  4. Set the policy to enabled.
  5. Set the default for all apps value to
    1. User is in control to allow users to control the feature.
    2. Force Allow to enable app access to messaging, and block users from changing this.
    3. Force Deny to disallow app access to messaging, and block users from changing this.
Windows Registry
  1. Open the Windows Registry Editor.
  2. Go to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy
  3. Right-click on AppPrivacy, and select New > Dword (32-bit) Value.
  4. Name it LetAppsAccessMessaging
    1. Set its value to 0 to put users in control.
    2. Set its value to 1 to force allow.
    3. Set its value to 2 to force deny.

Radios

radios

Some apps use radios – like Bluetooth – in your device to send and receive data. Sometimes, apps need to turn these radios on and off to work their magic.

You may use the Radios settings to allow or disallow access to Radios such as Bluetooth globally, or for individual applications.

Let Windows apps control radios

Group Policy

This policy setting specifies whether Windows apps have access to control radios.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

  1. Open the Group Policy Editor.
  2. Go to Computer Configuration > Administrative Templates > Windows Components > App Privacy
  3. Select Let Windows apps control radios.
  4. Set the policy to enabled.
  5. Set the default for all apps value to
    1. User is in control to let users decide.
    2. Force Allow to enable application access to control radios, and prevent users from changing that.
    3. Force Deny to disable application access to control radios, and prevent users from changing that.
Windows Registry
  1. Open the Registry Editor
  2. Go to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy
  3. Right-click on AppPrivacy, and select New > Dword (32-bit) Value.
  4. Name it LetAppsAccessRadios.
    1. Set its value to 0 for user is in control.
    2. Set its value to 1 for force allow.
    3. Set its value to 2 for force deny.

Other Devices

other devices

Manage other devices, those that you sync data with, or that you connect to your Windows machine using this setting. Other devices may be other Windows 10 devices but also tablets or phones.

You can turn off the the ability to communicate with unpaired devices entirely so that apps don’t “automatically share and sync info with wireless devices that don’t explicitly pair with the PC, tablet, or phone”.

Applications may use your trusted devices, such as your Xbox One, TVs, or projectors.

The following options are provided:

  • Enable or disable the synchronization of data with other devices.
  • Choose apps that can sync with the device you are using.
  • Let applications uses Trusted Devices such as memory cards, Xbox and other devices.

Background apps

background apps

Applications may run in the background, for instance to receive information from the Internet or a network, or send notifications.

If you turn off the feature, apps may not do so when they are not running on the system. A positive side effect of turning the functionality off is that you may conserve power depending on which apps are installed on the system, and how they are used.

The Settings application provides you with two options:

  1. Turn of the feature for all applications.
  2. Select the apps that you want to be able to run in the background.

Let Windows apps run in the background

Group Policy

This policy setting specifies whether Windows apps can run in the background.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

  1. Open the Group Policy Editor.
  2. Go to Computer Configuration > Administrative Templates > Windows Components > App Privacy
  3. Select Let Windows apps run in the background.
  4. Set the policy to enabled.
  5. Set one of the following options under “default for all apps”
    1. User is in control to provide users with options to enable or disable the functionality.
    2. Force Allow to allow apps to run in the background; users cannot change the preference.
    3. Force Deny to disallow apps to run in the background; users cannot change the preference.
Windows Registry
  1. Open the Windows Registry Editor.
  2. Go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications
  3. Right-click on BackgroundAccessApplications, and select New > Dword (32-bit) Value.
  4. Name it GlobalUserDisabled.
    1. A value of 0 means the feature is turned on.
    2. A value of 1 means the feature is disabled.

Let Windows and your apps use your motion data and collect motion history

Windows applications may access motion data and collect the motion history. This requires special sensors in the device.

This policy setting specifies whether Windows apps can access motion data.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

Group Policy

Computer Configuration > Administrative Templates > Windows Components > App Privacy > Let Windows apps access motion

  • Enabled – Default value. Windows apps may use motion data and collect motion history. Set Default for all apps value:
    • User is in control – Users may enable or disable Motion in the Settings.
    • Force allow – Motion is enabled, and users may not change that.
    • Force deny – Motion is disabled, and users may not change that either.
  • Disabled – Windows applications may not use motion data or collect motion history.
Windows Registry

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy

Name:  LetAppsAccessMotion

Type: Dword

  • A value of 0 means that the user is in control.
  • A value of 1 means force allow.
  • A value of 2 means force deny.

App diagnostics

app diagnostics

Some applications may use diagnostic information from other applications. Data may include the names of running applications, user account name that launched an application, memory, disk, processor, or network usage.

Preventing access may limit applications.

You can turn the access to diagnostic information off for all applications or manage individual apps with access.

Automatic file downloads

automatic file downloads

Windows may download files automatically from online storage providers such as OneDrive if applications request them.

You can block applications from requesting automatic file downloads, and when you do, may unblock them using this menu.

Documents

privacy documents

The Documents privacy page defines access to the documents libraries on the device.

You can disable access to document libraries entirely, for all applications, or for individual applications.

If you deny access, all Windows 10 apps downloaded from the Store won’t be allowed to access the Documents library.

The setting has no affect on non-Store apps.

Pictures

pictures

Similarly to what Documents does for the Documents library, the Pictures privacy page lets you do that for Pictures libraries.

You can disable access to picture libraries on the device, disallow all applications from accessing the pictures library, or manage access of individual applications.

If you deny access, all Windows 10 apps downloaded from the Store won’t be allowed to access the Pictures library.

The setting has no affect on non-Store apps.

Videos

videos

You may use the Videos privacy page to control application access to the video libraries on the device.

You may disallow access to video libraries on the device, disallow all apps from accessing the video libraries, or manage access rights of individual apps.

If you deny access, all Windows 10 apps downloaded from the Store won’t be allowed to access the Videos library.

The setting has no affect on non-Store apps.

File system

file system

Use the settings page to allow or disallow access to the file system on the device.

You can disallow all Store apps from accessing the file system or manage access rights of individual apps.

If you deny access, all Windows 10 apps downloaded from the Store won’t be allowed to access the file system.

The setting has no affect on non-Store apps.

Updated on August 19, 2018

Was this article helpful?

Related Articles