Gist hed0rah/3f12cfd9e8e397b83770ad1b9631be75, created April 18, 2026 23:23

# Windows 11 Pro 25H2 -- AI and Telemetry Lockdown Cheatsheet

Tested on build 26200.x. Assumes Windows 11 Pro (gpedit.msc access required for Group Policy sections).

---

## 1. Settings App

### Privacy & Security > General

Turn off all four:

- Let apps show me personalized ads by using my advertising ID
- Let websites show me locally relevant content by accessing my language list
- Let Windows improve Start and search results by tracking app launches
- Show me suggested content in the Settings app

### Privacy & Security > Speech

- Online speech recognition: **Off**

### Privacy & Security > Inking & Typing Personalization

- Custom inking and typing dictionary: **Off**

### Privacy & Security > Diagnostics & Feedback

- Diagnostic data: **Required diagnostic data only**
- Improve inking and typing: **Off**
- Tailored experiences: **Off**
- Delete diagnostic data: click **Delete**
- Feedback frequency: **Never**

### Privacy & Security > Activity History

- Store my activity history on this device: **Unchecked**
- Clear activity history: click **Clear history**

### Privacy & Security > Search Permissions

- Cloud content search (Microsoft account): **Off**
- Cloud content search (Work or School account): **Off**
- Search history on this device: **Off**
- Search highlights: **Off**

### Privacy & Security > Recall

- Turn off entirely if present (requires NPU hardware, may not appear)

### Privacy & Security > Find My Device

- Find My Device: **Off** (unless you actually want remote locate capability)

### Apps > Installed Apps

- Uninstall **Microsoft Copilot** if present
- Uninstall **Copilot** (sometimes listed separately)
- Uninstall any other Microsoft bloat you don't use (Clipchamp, News, etc.)

### Apps > Startup

- Review and disable anything unnecessary, especially Killer Network, Copilot, OneDrive, etc.

### System > Notifications

- Get tips and suggestions when using Windows: **Off**
- Suggest ways to get the most out of Windows and finish setting up this device: **Off**

### System > Clipboard

- Clipboard history: **Off** (unless you use it)
- Sync across devices: **Off**

### System > Delivery Optimization

- Allow downloads from other PCs: **Off** (or set to "PCs on my local network" as a less aggressive option -- see Warnings)

### Personalization > Lock Screen

- Personalize your lock screen: change from **Windows Spotlight** to **Picture** or **Slideshow**
- Get fun facts, tips, tricks, and more on your lock screen: **Off**

### Taskbar

- Right-click taskbar:
  - Widgets: **Off**
  - Copilot: **Off** (if shown)

---

## 2. Group Policy (gpedit.msc)

Run `gpedit.msc` as administrator. All paths below are under:

`Computer Configuration > Administrative Templates > Windows Components`

### Windows AI

| Setting | State |
|---|---|
| Remove Microsoft Copilot App | **Enabled** |
| Allow Recall to be enabled | **Disabled** |
| Allow export of Recall and snapshot information | **Disabled** |
| Turn off saving snapshots for use with Recall | **Enabled** |
| Disable Click to Do | **Enabled** |
| Disable Settings agentic search experience | **Enabled** |

### Data Collection and Preview Builds

| Setting | State |
|---|---|
| Allow Diagnostic Data | **Enabled**, set to "Send required diagnostic data" |
| Do not show feedback notifications | **Enabled** |
| Limit Dump Collection | **Enabled** |
| Limit Diagnostic Log Collection | **Enabled** |
| Disable OneSettings Downloads | **Enabled** |
| Allow commercial data pipeline | **Disabled** |
| Allow Desktop Analytics Processing | **Disabled** |
| Configure Connected User Experiences and Telemetry | **Skip** -- enterprise proxy setting, not useful on standalone Pro |

### Cloud Content

| Setting | State |
|---|---|
| Turn off cloud optimized content | **Enabled** |
| Turn off cloud consumer account state content | **Enabled** |
| Do not show Windows tips | **Enabled** |
| Turn off Microsoft consumer experiences | **Enabled** |

### Search

| Setting | State |
|---|---|
| Do not allow web search | **Enabled** (may be deprecated in 25H2, see note) |
| Don't search the web or display web results in Search | **Enabled** (may be deprecated in 25H2, see note) |

Note: these policies have been deprecated in recent Windows 11 builds. They may still appear in gpedit but might not be honored. The `DisableSearchBoxSuggestions` registry key in section 3 is the reliable method for disabling web results in Start menu search.

### Widgets

| Setting | State |
|---|---|
| Allow widgets | **Disabled** |

### Windows Copilot (if this section exists separately)

| Setting | State |
|---|---|
| Turn off Windows Copilot | **Enabled** |

---

## 3. Registry Edits (Admin Command Prompt)

These duplicate some of the Group Policy settings above but serve as a fallback if policies don't stick, and also cover machines without gpedit.

```bat
:: disable copilot
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsCopilot" /v TurnOffWindowsCopilot /t REG_DWORD /d 1 /f

:: disable recall / AI data analysis
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsAI" /v DisableAIDataAnalysis /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsAI" /v AllowRecallEnablement /t REG_DWORD /d 0 /f

:: telemetry to minimum
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v AllowTelemetry /t REG_DWORD /d 1 /f

:: disable advertising ID
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v Enabled /t REG_DWORD /d 0 /f

:: disable web search in start menu
reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v DisableSearchBoxSuggestions /t REG_DWORD /d 1 /f

:: disable widgets
reg add "HKLM\SOFTWARE\Policies\Microsoft\Dsh" /v AllowNewsAndInterests /t REG_DWORD /d 0 /f

:: disable activity history
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v EnableActivityFeed /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v PublishUserActivities /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v UploadUserActivities /t REG_DWORD /d 0 /f

:: disable cloud content / consumer experiences
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableWindowsConsumerFeatures /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableSoftLanding /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableCloudOptimizedContent /t REG_DWORD /d 1 /f

:: disable feedback notifications
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v DoNotShowFeedbackNotifications /t REG_DWORD /d 1 /f
```

---

## 4. PowerShell -- Remove Copilot and Bloat

Run as administrator:

```powershell
# remove copilot
winget uninstall "Microsoft Copilot"
Get-AppxPackage -AllUsers *copilot* | Remove-AppxPackage -AllUsers
Get-AppxProvisionedPackage -Online | Where-Object {$_.DisplayName -like "*copilot*"} | Remove-AppxProvisionedPackage -Online

# remove other common bloat (uncomment lines you want)
# Get-AppxPackage -AllUsers *clipchamp* | Remove-AppxPackage -AllUsers
# Get-AppxPackage -AllUsers *bingweather* | Remove-AppxPackage -AllUsers
# Get-AppxPackage -AllUsers *bingnews* | Remove-AppxPackage -AllUsers
# Get-AppxPackage -AllUsers *teams* | Remove-AppxPackage -AllUsers
# Get-AppxPackage -AllUsers *todos* | Remove-AppxPackage -AllUsers
```

---

## 5. Microsoft Edge (if installed)

Edge has its own layer of AI/telemetry:

- `edge://settings/sidebar` -- disable Copilot sidebar
- `edge://settings/privacy` -- tighten all settings, disable "Optional diagnostic data", disable "Personalization & advertising"
- `edge://settings/search` -- change default search engine if desired, disable search suggestions

Or via registry to disable Edge Copilot:

```bat
reg add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v HubsSidebarEnabled /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v CopilotCDPPageContext /t REG_DWORD /d 0 /f
```

---

## 6. Cleanup -- Orphaned Software (e.g., Killer Network)

After uninstalling bloatware, check for leftover startup entries:

1. Registry: search `HKCR`, `HKLM\...\Run`, `HKCU\...\Run` for the app name
2. Task Scheduler: look for orphaned tasks
3. `shell:startup`: check for leftover shortcuts
4. AppModel StateRepository: search `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Activation\Data` for orphaned executables
5. AppModel PackageRepository: search `HKCR\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages` for orphaned packages

Or use Sysinternals Autoruns to see everything in one view:
https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
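
Steps 1 to 3 and 5 above as a read-only PowerShell search (an added example, not from the original cheatsheet). It assumes the search term `Killer` from this section's heading and the standard `CurrentVersion\Run` keys for the abbreviated `...\Run` paths; it only lists matches and deletes nothing.

```powershell
# Read-only: lists leftovers that match a name, deletes nothing.
$rx  = [regex]::Escape('Killer')   # assumed search term (this section's Killer Network example)
$hit = { param($src, $item, $detail) [pscustomobject]@{ Source = $src; Item = $item; Detail = $detail } }

# Step 1: Run keys (standard autostart locations, assumed for the page's "...\Run")
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$found = @(foreach ($path in $runKeys) {
    if (-not (Test-Path $path)) { continue }
    $key = Get-Item -Path $path
    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)
        if ("$name $data" -match $rx) { & $hit $path $name $data }
    }
})

# Step 2: scheduled tasks whose path, name or executable matches
$found += @(Get-ScheduledTask | ForEach-Object {
    $task = $_
    $exe  = @($task.Actions | ForEach-Object { $_.Execute }) -join '; '
    $full = "$($task.TaskPath)$($task.TaskName)"
    if ("$full $exe" -match $rx) { & $hit 'Task Scheduler' $full $exe }
})

# Step 3: per-user and all-users Startup folders
$found += @('Startup', 'CommonStartup' |
    ForEach-Object { [Environment]::GetFolderPath($_) } |
    Where-Object { $_ -and (Test-Path $_) } |
    ForEach-Object { Get-ChildItem -Path $_ -File } |
    Where-Object { $_.Name -match $rx } |
    ForEach-Object { & $hit 'Startup folder' $_.Name $_.FullName })

# Step 5: subkeys of the PackageRepository key named on the page
$pkgRoot = 'Registry::HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages'
if (Test-Path $pkgRoot) {
    $found += @(Get-ChildItem -Path $pkgRoot |
        Where-Object { $_.PSChildName -match $rx } |
        ForEach-Object { & $hit 'PackageRepository' $_.PSChildName $_.Name })
}

$found | Format-Table -AutoSize -Wrap
```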

---

## Warnings and Caveats

**Delivery Optimization (section 1):** Disabling this entirely can noticeably slow down Windows Updates. It controls not just peer-to-peer sharing with strangers but also local network and Microsoft CDN optimization. A safer middle ground is setting it to "PCs on my local network" instead of fully off.

**Find My Device (section 1):** Disabling this is a real security tradeoff if your machine is a laptop. If it gets stolen, you lose remote locate capability. Make a conscious decision here.

**Disable OneSettings Downloads (section 2):** This stops Windows from downloading configuration data from Microsoft services. It is telemetry-adjacent, but there are reports of it occasionally causing odd behavior with some system components. Consider this one "test and revert if something acts up."

**Connected User Experiences and Telemetry (section 2):** This policy is for enterprise environments where telemetry is routed through a proxy server. On a standalone Pro machine, skip it. The "Allow Diagnostic Data" policy is what actually controls your telemetry level, and on Pro the minimum is level 1 (Required).

**Registry edits (section 3):** These are generally safe and mirror Group Policy settings, but editing the registry always carries some risk. Export keys before deleting them if you want a safety net. Incorrect registry edits can cause system instability.

**Orphaned software cleanup (section 6):** Be careful when manually deleting registry keys in the AppModel StateRepository and PackageRepository. Only delete entries you can positively identify as belonging to the uninstalled software. Deleting the wrong key can break other UWP apps.

## Notes

- Group Policy changes require `gpupdate /force` or a reboot to take effect
- Some settings may revert after major Windows updates; re-audit after each feature update
- This guide targets AI features, telemetry, and data collection specifically; it is not a full Windows hardening guide
- For Windows 11 Home (no gpedit.msc), use the registry edits in section 3 instead of Group Policy