Overview
A fresh Windows 11 installation ships with telemetry collection, personalized advertising, background app execution, and AI features all enabled by default. While these defaults serve Microsoft’s data and product goals, they consume bandwidth and system resources, and generate noise that most enterprise users and IT administrators would rather not deal with.
This guide provides a structured, technical approach to taking back control of a Windows 11 environment — covering manual settings for individual users and scalable enforcement mechanisms for enterprise administrators using Group Policy, PowerShell, and Microsoft Intune.
Privacy configuration should never compromise security. The following must remain enabled at all times:
- Windows Update — disabling it leaves devices exposed to known exploits and zero-day attacks.
- Windows Defender and Real-time Protection — disabling them eliminates active malware scanning.
- Certificate Revocation Checks — disabling them breaks trust validation for secure websites and applications.
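A read-only check for these three guardrails, to run after any of the changes in this guide have been applied. This is an added example, not part of the original guide; the function names are hypothetical, and the revocation check covers only the per-user WinINet setting.

```powershell
# Added example: read-only audit of the controls that must stay enabled.
# Run from an elevated PowerShell session on the device being checked.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value does not exist (setting not configured).
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-SecurityGuardrailStatus {
    # Windows Update: service not disabled, automatic updates not turned off by policy.
    $wu     = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
    $noAuto = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' 'NoAutoUpdate'

    # Defender: engine and real-time protection on, no policy forcing real-time monitoring off.
    $mp    = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $rtOff = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' 'DisableRealtimeMonitoring'

    # Revocation: an explicit 0 means server certificate revocation checks were switched off.
    $crl = Get-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' 'CertificateRevocation'

    [pscustomobject]@{
        Control = 'Windows Update'
        Healthy = [bool]($wu -and $wu.StartType -ne 'Disabled' -and $noAuto -ne 1)
        Detail  = "wuauserv StartType=$($wu.StartType); NoAutoUpdate=$noAuto"
    }
    [pscustomobject]@{
        Control = 'Defender real-time protection'
        Healthy = [bool]($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled -and $rtOff -ne 1)
        Detail  = "RealTimeProtectionEnabled=$($mp.RealTimeProtectionEnabled); DisableRealtimeMonitoring=$rtOff"
    }
    [pscustomobject]@{
        Control = 'Certificate revocation checks'
        Healthy = [bool]($crl -ne 0)
        Detail  = "CertificateRevocation=$crl (empty = not configured)"
    }
}

$report = Get-SecurityGuardrailStatus
$report | Format-Table -AutoSize -Wrap

if ($report.Healthy -contains $false) {
    Write-Warning 'A security guardrail is disabled. Re-enable it before continuing with privacy changes.'
}
```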
Prerequisites
- Windows 11 device (any edition)
- For Group Policy: domain-joined device and Group Policy Management Console (GPMC)
- For PowerShell: local administrator rights
- For Intune: Microsoft Intune license and enrolled Windows device
Part 1 — Core Settings (Individual Users)
The fastest path to a cleaner Windows 11 experience is adjusting privacy and notification settings through the built-in Settings app. These changes apply locally to a single device and require no elevated permissions beyond a standard administrator account.
Remove lock screen and Start menu ads
- Open Settings → Personalization → Lock Screen.
- Change the background from Windows Spotlight to Picture or Slideshow.
- Uncheck the option to receive “fun facts, tips, tricks, and more” from the lock screen.
- Navigate to Personalization → Start and disable “Show recommendations for tips, shortcuts, new apps, and more”.
Suppress system notifications and pop-ups
- Open Settings → System → Notifications.
- Scroll to Notifications from apps and other senders and toggle off:
- Get tips and suggestions when using Windows
- Offer suggestions on how I can set up my device
- Enable Do Not Disturb and set Focus Assist to Priority only or Alarms only.
Disable tailored experiences and advertising ID
- Open Settings → Privacy & security → General.
- Toggle off “Let apps show me personalized ads by using my advertising ID”.
- Disable all remaining options in this section to block suggested content across the OS.
Reduce telemetry and disable background apps
- Navigate to Settings → Privacy & security → Diagnostics & feedback.
- Set Diagnostic data to Required diagnostic data (the minimum available).
- Turn off Tailored experiences.
- For background apps, go to Privacy & security → Background apps and toggle off “Let apps run in the background” globally, or manage individual apps via Installed apps → App → Advanced options.
Setting diagnostic data to Required diagnostic data is the minimum level available to consumer Windows 11 editions. Enterprise and Education editions can go further using Group Policy or Intune (see Part 2 and Part 4 below) to set telemetry to 0 – Security.
Part 2 — Group Policy (Domain-Joined Devices)
For on-premises environments with domain-joined Windows devices, Group Policy provides granular, enforceable control. Changes made via GPO override local settings and re-apply at each policy refresh cycle.
Restrict telemetry to Security level
- Open the Group Policy Management Console (GPMC).
- Create or edit a GPO linked to the relevant OU.
- Navigate to: Computer Configuration → Administrative Templates → Windows Components → Data Collection and Preview Builds
- Open Allow Telemetry and set it to Enabled with the value 0 – Security.
Disable location services enterprise-wide
- In the same GPO, navigate to: Computer Configuration → Administrative Templates → Windows Components → Location and Sensors
- Enable the Turn off location policy.
The 0 – Security telemetry level is only available for Windows 11 Enterprise, Education, and IoT Enterprise editions. Home and Pro editions cannot go below Required via Group Policy.
Part 3 — PowerShell (Local or Scripted Enforcement)
PowerShell is useful for one-off configurations or scripted deployments where Group Policy is not in place. Run all commands from an elevated (Run as administrator) PowerShell session.
Set telemetry to minimum via registry
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection" `
-Name "AllowTelemetry" -Value 0 -PropertyType DWORD -Force
This writes the telemetry restriction directly to the Policies registry hive, equivalent to the Group Policy setting above. The -Force flag overwrites any existing value.
Revoke background execution for modern apps
PowerShell can enumerate installed apps and revoke their background execution permissions at a system level — useful for locking down shared or kiosk devices where background app activity should be fully suppressed.
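One way to do this machine-wide, as an added example that is not code from the original guide: it backs up the AppPrivacy policy key with reg export, sets the LetAppsRunInBackground policy to force deny, and lists the packaged apps the policy covers. The backup file name and location are assumptions.

```powershell
# Added example: deny background execution for packaged apps via machine policy.
# Run from an elevated PowerShell session; test on a pilot device first.

$key    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy'
$regKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy'   # reg.exe path form

if (Test-Path $key) {
    # Back up the existing key so the change can be rolled back with "reg import".
    # File name and location are assumptions; adjust for your environment.
    $backup = Join-Path $env:TEMP ('AppPrivacy-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    reg export $regKey $backup /y | Out-Null
    Write-Host "Existing policy key backed up to $backup"
} else {
    # New-ItemProperty does not create missing keys, so create the key first.
    New-Item -Path $key -Force | Out-Null
}

# LetAppsRunInBackground: 0 = user in control, 1 = force allow, 2 = force deny
New-ItemProperty -Path $key -Name 'LetAppsRunInBackground' `
    -Value 2 -PropertyType DWord -Force | Out-Null

# Read the value back to confirm the write succeeded.
$applied = (Get-ItemProperty -Path $key -Name 'LetAppsRunInBackground').LetAppsRunInBackground
if ($applied -ne 2) {
    throw "LetAppsRunInBackground is $applied, expected 2"
}

# Enumerate the non-framework packaged apps that are subject to the policy.
Get-AppxPackage -AllUsers |
    Where-Object { -not $_.IsFramework } |
    Sort-Object -Property PackageFamilyName -Unique |
    Select-Object Name, PackageFamilyName |
    Format-Table -AutoSize
```

The policy applies to packaged (modern) apps only; classic desktop programs and services are not affected by it.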
Always test PowerShell registry modifications in a non-production environment or on a pilot device before deploying via script to a broader machine set. Back up the affected registry key first using reg export.
Part 4 — Microsoft Intune Settings Catalog (Cloud-Managed Devices)
For Microsoft 365-managed environments, the Settings Catalog in the Intune admin center is the most comprehensive and scalable way to enforce Windows 11 privacy configurations across an entire device fleet.
Step 1 — Create a new configuration profile
- Sign in to the Microsoft Intune admin center.
- Navigate to Devices → Configuration → + Create → New Policy.
- Set Platform to Windows 10 and later and Profile type to Settings catalog.
- Click Create.
Step 2 — Configure privacy settings
On the Configuration settings tab, click + Add settings and search for each of the following. Enable or set each one as specified:
| Setting Path | Setting Name | Recommended Value |
|---|---|---|
| Experience | Allow Cortana | Block |
| Windows 11 › Start | Start_HideRecommendationsSection | Enable |
| System | Allow Telemetry | 0 – Security |
Step 3 — Assign and deploy
- On the Assignments tab, assign the policy to your target device group.
- Click through to Review + create and click Create.
- Devices check in and apply the policy within the standard Intune sync cycle (typically 8 hours, or trigger a manual sync from the device).
Windows 11 25H2 — New Intune Controls
With the release of Windows 11 version 25H2, Microsoft added over 30 new settings to the Intune Settings Catalog, including granular controls for Copilot, Recall, lock screen widgets, and system-level AI models. These provide day-zero management support for the latest privacy-relevant features, meaning enterprise admins can configure them before end users encounter them.
The Settings Catalog approach is an “enable once and forget” solution. Once the profile is assigned and applied, the configured settings persist across Windows updates, reboots, and user profile changes — unlike manual UI adjustments which users can reverse.
Implementation Strategy Summary
| Scenario | Recommended Approach | Enforced? |
|---|---|---|
| Personal or single device | Settings app — Core Settings (Part 1) | No — user can revert |
| On-premises domain environment | Group Policy (Part 2) ± PowerShell (Part 3) | Yes — GPO enforced |
| Cloud-managed (Microsoft 365 / Intune) | Intune Settings Catalog profile (Part 4) | Yes — MDM enforced |
| Hybrid (domain + Intune co-management) | Intune Settings Catalog as primary; GPO for fallback | Yes |
Summary
Windows 11 does not have to behave like an advertising platform. By systematically addressing telemetry, lock screen promotions, background app execution, and AI feature exposure, you recover measurable performance, bandwidth, and user experience improvements. For individual users, the Settings app is sufficient. For enterprise administrators managing a fleet, Intune’s Settings Catalog is the definitive tool — scalable, enforceable, and built to handle new Windows features from day zero.

