Windows has tons of settings buried between layers of menus that you never touch. However, Windows isn’t set up for security by default, meaning there are several default settings you need to change.
10
Telemetry
Windows telemetry is Microsoft’s way of collecting data about how you use your system. They claim to do it for improving the overall user experience, but I’m not comfortable with my computer constantly sending data about my app usage, system performance, and hardware configuration to Microsoft.
Thankfully, disabling it is quite simple. Follow these steps:
- Head over to Windows Settings and click the Privacy & security tab. Then, click Diagnostics & feedback.
- Disable the Send optional diagnostic data setting.
- As an added precaution, also click the Delete button under the Delete diagnostic data section to delete any data stored on Microsoft servers.
Microsoft will still collect some data from your system, as you can’t disable telemetry completely on Windows Home editions without some under-the-hood tweaking. However, you can still reduce the amount of information your PC sends over, saving the CPU and memory resources spent on running the telemetry services in the background.
9
Advertising ID
Windows generates a unique advertising ID for each user, which app developers and ad networks use to track you across apps. This works a lot like browser cookies, allowing advertisers to serve you personalized ads based on your browsing or app usage history.
Follow these steps to disable this behavior:
- Head over to Windows Settings and click the Privacy & security tab. Then, click Recommendations & offers.
- Disable the Advertising ID slider.
- As an added precaution, disable all settings in this section except Show notifications in settings.
I also visit Microsoft’s Privacy Dashboard and disable interest-based advertising there. This ensures you’re not being tracked through other Microsoft services.
8
Location Services
The location services on your PC aren’t as accurate as those on your phone, but they serve the same purpose. This setting is enabled by default and can expose sensitive information about your daily routine and habits. Even if you trust Microsoft with this data, any app on your system can potentially access this information.
Here’s how to disable location services on Windows:
- Head over to Windows Settings and click the Privacy & security tab. Then, click Location.
- Disable the Location services slider.
Remember that location services aren’t the same as GPS. Even the NSA recommends disabling it on your devices to limit location exposure risks.
Disabling location services on Windows will break some functionality, like automatic time zones and Find my device. If you need location services enabled, I recommend that you check the Let apps access your location section right below the location services setting to ensure only the required apps have access.
7
Automatic App Updates in the Microsoft Store
Microsoft has made it impossible to permanently disable automatic app and Windows updates. You can now only pause them for up to 5 weeks. Here’s how you can get some control back:
- Open Microsoft Store, click on your profile icon at the top-right. Click Settings from the menu that pops up.
- Disable the App updates slider.
Automatic updates are generally good for security, but Microsoft Store updates have been unreliable for me for as long as I’ve used it. For more permanent control, you can use the Group Policy editor on Pro or Enterprise editions of Windows.
6
Windows Update Active Hours and Restart Options
Nothing’s more frustrating than Windows deciding to restart to install updates in the middle of your work. The default active hours go from 8 AM to 5 PM and don’t really suit my real-world usage patterns.
Here’s how to change them:
- Head over to Windows Settings and click the Windows Update section. Once there, click Advanced options.
- Change the Active hours setting to match your usage patterns.
You can set up to 18 hours of active time, which should match most people’s daily usage.
5
Untrusted Font Installation
This is a more technical setting that’s often overlooked by most people. However, it’s important for security, especially if you work with custom fonts. Windows allows programs to load fonts from anywhere on your system, which can be exploited by hackers for privilege escalation attacks.
Unfortunately, changing this setting requires the Group Policy editor. If you don’t have a Pro or Enterprise edition of Windows, you can modify the registry to change this setting.
- Open the Registry Editor and go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel registry subkey.
- You should see a value named MitigationOptions. If it’s not present, right-click the empty space on the right, create a new QWORD (64-bit) Value, and give it the same name.
- Update the Value data of the MitigationOptions value by double-clicking it. Use 1000000000000 to enable or 2000000000000 to disable the feature.
Windows will now block all untrusted fonts from loading and log any attempts to do so. Do keep in mind that enabling this feature can cause compatibility issues with some applications, in which case you’ll have to revert any changes for the program to work.
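The same registry change can be scripted so that it does not discard other bits already stored in MitigationOptions. This is an added example, not from the article; it assumes the two values above are hexadecimal (the default base for a QWORD in Registry Editor), and `Set-UntrustedFontBlocking` is a hypothetical helper name.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the article. Assumes the article's two values are
# hexadecimal, the default base for a QWORD in Registry Editor.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel'
$ValueName = 'MitigationOptions'
$FontOn    = 0x1000000000000    # article: enable untrusted-font blocking
$FontOff   = 0x2000000000000    # article: disable untrusted-font blocking
$FontMask  = $FontOn -bor $FontOff

# Set-UntrustedFontBlocking is a hypothetical helper name.
function Set-UntrustedFontBlocking {
    param([ValidateSet('On', 'Off')][string]$State = 'On')

    $key     = Get-Item -LiteralPath $KeyPath
    $current = [long]0

    if ($key.GetValueNames() -contains $ValueName) {
        # The value may already exist in another type (for example REG_BINARY);
        # refuse to overwrite it rather than silently drop other mitigations.
        $kind = $key.GetValueKind($ValueName)
        if ($kind -ne [Microsoft.Win32.RegistryValueKind]::QWord) {
            throw "$ValueName already exists as $kind; review it manually."
        }
        $current = [long]$key.GetValue($ValueName)
    }

    # Clear only the two font bits, then set the requested one.
    $bits = if ($State -eq 'On') { $FontOn } else { $FontOff }
    $new  = ($current -band (-bnot $FontMask)) -bor $bits

    Set-ItemProperty -LiteralPath $KeyPath -Name $ValueName -Value $new -Type QWord
    # Return old and new values so the change can be reverted if an app breaks.
    '{0}: 0x{1:X} -> 0x{2:X}' -f $ValueName, $current, $new
}

Set-UntrustedFontBlocking -State On
```

Keep the printed previous value so you can restore it if an application stops rendering its fonts; the change takes effect after a restart.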
4
File and Printer Sharing Over Public Networks
Unless you understand how network sharing works on Windows and have enabled it on purpose, file and printer sharing should never be enabled on public networks.
Here’s how to disable file and printer sharing over public networks:
- Open Windows Settings and head over to Network & internet. Then, click Advanced network settings.
- Click Advanced sharing settings.
- Expand the Public network section and ensure Network discovery and File and printer sharing are disabled.
This is one of the most important settings to change when setting up a new Windows PC. If enabled on public networks, anyone can potentially access your shared files or printers.
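To confirm the result from a terminal, the following read-only check lists any inbound allow rules for these two features that are still active on the Public profile. It is an added example, not from the article; it assumes an English-language Windows install (the rule group display names are localized), and `Get-PublicSharingExposure` is a hypothetical helper name.

```powershell
# Added example, not from the article. Read-only: nothing is changed.
# Rule group display names below assume an English-language install.
$SharingGroups = 'File and Printer Sharing', 'Network Discovery'

# Get-PublicSharingExposure is a hypothetical helper name.
function Get-PublicSharingExposure {
    foreach ($group in $SharingGroups) {
        Get-NetFirewallRule -DisplayGroup $group -ErrorAction SilentlyContinue |
            Where-Object {
                $_.Enabled   -eq 'True'    -and
                $_.Direction -eq 'Inbound' -and
                $_.Action    -eq 'Allow'   -and
                # A rule scoped to "Any" also applies on public networks.
                $_.Profile.ToString() -match 'Public|Any'
            } |
            Select-Object DisplayGroup, DisplayName, Profile
    }
}

# Which category Windows has assigned to each connected network.
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory

# Any rows returned here are rules still reachable on public networks.
$exposed = @(Get-PublicSharingExposure)
if ($exposed.Count -eq 0) {
    'No sharing or discovery rules are enabled for the Public profile.'
} else {
    $exposed | Format-Table -AutoSize
}
```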
3
Auto-Connect to Suggested Open Hotspots
Windows has a feature that automatically connects your laptop to open hotspots in public areas. Now, public Wi-Fi isn’t automatically insecure, but some mistakes make it dangerous. It’s also far from your only option to get online on the go, and there are much safer alternatives to public Wi-Fi available.
While Wi-Fi Sense has been discontinued in Windows 11, it might still connect to random open Wi-Fi networks from time to time. You can’t completely stop this from happening without modifying the registry, but you can protect your device by using randomized hardware addresses. Here’s how:
- Open Windows Settings and head over to Network & internet. Then, click Wi-Fi.
- Enable the Random hardware addresses slider.
This makes it harder for people to track your device’s location. Normally, the hardware (MAC) address of your Wi-Fi card remains the same across networks. By randomizing it, it becomes harder to tell whether the same device is connected to multiple networks.
2
Dynamic Lock
The Dynamic Lock feature uses Bluetooth to detect when your paired phone moves away and automatically locks your PC. The feature is great, but only as long as you have reliable Bluetooth—a feature only found on top-tier Windows laptops in my experience.
Here’s how you can disable it:
- Open Windows Settings and head over to the Accounts section. Once there, click Sign-in options.
- Scroll down and expand the Dynamic Lock section. Uncheck the Allow Windows to automatically lock your device when you’re away option.
This one’s a bummer for me because I’d really like to see this feature working reliably and not lock my PC in my face. However, the constant Bluetooth connection requirement is not only unreliable, but also drains your battery faster.
1
OneDrive Backup
Windows automatically enables cloud backups to your OneDrive account during setup. This means your Desktop, Documents, Pictures, Music, and Videos folders are automatically backed up to OneDrive. Except, you only get 5GB of free space—and it runs out faster than you think.
Disabling this is a simple matter of unlinking OneDrive on your PC. Here’s how:
- Click the OneDrive tray icon followed by the settings gear icon.
- Head over to the Account section and click Unlink this PC under your account.
Additionally, I uninstalled OneDrive and several other unnecessary programs using FreeTimeTech’s Windows 11 Debloater tool. It’s one of the best hacks if you want a faster, cleaner Windows 11.
Windows 11 isn’t cut out for security or privacy out of the box. There are benefits to letting Windows invade your privacy, but ultimately, the balance of convenience to privacy is for you to decide. Taking the time to tweak a few settings here and there can make a massive difference in the long run.