How to configure Windows privacy settings with Intune
To personalize UX, Windows devices aren't shy about collecting user data. This isn't ideal for enterprise security. Discover how to lock down privacy settings with Intune.
Configuring Windows privacy settings can mean the difference between a secure, hardened Windows environment or a devastating data breach. Attackers can easily take advantage of improperly configured Windows privacy settings to capture data from employee devices -- and exploit your company.
In Mastering Windows Security and Hardening: Secure and protect your Windows environment from cyber threats using zero-trust security principles, authors Mark Dunkerley and Matt Tumbarello provide an in-depth look at how organizations should adjust privacy settings to keep employees and the business protected from external and internal attacks.
In the following excerpt from Chapter 10 of Mastering Windows Security and Hardening, learn which Windows privacy settings your organization should have enabled. Follow along as Dunkerley and Tumbarello list various privacy settings and how to set them to not only ensure personalized UX, but also the utmost security. Download the entire PDF of Chapter 10 to learn how to mitigate common attack vectors, such as man-in-the-middle attacks and privilege escalation.
Windows privacy settings
Windows has many great features that provide a personalized and enhanced connected experience for its users. To support this personalization, Windows has permission settings that control what data and device features that applications are allowed to access. A few examples include allowing an application to access the camera, device location, or microphone. Unless controlled by a policy, many of these privacy permissions are allowed by default and could pose a potential privacy risk for some organizations. To view the Windows privacy settings, open Settings and choose Privacy & Security. Here, you can get an idea of the types of permissions that are available to applications, such as access to speech settings, diagnostics and feedback, activity history, and more. Through Settings, you can granularly configure app-specific permissions or allow or deny all for each permission type.
Let's run through a few settings and where we can configure them using Intune. Note that some of these privacy permissions may need to remain enabled if you are using solutions such as Log Analytics or Endpoint Analytics in Microsoft Endpoint Manager to collect telemetry data from the endpoints.
The Privacy & Security settings are available in the Intune Settings catalog and Templates. If the policies don't exist in the UI, they can also be mapped using a custom template if a CSP is available, by pushing a registry key with PowerShell scripts, and so on. Let's look at a few places we can configure these settings as they are hard to find based on the friendly name shown in the Windows Settings app. You can search for them using Settings Picker in the Settings Catalog area:
- Privacy & Security | General:
  - Let apps show me personalized ads by using my advertising ID:
    - Settings Catalog | Disable Advertising ID
  - Let Windows improve Start and search results by tracking app launches:
    - Settings Catalog | Turn off user tracking (User)
  - Show me suggested content in the Settings app:
    - Settings Catalog | Allow Online Tips
- Privacy & Security | Speech:
  - Use your voice for apps using Microsoft's online speech recognition technology:
    - Settings Catalog | Allow Input Personalization
- Privacy & Security | Inking & typing personalization:
  - Personal inking and typing dictionary
- Privacy & Security | Diagnostics & feedback:
  - Diagnostic Data:
    - Settings Catalog | Allow Telemetry
  - Improve inking and typing:
    - Settings Catalog | Allow Linguistic Data Collection
  - Tailored experiences:
    - Settings Catalog | Allow Tailored Experiences with Diagnostic Data (User)
  - Delete diagnostic data:
    - Settings Catalog | Disable Device Delete
- Privacy & Security | Activity history:
  - Store my activity history on this device:
    - Settings Catalog | Publish User Activities
  - Send my activity history to Microsoft:
    - Settings Catalog | Upload User Activities
- Privacy & Security | Search permissions:
  - SafeSearch:
    - Settings Catalog | Do Not Use Web Results
  - Cloud Content Search:
    - Settings Catalog | Allow Cloud Search
We didn't list every setting as some of them don't have mapped CSPs or Group Policy settings. It may be possible to configure them directly with registry keys, but that is outside the scope of this book.
Next, let's look at setting application-specific privacy permissions.
Controlling application privacy permissions
Using Intune, you can configure the access that specific applications have to privacy features. Most of these settings can be found in the Settings Catalog area by searching for Privacy in Settings Picker. For example, in the following screenshot, we have set the Let Apps Access Camera policy to Force deny and configured a list of allowed apps using Let Apps Access Camera Force Allow These Apps:
Configuring an application allow list is only supported for Microsoft Store apps at the time of writing. To do this, you will need to gather the application's Package Family Name (PFN) using the Microsoft Store URL or PowerShell. For example, to find the PFN for the Camera app using PowerShell, run Get-AppXPackage *Camera | Select Name, PackageFamilyName, as shown here:
Tip
You cannot control camera access to third-party apps selectively. Setting Let Apps Access Camera to Force deny will block third-party apps.
For more information about finding the package family name using PowerShell or the Microsoft app store, go to https://docs.microsoft.com/en-us/mem/configmgr/protect/deploy-use/find-a-pfn-for-per-app-vpn.
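As an added example that is not from the book, the following PowerShell extends the Get-AppXPackage step above into a small helper: it resolves the Package Family Names for a list of Store apps, builds the semicolon-delimited value that the Let Apps Access Camera Force Allow These Apps policy takes, and then reads back the device's policy and consent state so you can verify that the Intune assignment actually landed. The registry paths under PolicyManager and CapabilityAccessManager are assumptions taken from Microsoft's public Policy CSP documentation, and the app name patterns are constructed placeholders for your own allow list.

```powershell
# Added example, not from the book. Resolve PFNs for an allow list, emit the
# policy value, and read back the applied camera policy for verification.
param(
    # Display-name patterns for the apps you intend to allow (constructed).
    [string[]]$AllowedAppPatterns = @('*WindowsCamera*', '*MicrosoftTeams*')
)

$pfns = foreach ($pattern in $AllowedAppPatterns) {
    $pkgs = Get-AppxPackage -Name $pattern -ErrorAction SilentlyContinue
    if (-not $pkgs) {
        Write-Warning "No installed package matches '$pattern'; skipping."
        continue
    }
    # A loose pattern can match several packages; keep each distinct PFN.
    $pkgs | Select-Object -ExpandProperty PackageFamilyName -Unique
}

# The ForceAllowTheseApps policy takes one string of semicolon-separated PFNs.
$pfnList = ($pfns | Sort-Object -Unique) -join ';'
Write-Output "Value for 'Let Apps Access Camera Force Allow These Apps':"
Write-Output $pfnList

# Read back what the Policy CSP applied on this device. Assumed path.
# LetAppsAccessCamera: 0 = user in control, 1 = force allow, 2 = force deny.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Privacy'
if (Test-Path $policyKey) {
    $p = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LetAppsAccessCamera = $p.LetAppsAccessCamera
        ForceAllowTheseApps = $p.LetAppsAccessCamera_ForceAllowTheseApps
    } | Format-List
} else {
    Write-Warning "No Privacy policy values under $policyKey (policy not applied yet?)."
}

# Effective per-user consent for the webcam capability, plus the per-app
# entries beneath it keyed by PFN (Value is Allow or Deny). Assumed path.
$consentKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam'
if (Test-Path $consentKey) {
    $global = (Get-ItemProperty -Path $consentKey -ErrorAction SilentlyContinue).Value
    Write-Output "Global webcam consent for this user: $global"
    Get-ChildItem -Path $consentKey | ForEach-Object {
        [pscustomobject]@{ App = $_.PSChildName; Value = (Get-ItemProperty $_.PSPath).Value }
    } | Format-Table -AutoSize
}
```

Run it once on a reference device after the policy has synced; a missing Privacy key or a global consent value that does not match the policy is the first sign that the assignment or the sync has not completed.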
Additional privacy settings
Let's look at a few additional privacy settings that you should consider that are not listed in the Privacy & Security settings. It's worth evaluating them and determining if they should be disabled on company devices, depending on your privacy controls:
- Settings Catalog | Allow Game DVR. Disabling this policy will block Windows Game Recording and Broadcasting.
- Settings Catalog | Disable Privacy Experience. Disabling this policy may prevent new users from changing company-managed privacy settings when they log on for the first time.
- Settings Catalog | Turn off toast notifications on the lock screen (User). Enabling this policy will prevent toast notifications from displaying on the lock screen.
- Settings Catalog | Allow Cortana Above Lock. Disabling this setting will prevent a user from interacting with Cortana on the lock screen using speech.
- Settings Catalog | Allow Windows Spotlight (User). Disabling this policy will turn off consumer features and Windows tips on the lock screen.
- Settings Catalog | Allow Advertising. Disabling this policy will prevent the device from sending out Bluetooth advertisements. We covered additional Bluetooth security settings in Chapter 4, Networking Fundamentals for Hardening Windows.
- Settings Catalog | Allow Location. Disabling this policy will prevent apps from accessing location services, including Cortana and Windows search.
About the authors
Mark Dunkerley is a cybersecurity and technology leader with over 20 years of experience working in higher education, healthcare and Fortune 100 companies. Dunkerley has extensive knowledge in IT architecture and cybersecurity through delivering secure technology solutions and services. He has experience in cloud technologies, vulnerability management, vendor risk management, identity and access management, security operations, security testing, awareness and training, application and data security, incident and response management, regulatory and compliance, and more. Dunkerley holds a master's degree in business administration and has received certifications through (ISC)2, AirWatch, Microsoft, CompTIA, VMware, Axelos, Cisco and EMC. He has spoken at multiple events, is a published author, sits on customer advisory boards, has published several case studies and is featured as one of Security Magazine's 2022 Top Cybersecurity Leaders.
Matt Tumbarello is a senior solutions architect. He has extensive experience working with the Microsoft security stack, Azure, Microsoft 365, Intune, Configuration Manager and virtualization technologies. He also has a background working directly with Fortune 500 executives in a technical enablement role. Tumbarello has published reviews for Azure security products, privileged access management vendors and mobile threat defense solutions. He also holds several Microsoft certifications.