Windows 11 Pro: Next-Level Hardening (Local-Only Workstation Mode)
This guide locks Windows 11 Pro into a low-telemetry, cloud-isolated configuration suitable for professional workstations, labs, and security-conscious environments.
1) Reduce Windows Telemetry to Minimum
Windows 11 Pro cannot fully disable telemetry, but this sets it to the lowest supported level.
- Open gpedit.msc
- Navigate to: Computer Configuration └ Administrative Templates └ Windows Components └ Data Collection and Preview Builds
- Set:
  - Allow Telemetry → Enabled → 0 – Security
  - Disable pre-release features → Enabled
  - Do not show feedback notifications → Enabled
2) Disable Diagnostic & Feedback Services
sc stop DiagTrack
sc config DiagTrack start= disabled
sc stop dmwappushservice
sc config dmwappushservice start= disabled
These services handle telemetry upload and diagnostic push data.
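The same change done idempotently from an elevated PowerShell, as an added example that is not part of the original guide. It uses only the two service names given above and tolerates builds where dmwappushservice is not present (an assumption about build variation, handled rather than relied on), then prints the resulting state so the result can be checked:

```powershell
# Added example (not from the original guide): disable the telemetry services
# idempotently and report their resulting state. Run from an elevated PowerShell.
$services = 'DiagTrack', 'dmwappushservice'

foreach ($name in $services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        # Assumption: some builds ship without dmwappushservice; skip rather than fail.
        Write-Output "$name : not present on this build, skipping"
        continue
    }
    # Stop only if running, so re-runs stay quiet.
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name $name -Force -ErrorAction Stop
    }
    # StartType is what survives a reboot; change it only when it differs.
    if ((Get-Service -Name $name).StartType -ne 'Disabled') {
        Set-Service -Name $name -StartupType Disabled
    }
}

# Verify: each present service should now be Stopped with StartType Disabled.
Get-Service -Name $services -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType |
    Format-Table -AutoSize
```

Checking StartType rather than only stopping the service is the part that matters for hardening: a stopped service with StartType Automatic comes back at the next boot.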
3) Disable Advertising ID & Consumer Profiling
- Open gpedit.msc
- Navigate to: Computer Configuration └ Administrative Templates └ System └ User Profiles
- Set Turn off advertising ID → Enabled
4) Disable Cloud Search, Web Results & Cortana Hooks
- Open gpedit.msc
- Navigate to: Computer Configuration └ Administrative Templates └ Windows Components └ Search
- Set all of the following to Disabled:
  - Allow Cortana
  - Allow search and Cortana to use location
  - Allow web search
  - Allow cloud search
5) Disable Windows Copilot & AI Cloud Assistants
- Open gpedit.msc
- Navigate to: Computer Configuration └ Administrative Templates └ Windows Components └ Windows Copilot
- Set Turn off Windows Copilot → Enabled
6) Lock Down Microsoft Edge (Local Browser Mode)
- Open gpedit.msc
- Navigate to: Computer Configuration └ Administrative Templates └ Microsoft Edge
- Set:
  - Disable synchronization of data → Enabled
  - Enable shopping assistant → Disabled
  - Show feature recommendations → Disabled
  - Allow personalization reporting → Disabled
7) Enforce Local Accounts Only
This prevents Microsoft identity usage entirely.
- Navigate to: Computer Configuration └ Windows Settings └ Security Settings └ Local Policies └ Security Options
- Set Accounts: Block Microsoft accounts → Users can’t add or log on with Microsoft accounts
8) Optional: Block Microsoft Telemetry Endpoints (Firewall)
Create outbound firewall rules for known telemetry domains if your environment allows it:
- vortex.data.microsoft.com
- settings-win.data.microsoft.com
- telemetry.microsoft.com
- watson.telemetry.microsoft.com
Best handled via perimeter firewall or DNS sinkhole (Pi-hole / Unbound).
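If host-level rules are used anyway, the following added example (not from the original guide) shows the one detail that trips people up: Windows Firewall rules match IP addresses, not hostnames, so each domain has to be resolved at rule-creation time and the rule refreshed when the addresses move. The rule-name prefix and group name are assumptions chosen for this example; the four hostnames are the ones listed above.

```powershell
# Added example (not from the original guide): outbound block rules for the listed
# telemetry hosts. Run elevated. Re-run to refresh addresses; rules are updated in place.
$telemetryHosts = @(
    'vortex.data.microsoft.com',
    'settings-win.data.microsoft.com',
    'telemetry.microsoft.com',
    'watson.telemetry.microsoft.com'
)
$group = 'Telemetry Block (local)'   # assumed group name for this example

foreach ($h in $telemetryHosts) {
    $ruleName = "Block-Telemetry-$h"  # assumed naming scheme for this example

    # Resolve both A and AAAA; Resolve-DnsName follows CNAME chains and returns the
    # intermediate CNAME records too, so keep only the record type we asked for.
    $addrs = foreach ($type in 'A', 'AAAA') {
        Resolve-DnsName -Name $h -Type $type -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq $type } |
            ForEach-Object { $_.IPAddress }
    }
    $addrs = @($addrs | Sort-Object -Unique)
    if ($addrs.Count -eq 0) {
        Write-Warning "$h did not resolve; no rule created or updated"
        continue
    }

    $existing = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
    if ($existing) {
        # Idempotent: replace the address list instead of adding a duplicate rule.
        $existing | Set-NetFirewallRule -RemoteAddress $addrs
    } else {
        New-NetFirewallRule -DisplayName $ruleName -Group $group -Direction Outbound `
            -Action Block -RemoteAddress $addrs -Profile Any -Enabled True | Out-Null
    }
    Write-Output "$ruleName -> $($addrs -join ', ')"
}

# Review what is actually enforced (the address filter is what the firewall matches on).
Get-NetFirewallRule -Group $group | Get-NetFirewallAddressFilter |
    Select-Object InstanceID, RemoteAddress | Format-Table -AutoSize
```

Because the resolved addresses can be shared with other Microsoft services, confirm Windows Update and any required store or licensing traffic still work after applying these rules; that fragility is the reason the guide prefers a DNS sinkhole, which blocks by name.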
Verification Checklist
- No OneDrive process or Explorer entry
- Search shows local files only
- Copilot icon absent
- No Microsoft account sign-in allowed
- DiagTrack service disabled
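The checklist above as a script, added here as an example and not part of the original guide. Each item is mapped to something observable: a running process, the DiagTrack start type, or the policy registry value that the corresponding Group Policy setting writes. The registry paths and value names are an assumption based on the standard policy locations on Windows 11; confirm them against gpedit on your build before relying on the result.

```powershell
# Added example (not from the original guide): run the verification checklist as code.
# Registry paths are assumed standard policy locations for the settings in this guide.
function Test-PolicyValue {
    param([string[]]$Paths, [string]$Name, $Expected)
    foreach ($path in $Paths) {
        $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item -and $item.$Name -eq $Expected) { return $true }
    }
    return $false
}

function Test-HardeningChecklist {
    $diag = Get-Service -Name DiagTrack -ErrorAction SilentlyContinue
    $checks = @(
        @{ Item = 'No OneDrive process running'
           Pass = -not (Get-Process -Name OneDrive -ErrorAction SilentlyContinue) }
        @{ Item = 'OneDrive sync disabled by policy'
           Pass = Test-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive' 'DisableFileSyncNGSC' 1 }
        @{ Item = 'Search: web results disabled by policy'
           Pass = Test-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search' 'DisableWebSearch' 1 }
        @{ Item = 'Copilot turned off by policy (machine or user scope)'
           Pass = Test-PolicyValue @('HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsCopilot',
                                     'HKCU:\SOFTWARE\Policies\Microsoft\Windows\WindowsCopilot') 'TurnOffWindowsCopilot' 1 }
        @{ Item = 'Microsoft accounts blocked (NoConnectedUser = 3)'
           Pass = Test-PolicyValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'NoConnectedUser' 3 }
        @{ Item = 'DiagTrack service disabled and stopped'
           Pass = [bool]($diag -and $diag.StartType -eq 'Disabled' -and $diag.Status -eq 'Stopped') }
        @{ Item = 'Telemetry policy at lowest level (AllowTelemetry = 0)'
           Pass = Test-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection' 'AllowTelemetry' 0 }
    )
    foreach ($c in $checks) {
        [pscustomobject]@{ Item = $c.Item; Pass = [bool]$c.Pass }
    }
}

$results = Test-HardeningChecklist
$results | Format-Table -AutoSize
$failed = @($results | Where-Object { -not $_.Pass }).Count
Write-Output "$failed check(s) failed"
```

The policy checks tell you the setting is configured; the process and service checks tell you it took effect. Both are needed, since a policy value written by hand is only read by the component at its next start.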
Description
“All the way” PowerShell hardening script (Admin, idempotent, backups)
What it does:
- Disables OneDrive file sync (policy) + optional uninstall trigger
- Disables consumer experiences, tailored experiences, ads ID
- Minimizes diagnostics to lowest supported on Pro (Required) and disables feedback prompts
- Disables web search and “cloud search” style toggles (where available)
- Disables Copilot (policy) and optionally attempts to remove the Copilot appx (build-dependent)
- Disables clipboard history/sync
- Hardens Edge sync/personalization
- Disables telemetry services (DiagTrack, dmwappushservice)
- Exports policy registry backups before changes
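The backup-then-apply pattern that the last item describes, as an added example; this is illustrative code, not the script being described here. Each policy key is exported with reg.exe before the first value in it is changed, and a value is written only when it differs from the target, which is what makes a re-run safe. The key/value mapping for each Group Policy setting is an assumption based on the standard policy registry locations on Windows 11, and the backup directory under ProgramData is a choice made for this example.

```powershell
# Added example (not the script the page describes): back up policy keys, then apply
# the policy values idempotently. Run elevated. Registry mapping is assumed (see lead-in).
$backupDir = Join-Path $env:ProgramData ('HardeningBackups\' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# Key in reg.exe form, value name, target DWORD value.
$policies = @(
    @{ Key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection';          Name = 'AllowTelemetry';                   Value = 0 }
    @{ Key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection';          Name = 'DoNotShowFeedbackNotifications';   Value = 1 }
    @{ Key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo';         Name = 'DisabledByGroupPolicy';            Value = 1 }
    @{ Key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent';            Name = 'DisableWindowsConsumerFeatures';   Value = 1 }
    @{ Key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\OneDrive';                Name = 'DisableFileSyncNGSC';              Value = 1 }
    @{ Key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search';          Name = 'DisableWebSearch';                 Value = 1 }
    @{ Key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search';          Name = 'AllowCloudSearch';                 Value = 0 }
    @{ Key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsCopilot';          Name = 'TurnOffWindowsCopilot';            Value = 1 }
    @{ Key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System';                  Name = 'AllowClipboardHistory';            Value = 0 }
    @{ Key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System';                  Name = 'AllowCrossDeviceClipboard';        Value = 0 }
    @{ Key = 'HKLM\SOFTWARE\Policies\Microsoft\Edge';                            Name = 'SyncDisabled';                     Value = 1 }
    @{ Key = 'HKLM\SOFTWARE\Policies\Microsoft\Edge';                            Name = 'PersonalizationReportingEnabled';  Value = 0 }
    @{ Key = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'NoConnectedUser';                  Value = 3 }
)

$backedUp = @{}
foreach ($p in $policies) {
    $psPath = $p.Key -replace '^HKLM\\', 'HKLM:\'

    # Back up each key once, before anything in it is touched. A key that does not
    # exist yet has nothing to back up; the restore step for it is simply deleting it.
    if (-not $backedUp.ContainsKey($p.Key)) {
        if (Test-Path $psPath) {
            $file = Join-Path $backupDir (($p.Key -replace '[\\:]', '_') + '.reg')
            & reg.exe export $p.Key $file /y | Out-Null
        }
        $backedUp[$p.Key] = $true
    }

    if (-not (Test-Path $psPath)) { New-Item -Path $psPath -Force | Out-Null }
    $current = (Get-ItemProperty -Path $psPath -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
    if ($current -eq $p.Value) {
        Write-Output "unchanged $($p.Key)\$($p.Name) = $($p.Value)"
    } else {
        Set-ItemProperty -Path $psPath -Name $p.Name -Value $p.Value -Type DWord
        Write-Output "set       $($p.Key)\$($p.Name): $current -> $($p.Value)"
    }
}
Write-Output "Backups written to $backupDir (restore a key with: reg import <file>)"
```

Writing the policy registry values directly has the same effect as setting them in gpedit, and gpedit will show them as configured; the backups make the change reversible, which a hardening script should always be.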