Taming Windows 11
by Bob Reite, CBT
With Windows 10 nearing end of life, it is time to tame Windows 11. While the method is similar to what had to be done with Windows 10, there are a few differences. This applies to Windows 11 Pro. Since Windows 11 Home does not have the means to edit group policy, taming the Home version requires a lot of registry hacking, which may not survive updates. So let's get started.
Create a Local User
While Microsoft touts the convenience of logging in via a Microsoft account to sync all of your data across several devices, this is a security risk. In Windows 11 they made it somewhat more difficult to configure a machine without a Microsoft account. To force Windows 11 to give you the local account option, make sure that the machine is not connected to the Internet. If the machine has a built-in WiFi adapter, temporarily disable it in BIOS. If asked where you are going to use it, choose “Work or School”. On the next screen, choose “continue with a limited setup” to go to the local account setup screen.
Disable Most of the Spyware
Go to the Privacy settings. You can get there quickly by typing “Privacy” in the search bar at the lower left. This will bring up Privacy > General. By default, everything is ON. Turn everything off here.
Go to Accessibility, then Speech. Turn this off unless you want to try the speech to text function. At Diagnostics & feedback turn off “Send optional diagnostic data”. Later, we will make group policy changes to disable this entirely. Turn “Improve inking and typing” off. Also turn off “Tailored experiences”. The jury is out on “View diagnostic data” but I prefer to keep it simple and leave it off. Under Feedback, set Feedback frequency to “Never”. It is up to you if you want to also uncheck “Store my activity history on this device”; I left it checked because I do find this convenient and it’s not really dangerous.
Get Rid of Bloatware
Much of the bloatware can be uninstalled by going to Apps > Installed apps, clicking the three dots to the right of the listing to get the menu, and choosing “Uninstall”. This works for Copilot, Feedback Hub, Microsoft 365 (Office), Clipchamp, Microsoft OneDrive, Microsoft Teams, Microsoft ToDo, News, Outlook (new), Weather, Web Search from Bing, Xbox and Xbox Live. Under “System Components”, go to each one, use the triple dots to get “Advanced options” and choose “Never” for “Let this system component run in the background”. This will go a long way in speeding up the machine. However, if you are using the Microsoft Security suite, leave it set to “Power optimized.” Under “Gaming” turn off everything that you are not going to use. One thing that seems to have improved with Windows 11 is that it is possible to get rid of the bloatware without having to resort to PowerShell or a paid third-party program such as CleanMyPC.
Note that some of this bloatware or even a new annoyance may come back to haunt you after a major update, so you may have to do it again.
Get rid of Breaking News
This is fairly easy. Right-click a blank area of the taskbar, choose “Taskbar settings” and turn off Widgets.
Get Rid of Search Highlights
A major annoyance of Windows 11 as shipped is the “search highlights” in the search box. To me that search box should be for just the local machine. If I want to search the web, I’ll open a web browser for that purpose. There are several ways to get rid of it, but the least dangerous method is to use Settings. Go to Privacy and Security > Search Permissions. Turn off “Show search highlights” at the bottom. While you are on this screen, turn off both “Cloud content search” options.
Block Forced Updates
Although Windows 11 does allow you to ‘postpone’ updates for up to a week, you have to remember to keep doing it. It would be much better to have it set up like you could in Windows 7, with the option of “Let me know when updates are ready, but I’ll choose when to download and install them.” That way, you can wait a week or so to see if the most recent update is faulty, as happened a year or so ago with an update that turned half the computers that ran it into bricks. Oddly enough, the Enterprise edition gives the choice as an administrator menu option, but not so the Professional edition, much less the Home edition.
In Windows 11 Pro it is now possible to fix this without touching the registry. In the search box type “Edit Group Policy”. On the left side, navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage end user experience. On the right select “Configure Automatic Updates”. Click “Edit policy setting”.
In the new window that opens, select “Enabled”. Choose item 2 – Notify for download and auto install. Then click “Apply”, then close the policy editor window. Back in Windows Update, turn off “Get the latest updates as soon as they’re available”. To see if your changes “took”, click “Advanced options”, then “Configured update policies”. It will show as “Set Automatic Update options, Type: Group Policy”. It would have been nice if it had spelled out here what the policy is now set to.
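The “Configured update policies” screen does not say which option is in force, but the policy is stored in the registry and can be read back. The following PowerShell check is an added example, not part of the original article; it reads the Windows Update policy values `NoAutoUpdate` and `AUOptions` and reports what they mean.

```powershell
# Added example: read back the "Configure Automatic Updates" group policy.
# Read-only; run in a PowerShell window on the configured machine.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# Meaning of the AUOptions value written when the policy is Enabled.
$meaning = @{
    2 = 'Notify for download and auto install'
    3 = 'Auto download and notify for install'
    4 = 'Auto download and schedule the install'
    5 = 'Allow local admin to choose setting'
}

function Get-AutoUpdatePolicy {
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $p) {
        # No key or no values: the policy was never applied.
        return 'Not configured: Windows Update is using its defaults.'
    }
    if ($p.NoAutoUpdate -eq 1) {
        # This is what the policy editor writes for "Disabled".
        return 'Policy set to Disabled: automatic updating is turned off.'
    }
    if ($null -eq $p.AUOptions) {
        return 'Policy key exists but AUOptions is missing.'
    }
    $opt  = [int]$p.AUOptions
    $text = $meaning[$opt]
    if (-not $text) { $text = 'unrecognised value' }
    return "Policy Enabled, option $opt - $text"
}

Get-AutoUpdatePolicy
```

After following the steps above, the expected report is option 2; any other result after a feature update means the policy needs to be set again.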
Totally Disable Data Collection
Remember that you only had a choice to turn off “Optional” data collection? We are going to fix that now. Like automatic updates, this can also be fixed with the policy editor.
In the search box type “Edit Group Policy”. On the left side, navigate to Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds. On the right side choose “Allow Diagnostic Data”. Click “Edit policy setting”. In the window that opens, choose “Enabled” and select “Diagnostic data off”. Hit Apply and OK.
Next you will have to disable some services. In the search box, type “Services” then run the Services app as administrator.
Look for:
Diagnostics Tracking Service
dmwappushsvc
On some machines you might find it as:
Connected User Experiences and Telemetry
dmwappushsvc
Don’t worry if you can’t find dmwappushsvc; it is not present on all machines. In any case, change the startup type on the ones that you do find to “Disabled”.
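Since a major update can undo these changes, it helps to be able to re-check them in one step. This PowerShell audit is an added example, not part of the original article; it reads the `AllowTelemetry` value that the “Allow Diagnostic Data” policy writes, and looks the services up by their registered names (`DiagTrack`, and a wildcard for the dmwappush service), which differ from the display names shown in the Services app.

```powershell
# Added example: audit the telemetry policy and services. Read-only.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
# Registered service names; the wildcard simply matches nothing on
# machines where the dmwappush service is not installed.
$serviceNames = 'DiagTrack', 'dmwappush*'

function Test-TelemetryPolicy {
    $p = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    if ($null -eq $p -or $null -eq $p.AllowTelemetry) {
        return [pscustomobject]@{
            Item = 'Allow Diagnostic Data'; State = 'Not configured'; OK = $false
        }
    }
    # 0 is the value written for "Diagnostic data off".
    [pscustomobject]@{
        Item  = 'Allow Diagnostic Data'
        State = "AllowTelemetry = $($p.AllowTelemetry)"
        OK    = ($p.AllowTelemetry -eq 0)
    }
}

function Test-TelemetryServices {
    $found = Get-Service -Name $serviceNames -ErrorAction SilentlyContinue
    foreach ($svc in $found) {
        [pscustomobject]@{
            Item  = "$($svc.DisplayName) ($($svc.Name))"
            State = "StartType = $($svc.StartType), Status = $($svc.Status)"
            # Pass only if disabled and not still running from this boot.
            OK    = ($svc.StartType -eq 'Disabled' -and $svc.Status -ne 'Running')
        }
    }
}

$report = @(Test-TelemetryPolicy) + @(Test-TelemetryServices)
$report | Format-Table -AutoSize -Wrap
if ($report.OK -contains $false) {
    Write-Warning 'At least one setting has reverted or was never applied.'
}
```

A service that shows as Disabled but still Running was disabled after it started; it will stay stopped after the next reboot.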
Final Analysis
Having had the previous experience with Windows 10, it only took about an hour and a half to figure this out on the first try; subsequent machines took under an hour each once I knew what to do. Like Windows 10, Windows 11 keeps trying to make encrypted connections to an IP address owned by Microsoft. Perhaps it was trying to connect to OneDrive, even though I said “no” to that option. Perhaps it was checking for updates.
On one computer I set up a firewall rule to block all traffic in and out from known Microsoft IP addresses. Once I did that, the mystery packets stopped. However, after doing that I could not get files that people wanted to share with me using OneDrive, nor connect to any site hosted by Microsoft.
Bob Reite operates his contract engineering firm, Telecentral Electronics, Inc. servicing radio stations in Pennsylvania and New York state and may be contacted at br@telcen.com