Get The Most of Win 11 (and the least bloat)
11/03/2023 Update: I fixed some grammar, and Google just announced they’re going to stop the implementation of WEI (hopefully permanently, but they may just be trying to outwait bad publicity and anti-trust actions - only time will tell).
If you read my first post here you probably got the idea I have strong feelings about recent versions of Windows, and you wouldn’t be wrong. There’s a lot of junk on Windows, but there are many ways you can go around and clean up some of the worst of it, and I thought I would go over a few potential ways of doing so.
There are plenty of tools to “debloat” an ISO, or scripts/tools to run after installing Windows, but I’d recommend against those to avoid putting total trust into a (hopefully well-meaning) internet stranger. I also cannot imagine my workplace (or most workplaces) being happy with running random tools/PowerShell scripts on work devices.
I plan to structure this post where I go over things you may want to do before an install, followed by things you may want to do during an install, then things you could do after an install or on an already completed Windows 11 installation.
Finally, if you’re on Windows 10 and want to avoid Windows 11 for now, by all means do so. Security updates will keep coming in until 2025, and I have a feeling that they’ll extend the date once or twice since many people are putting off installing Windows 11. But once security updates run out, updating that day or before is paramount.
Before Installing
Get your Activation Keys
If you have an activated Windows installation then before upgrading/re-installing (or at any point for backup purposes) you should grab a copy of your key using the following command in PowerShell:
wmic path softwarelicensingservice get OA3xOriginalProductKey
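The same lookup without wmic, as an added example that is not part of the original post: wmic is deprecated and may be missing on a given Windows 11 install, so this reads the same property through CIM. The firmware value is empty on machines without an OEM key, so the script also lists the installed Windows license (edition, channel description, last five key characters) to show what is actually activated.

```powershell
# Added example (not from the original post). Read-only; makes no changes.

# 1. OEM key stored in firmware: the same value the wmic command above reads.
$firmwareKey = (Get-CimInstance -ClassName SoftwareLicensingService).OA3xOriginalProductKey
if ([string]::IsNullOrWhiteSpace($firmwareKey)) {
    Write-Output 'No OEM key is stored in firmware on this machine.'
} else {
    Write-Output "Firmware (OEM) key: $firmwareKey"
}

# 2. The Windows license that is currently installed.
#    This ApplicationID is the one Windows uses for its own licenses.
$windowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'
$statusNames = @{
    0 = 'Unlicensed';        1 = 'Licensed'
    2 = 'Out-of-box grace';  3 = 'Out-of-tolerance grace'
    4 = 'Non-genuine grace'; 5 = 'Notification'
    6 = 'Extended grace'
}

Get-CimInstance -ClassName SoftwareLicensingProduct `
    -Filter "ApplicationID='$windowsAppId' AND PartialProductKey IS NOT NULL" |
    ForEach-Object {
        [pscustomobject]@{
            Edition     = $_.Name
            Channel     = $_.Description          # text includes the channel, e.g. OEM or RETAIL
            Status      = $statusNames[[int]$_.LicenseStatus]
            KeyEndsWith = $_.PartialProductKey    # last five characters only
        }
    } | Format-List
```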
Tricks for Getting an ISO
If you have a device running Windows, Microsoft will push you to get an ISO by running the Windows Media Creation tool. If you’re not running Windows you can download an ISO directly, but recently when trying to create a Windows VM I had some trouble but found a workaround. With a Linux browser agent I kept getting the error below, even on a clean data center and residential IP address.
Error
We are unable to complete your request at this time. Some users, entities and locations are banned from using this service. For this reason, leveraging anonymous or location hiding technologies when connecting to this service is not generally allowed. If you believe that you encountered this problem in error, please try again. If the problem persists you may contact Microsoft Support – Contact Us page for assistance. Refer to message code [error code] and [error code].
Trying it on my Android phone from the same IP address worked, and even worked with VPN and Tor IPs. I’m unsure if it was a fluke or intentional, but if you keep getting the error try downloading with a phone.
Rufus
Once you have an ISO, unless you’re going to burn it to a CD/DVD, you’ll need to burn it to a thumb drive or SD card. The two main options are Rufus (Win) or Balena Etcher (Win/Linux), though Rufus will offer to bypass the TPM requirement and/or create a local account when you are burning the ISO. If you don’t use Rufus there are ways to do both listed below, but burning the ISO with Rufus would be the easiest way to do either.
Tutorial that shows how to use Rufus
Installation Process
If you’re reading this and you intend to install Windows 11 in the future there are some ways to cut out junk during the installation process. The installation options I would recommend considering are listed below in the order you’ll run into them.
Bypassing TPM Requirements
TPM 2.0 seems like a bit of an odd hill to die on as far as Microsoft making things a requirement, but there’s a tutorial here from Tom’s Hardware that goes over three ways to bypass the TPM requirement.
Geo Location Setting
One of the first things you’ll be prompted for in a Windows installation is to select a language and country. At the time of writing, selecting “English (world)” will skip installing the bloat and sponsored content that is selected by region and give you a much cleaner install.
This will disable the Microsoft Store until you select a region afterwards, but the region can be changed at any time. You may also get a generic error, and then get prompted to select a keyboard layout. You can ignore the error, select the keyboard layout, and continue on.
Version and Activation
During your setup process you will be prompted to choose a Windows version. If you already have a product key, select the version that corresponds with the key you have. Otherwise, choose Windows 11 Pro and choose the “I don’t have a key” option. You can always go on forever without activating it: the only thing that will affect you is that you’re stuck with the annoying taskbar in the center of the screen and the default background.
At some point, if you do want to activate it, you can. You can do so by buying a key from Microsoft or from third-party sellers with super cheap keys that probably weren’t meant to be sold, by “finding” a key for free that’s floating around on the internet, or by running some combination of tools/commands that might convince Windows that it’s mistaken and that you’ve already activated it.
Account Setup
Microsoft seems convinced you need a Microsoft account to sign into your computer. You can still use a local account, however, and I would prefer that for privacy and for the ideological reason that I wouldn’t want Microsoft controlling access to my computer. To set up a local account enter a fake email (e.g. [email protected] with the password nope), then after it fails it will offer a local account instead.
Privacy Settings
Once an account has been created, you’ll be prompted with some privacy toggles. Here is what I would recommend:
- Location: Off unless you use location data. I don’t know why location services would be useful on a computer, but it can always be turned back on if needed.
- Find my device: Off unless you want to use it. If you don’t intend to use it then the less secret hardware second operating system stuff the better.
- Diagnostic Data: minimal. Data collection is bad for privacy and not going to provide you any benefit; there’s really no reason to turn it on.
- Inking and Typing: Off. Just no. Tracking what you type is not something I think should even be an option on a computer.
- Tailored Experience: Off. I don’t think there’s any benefit in being repeatedly recommended various Microsoft services.
- Advertising ID: Off. There is no benefit in providing advertisers with more information about you.
Post Install
There are many things you can do to get a Windows 11 installation cleaned up with what should be better performance and privacy while cutting back on bloat and clutter. The following can all be done whether you just installed Windows or have had an existing installation. None of these are mandatory: you can choose what you want to do and don’t, but below are the things I would recommend.
Settings:
There are a lot of different settings that might improve your privacy, increase performance, stop Windows from pestering you about things, and change things that could have been selected during the installation that were not. So, fire up the settings app and consider changing all of the following:
- System/Notifications/Additional Settings: Disable “Suggest ways to get the most out of Windows” and “Get tips and suggestions when using Windows” if you want to avoid annoying prompts about Edge or something like that.
- System/Power: Set your preferred power options. Saving battery is great if you’re on the move, but no point in hamstringing performance if you’re always plugged in.
- Personalization/Device Usage: Turn off everything if you didn’t turn it off during installation; no point in handing over data on any of that so Microsoft can “better” serve you ads.
- Accounts: You can change your account to a local account if you set up an online one and want to change that.
- Time and Language/Region: You can set your country if you set it as world in the setup and want to use the Microsoft Store.
- Time and Language/Typing/Typing Insights: Off to prevent Windows from keeping track of some of what you type, or on if you really like the feature.
- Privacy and Security/Find My Device: Can be turned off here if you do not want it on but didn’t disable it during the installation.
- Privacy and Security/General:
  - Disable Advertising ID: No benefit in letting advertisers track you more.
  - Disable Websites Accessing Language List: No benefit in letting websites track you unless you’re bilingual or find some other benefit in it.
  - Disable Letting Microsoft Track App Launches: No benefit in letting Microsoft track you.
  - Disable Microsoft from showing you suggested content in the settings app: Less ads = good.
- Privacy and Security/Inking and Typing Personalization: Disable the custom dictionary to decrease the amount of data Windows collects on what you type, leave it on if you really like the feature.
- Privacy and Security/Diagnostics and Feedback: Turn everything off and set feedback requests to never if you didn’t do this during the installation; there’s no benefit for you in handing a bunch of usage data to Microsoft.
- Privacy and Security/Activity History: Disable sending activity to Microsoft, and optionally disable storing it locally as well. Sending your usage history to Microsoft brings you no benefit, and storing it locally is only useful if you actually use the feature.
- Privacy and Security/Search Permissions:
  - Turn off cloud search content with personal and work/school accounts. There’s no benefit in handing over your searches to Microsoft.
  - Turn off storing searches locally on your device, unless you find value in being able to review past searches.
  - Turn off search highlights. There’s no benefit for you in Microsoft using your searches to advertise to you.
- Windows Updates: You may want to turn off the “Be the first to get Windows Updates” option. When it is on, you get pending features while Microsoft is still testing them, and your computer may be less stable as a result.
- Windows Updates/Advanced Options/Delivery Optimization: Turn off allow updates from other PCs. When this is on, your computer might be used to deliver updates to other computers, and I wouldn’t want my computer acting as an update server on behalf of Microsoft.
Software
Disable the Windows Telemetry Service
Even if you went through all the settings above, Windows 11 still collects a fair bit of information about your computer and what you are doing. To further decrease data collection, you can disable the service that runs in the background collecting the data and sending it to Microsoft.
In the taskbar search for “Services” and click on the program with the gear icon. In the list of services, scroll down until you find the service titled “Connected User Experiences and Telemetry,” right click on it and choose properties. Once in the properties menu choose the startup type “Disabled” from the menu and hit “okay” to disable even more data collection.
This shouldn’t affect you in any way, but if for some strange reason it did start causing issues later you can re-enable it again in two clicks.
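The same change from an elevated PowerShell prompt, as an added example that is not part of the original post: it shows the service's state before and after, so you can confirm the setting took effect and revert it with one call. `DiagTrack` is the short name of the “Connected User Experiences and Telemetry” service; the function name `Set-DiagTrackStartup` is made up for this example.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post).
# Set-DiagTrackStartup is a hypothetical helper name used only here.

function Set-DiagTrackStartup {
    param(
        # 'Disabled' applies the change described above; 'Automatic' reverts it.
        [ValidateSet('Disabled', 'Automatic')]
        [string]$StartupType = 'Disabled'
    )

    $name = 'DiagTrack'   # Connected User Experiences and Telemetry

    # Show the current state first so there is a record of what was changed.
    $before = Get-Service -Name $name -ErrorAction Stop
    Write-Output ("Before: status={0}, startup={1}" -f $before.Status, $before.StartType)

    Set-Service -Name $name -StartupType $StartupType -ErrorAction Stop
    if ($StartupType -eq 'Disabled') {
        # Disabling only affects the next start, so stop the running instance too.
        Stop-Service -Name $name -Force -ErrorAction Stop
        $expectedStatus = 'Stopped'
    } else {
        Start-Service -Name $name -ErrorAction Stop
        $expectedStatus = 'Running'
    }

    # Re-read the service instead of trusting the commands above.
    $after = Get-Service -Name $name
    Write-Output ("After:  status={0}, startup={1}" -f $after.Status, $after.StartType)

    if ($after.StartType -ne $StartupType -or $after.Status -ne $expectedStatus) {
        Write-Warning "$name is not in the requested state."
        return $false
    }
    return $true
}

Set-DiagTrackStartup                             # disable and stop the service
# Set-DiagTrackStartup -StartupType Automatic    # revert
```

Calling `Get-Service -Name DiagTrack` on its own at any later point shows whether the service is still stopped and disabled.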
Uninstall Pre-Installed Apps
If you have an existing installation where Microsoft or the manufacturer pre-loaded many unnecessary applications, consider removing/disabling them. Type “add or remove programs” in the start menu, then go through and remove anything you don’t want or need.
Browsers:
We use browsers for a ton, so they’re definitely worth configuring to improve your computer’s performance and battery life and to have a more private and less cluttered web browsing experience. There are three browsers I’ll talk about how I would want them configured: Edge, Firefox, and Brave. If you’re using a package manager (e.g. Winget/Chocolatey) then LibreWolf might be worth using as well.
Thoughts/Ideology on Browser Engines & Google Stuff
Browser engines, if you’re unaware, are the part of the browser that reads web files and puts them on your screen. There are three different main ones: Chromium (by Google), Gecko (by Mozilla), and WebKit (by Apple). Every browser is going to use one of these three engines under the hood, and most browsers, as well as a vast majority of web traffic, use the Chromium engine.
This means browsers like Edge and Chrome are nearly identical, minus the coat of paint Microsoft or Google placed on the engine. This is also why a lot of tech-y people (including myself) think it’s a good idea to use browsers that don’t run Chromium (like Mozilla Firefox & derivatives that use Gecko) because with Google’s near monopoly on browsers they can easily dictate that the web change in ways they want (though some more heavily modified versions of Chromium like Brave could be argued to be contributing less to the Chromium monopoly). That said, use whatever suits you best, as technology is a means to an end.
Speaking of things Google could dictate to the web, there have been three browser changes Google has been making in rapid succession that many people (including myself) are not happy with.
First, Google is phasing in Manifest V3, which seriously hampers ad-block plugins in Chromium-based browsers. They claim it’s a security feature, and things are not entirely cut and dried, though the consensus seems to be overwhelmingly leaning towards Google using monopoly power to try to cut out ad-block. This affects most Chromium-based browsers, though Brave is not affected.
Secondly, Google has been implementing WEI (Web Environment Integrity), a form of attestation (effectively DRM or anti-cheat for the internet), in Chromium. Google is not doing anything with WEI at the moment, but the point of something like that is to monitor or exclude devices for some reason, so for now it’s just sitting there like a crate of dynamite waiting to go off when Google decides to try to say that computers running software, plugins, or operating systems they don’t like shouldn’t be allowed to connect to the internet. Some Chromium-based browsers, including Brave, are not implementing WEI.
Third, Google just released privacy sandbox, which in true double-speak fashion is neither private nor a sandbox. Privacy sandbox takes the websites in your browsing history and then tells advertising networks what types of websites you visit. This, to my knowledge, only affects Chrome and not browsers built with Chromium.
Edge:
Microsoft Edge is sort of a meme, but being based on Chromium it’s pretty much identical to browsers like Chrome or modern versions of Opera. If you want the vanilla browser experience or are on a device running Windows Go and forced to use Edge then here is how I would configure it if I were using it.
Configuration:
On the home page, click the gear icon and disable sponsored shortcuts - no point in seeing more ads. You can also turn off “content” at the very bottom of the menu to not be bombarded with articles and recommended content.
After that, moving on to settings there are a few things that I would highly recommend changing:
- Settings/Accounts: You can sign out of your account if you do not want to sync, or sign into an account if you created a local Windows account but want to sync your data.
- Settings/Privacy, Search, and Services:
  - Set tracking protection to strict - rarely do things break, but if you notice a lot of broken sites you can always set it back to balanced.
  - Optionally, set some or all browsing data to clear on exit. I prefer to have my browsers clear everything on exit, but you may or may not want that. Luckily, you can fine-tune it to clear or not clear whatever you choose.
  - Turn on do not track; it never hurts to ask and won’t do any harm.
  - Turn off the option to allow sites to check if you have payment information stored if you don’t intend to store payment info in your browser.
  - Turn off optional diagnostic data, search and service improvement, and personalization & advertising. There is no value in having these on.
  - Turn off “Shopping in Microsoft Edge” unless you use the feature.
  - Turn off “Notifications of related things” unless you’re a fan of the feature.
- Settings/Privacy, Search, and Services/Address bar and search:
  - Turn off search suggestions using typed characters - no point in leaking things you typed elsewhere into search engines.
  - Turn off the option to show search suggestions with your favorites, history, and other data unless you find it useful. Again, less random data that you expect to be private suddenly being leaked into search engines.
  - Change the search engine. I mean seriously, who wants to use Bing? Brave or DuckDuckGo are great and can be manually added in, instructions here if you do not get a prompt to add them to your browser when visiting. A more private search engine can be great for privacy, but if you have issues with inaccurate results you can always change it back to Google or cough Bing.
- Settings/Sidebar: You may want to turn off the personalize my sidebar option and turn off the option to have apps notify you on the sidebar. Keep your sanity and stop Microsoft from sending you notifications about using their services instead of what you’re using.
- Settings/System and Performance: Turn off startup boost and the option to have Edge always run in the background. No point in wasting resources.
Firefox:
If you are going to install a browser on Windows the two browsers I would personally recommend would be Firefox and Brave. Of the two, I would probably recommend Firefox over Brave: it counts against Google’s monopoly better and will likely run slightly faster. The trade-offs here are Firefox takes some more configuring and may have compatibility issues with sites once in a blue moon.
If you install Firefox, here are the settings you will probably want to change:
- Settings/General: Turn on play DRM content if you want to watch paid streaming services.
- Settings/Home: Disable sponsored links and recommended by pocket. No point in seeing ads when you don’t have to.
- Settings/Search: Set your preferred search engine. Again, as mentioned above in Edge, Brave and DuckDuckGo are more private - or you can leave it as Google.
- Settings/Privacy & Security:
  - Set tracking protection to strict. Again, things rarely ever break and if they do you can always set it back to standard.
  - Enable the “do not track” request.
  - Optionally, tell Firefox to delete cookies when closing and to never remember history. Just beware clearing cookies will sign you out of everything when you close the browser.
  - In the address bar section, turn off suggestions from sponsors. No point in getting ads when you don’t have to.
  - In the Firefox data collection and use section turn off everything. It’s better for privacy and will otherwise have no effect on your experience.
Once settings have been configured, the final optional step is to rid ourselves of Pocket forever. Assuming you don’t use it, enter “about:config” in your address bar, accept the disclaimer, and search “pocket” in the search bar. In the extensions.pocket.enabled option, double click the “true” value to change it to false. You can then close the tab.
Brave
Brave, the other browser I would recommend using, is based on Chromium - albeit a heavily modified fork of Chromium. Setting aside ideological interests in Chromium, the trade-offs here again are an ever-so-slight performance decrease in exchange for avoiding the rare compatibility issues in Firefox and avoiding manually updating Ublock filters. One thing I do have to hand to Brave, though, is configuration out of the box. If you didn’t know or want to configure anything, Brave would offer a fine experience. If you told me I had to live with the default settings in Firefox without extensions I would probably quit the internet and become a hermit.
After installing Brave, I would recommend:
- On first setup turn off insights. Crash reports can be left on.
- On the home page select customize, wallpaper options, scroll to the bottom, and un-check “show sponsored images”.
- In Settings/Search Engine: You may want to change the default search engine.
- On the History tab at the top of the settings page you can click the clear browsing data button and optionally set it to clear some or all browsing data on exit.
Finally, you will probably want to either hide the Brave rewards icon near the address bar so it stops bothering you about it or set it up. Brave rewards shows you ads paid for in BAT and then provides you with a small percentage of what the advertiser paid (BAT - Basic Attention Token - is the cryptocurrency platform Brave built their ad network with). It’s disabled by default, and I personally would prefer it stay off, but if you want to use it then you can set it up.
Ublock Origin
Ublock is an ad block plugin for browsers that I think is absolutely necessary, unless you’re on Brave with its built-in ad-block that works about as well.
Installing Ublock on different Browsers
Adding on Edge: Go to the menu button (three dots at the top right), click extensions, and then search for Ublock Origin.
Adding on Firefox: Go to the menu button (three lines at the top right), click add-ons and themes, and search for Ublock Origin in the search bar at the top.
Adding on Brave: Go to the menu button (three lines at the top right), click extensions, click on the web store link on the extensions page, and then search for Ublock Origin. If you choose to use Ublock on Brave you should probably turn off Brave Shields in settings since they do about the same thing.
With Ublock installed it will work out of the box without any need to configure it besides updating filters occasionally. In order to do so, or to further configure it, click the extensions icon, click on Ublock, and then the gear icon to go to Ublock settings. There you can update the filters or add additional filters such as blocking cookie banners.
Further, if you click on the Ublock icon, the “more” drop-down menu, the “</>” button, and then the lock icon that appears you can permanently disable Javascript for a particular site. This is great for getting around paywalls or popups, and in my opinion, absolutely necessary for any news website.
Bitlocker
Bitlocker is Microsoft’s tool to encrypt your device’s storage. Without encrypted storage, anybody who gets physical access to your computer can read or modify files without needing to know your login credentials. While I believe encryption is important for any computer, it’s vitally important if you are using a laptop that you often bring with you away from your home. To turn Bitlocker on, just search “Bitlocker” on the start menu and it will walk you through setting it up.
Bitlocker is locked behind the Pro version of Windows, which is why I would always recommend selecting the Pro version if possible.
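A check to run after the setup wizard finishes, as an added example that is not part of the original post: it confirms the system drive is fully encrypted, that protection is switched on, and that a recovery password protector exists. It assumes an elevated PowerShell prompt on an edition that ships the BitLocker cmdlets; the function name `Test-SystemDriveEncryption` is made up for this example.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). Read-only; makes no changes.
# Test-SystemDriveEncryption is a hypothetical helper name used only here.

function Test-SystemDriveEncryption {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop

    $vol | Format-List MountPoint, VolumeStatus, ProtectionStatus,
                       EncryptionMethod, EncryptionPercentage | Out-Host

    $problems = @()

    # Encryption runs in the background after setup, so the drive can still
    # be partly in the clear even though the wizard has finished.
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        $problems += "Volume is $($vol.VolumeStatus) ($($vol.EncryptionPercentage)% encrypted)."
    }

    # Protection can be off (suspended) on an encrypted drive; in that state
    # the volume key is readable from the disk without any credentials.
    if ($vol.ProtectionStatus -ne 'On') {
        $problems += "Protection status is $($vol.ProtectionStatus)."
    }

    # List protector types and IDs only; never print the recovery password.
    $vol.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId | Out-Host
    $recovery = $vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $recovery) {
        $problems += 'No recovery password protector; there is no way back in if the normal unlock fails.'
    }

    foreach ($p in $problems) { Write-Warning $p }
    return ($problems.Count -eq 0)
}

Test-SystemDriveEncryption
```

The protector list also shows whether the drive unlocks through the TPM or through another protector, which is relevant if Windows was installed with the TPM requirement bypassed.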
Wrap Up
As always, locating the nearest river and throwing your computer into it is an option to consider.
Assuming you don’t throw it into a river, however, the above is what I believe to be the most de-bloated and privacy-respecting Windows 11 setup template you can get without using any custom tools or third-party software, both of which bring in a whole host of potential risks.
Anyway, if you use Windows 11 you hopefully found at least some of this useful in getting a clean version of Windows 11 set up or cleaning up an existing Windows 11 installation.