Windows 11 privacy: a full list of what it sends and to whom
Windows 11 sends diagnostic data, location history, and usage telemetry to Microsoft by default — much of it impossible to disable via the UI. Here's exactly what leaves your machine, and what a privacy OS eliminates.
Windows 11 is the most widely used desktop operating system in the world, and it is also one of the most aggressive data collection platforms in consumer software history. The data Windows sends to Microsoft is not incidental or necessary for the OS to function — it is a deliberate, layered system of telemetry, advertising infrastructure, and cloud service integration that operates regardless of your preferences and cannot be fully disabled. This article documents what Windows 11 actually sends, to whom, and what can and cannot be done about it.
Recall: an AI that screenshots everything you do
Microsoft introduced Recall in 2024 as a feature for Copilot+ PCs — laptops with dedicated NPU (neural processing unit) hardware. Recall takes a screenshot every few seconds as you work, runs the screenshots through an on-device AI model, and builds a searchable index of everything you've ever seen on your screen: documents, web pages, emails, passwords visible in browser autofill, financial information, personal photos, medical data.
After significant criticism from security researchers and privacy advocates across Europe and the United States, Microsoft paused the rollout and announced Recall would be opt-in rather than opt-out. As of early 2026, Recall is available on Copilot+ PCs as an opt-in feature. "Opt-in" on a Microsoft platform is meaningful only if you trust that the toggle actually disables all data processing — a trust that Microsoft's track record does not fully support.
The security implications are independent of whether screenshots leave the device: a searchable database of everything you've ever seen on your screen is an extraordinarily high-value target for any attacker who compromises your machine.
Telemetry levels: what "Basic" actually sends
Windows 11 sends telemetry to Microsoft through the DiagTrack service (Connected User Experiences and Telemetry). Microsoft describes four levels: Security, Basic, Enhanced, and Full. In practice:
- Security level: available only on Windows Enterprise and Education editions. Consumer versions of Windows 11 cannot be set below Basic.
- Basic (level 1): this is the minimum for Windows 11 Home and Pro. It sends device information (hardware ID, OS version, BIOS data), crash reports, compatibility data, and — despite Microsoft's documentation — a meaningful amount of usage data including app launch events and certain user behaviour metrics. Independent research by privacy organisations including Exodus Privacy has documented telemetry calls at Basic level that go beyond what Microsoft's official documentation describes.
- Enhanced (level 2): adds browsing activity, application usage, and inking and typing data to the baseline.
- Full (level 3): adds memory dumps and more detailed diagnostic data.
The DiagTrack service connects to Microsoft endpoints including v10.events.data.microsoft.com, settings-win.data.microsoft.com, and dozens of others. Network-level blocking of these endpoints is possible but creates instability, as Windows Update and other core functions use overlapping infrastructure.
Advertising ID and tracking
Windows 11 assigns every installation an Advertising ID — a persistent identifier that advertisers can use to track your behaviour across apps. This is enabled by default and exposed to any app that requests it through the Windows API. You can toggle it off under Settings → Privacy & Security → General, but the underlying identifier persists; only its exposure to third-party apps is reduced.
Microsoft's own apps — including the Microsoft Store, Edge, and Xbox services — can access usage and identity data through separate APIs that are not governed by the Advertising ID toggle.
Copilot integration
Copilot in Windows 11 integrates with Bing, Microsoft 365 (if signed in), and Edge. Queries sent to Copilot are processed by Microsoft's cloud infrastructure. Microsoft's privacy statement allows use of Copilot interactions to improve AI models, subject to regional controls. The integration means that text selected in any application can be sent directly to Microsoft's servers with a keyboard shortcut.
Microsoft account requirement
Windows 11 Home requires a Microsoft account for installation and setup by default. It is possible to bypass this using offline account workarounds (Shift+F10 at setup, OOBE commands), but Microsoft has periodically closed these workarounds in updates. A Microsoft account ties your device to Microsoft's cloud, enables OneDrive sync of personal files, and provides Microsoft with a persistent identity for your telemetry data.
Bing in search and the Start menu
The Windows 11 Start menu search sends queries to Bing by default. Every time you type in the search bar — including when looking for local files or apps — the query is sent to Microsoft's servers. This can be partially disabled through Settings → Privacy & Security → Search permissions, but the setting does not disable all search-related telemetry.
What can be partially mitigated
Tools like O&O ShutUp10++ and WPD (Windows Privacy Dashboard) provide registry-level controls that go further than the standard Settings UI. They can disable many telemetry services, the Advertising ID, Bing search integration, and other data collection features. Third-party firewall rules can block many Microsoft telemetry endpoints.
These tools provide meaningful improvement. However, they do not constitute a complete solution:
- Windows Updates regularly re-enable disabled settings
- Core telemetry at Basic level cannot be fully disabled on Home and Pro editions
- Windows Update itself generates telemetry that cannot be separated from the update function
- Event Log data is periodically uploaded through channels that cannot be fully blocked without breaking OS functions
- Microsoft account integration, if used, provides a persistent identity layer that no local tool can sever
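Because updates can silently revert these settings, it helps to check them after every update rather than assume they held. The following read-only PowerShell audit is an added example, not part of the original article or of any tool named above; the registry locations are the standard policy and per-user paths, and the baseline file name is a hypothetical choice.

```powershell
# Added example: read-only audit of the settings discussed in this article.
# A missing registry value means "not configured" (the Windows default applies).
function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$levelNames = @{ 0 = 'Security'; 1 = 'Basic'; 2 = 'Enhanced'; 3 = 'Full' }
$telemetry  = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection' 'AllowTelemetry'
$adId       = Get-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo' 'Enabled'
$noBing     = Get-RegValue 'HKCU:\Software\Policies\Microsoft\Windows\Explorer' 'DisableSearchBoxSuggestions'
$svc        = Get-Service -Name 'DiagTrack' -ErrorAction SilentlyContinue

$report = @(
    [pscustomobject]@{
        Setting  = 'Telemetry policy level'
        Current  = if ($null -eq $telemetry) { 'not configured' } else { "$telemetry ($($levelNames[[int]$telemetry]))" }
        # Home and Pro cannot go below Basic, so 0 or 1 is the lowest effective level.
        Hardened = ($null -ne $telemetry -and $telemetry -le 1)
    }
    [pscustomobject]@{
        Setting  = 'DiagTrack service'
        Current  = if ($null -eq $svc) { 'not present' } else { "$($svc.Status) / $($svc.StartType)" }
        Hardened = ($null -eq $svc -or $svc.StartType -eq 'Disabled')
    }
    [pscustomobject]@{
        Setting  = 'Advertising ID exposed to apps'
        Current  = if ($null -eq $adId) { 'not configured' } else { "$adId" }
        Hardened = ($adId -eq 0)
    }
    [pscustomobject]@{
        Setting  = 'Start menu web (Bing) suggestions disabled'
        Current  = if ($null -eq $noBing) { 'not configured' } else { "$noBing" }
        Hardened = ($noBing -eq 1)
    }
)

# Compare with the previous run so a setting reverted by an update stands out.
$baselinePath = Join-Path $env:LOCALAPPDATA 'privacy-baseline.json'   # hypothetical file name
if (Test-Path $baselinePath) {
    $old = Get-Content $baselinePath -Raw | ConvertFrom-Json
    foreach ($row in $report) {
        $prev = $old | Where-Object Setting -eq $row.Setting
        if ($prev -and $prev.Current -ne $row.Current) {
            Write-Warning "$($row.Setting) changed: '$($prev.Current)' -> '$($row.Current)'"
        }
    }
}
$report | ConvertTo-Json | Set-Content $baselinePath
$report | Format-Table -AutoSize
```

Each run overwrites the baseline, so a warning reports a change since the previous run only; scheduling it after updates gives a simple drift log.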
The alternative: Linux with no telemetry by design
Linux distributions — Fedora, Ubuntu, Debian, and others — collect no telemetry by default. There is no DiagTrack equivalent, no Advertising ID, no AI indexing of your activity, no Microsoft account requirement. What you install is what runs. Network analysis of a fresh Fedora installation reveals no unexpected outbound connections.
The tradeoff is software compatibility: Windows-native applications don't run natively on Linux. For most professional workflows — document editing, development, communication, research — Linux is fully capable. For Windows-specific software, virtualisation or compatibility layers like Wine handle many cases.
Norypt Encrypted Laptops ship with privacy-hardened Linux pre-installed — full-disk LUKS2 encryption, no telemetry, no advertising infrastructure, and no features that screenshot your screen and index your activity. The choice is not between convenience and privacy; it's between an OS designed with your data as the product and one that isn't.
