Microsoft 365 Privacy Controls: Setup, Policies, and Admin Configuration Guide 2026

Microsoft Fix · Intermediate · 14 min read · Official Docs Grounded · Updated April 20, 2026

Why Microsoft 365 Privacy Controls Cause So Much Confusion

I've seen this exact scenario play out on dozens of enterprise deployments: an IT admin gets a ticket saying "Office is sending data somewhere and we don't know what," or a compliance officer asks whether connected experiences are feeding user documents into Microsoft's machine learning pipeline. The panic is real. The error messages, when there are any, are vague. And Microsoft's own settings UI buries the answers three menus deep.

Here's what's actually going on. Starting with Microsoft 365 Apps for enterprise Version 1904, Microsoft introduced a significantly revamped set of privacy controls that affect two distinct areas: diagnostic data (telemetry sent back to Microsoft about how Office is running on your devices) and connected experiences (cloud-powered features inside Office apps like real-time translation, design suggestions, and online template downloads). Before version 1904, admins had limited visibility and even more limited control. Now you have granular policy settings, but only if you know where to look.

The confusion multiplies fast when you realize that the Microsoft 365 privacy settings behave differently depending on how users are signed in. If someone logs into Word with a personal Microsoft account, they see different options than someone using a work or school account. Users on organizational credentials, the typical enterprise scenario, cannot change diagnostic data levels themselves. That control belongs entirely to the admin. So when a user calls saying they can't find a setting, the answer isn't "look harder." The setting has been deliberately locked at the policy level, and only you can change it.

Common scenarios I hear about constantly:

  • Admins trying to set diagnostic data to Neither for a high-security environment and then wondering why required service data is still flowing to Microsoft (spoiler: it always does, by design)
  • Users getting grayed-out ribbon buttons for PowerPoint Designer or the Translator feature after a new Group Policy was pushed
  • Compliance teams discovering that the "optional connected experiences" setting and the "connected experiences that analyze content" setting are two entirely separate policy knobs; missing one leaves a gap
  • Orgs on Microsoft 365 E3 or E5 that didn't realize version currency matters; machines running Office 2019 or an older perpetual license don't get the same privacy control architecture at all

I know this is frustrating, especially when audit season hits and you need documentation that proves your diagnostic data posture. This guide walks you through every layer of the Microsoft 365 privacy controls framework, from the three diagnostic data levels to connected experience policies to Group Policy Object (GPO) deployment and verification with the Diagnostic Data Viewer.

The Quick Fix: Try This First

If you're here because users are suddenly seeing grayed-out features or you need to quickly adjust your org's telemetry posture without touching Group Policy, here's the fastest path that covers the majority of single-machine situations.

Open any Microsoft 365 app; Word, Excel, and Outlook all work. Go to File → Account → Manage Settings. This opens the Privacy Settings dialog. On a non-domain-joined machine where no admin policy has been applied, you'll see sliders and checkboxes covering diagnostic data and connected experiences. This is your immediate control panel.

For diagnostic data, you'll see three choices clearly labeled. "Required" sends only what Microsoft needs to keep the app stable: version info, crash signals, device configuration. "Optional" adds richer usage telemetry that Microsoft uses for product improvement and, notably, for training machine learning features like text predictions and recommended actions. "Neither" stops diagnostic data collection but, and this is important, it does not stop required service data. Required service data is the minimum traffic that keeps your license active, delivers security updates, and authenticates your subscription. That channel stays open regardless of your diagnostic setting, and no admin policy can shut it off.

For connected experiences, you'll find toggle options for experiences that analyze your content (PowerPoint Designer, Editor suggestions, data insights) and experiences that download online content (templates, stock images, 3D models, PowerPoint QuickStarter). Turn off what your policy requires. Save. Done.

On a domain-joined machine with existing GPOs, many of these controls will already be grayed out. That means your Group Policy is already overriding user-level settings. Skip ahead to the Advanced Troubleshooting section to work at the policy layer instead.

Pro Tip
Before spending an hour in Group Policy, run gpresult /h gpresult.html from an elevated command prompt on the affected machine and open the HTML report. Search for "Privacy"; this instantly shows you which existing GPOs are already controlling your Office privacy settings and which OU they're coming from. I've seen admins create conflicting policies because they didn't know a legacy GPO was already in place.
Step 1: Verify Your Microsoft 365 Version Supports the Full Privacy Controls Framework

Before touching any policy, confirm you're actually working with a version that has the updated privacy controls architecture. The full diagnostic data level controls and connected experience policies were introduced in Microsoft 365 Apps for enterprise Version 1904. Running anything older means you're looking at a different, and less granular, control surface.

Open Word, go to File → Account, and look at the "About Word" section. You'll see something like "Version 2403 (Build 17425.20176 Click-to-Run)". The four-digit version number is what matters. If it reads 1904 or higher, you're in the right place. If you see a version like 1808 or 1902, you need to update before the privacy controls in this guide apply.

For enterprise-wide checking, run this PowerShell one-liner against a list of machines:

Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" `
  -Name VersionToReport | Select-Object VersionToReport

This reads the Click-to-Run registry key and returns the exact build string. Compare the first four digits of the version against 1904. Anything below that on a production machine is a version currency problem, not a privacy controls problem, and you'll need to address update channel configuration before the rest of this guide applies.

Also confirm the product type. The full privacy control policy set applies to Microsoft 365 Apps for enterprise (formerly Office 365 ProPlus). Office 2019 perpetual licenses and Microsoft 365 Apps for business have different, and in some cases more limited, policy availability. The label in File → Account under "Product Information" will tell you exactly which SKU you're working with.
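The version and SKU checks above, scripted across a list of machines. This is an added example, not code from the original guide: it assumes PowerShell remoting is enabled to each target and that the account running it is a local administrator there. Note that VersionToReport returns the full "16.0.build.minor" string rather than the "2403"-style label shown in File → Account, so the script compares the build segment; the assumption that Version 1904 corresponds to build 11601 should be confirmed against Microsoft's update history for your channel. The O365ProPlusRetail release id is the one Microsoft 365 Apps for enterprise reports in ProductReleaseIds.

```powershell
# Added example (not from the original guide): collect the Click-to-Run version and
# product SKU from a list of machines and flag anything below a minimum build or on a
# SKU that does not carry the full privacy policy set.
# Assumptions: WinRM/PowerShell remoting is reachable on every target and the caller
# is a local admin there.

# VersionToReport is "16.0.<build>.<minor>", not the "2403" label shown in File > Account,
# so the build segment is what gets compared. Assumption: Version 1904 = build 11601
# (confirm against Microsoft's update history for your update channel).
$MinimumBuild = 11601

# Constructed sample list; in practice pull this from AD or your CMDB.
$Computers = @('PC-FIN-01', 'PC-HR-07', 'LAPTOP-ENG-22')

$ScriptBlock = {
    $key = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    if (-not (Test-Path $key)) {
        return [pscustomobject]@{ Version = $null; ProductIds = $null; Note = 'No Click-to-Run install' }
    }
    $cfg = Get-ItemProperty -Path $key
    [pscustomobject]@{
        Version    = $cfg.VersionToReport
        ProductIds = $cfg.ProductReleaseIds
        Note       = ''
    }
}

$results = foreach ($computer in $Computers) {
    try {
        $info = Invoke-Command -ComputerName $computer -ScriptBlock $ScriptBlock -ErrorAction Stop
    } catch {
        $info = [pscustomobject]@{ Version = $null; ProductIds = $null; Note = "Unreachable: $($_.Exception.Message)" }
    }

    # Build is the third dotted segment; cast to int for a numeric comparison.
    $build = $null
    if ($info.Version -and $info.Version -match '^\d+\.\d+\.(\d+)\.') { $build = [int]$Matches[1] }

    [pscustomobject]@{
        ComputerName = $computer
        Version      = $info.Version
        Build        = $build
        ProductIds   = $info.ProductIds
        # Only Microsoft 365 Apps for enterprise (release id O365ProPlusRetail)
        # carries the full policy set described in this guide.
        IsEnterprise = ($info.ProductIds -like '*O365ProPlusRetail*')
        VersionOk    = ($null -ne $build -and $build -ge $MinimumBuild)
        Note         = $info.Note
    }
}

$results | Format-Table -AutoSize

# Machines that need a version or licensing fix before the rest of the guide applies.
$results | Where-Object { -not $_.VersionOk -or -not $_.IsEnterprise } |
    Export-Csv -Path (Join-Path $env:TEMP 'office-version-gaps.csv') -NoTypeInformation
```

Run it from an admin workstation; the CSV of gaps is the list to hand to whoever owns update channel configuration, and it doubles as the "before" evidence for an audit trail.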

If everything checks out (version 1904 or later, Microsoft 365 Apps for enterprise), proceed to the next step. You've confirmed the foundation is in place.

Step 2: Open and Audit the Current Privacy Settings in the Office UI

Even if you plan to manage everything through Group Policy, start by looking at what the current per-machine state looks like at the user level. This gives you a baseline before you push any policies, and it's the fastest way to confirm whether existing GPOs are already doing something.

In any Office app, navigate to File → Options → Trust Center → Trust Center Settings → Privacy Options. This is slightly different from the File → Account → Manage Settings path: this one gives you the full Trust Center view, where you can see all connected experience toggles in one place, not just the quick-access panel.

Look at each setting carefully:

  • Diagnostic data: Is the radio button set to Required, Optional, or Neither? Is it grayed out? Grayed out means a policy is controlling it.
  • Connected experiences that analyze content: Is the checkbox checked and editable?
  • Connected experiences that download online content: Same question.
  • All connected experiences: There's a master toggle that disables everything including document coauthoring and online file storage. Note that even with this master toggle off, certain functionality stays active: Outlook mail sync, Teams, Skype for Business, and what Microsoft calls "essential services" continue to run.

Document what you see before making changes. Take a screenshot. If you're troubleshooting a compliance audit, you want a before/after record. If everything is grayed out, note that too; it tells you a GPO is already in play and you need to find it before adding a new policy that might conflict.

When the settings are correctly configured and editable, users signed in with a personal Microsoft account can adjust them. Users signed in with organizational credentials, your typical work accounts, cannot change these settings. The IT admin owns this configuration entirely for org-managed accounts.

Step 3: Configure Diagnostic Data Levels via Group Policy

This is where you get org-wide control. To manage Microsoft 365 Apps privacy settings through Group Policy, you first need the correct ADMX templates installed on your Domain Controller or central policy store. Download the Microsoft 365 Apps Administrative Templates (admintemplates_x64.exe or x86, depending on your architecture) from the Microsoft Download Center. Extract them and copy the ADMX files to %SystemRoot%\PolicyDefinitions and the ADML language files to the appropriate locale folder (e.g., en-US).

Open Group Policy Management Console (GPMC). Create or edit a GPO linked to the OU containing your Office users. Navigate to:

User Configuration
  └─ Administrative Templates
       └─ Microsoft Office 2016
            └─ Privacy
                 └─ Trust Center

The key policy setting for diagnostic data is "Configure the level of client software diagnostic data sent by Office to Microsoft". Double-click it. Set it to Enabled, then choose the level from the dropdown:

  • 0 = Neither (no diagnostic data, but required service data still flows)
  • 1 = Required only
  • 2 = Optional (includes Required; this is the default if no policy is set)

The equivalent registry value that this policy writes is:

HKEY_CURRENT_USER\Software\Policies\Microsoft\office\16.0\common\privacy
Value name: sendtelemetry
Type: REG_DWORD
Data: 0 (Neither) | 1 (Required) | 2 (Optional)

After applying the GPO, run gpupdate /force on a test machine, then reopen Word and check File → Options → Trust Center → Trust Center Settings → Privacy Options. The diagnostic data control should now be grayed out and showing your selected level, confirming the policy took effect.

Step 4: Control Connected Experiences Through Separate Policy Settings

Here's where a lot of admins miss something critical: diagnostic data and connected experiences are controlled by separate policy settings. Locking down diagnostic data doesn't touch connected experiences, and vice versa. You need to configure both independently if your compliance posture requires it.

In the same GPO, still under User Configuration → Administrative Templates → Microsoft Office 2016 → Privacy → Trust Center, you'll find these connected experience policies:

  • "Allow the use of connected experiences in Office that analyze content", Controls features like PowerPoint Designer, Editor grammar and style suggestions, Excel data insights, and Translator. Set to Disabled to prevent these features from running.
  • "Allow the use of connected experiences in Office that download online content", Controls access to online templates, stock images, 3D models from the online library, and PowerPoint QuickStarter. Set to Disabled to block these.
  • "Allow the use of additional optional connected experiences in Office", This covers optional connected experiences not included in your organization's commercial agreement with Microsoft, like the 3D Maps feature in Excel (which uses Bing). These are governed by separate terms and conditions from the main Microsoft 365 agreement. Setting this to Disabled prevents users from accessing them with their organizational account.
  • "Allow the use of connected experiences in Office", This is the master switch. Disabling it turns off all connected experiences at once, including document coauthoring and online file storage. Be careful: this has a wide blast radius and will confuse users who suddenly can't co-author a SharePoint document.

The corresponding registry paths follow the pattern:

HKEY_CURRENT_USER\Software\Policies\Microsoft\office\16.0\common\privacy
Value: connectededitingservices   (content analysis experiences)
Value: connecteddataservices      (online content download experiences)
Value: optionalconnectedexperiences
Value: disconnectedstate          (master off switch: 2 = all connected off)

After applying, test by opening PowerPoint on a managed machine. Try inserting a Designer suggestion (Design tab → Design Ideas). If the connected experience for content analysis is disabled, the Designer panel either won't appear or will show a message explaining it's been disabled by your organization. That's the confirmation you want.
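A local audit of the policy values from steps 3 and 4, reading the same registry location the GPO writes. This is an added example, not code from the original guide: the value names and the numeric meanings it labels are the ones listed above, so confirm them against the ADMX templates in your central store before relying on the labels. It also checks a second, assumed location (the same path without "Policies"), which is where a hand-typed registry edit ends up when someone drops that segment; a value that exists only there is not enforced and remains user-adjustable.

```powershell
# Added example (not from the original guide): report which Office privacy settings are
# enforced by policy on this machine, which are left at default, and whether any value
# was written to the wrong (non-policy) hive by mistake.
# Value names and 0/1/2 meanings are those given in this guide; the ADMX is authoritative.

$PolicyKey = 'HKCU:\Software\Policies\Microsoft\office\16.0\common\privacy'
# Assumed mistyped location: same path with "Policies" missing. Anything here is not
# treated as an enforced policy by Office and can be changed by the user.
$UserKey   = 'HKCU:\Software\Microsoft\Office\16.0\Common\Privacy'

$Settings = @(
    @{ Name = 'sendtelemetry';                Meaning = 'Diagnostic data level';                             Labels = @{ 0 = 'Neither'; 1 = 'Required'; 2 = 'Optional' } }
    @{ Name = 'connectededitingservices';     Meaning = 'Connected experiences that analyze content';         Labels = @{} }
    @{ Name = 'connecteddataservices';        Meaning = 'Connected experiences that download online content'; Labels = @{} }
    @{ Name = 'optionalconnectedexperiences'; Meaning = 'Additional optional connected experiences';          Labels = @{} }
    @{ Name = 'disconnectedstate';            Meaning = 'All connected experiences (master switch)';          Labels = @{ 2 = 'All connected experiences off' } }
)

function Get-RegDword([string]$Path, [string]$Name) {
    # Returns $null when the key or the value is absent instead of throwing.
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$report = foreach ($s in $Settings) {
    $policyValue = Get-RegDword $PolicyKey $s.Name
    $userValue   = Get-RegDword $UserKey   $s.Name

    $status = if ($null -eq $policyValue) { 'Not set by policy (default / user-adjustable)' }
              elseif ($s.Labels.ContainsKey([int]$policyValue)) { "Enforced: $($s.Labels[[int]$policyValue])" }
              else { "Enforced, raw value $policyValue" }

    [pscustomobject]@{
        Setting             = $s.Meaning
        ValueName           = $s.Name
        PolicyValue         = $policyValue
        Status              = $status
        # True when a value sits only in the non-policy hive: a misplaced manual edit
        # that looks configured in regedit but is not enforced.
        MisplacedInUserHive = ($null -eq $policyValue -and $null -ne $userValue)
    }
}

$report | Format-Table -AutoSize

# Anything flagged here is worth a ticket before an auditor finds it.
$report | Where-Object { $_.MisplacedInUserHive }
```

Run it in the affected user's session after gpupdate /force: a row showing "Not set by policy" for a setting you expected to be enforced means the GPO did not land, which is the cue to move on to the gpresult checks in the troubleshooting section.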

Step 5: Validate Your Configuration with the Diagnostic Data Viewer

Policy applied. Registry values confirmed. Now verify that what Microsoft is actually receiving matches what you configured. The Diagnostic Data Viewer is a free tool from Microsoft, available in the Microsoft Store, that shows you a real-time stream of exactly what diagnostic data Office is sending from a given machine. I consider this step non-negotiable for any compliance-sensitive deployment.

Install it from the Microsoft Store by searching "Diagnostic Data Viewer" or using the Store link from the Microsoft Privacy settings page. Once installed, you need to enable the data stream first; it doesn't log retroactively. Open the app, click Enable Diagnostic Data Viewer. Then go use Office for a few minutes: open a document, save it, close it. Come back to the viewer.

What you'll see depends on your configured level:

  • On Required: You'll see events like Office.System.SystemHealthMetadata, crash reports, and performance signals. You won't see usage-pattern telemetry.
  • On Optional: Additional events appear, including feature usage signals and timing data (like how long a save operation took). These are labeled with their category in the viewer's left panel.
  • On Neither: The diagnostic data stream should be essentially empty, but you'll likely still see some required service data events. This is expected and documented behavior. Those events are not controlled by the diagnostic data level setting.

Use the search bar in the Diagnostic Data Viewer to filter by event name or category. If you're trying to prove to an auditor that no optional telemetry is leaving the machine, filter for events categorized as "Optional"; if your policy is correct, nothing should appear in that category.

One thing I want to be direct about: even on the "Neither" setting, some data flows. Microsoft's documentation is explicit that required service data, the traffic needed to keep your subscription authenticated and your apps receiving security updates, continues regardless of your diagnostic data choice. This is not a misconfiguration. It is by design. If your compliance requirement is truly zero-data, you're looking at network-level controls, not Office policy settings, and that's a much bigger architectural conversation.

Advanced Troubleshooting for Microsoft 365 Privacy Controls

Group Policy Not Applying: Diagnosing the Gap

The most common enterprise issue: you pushed a GPO, but the privacy settings on user machines aren't changing. Start with gpresult /h C:\Temp\gpresult.html /f on the affected machine (run as the affected user, not as admin; user configuration policies apply in user context). Open the HTML file and search for your GPO name. If it shows under "Denied GPOs" with a reason like "Empty," the GPO exists but has no settings targeting that machine or user. If it's missing entirely from both applied and denied lists, there's a link or WMI filter issue.
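The same gpresult triage, scripted so it can be repeated on every machine in a ticket rather than read by eye from the HTML report. This is an added example, not code from the original guide: it uses gpresult's XML output, and the RSOP element names it reads (GPO, Name, Enabled, IsValid, FilterAllowed, AccessDenied, Link/SOMPath) are selected by local name so namespaces do not matter; treating "applied" as all four flags passing is this script's own interpretation, and it must run as the affected user for the user-scope results to be meaningful.

```powershell
# Added example (not from the original guide): run gpresult in XML mode for the current
# user and list every user-scope GPO with the flags that decide whether it applied.
# Assumptions: run as the affected user; the RSOP XML element names below are read by
# local-name(); "Applied" is this script's interpretation of those flags.

$xmlPath = Join-Path $env:TEMP 'gpresult-user.xml'
# /scope:user limits the report to user configuration; /f overwrites an old file.
gpresult /x $xmlPath /scope:user /f | Out-Null
if (-not (Test-Path $xmlPath)) { throw "gpresult did not produce $xmlPath" }

[xml]$rsop = Get-Content -Path $xmlPath -Raw

function Get-ChildText([System.Xml.XmlNode]$Node, [string]$Name) {
    # Namespace-agnostic lookup of a direct child element's text.
    $child = $Node.SelectSingleNode("*[local-name()='$Name']")
    if ($null -eq $child) { return $null }
    return $child.InnerText
}

$gpos = Select-Xml -Xml $rsop -XPath "//*[local-name()='UserResults']/*[local-name()='GPO']" |
    ForEach-Object {
        $node = $_.Node
        $link = $node.SelectSingleNode("*[local-name()='Link']")
        $enabled = (Get-ChildText $node 'Enabled')       -eq 'true'
        $valid   = (Get-ChildText $node 'IsValid')       -eq 'true'
        $wmiOk   = (Get-ChildText $node 'FilterAllowed') -eq 'true'
        $denied  = (Get-ChildText $node 'AccessDenied')  -eq 'true'
        [pscustomobject]@{
            Name             = Get-ChildText $node 'Name'
            LinkedAt         = if ($link) { Get-ChildText $link 'SOMPath' } else { $null }
            Enabled          = $enabled
            IsValid          = $valid
            WmiFilterPassed  = $wmiOk
            SecurityFiltered = $denied
            # Interpretation: a GPO only applied if it is enabled, valid, passed its
            # WMI filter, and was not excluded by security filtering.
            Applied          = ($enabled -and $valid -and $wmiOk -and -not $denied)
        }
    }

$gpos | Sort-Object Applied -Descending | Format-Table -AutoSize

# The Pro Tip's "search for Privacy", as a filter: a privacy GPO with Applied = False
# points at a link, WMI-filter or security-filtering problem; one that is absent
# entirely was never linked to an OU in this user's path.
$gpos | Where-Object { $_.Name -like '*Privacy*' }
```

Keep the XML file with the ticket; it is the same evidence the HTML report gives, in a form you can diff against a known-good machine.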

Check ADMX template health. Open GPMC, right-click your GPO, select Edit. Navigate to User Configuration → Administrative Templates → Microsoft Office 2016 → Privacy → Trust Center. If you see "Extra Registry Settings" instead of named policies, your ADMX templates aren't installed correctly on the machine running GPMC. Copy the ADMX files again and refresh.

Event Viewer Analysis for Privacy-Related Issues

Office logs policy application events. Open Event Viewer and navigate to Applications and Services Logs → Microsoft → Office 16 → None. Look for Event ID 2012 (policy applied successfully) and Event ID 2017 (policy application failed). Event ID 3090 can appear when a connected experience is blocked by policy, useful for confirming your content analysis or online content policies are actively enforcing.

Registry Verification Without Group Policy

In non-domain-joined environments or for testing, you can write the registry values directly to confirm behavior before building a GPO. Open regedit as administrator and navigate to:

HKEY_CURRENT_USER\Software\Policies\Microsoft\office\16.0\common\privacy

Create this key path if it doesn't exist. Add a DWORD value named sendtelemetry and set it to 1 (Required). Restart Office and check File → Options → Trust Center → Trust Center Settings → Privacy Options; the diagnostic data control should now be grayed out at Required. This is the exact same value that Group Policy writes, so behavior is identical. Don't leave manual registry edits on production machines; this is for testing only.
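The manual registry test above as a script that records the prior state and can undo itself, so the "testing only" rule is enforced rather than remembered. This is an added example, not code from the original guide: it writes only the sendtelemetry value at the path given above, using the 0/1/2 meanings from step 3, and keeps a small JSON backup under %TEMP% so the change can be reversed on the lab or pilot machine once you have confirmed the behavior in the Office UI.

```powershell
# Added example (not from the original guide): set the diagnostic data level on a test
# machine by writing the same policy value Group Policy writes, keep a record of the
# previous state, and provide an undo. For a lab or pilot machine only.
# Path, value name and 0/1/2 meanings are those given in this guide.

$PolicyKey  = 'HKCU:\Software\Policies\Microsoft\office\16.0\common\privacy'
$ValueName  = 'sendtelemetry'
$BackupFile = Join-Path $env:TEMP 'sendtelemetry-backup.json'

function Set-OfficeDiagnosticLevelForTest {
    param([ValidateSet('Neither', 'Required', 'Optional')][string]$Level = 'Required')
    $map = @{ Neither = 0; Required = 1; Optional = 2 }

    # Record what was there (or that nothing was) so the change can be reversed exactly.
    $previous = $null
    if (Test-Path $PolicyKey) {
        $previous = (Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    }
    @{ KeyExisted = (Test-Path $PolicyKey); Previous = $previous } |
        ConvertTo-Json | Set-Content -Path $BackupFile

    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord -Value $map[$Level] -Force | Out-Null
    Write-Host "Wrote $ValueName=$($map[$Level]) ($Level). Restart Office, then check Trust Center > Privacy Options."
}

function Undo-OfficeDiagnosticLevelForTest {
    if (-not (Test-Path $BackupFile)) { throw "No backup at $BackupFile; nothing to undo." }
    $state = Get-Content -Path $BackupFile -Raw | ConvertFrom-Json

    if ($null -ne $state.Previous) {
        # A value existed before: put the old level back.
        New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord -Value $state.Previous -Force | Out-Null
    } elseif (Test-Path $PolicyKey) {
        # No value existed before: remove ours, and remove the key only if this script
        # created it and nothing else has been written there since.
        Remove-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
        $key = Get-Item -Path $PolicyKey
        if (-not $state.KeyExisted -and -not $key.Property -and $key.SubKeyCount -eq 0) {
            Remove-Item -Path $PolicyKey
        }
    }
    Remove-Item -Path $BackupFile
    Write-Host 'Previous state restored. Run gpupdate /force if a GPO should now take over.'
}

# Usage on the test machine:
Set-OfficeDiagnosticLevelForTest -Level Required
# ... verify in the Office UI, then:
# Undo-OfficeDiagnosticLevelForTest
```

If a GPO already targets the machine, the next policy refresh will overwrite whatever this writes, which is itself a useful test of whether the GPO is applying.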

Handling Office for Mac, iOS, and Android

The Group Policy paths above are Windows-specific. Office for Mac uses managed preference files (PLIST files) deployed via an MDM solution like Jamf or Microsoft Intune. The preference domain is com.microsoft.office and the key names mirror the Group Policy settings; for example, DiagnosticDataTypePreference controls the diagnostic data level with values of BasicDiagnosticData, FullDiagnosticData, or ZeroDiagnosticData. iOS and Android privacy controls are managed through Intune App Protection Policies (APP) and device configuration profiles; the policy surface is different, but the conceptual framework (diagnostic levels + connected experience controls) is the same.

When to Call Microsoft Support

If you've confirmed your GPO is applying (gpresult shows it), the registry values are correct, but the Diagnostic Data Viewer still shows unexpected event categories, or if users are seeing connectivity errors (like "We couldn't connect to the service you need" error code 0x8004FC12 or 0x80190194) that appeared after privacy policy changes, it's time to escalate. These can indicate a conflict between your privacy settings and required service endpoints being blocked at the network layer. Contact Microsoft Support and have your GPO configuration export, gpresult HTML output, and Diagnostic Data Viewer logs ready. They'll ask for all three.

Prevention & Best Practices for Microsoft 365 Privacy Controls

Getting your Microsoft 365 privacy controls configured correctly once is great. Keeping them correctly configured as your org grows, as Office updates roll out, and as Microsoft adds new connected experience features: that's the ongoing work. Here's how to stay ahead of it.

Document your policy decisions in writing. For every privacy control setting you choose (diagnostic level, connected experience toggles), write down why you chose it and which compliance requirement it maps to (GDPR, HIPAA, ISO 27001, internal policy). When an auditor asks in 18 months, you want a decision log, not a memory exercise. Store this alongside your GPO documentation.

Test privacy policy changes in a pilot OU before broad rollout. Connected experience policies in particular have visible user-facing effects; a grayed-out Designer button or a missing template gallery will generate helpdesk tickets immediately. Create a "Pilot-Privacy" OU, test your new GPO there for one week, monitor helpdesk volume, then expand. Thirty minutes of staged rollout planning prevents a hundred tickets.

Subscribe to the Microsoft 365 message center. Microsoft adds new connected experiences with product updates. When a new AI-powered feature ships, like a new content-analysis capability, it may not automatically fall under your existing GPO unless you review and update your policy settings. The message center (admin.microsoft.com → Health → Message center) announces these changes. Filter by "Privacy" to catch relevant ones.

Re-run Diagnostic Data Viewer audits after major Office version updates. After a channel update moves your org from, say, version 2402 to 2406, spot-check a few machines with the Diagnostic Data Viewer to confirm your diagnostic data level is still correctly enforced. Policy continuity through version updates is generally reliable, but version jumps occasionally reset specific sub-settings, especially on machines that had hybrid policy states.

Quick Wins
  • Run gpresult /h gpresult.html on a sample machine monthly to catch policy drift before it becomes a compliance gap
  • Use Microsoft Intune's compliance policy reporting to get org-wide visibility into which machines have which privacy settings applied; it's far faster than spot-checking individual machines
  • Set up a Conditional Access policy that blocks access from machines that fall below your minimum Office version threshold; this prevents pre-1904 clients from re-entering the fleet without proper privacy controls
  • Keep the Diagnostic Data Viewer installed on at least one IT admin machine per site as a permanent audit tool, not just a one-time verification step

Frequently Asked Questions

If I set diagnostic data to "Neither," does Microsoft still get any data from my Office installation?

Yes, and this surprises a lot of people. Setting the diagnostic level to "Neither" stops the collection of diagnostic telemetry about how Office is performing on your devices, but it does not stop what Microsoft calls required service data. Required service data is the minimum traffic needed to keep your subscription license authenticated, deliver security patches, and maintain core service functionality. Think of it as the heartbeat that keeps your Microsoft 365 subscription active. Microsoft's documentation is explicit that this data flows regardless of your diagnostic setting, and there is no policy setting that disables it. If your compliance requirement is truly zero outbound Microsoft traffic, you're looking at network firewall controls at the perimeter level, not Office privacy settings.

My users are getting a "This feature has been disabled by your administrator" message in PowerPoint Designer; how do I fix this without turning everything on?

PowerPoint Designer falls under the "connected experiences that analyze content" policy. If you've disabled that policy, Designer is intentionally blocked; your GPO is working as configured. To re-enable just Designer without turning on all content-analysis connected experiences, you can't do it at the individual feature level; the policy controls the entire category. Your options are: enable the content-analysis connected experiences policy org-wide, or create a separate OU for the teams that need Designer and apply a different GPO to that OU that allows content-analysis experiences. This is exactly why a segmented OU structure for Office policy is worth setting up early.

Can users override the privacy settings my GPO sets if they sign in with a personal Microsoft account?

No, and this is an important distinction. When users are signed into Office with their organizational credentials (a work or school account), the admin-configured privacy settings are enforced and the controls are grayed out in the UI. Users cannot override them regardless of what they do in their account settings. However, if someone installs a personal copy of Microsoft 365 on the same machine and signs in with a personal account, those privacy controls are user-adjustable. The GPO only controls the behavior of Office sessions running under organizational credentials, not personal Microsoft account sessions on the same device.

What's the difference between the "optional connected experiences" policy and the "connected experiences that analyze content" policy? They sound the same.

They control different things, and it's genuinely confusing naming. "Connected experiences that analyze content" covers built-in Office features included in your Microsoft 365 subscription: things like PowerPoint Designer, Word Editor suggestions, and Translator. "Optional connected experiences" covers additional experiences that Microsoft offers but that are not part of your organization's commercial agreement; they're governed by separate terms and conditions. The 3D Maps feature in Excel (which calls Bing) is the canonical example. Both types of experiences require separate policy settings. Disabling one does not disable the other, so you need to check both if your goal is a fully controlled connected experience environment.

If I disable all connected experiences, will Outlook stop syncing email?

No, and Microsoft is explicit about this. Disabling the master "all connected experiences" policy setting does turn off a broad set of features including document coauthoring and online file storage. But certain functionality remains active regardless: Outlook mailbox synchronization, Teams, Skype for Business, and what Microsoft refers to as "essential services" all continue to function. These are considered core to the product's operation, not optional connected experiences in the policy sense. So you can safely disable all connected experiences from a privacy posture standpoint without breaking email, calendar sync, or Teams meetings. What you will break is things like co-authoring in SharePoint, online template galleries, and AI-powered content features; plan user communications accordingly.

The Diagnostic Data Viewer shows events even after I set diagnostics to "Neither"; is my policy broken?

Probably not broken; this is almost certainly required service data, which flows regardless of your diagnostic level setting. Open the Diagnostic Data Viewer, look at the event categories in the left panel, and filter specifically for events labeled as "Optional" diagnostic data. If none appear, your policy is working correctly. The events you're seeing are required service data events, and Microsoft's documentation confirms these are expected even at the "Neither" level. If you're seeing events labeled as "Optional" after setting the level to "Neither" or "Required," that's worth investigating: check your registry value for sendtelemetry under the policies hive and confirm it wasn't written to the user hive instead of the policies hive, which would mean it can be overwritten.

Sai Kiran Pandrala
Our team includes certified Microsoft engineers, Azure architects, and system administrators with 10+ years of enterprise IT experience. Every guide is written from hands-on troubleshooting, not guesswork. We test every fix before publishing.