Return to

Disable windows 10 spying on a router level


Dear L1T!

I have no idea if this is a good place to ask for a video, but if you read this, PLEASE create a video on how to disable windows 10 telemetry on a router level (DD-WRT, OpenWRT, etc).

I know it involves address blocking etc. but after seeing the creators update privacy issues, I would feel much better if experts came together and discussed a potential solution and published it.

Thank you all in advance :slight_smile:


While this is a good idea in theory it can be very hard to put into practice, Microsoft have a lot of IPs and blocking them all would be fairly easy, however a blanket blocking of Microsoft's servers will also prevent Windows Update and a lot of other stuff from working, also quite a few of the telemetry IPs also serve Windows Update so if you were selective it could still cause issues.

The approach to take with this is incremental as there will be a lot of false positives at first and Microsoft can also change which of those IPs have telemetry on them so you'll have to keep up with them.


I agree, and that is why I asked for a comprehensive guide/list of what does what and what can we disable with what consequence. Presented in a video is just an added bonus.

Also I suppose we can not identify them by the information contained in the packets captured on a network?


I'm just highlighting that any network blocking mechanism isn't fool proof and very hard to implement and keep track of, and no not necessarily, Microsoft encrypts those packets so you can't see whats inside which is probably also a good thing because you don't want other people snooping on the data Microsoft has on you.


I am sure someone has a great idea for a fix, but other thank blocking I do not have a better idea. What do you think? :slight_smile:


Aside from disabling the telemetry on a software level not really, packet blocking is pretty much the only other valid solution but it isn't really a fix and more of a band aid because Microsoft will continue with the tracking and will change their tactics in the future.


Install Linux, Unplug the Ethernet cable.

This gets to be a very tough question if you cannot trust your OS. Aggressive firewall and something like esxi, type 1 hypervisor, to wrap your untrusted is seems like a start BUT in practice you have very little chance of success if your OS is essentially a root kit.


Exactly, anything short of blocking all traffic isn't going to completely stop them from sending telemetry, you are to a degree at the mercy of Microsoft, there are still legitimate reasons to use Windows but its hard to find a solution if you still have to use it for certain tasks and are worried by the tracking, best you can do is minimise what they can track and use a more secure OS for all your sensitive stuff.


The only way to completely do this is to completely shut off the workstation from the internet sadly. There are too many variables and ways that MS can get data through.

The only way I could really think to do it and it be only slightly waterproof is a stringent whitelist where you have a rule that allows ports 80/443 to only designated website destinations.


Blocking everything, and working my way backwards seems like a really time consuming, but potentially effective solution to me. But that is not an universal solution sadly. Different people need different ports.


It's called explicit whitelisting, and yeah it's a pain in the ass. It's secure as hell though.


Maybe that Windows 10 CE (China Edition :D) will be more "private", and hopefully if we can get a hold of it, it won't share our pictures in underwear back to China :confused:


There are alternatives. I've moved all of my static, meaning file servers etc, windows machines at home to linux machines hosted on ESXI. My daily driver is still Windows but I virtualize linux on top of it to use as a desktop OS. Could also dual boot.


As a file server, print server etc. I use Linux too, but can't really change from Windows as main OS.


It's tricky and as has been said already you can't block everything without also breaking windows update. You can't really block it at the IP level as there are so many servers, CDNs, and caching servers that you can't maintain a list of all the IPs. You have to do it on your dns server but you also have to block all other dns traffic because windows will try to resolve the names itself (this is why editing the hosts file doesn't work). There are lists of all the domains associated with telemetry so you can set up your dns server to send those to nowhere, but it will break a bunch of Microsoft stuff you may actually want.


These vids were already made +/- 18 months ago, when the tracking issue first blew up. The lists contain probably 150 domains and IP addresses. It is a simple concept, but very time consuming. The safest approach, not just for Microsoft, but for security in general is to implement a default deny firewall policy. It is simple to do, but again, it's rather time consuming:

a) Lock down the firewall and then observe the firewall log to see what traffic is being dropped.
b) Perform a Who Is lookup on the IP addresses.
c) If you are OK with the traffic, add a firewall exception (AKA white list it); if not OK then allow the firewall to continue to block same.
You will capture MANY Microsoft IP addresses, so when performing your Who Is lookups, note that they will indicate the entire network block that the individual IP is part of. You can block entire networks at once with a single firewall rule.

The problem, as has already been mentioned, is that you will also end up blocking Windows Defender updates, as well as the OS system updates, as well as other MS services that you may wish to use.

You'll end up with a sorta chicken and egg situation: It's not safe to go online due to the spying, but if you don't go online you can't get security updates, without security updates, it's not safe to go on line, etc., etc., etc. ...

The bottom line is that if you can no longer trust your OS, then it is time to move on and get a different OS. Keep in mind that even if W10 is contained within a VM, so long as it has Internet connectivity, it will still dutifully report on all of your activities as well as any data that it can observe/access.

Using W10 is a Faustian bargain.


I just had an idea... I wonder if you could make a virtual windows site on a box in linux and just have all windows stuff route to that, instead? It would interesting to see the traffic the box would get.


Might I recommend just burning it to the ground?

But really. If you're willing to put in the massive time and effort needed to "lock down" your Windows install, why not instead just come hang out over here in Penguin-land? The Linux is great this time of year.


I agree. Disable windows 10 spying on the OS level.
By kicking windows first in the nuts and then in the trash.

What applications do you use on windows? What do you need?
Maybe there are more options than you think.


You don't need a separate firewall box to do all of this stuff, if you run Windows virtualized under KVM, you can do SPI(Stateful packet inspection) with something like Snort on your virtual NIC from linux, you can also block some of the nasty stuff with netfilter/IPtables, have you tried running Windows virtualized with linux being your host os?

I'm not sure If I understand you correctly, but yeah if you run Wireshark on that virtual NIC you can sniff all the traffic