Is it possible to use Windows without getting spied on?

The problem is that unless you’re willing to give up pretty much all Microsoft cloud services and a bunch of software built on the back of them (including, likely, services hosted by third parties on Azure - at which point, why are you even running Windows?), you’re likely to inadvertently permit telemetry anyway.

So this is why I take the other approach. I don’t use the Windows box for anything sensitive. Rather than firewall the info leaving the box, I organically firewall the info from getting onto it in the first place as much as practicable.

1 Like

That might be the official line, but the problem is whether or not Microsoft use it for that, Microsoft (or their “trusted partners”) may (and have, see SolarWinds) get hacked and then who knows who has it and what they’re likely to use it for.

The other problem I personally have with Microsoft telemetry is that the agreement has many, many pages of legalese covering in broad, non-specific terms what they collect and how they (or “trusted partners”) may use it. If you haven’t read the EULA for Windows recently, do so.

These terms aren’t clear enough and have holes you could drive a ship through allowing Microsoft to basically do what they want with it. And to be honest, based on the past 35 years of their behaviour, I simply don’t trust them to do the right thing.

Really, I know this isn’t legally how things work, but these EULAs (Not just Microsoft’s; across the industry) need a 1 paragraph summary of INTENT that is legally binding. Or perhaps clarification of things that they WILL NOT do, as opposed to a hundred pages of what they MAY in legalese.

And the ability to opt out. When you have essentially a monopoly across various industries, you essentially have people signing off on the thing at virtual gunpoint, if they wish to keep their livelihood.

And also… more responsibility for the loss/disclosure of personal information. If big business actually faced proper penalties for disclosure, they wouldn’t be so damn keen on collecting every iota of metadata about you in the first place for fear of the repercussions of accidentally disclosing it.

2 Likes

I’ve gone through just about every possible thing and modified/removed/disabled it since my i5 4670k Haswell processor doesn’t support GPU pass through and as a result am forced to run windows 10 bare metal. I wrote myself a detailed guide I’ve been using for years on my own machines and close friends who want my setup:

  1. unplug internet during install, use local account, install hosts file in [c:\windows\system32\drivers\etc\hosts]
  • Download ultimate windows tweaker 4, shutup10, autoruns, processexplorer, godmode, hide search and toolbars in taskbar

PowerShell - run as admin and enter:

```powershell
# List every Appx (Store) package installed for any user account, so you can see what is there first
Get-AppxPackage -AllUsers
# Remove every Appx package from the current user account (a few built-in packages will refuse and report an error; that is expected)
Get-AppxPackage | Remove-AppxPackage
# Remove the provisioned copies too, so the packages are not re-installed for new user accounts
Get-AppxProvisionedPackage -Online | Remove-AppxProvisionedPackage -Online
```

  1. make sure wifisense is off, turn off privacy crap

  2. security and maintenance → turn off smartscreen

  3. click file explorer on start menu → view → options → change to ‘this PC’. show hidden files and folders

  4. notifications and actions settings → turn off all options

edit: removed outdated instruction bits

Also some major performance improvements come from disabling Windows GameDVR, there are tutorials on YouTube for the registry mods required but it’s worth it. Easily gain 20+ fps just disabling that garbage.

Game mode is meh, it causes OBS recording problems so I also turn that garbage off.

Run your Linux in an encrypted LVM volume or Zpool and keep all your personal things over there and I’d say it’s pretty damn private.

Also keep in mind that Microsoft also wants to implement DNS over HTTPS at OS level.
I’m not fully sure if they have already integrated it in the latest 2010 build.
But I suppose with the addition of DoH at the OS base,
it might be even harder to block telemetry maybe.
Although with a good firewall you should be able to block a lot.

Yeah, I think solving it in network really is the way to go. If your firewall is restrictive to the point of only allowing access to a few known servers, there’s really nothing Windows could do to bypass that.

Compare that to the complexity and uncertainty of modifying Windows in various ways…

At the end of the day, if you do not trust your OS vendor, you’re kinda boned. NO manner of tweaks or adjustments to the OS itself are reliable, your only option is isolation of the traffic on the network - via a third party device that you do trust.

And now, everything is over HTTPS, so it’s not like you can just say, block HTTPS to every IP that may potentially have anything to do with Microsoft or you’re cut off a lot of the internet. You’re kinda fighting against the tide - it’s not going to work.

Or… you just abandon the platform or not use it for things you care about.

4 Likes

@thro
I am absolutely not going to waste time reading Microsoft EULA. Someone on the internet benchmarked EULA lengths and MS is the one that is absurdly long, like it literally takes hours to read the whole thing.

@DastardlyMuffin
They have already blocked that particular hosts file method as a “security” feature since the last few months

1 Like

Yeah, it was kinda rhetorical. No one reads it (including myself by the way, at least not in entirety); and even fewer comprehend it all - but I’ve read enough of it for it to raise enough red flags for me to dump the platform for anything I care about.

edit:
at least outside of the company I work for, which has decided that they are fine with microsoft products, or at least tolerant enough to accept the terms. so I manage that environment with a VM.

Also aside from that, I find forced advertisements in the start menu/software downloads that microsoft feel like pushing to be offensive.

1 Like

DNS over HTTPS shouldn’t be a problem. I think you can change the DNS server in the settings and if MS decides to bypass that setting they won’t make it to the Internet because I won’t whitelist the IP address of that server. DNS over HTTPS also doesn’t keep me from blocking their IP addresses.

1 Like

It’s kinda weird, I hear about this all the time but I have not had a single ad in my start menu ever, and I’ve used Win10 since the second(?) Tech Preview until about 2 years ago…
Must be a regional thing or something, because I never saw any kind of setting regarding that either. My family is also not getting any of that.

1 Like

You mean somehow the immortal ghost of Candy Crush doesn’t haunt you at all? Does your Win10 install ever go online?

5 Likes

It was my daily system for that entire time. I haven’t booted into Windows in the past 2 years tho. But these ads were a thing way before then already, so IDK.
My parents’ PCs/Laptops are online all the time though and they don’t get it either.

Did it not install the shortcuts to their office apps? I had tiles for “productivity” apps I did not own, and tiles for “news” as ads for websites.
Easy to remove, but there by default.

3 Likes

The productivity stuff was there at one point, but I’ve never seen actual ads like the candy crush stuff I keep hearing about for years

Oh, candy crush was the actual thing for an update, pretty early on.
But like Cortana, might have been restricted countries, maybe?
Pretty sure it was installed before I had enough of the steaming pile.

shortcuts to office apps, various versions of candy crush and other auto installed apps.

2 Likes

Would it be possible to configure pfSense in a way that it would send me a notification whenever it tries to access a new IP address that I haven’t specifically allowed or denied in the firewall?
I was thinking about writing a script that can receive these notifications and then wait for me to say yes or no and then add a permanent firewall rule for it. Maybe this could be done via ssh? And maybe if there is no notification system, I could “watch” a log for changes or something like that? This script of course wouldn’t run on the Windows machine.

Thinking about it, it would be pretty sick to get a push notification with the IP address (and domain) on my phone and then be offered 2 buttons “Allow” and “Deny” (maybe also “Allow Once” and “Deny Once”).

If this existed, I am sure this could quickly spam you into the ground…
You would have to be very careful to limit the number of notifications, and the frequency of the notifications, if it was possible.

Just thinking, a system might try and reach a location, and keep trying hundreds of times a second for years without stop if it was configured to.

3 Likes

We have a PiHole set as our DNS server on our network, and don’t allow DNS out through the firewall from any other address.

This stuffing more and more stuff into HTTP/HTTPS makes it harder and harder to control our networks though, and I bet it will end up being exploited in lots of ways. 🙁

@Trooper_ish Seems like an easy fix. Don’t send duplicated notifications and queue them instead of creating multiple notifications at the same time.
I’ve done this for years on Android (without external firewall). Although I used LineageOS without all the Google stuff and with open source apps only. If you browse random sites on the Internet, it becomes annoying quickly, but other than that it worked quite well for me.

1 Like
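Taking the pfSense notification idea from above a step further, here is an added example of what the watcher script could look like. It is my own sketch, not code from pfSense or from anyone in this thread: it reads blocked entries out of the filter log, asks about each new destination only once, caps how many questions it sends per time window and queues the rest (the spam concern), and turns a yes/no answer into a pfctl table update. Assumptions, all labelled in the comments: the field positions in the pfSense filterlog CSV line (check them against your own /var/log/filter.log), the alias/table names windows_allow and windows_deny, the constructed sample log lines, and that the default block rule for the Windows machine is set to log.

```python
import ipaddress
from collections import deque

# Constructed sample lines in the pfSense filterlog CSV layout as I understand it
# (rule,subrule,anchor,tracker,iface,reason,action,dir,ipver,...,proto,len,src,dst,...).
# Verify the positions against a real line from your own /var/log/filter.log.
SAMPLE_LOG = """\
Mar  1 12:00:00 pfSense filterlog[12345]: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,1,0,DF,6,tcp,60,192.168.10.20,203.0.113.10,51234,443,0,S,1:1,,,
Mar  1 12:00:00 pfSense filterlog[12345]: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,2,0,DF,6,tcp,60,192.168.10.20,203.0.113.10,51235,443,0,S,1:1,,,
Mar  1 12:00:01 pfSense filterlog[12345]: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,3,0,DF,17,udp,80,192.168.10.20,198.51.100.7,50000,53,60
Mar  1 12:00:01 pfSense filterlog[12345]: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,4,0,DF,6,tcp,60,192.168.10.20,192.0.2.44,51236,443,0,S,1:1,,,
Mar  1 12:00:02 pfSense filterlog[12345]: 7,,,1000000104,igb1,match,pass,in,4,0x0,,64,5,0,DF,6,tcp,60,192.168.10.20,192.168.1.53,51237,443,0,S,1:1,,,
"""

# Assumed field positions in the CSV part of a filterlog line (IPv4).
FIELD_ACTION, FIELD_IPVER, FIELD_SRC, FIELD_DST = 6, 8, 18, 19


def parse_filterlog(line):
    """Return (action, src, dst) for an IPv4 filterlog line, or None for anything else."""
    marker = line.find("filterlog[")
    if marker < 0:
        return None
    fields = line[line.index(":", marker) + 1:].strip().split(",")
    if len(fields) <= FIELD_DST or fields[FIELD_IPVER] != "4":
        return None
    return fields[FIELD_ACTION], fields[FIELD_SRC], fields[FIELD_DST]


class NewDestinationNotifier:
    """Prompts once per unknown blocked destination, rate-limited; records decisions."""

    def __init__(self, allow_nets, deny_nets, max_per_window=5, window_seconds=60):
        self.allow = [ipaddress.ip_network(n) for n in allow_nets]
        self.deny = [ipaddress.ip_network(n) for n in deny_nets]
        self.pending = set()       # destinations already asked about, awaiting an answer
        self.sent_times = deque()  # timestamps of prompts sent inside the current window
        self.queue = []            # prompts held back by the rate limit, in arrival order
        self.max_per_window = max_per_window
        self.window = window_seconds

    def _known(self, ip):
        return any(ip in n for n in self.allow) or any(ip in n for n in self.deny)

    def _under_limit(self, now):
        while self.sent_times and now - self.sent_times[0] >= self.window:
            self.sent_times.popleft()
        return len(self.sent_times) < self.max_per_window

    def observe(self, line, now):
        """Feed one log line; return a prompt string, or None if nothing should be sent."""
        parsed = parse_filterlog(line)
        if parsed is None:
            return None
        action, src, dst = parsed
        if action != "block":           # passed traffic already has a rule, nothing to ask
            return None
        ip = ipaddress.ip_address(dst)
        if self._known(ip) or ip in self.pending:
            return None                 # decided already, or asked already: no duplicate prompt
        self.pending.add(ip)
        if not self._under_limit(now):
            self.queue.append((src, ip))  # hold it rather than spamming the phone
            return None
        self.sent_times.append(now)
        return f"{src} -> {ip} blocked: allow or deny?"

    def drain(self, now):
        """Send as many queued prompts as the window allows; return them."""
        sent = []
        while self.queue and self._under_limit(now):
            src, ip = self.queue.pop(0)
            self.sent_times.append(now)
            sent.append(f"{src} -> {ip} blocked: allow or deny?")
        return sent

    def decide(self, ip, allow):
        """Record the answer and return the pfctl command that makes it a permanent rule."""
        ip = ipaddress.ip_address(ip)
        (self.allow if allow else self.deny).append(ipaddress.ip_network(str(ip)))
        self.pending.discard(ip)
        table = "windows_allow" if allow else "windows_deny"   # assumed pfSense alias names
        return f"pfctl -t {table} -T add {ip}"


def run(lines, notifier, start=0.0):
    """Replay log lines one second apart and collect the prompts that would be sent."""
    sent = []
    for i, line in enumerate(lines):
        msg = notifier.observe(line, now=start + i)
        if msg:
            sent.append(msg)
    return sent


if __name__ == "__main__":
    n = NewDestinationNotifier(["192.168.1.0/24"], ["192.0.2.44"])
    for prompt in run(SAMPLE_LOG.splitlines(), n):
        print(prompt)
    print(n.decide("203.0.113.10", allow=True))
```

The prompt strings are where a push service call would go; the pfctl lines assume two pfSense aliases (windows_allow, windows_deny) referenced by a pass and a block rule above the logged default block for that host, so a table add takes effect without a ruleset reload. The “asked once, then pending” set is what keeps a client retrying hundreds of times a second from producing more than one question.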