Is it possible to use Windows without getting spied on?

Years ago when I used Windows, I made a lot of registry tweaks, changed group policies, modified my hosts file and tried several different privacy tools etc… all with the goal to disable telemetry and keep Microsoft from spying on me.
But every few weeks or months I found that somehow my settings (at least some of them) were reset and it got worse and worse to the point that I found (by scanning the machine externally using Wireshark) that Windows was now bypassing the hosts file to keep spying on me.
So I have MAJOR trust issues with Microsoft.
But I really want to use a specific application that only runs on Windows and occasionally needs an Internet connection to some non-Microsoft servers.

Two questions:

  • Is there any tool or modified Windows 10 version that actually disables the spying reliably and permanently?
  • Are there any simple solutions to prevent the PC from spying even if it magically enables itself to do so again?

One idea I had: Add some sort of hardware-based firewall between the PC and my router (maybe using a Raspberry Pi) and have a whitelist of domains that I can manually allow.
Then have Windows updates downloaded as offline installers by the Pi and send them to the PC so that the PC can have security patches without ever sending data back to Microsoft again.
I would want something that’s reasonably automated though.

FYI:

  • I need Internet occasionally.
  • I need security patches.
  • I can’t run my application in a VM or on ReactOS or on Linux with Wine or whatever.

I had this image in my head, but sadly not enough time to make it all work.

Basically have a hypervisor that runs Windows as a client with PCIe passthrough for the GPU and USB controller. Run a second client that runs something like pfSense. Then configure the Windows client to go through the virtual switch that connects through the pfSense. Then do the firewalling on the pfSense.

Use an external firewall to block your Windows machine from the Internet.

It will become angry with you eventually. I don’t know what effects that would have.

Pretty much nope.

You could make a custom ISO and strip as much stuff out as possible.
But it will be a lot of work with, in the end, very little effect.
A lot of the base telemetry like user experience etc. can be disabled.
There are ways to block a lot of the telemetry sending by controlling your network.
However, it will likely always be able to send out something.
And not all the telemetry it’s sending is bad per se.
The average smartphone or other smart devices nowadays all send telemetry.

That’s what I would do, although I’d put it on an isolated vlan and use the same firewall as the rest of the network.

You don’t need to trust Windows if you can control the network.

Not really, however I’ve come to the conclusion that all I use Windows for is games and activities for my employer.

Anything personal to me doesn’t touch it.

I have a Windows 10 Pro air-gapped for CCTV. 2 months now, no issues.
Hopefully it will stay like that.

Do they use the provided DNS now that they bypass the hosts file? Nothing stops them from using encrypted DNS over 443 for stuff like that.

If you have a proper license and activation it shouldn’t get angry. I’ve only seen Windows get angry when you’re on any of the Insider rings and don’t have an actual license (because then just being in the Insider ring IS the license, even without activation) and either cut it from calling to MS, or not updating for a long time. In that case Windows will start nagging and eventually BSOD (well technically GSOD) for it.

hahaha;p (sorry couldn’t resist)

Is it possible to use Windows without getting spied on?

Maybe? Reliably, no. MS likes their telemetry too much. Your best bet is to put any firewall between the internet and the windows PC then, pretty much whitelist/allowlist the things only as necessary.

One easy way is to do Raspberry Pi + Pi-hole to act as a DNS filter.

In the long run, MS will find a way to defeat your workaround simply because the company is very much hungry for telemetry, user metadata and analytics.

There is a way by using the Windows 10 ameliorated edition, but since it doesn’t have Windows Defender, you are pretty much naked security-wise (Windows Defender alone is sufficient to defend you from common internet malware). Installing any antivirus software defeats the whole point of it because you are simply trading OS-level telemetry for antivirus telemetry and user metadata harvesting.

This telemetry stuff is there to improve the OS for their actual clients, the Enterprise Edition users. If you haven’t realized yet, you are doing beta testing and A/B testing for the enterprise clients.

In the end, you can keep fighting MS for your privacy, but only in vain. Windows is not your OS, it’s Microsoft’s.

Since Windows doesn’t spy on you, no.

As for telemetry, you can turn most of it off. Windows collects a small amount of data that you can view and review yourself.

Not sure what your trust issues are but I expect you’ve been spending a lot of time doing things you didn’t need to do. Your idea while interesting doesn’t seem to serve any purpose.

What threat are you trying to protect yourself from?

@oxbird I love the idea. I really wish I knew more about Linux networking to make something like this work. But unfortunately my application won’t run properly in a VM.

@zlynx I have all my devices connected to my pfSense router, but I’m scared that Windows will spoof the IP address or even the MAC address, so I’d have to set extremely strict rules on pfSense which I don’t want. I only want to restrict my Windows machine.

@MisteryAngel But how do I know that I stripped out all the evil stuff from the ISO? And as long as I install updates in order to get security patches, Microsoft will probably keep messing with my settings and add things back that I already deleted. I remember at some point I deleted some binaries that were responsible for some of the spying and after updating they were there again.

@oO.o How would that work? What exactly does VLAN do? First of all I need to buy a managed switch for that, right? My pfSense router only has one LAN input which is connected to my switch, so could this even solve my problem? Is pfSense somehow aware of the VLANs and can set different rules for each VLAN of my switch?

@vlycop I definitely wouldn’t trust them using the specified DNS. I simply want to block everything and then carefully whitelist domains or IPs that I trust.

@mihawk90 I have a proper license and that definitely doesn’t keep them from constantly resetting telemetry settings and bypassing the hosts file etc. I’m not the first one to have noticed that behaviour btw.
As I said, I need Internet access occasionally, so I need my security updates, but I want to manage them myself, rather than letting Windows Update handle it automatically. Ideally I set up a Raspberry Pi which downloads new updates once a day and copies them to a folder on the Windows machine and the Windows machine has a batch script running checking for new update files in that folder, installing them when needed.

@regulareel Microsoft could easily bypass the DNS filter using IP addresses directly and they probably already do this.
I will look into “Windows 10 ameliorated edition” and I agree with pretty much all you said, but I don’t need antivirus software, I just need general security patches. I could write a virus that doesn’t get detected by any antivirus in less than a minute. Most programmers could. Antivirus software is kind of pointless imo as it only protects against known malware that has been reported and reviewed. Protection against known remote execution vulnerabilities and the like is much more important, as that attack vector isn’t based on a dumb user downloading the malware payload in the first place. But I agree that antivirus software is basically spyware itself because of its own telemetry.
I also very much agree with your stance that the average user of Windows is essentially a beta tester. I wonder if you could somehow identify how safe each update would be to install. Maybe there is a company reviewing the updates, publishing a list of updates they consider to be safe to install.

@Eden Sorry, I personally define Microsoft Windows’ automatic WiFi password sharing, telemetry etc as spying, especially since Microsoft added a keylogger to the telemetry service. So whenever I say spying, I’m just talking about that, even if you could argue that it’s not actually spying.
As I already said, I have repeatedly turned off telemetry, but it keeps coming back. This is not me doing it wrong, other people have experienced the exact same thing. Even Wendell has talked about this issue multiple times. The problem is that most people don’t notice this, as it initially works.
I don’t need a specific threat to protect my data from. I simply live by the principle that everything you share will be used against you, sooner or later. Be it by insurance companies, corrupted governments or things no one has even thought about before. So I try to keep it at a minimum.

That’s not what either me or @zlynx were referring to though.
Windows will complain if it can’t access the MS servers and/or is not activated properly.
As I said, with a proper license and activation it will not. This is completely unrelated to settings.

Okay, I don’t really care about Windows complaining. I suppose this can be disabled as well. I don’t remember this being an issue a few years ago. Maybe because I disabled MS Update and downloaded updates manually?

More or less…

Yep

VLANs isolate hosts into separate networks. On the router, VLANs are treated as virtual interfaces and you are able to configure firewall rules between them. Multiple VLANs can be trunked over a single physical interface.

In your case, if you are not familiar with VLANs and do not have a managed switch, using a Raspberry Pi as a packet filter between Windows and the rest of your network is the simpler solution, provided you understand how to configure the Pi to achieve what you want.
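A concrete version of the inline Raspberry Pi packet filter described in the post above, and of the allowlist idea from the opening post, as an added example that is not from any participant in this thread: a POSIX shell script that turns a short allowlist into an nftables ruleset for the Pi. The interface names (eth0 towards the router, eth1 towards the Windows PC), the allowlist format and the sample destination addresses (documentation ranges standing in for the application vendor's servers) are all assumptions made for this example.

```shell
#!/bin/sh
# Generate an nftables ruleset for a Raspberry Pi sitting inline between the
# Windows PC and the router. Everything the PC sends is forwarded through the
# Pi, so the allowlist is enforced on the interface the packet arrives on and
# cannot be widened by the PC changing its IP or MAC address.
#
# Assumptions (constructed for this example): eth0 faces the router, eth1 faces
# the Windows PC, and the allowlist uses the format "<ip or cidr> <tcp|udp> <port>".

WAN_IF="${WAN_IF:-eth0}"   # towards the router / Internet
LAN_IF="${LAN_IF:-eth1}"   # towards the Windows PC

# Constructed sample allowlist. The addresses are documentation ranges
# (TEST-NET-1 and TEST-NET-2), stand-ins for the vendor's real servers.
SAMPLE_ALLOWLIST='
# vendor licensing server
192.0.2.10 tcp 443
# vendor update mirror
198.51.100.0/24 tcp 443
'

# gen_ruleset <allowlist text>: print an nftables ruleset to stdout.
# Forwarding is default-drop; only replies to already-allowed flows and the
# listed destinations pass. Everything else from the PC is logged with the
# prefix "egress-drop" and dropped, so the kernel log shows what it tried.
gen_ruleset() {
  allowlist="$1"
  printf 'flush ruleset\n'
  printf 'table inet egress {\n'
  printf '  chain forward {\n'
  printf '    type filter hook forward priority 0; policy drop;\n'
  printf '    ct state established,related accept\n'
  printf '    ct state invalid drop\n'
  printf '%s\n' "$allowlist" | while read -r dst proto port; do
    case "$dst" in ''|'#'*) continue ;; esac   # skip blank and comment lines
    printf '    iifname "%s" oifname "%s" ip daddr %s %s dport %s accept\n' \
      "$LAN_IF" "$WAN_IF" "$dst" "$proto" "$port"
  done
  printf '    iifname "%s" log prefix "egress-drop " drop\n' "$LAN_IF"
  printf '  }\n'
  printf '}\n'
}

# count_allow_rules <allowlist text>: number of destination rules generated,
# a quick check that the allowlist parsed as expected before loading it.
count_allow_rules() {
  gen_ruleset "$1" | grep -c 'ip daddr .* accept$' || true
}

# Emit the ruleset for the sample list; redirect to a file and load with nft.
gen_ruleset "$SAMPLE_ALLOWLIST"
```

On the Pi this would be used as `sh gen-egress.sh > /etc/nftables.conf && nft -f /etc/nftables.conf` after enabling forwarding with `sysctl -w net.ipv4.ip_forward=1` (a USB Ethernet adapter serves as the second interface). Routing between the PC's segment and the rest of the network, either masquerading on the Pi or a static route on the pfSense box, is deliberately left out. Because the rules match `ip daddr` only, IPv6 from the PC falls through to the log-and-drop rule, and DNS is not in the list at all, so a host that was not resolved into the allowlist beforehand simply cannot be reached, which sidesteps the DNS-bypass concern raised earlier. The `egress-drop` entries in the kernel log are also how you learn which addresses the application really needs.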

You need to turn this on

For typing data to improve your personal dictionary etc. You need to turn this on

I suspect this is an issue with your OS setup specifically. I’ve not seen this happen on ~100 systems.

I’m not sure you understand what data is shared, but then you can’t use Windows, frankly it’s that simple.

If this is really the concern that you’re worried about, then Windows isn’t an option. Nor is the internet honestly, but that’s a separate issue.

One application isn’t worth it. That’s my assessment based on your perceived risk.

There is no information anyone can give you that would secure you against the threats that you perceive, anything suggested here will be inadequate.

To put it simply, you’ll be putting a door up with no walls. But you’ll be oblivious to the fact that you have no walls believing the door is protecting you.

I’ve seen this occur after updates where settings are set back to their default state when that aspect of the OS receives a patch.

That said, I have little issue with it since ShutUp10 catches it and reverts the changes. It’s really easy to manage updates when you want and only enable certain aspects of ‘telemetry’. Though I’m not sure what OP constitutes as telemetry really.

@oO.o Thanks for the VLAN explanation. Sounds simple enough, I’ll get a managed switch. :smiley:

@Eden Are we having a discussion or are you trying to promote Windows? You do understand how firewalls work, right? I don’t see any problems using Windows if I can configure an external firewall to only allow requests to servers that I trust.
And I’m perfectly aware what data is being shared with MS and I’m also aware that Microsoft could change Windows at any point to share even more data. I’m not sure you understand the implications of a keylogger sending everything you type to Microsoft and to the NSA since MS is part of the PRISM program. And we all know it’s just a matter of time before either of these companies leak that data.

And yes, I really try hard not to share any data if there is no major benefit. I never said I don’t want to share any of my data and you know that.

I wouldn’t consider using Windows if the benefits for having this one application wouldn’t be absolutely tremendous.

And just FYI, I’ve seen it happening on literally hundreds of machines in one case in an enterprise environment. Besides that I’ve seen it on at least a dozen different non-enterprise machines. Not to mention that Wendell, Adubs and thousands of other people on the Internet have seen it happen. But I’m sure you know better and we’re all just doing it wrong.

@Adubs ShutUp10 sounds interesting. Have you verified that it actually works and that Windows doesn’t occasionally sneak out data unexpectedly or something? I’m not sure if I like the idea of a closed-source tool managing my privacy. It only takes one NSL.
But I guess it doesn’t really matter if I go with the VLAN to my pfSense firewall option.

ShutUp10 doesn’t do anything you can’t do in Windows already, it’s just a unified interface. As for its effectiveness, it appears to work as intended, though I’m not endlessly checking it. YMMV.