Windows 10 (without telemetry) starting point?

If you are using a managed router (DD-WRT, Tomato, pfSense, Security Onion or any of the enterprise solutions you can pick up second hand off eBay), you can block it all at the network level. Multiple projects exist to find all the call-home points, including https://raw.githubusercontent.com/WindowsLies/BlockWindows/master/hostslist

You might be able to add that listing to your hosts file (c:\windows\system32\drivers\etc\hosts) with the loopback address (127.0.0.1), effectively creating a sinkhole for it all. It will run, but try to send to your own machine.

I personally use NTLite to remove anything I don’t want at the image level, integrate the latest update into my image and tweak settings. There is NO telemetry, NO store or anything else left in my Windows. I use LTSC, so I only get security updates, but I do not have some features that someone else may want. Everything works for me; anti-cheat systems have never said anything about my OS, so I can’t confirm any concerns about that.
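The hosts-file sinkhole described above, as an added example (not code from the original post): it installs the entries between two marker lines so they can be removed again cleanly, parses a hosts-format list of the same shape as the BlockWindows hostslist, and flushes the resolver cache. The hostnames in `$SampleList` are constructed placeholders on the `.invalid` TLD, not real telemetry endpoints; feed it the real list instead. It defaults to 0.0.0.0 rather than 127.0.0.1 because 0.0.0.0 fails the connect outright, whereas 127.0.0.1 hands the request to whatever happens to be listening locally on that port. Two caveats a practitioner will hit: Microsoft Defender treats hosts entries that sinkhole Microsoft domains as a hosts-file hijack and may revert them unless you add an exclusion, and any list that covers update servers has to be removed (Remove-Sinkhole) before running Windows Update.

```powershell
# Added example, not code from the original post: a hosts-file sinkhole that
# can be installed and reverted cleanly. Only the lines between the two
# marker lines are ours; nothing else in the hosts file is touched.
#Requires -RunAsAdministrator

$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$BeginMark = '# BEGIN telemetry-sinkhole'
$EndMark   = '# END telemetry-sinkhole'

# CONSTRUCTED sample in hosts-list format ("ip name [name...]", '#' comments),
# the same shape as the BlockWindows hostslist. Placeholder names only.
$SampleList = @'
# sample list, placeholder names only
0.0.0.0 telemetry.example.invalid
0.0.0.0 vortex.example.invalid settings.example.invalid   # two names, trailing comment
127.0.0.1 telemetry.example.invalid                        # duplicate, different sink address
0.0.0.0 bad_name!!                                         # invalid, must be dropped
'@

function ConvertFrom-HostsList {
    # Returns the unique, syntactically valid hostnames from hosts-format text.
    param([string]$Text)
    $names = foreach ($line in ($Text -split "`r?`n")) {
        $line = ($line -split '#', 2)[0].Trim()          # strip comments
        if (-not $line) { continue }
        $fields = $line -split '\s+'
        if ($fields.Count -lt 2) { continue }           # address with no names
        foreach ($name in $fields[1..($fields.Count - 1)]) {   # every name after the address
            # RFC 1123 labels only; rejects entries like "bad_name!!"
            if ($name -match '^([a-z0-9](-?[a-z0-9])*\.)*[a-z0-9](-?[a-z0-9])*$') { $name.ToLower() }
        }
    }
    $names | Sort-Object -Unique
}

function Remove-Sinkhole {
    # Drops our marker block (if present) and leaves every other line as it was.
    if (-not (Test-Path $HostsPath)) { return }
    $inBlock = $false
    $kept = foreach ($l in (Get-Content $HostsPath)) {
        if ($l -eq $BeginMark) { $inBlock = $true; continue }
        if ($l -eq $EndMark)   { $inBlock = $false; continue }
        if (-not $inBlock) { $l }
    }
    Set-Content -Path $HostsPath -Value @($kept) -Encoding ASCII
    ipconfig /flushdns | Out-Null
}

function Install-Sinkhole {
    # 0.0.0.0 fails the connect() outright; 127.0.0.1 hands the request to any
    # local listener on that port, which is why 0.0.0.0 is the default here.
    param([string[]]$Hostnames, [string]$SinkAddress = '0.0.0.0')
    Remove-Sinkhole                                      # idempotent re-install
    Copy-Item $HostsPath "$HostsPath.bak" -Force         # keep a backup
    $block = @($BeginMark) + @($Hostnames | ForEach-Object { "$SinkAddress $_" }) + @($EndMark)
    Add-Content -Path $HostsPath -Value $block -Encoding ASCII
    ipconfig /flushdns | Out-Null
}

# Usage: install, then verify through the system resolver (which consults the
# hosts file). Run Remove-Sinkhole before Windows Update if the list also
# covers update servers.
$names = ConvertFrom-HostsList $SampleList
Install-Sinkhole -Hostnames $names
foreach ($n in $names) {
    $ip = ([System.Net.Dns]::GetHostAddresses($n) | Select-Object -First 1).IPAddressToString
    "{0,-40} -> {1}" -f $n, $ip          # every name should come back as 0.0.0.0
}
```

Anything that reaches out by a hard-coded IP, or uses its own resolver instead of the system one, will not be caught by this; the hosts file only covers lookups that go through the OS resolver.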

A physically different box doing your firewall is the only way to deal with this product, if you actually want to lock it down.

If you don’t trust the OS/vendor (and by attempting to remove the telemetry, clearly not) then why do you think you can trust the network stack on it? The host based firewall only sees what the OS lets it see.

Nope. If you’re going to go firewalling stuff, do it on your edge router or a separate physical appliance.

However, the problem you’ll have there is that

  • Microsoft’s list of IPs they use for this stuff likely also includes large parts of the internet you care about, so it’s difficult to block (and be sure it will stay blocked) via IP addresses (which are updated and hard-coded inside the product and used independently of DNS).
  • It’s all encrypted and a large amount of it goes over port 443, so you can’t just block it by protocol either without breaking most of the internet.

This is why I rely on the “organic firewall” (myself) and don’t store any personal information that I want secret on Windows machines.

I do use OneDrive for KeePass out of necessity, but that is encrypted.
I also use Windows for work - but that’s the company’s data, not mine.

Use ShutUp10 on Windows 10 Pro (for more group policies). Enable everything except DRM internet access, app access to the microphone, user access to the microphone, and WiFi MS server access; otherwise those related services will break.

Then just run PowerShell as admin and enter these commands to batch-remove, and also prevent from being reinstalled, all the BS bloatware Microsoft apps like Xbox and MS Store that nobody uses (IMO):

Get-AppXPackage | Remove-AppxPackage

Get-AppXProvisionedPackage -online | Remove-AppxProvisionedPackage -online

Might also want to go to “Windows Features” and disable the SMB 1.0 protocol per Wendell’s instructions. You’ll have a fairly secure, straightforward experience from there on.
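A targeted version of the procedure in the post above, as an added example (not code from the original post). The two one-liners remove every Appx package on the machine, dependencies included; this script removes only packages whose name matches a deny-list, protects an allow-list, supports -WhatIf so you can preview what would go, and finishes with the SMB1 step and a verification readout. The Deny and Allow patterns are my assumptions about what counts as bloat and what you want to keep; adjust them. Note that removing the Store package (as the post intends) also removes the easy way to reinstall anything later.

```powershell
# Added example, not code from the original post: deny-list based Appx removal
# with -WhatIf preview, plus SMB1 disable and a verification readout.
# Run as: .\Debloat.ps1 -WhatIf   (preview)   then   .\Debloat.ps1
#Requires -RunAsAdministrator
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Substrings of package names to remove. ASSUMPTION: my choice of "bloat"
    # (Xbox, Store, Zune media apps, Bing apps, Solitaire, ...).
    [string[]]$Deny  = @('Xbox', 'WindowsStore', 'StorePurchaseApp', 'Zune', 'Bing',
                         'Solitaire', 'YourPhone', 'GetHelp', 'Getstarted', 'Microsoft3DViewer'),
    # Never removed, even if a Deny pattern would match. ASSUMPTION: my choice.
    [string[]]$Allow = @('Microsoft.WindowsCalculator', 'Microsoft.Windows.Photos')
)

function Test-DenyMatch {
    param([string]$Name)
    if ($Allow -contains $Name) { return $false }
    foreach ($p in $Deny) { if ($Name -like "*$p*") { return $true } }
    return $false
}

# 1. Installed packages, for every profile on the box. Frameworks and
#    packages Windows marks non-removable are skipped.
$installed = Get-AppxPackage -AllUsers |
    Where-Object { -not $_.IsFramework -and -not $_.NonRemovable -and (Test-DenyMatch $_.Name) }
foreach ($pkg in $installed) {
    if ($PSCmdlet.ShouldProcess($pkg.PackageFullName, 'Remove-AppxPackage -AllUsers')) {
        Remove-AppxPackage -Package $pkg.PackageFullName -AllUsers -ErrorAction Continue
    }
}

# 2. Provisioned packages, so the same apps do not come back for new profiles.
$provisioned = Get-AppxProvisionedPackage -Online | Where-Object { Test-DenyMatch $_.DisplayName }
foreach ($pkg in $provisioned) {
    if ($PSCmdlet.ShouldProcess($pkg.PackageName, 'Remove-AppxProvisionedPackage')) {
        Remove-AppxProvisionedPackage -Online -PackageName $pkg.PackageName | Out-Null
    }
}

# 3. SMB1: remove the optional feature (client and server) and turn off the
#    server-side protocol switch as well.
if ($PSCmdlet.ShouldProcess('SMB1Protocol', 'Disable')) {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

# 4. Verify. After a real run: SMB1Feature Disabled (or DisablePending until
#    reboot), SMB1Server False, Remaining 0.
[pscustomobject]@{
    SMB1Feature = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State
    SMB1Server  = (Get-SmbServerConfiguration).EnableSMB1Protocol
    Remaining   = @(Get-AppxPackage -AllUsers | Where-Object { Test-DenyMatch $_.Name }).Count
}
```

Provisioned and installed packages are separate inventories, which is why both steps are needed: removing only the installed copy leaves the provisioned one to reappear in the next user profile, and removing only the provisioned one leaves it installed for existing users.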

I’ve heard some negatives about O&O ShutUp10. I’m not saying they are true, but its reputation isn’t stellar.

Also, I’m pretty sure what you’re describing is called a back door.
And I don’t think OTHER corporations/governments around the world would be happy with that, even if it is just for telemetry on what’s breaking.
You’re poking holes in the security, and I don’t care who you are, you don’t have that right.
Even if a law you bought says so.

That’s like a mechanic setting up WiFi cameras in your home to make sure your car doesn’t break down sometime in the next 5 years. Oh, the one in the bathroom? Ignore that one, it’s never on and won’t show up on your network, it’s just so I can monitor your car without you having to turn your other appliances on… DON’T WORRY ABOUT IT! I’M A GOOD GUY to allow you on my personal feed.
You know, for safety’s sake.
Oh, that camera in your daughter’s room?
Yeah, no problem, it’s off too. TRUST ME!
I’m a mechanic.
ERM, YOU CAN **** OFF ON THAT ONE, MATE! would be my reply.
As would yours, as would everyone else’s.

Now I’m not saying you’re wrong. But I’m not sure even MS would be able to live it down if their own backdoor became a default attack vector for the bad guys.

Interesting, any sources in regards to this?
Because till now most people that I know recommend it a lot.
The toolbox that Chris Titus made, which was mentioned earlier in this topic,
also uses ShutUp10 as part of the toolbox.
And that said user is somebody I would consider a pretty reputable source.
So if there are any concerns in regards to O&O ShutUp10,
then it would be nice if you could provide some information on that said application.

It is kind of true that certain applications in regards to Windows 10 privacy are shady.
And some could even contain malware.
But O&O ShutUp10 is not one of those that I’m aware of.


ShutUp10 doesn’t do anything you can’t do yourself using GPO/the registry; it just gives a unified interface to do/undo it.


Spybot Anti-Beacon maybe? It adds Microsoft’s (and more) domain names to the hosts file with an unaddressable IP address (0.0.0.0) and maybe does more. However, it borks Windows Update (because it blocks MS’s update server). I never actually opened it, I just removed it whenever I saw it to allow Windows to update (’cause, security patches and stuff).

If you are more advanced, then just run a home DNS using Pi-hole, or preferably NoTrack, and grab some blacklists for Microsoft’s telemetry servers (you need to keep those updated though).

Nope, you’re right, you have to remove Anti-Beacon’s immunization before you do an MS update.
It won’t balk all the time, but often enough to be a pain in the ass if you don’t disable its protections first.

That reminds me, you may have just solved another problem a user is having… 🙂


Anything relying on hosts-file or DNS blocking isn’t going to work properly, as Microsoft embeds a number of IPs elsewhere in the OS and it doesn’t need DNS to work.

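The check that follows from the point above, as an added example (not code from the original post): if hosts-file and DNS blocking can be bypassed by hard-coded IPs, the way to see what is still getting out is to look at live connections by process rather than at names. This lists established outbound TCP connections to non-local, non-private addresses, joined to the owning process and the Authenticode signer of its image, with a best-effort reverse lookup. It runs on the very OS you are trying to constrain, so (as the earlier post about host-based firewalls says) it only shows what the OS lets it show; a separate firewall box stays the authoritative vantage point. Elevation is needed to read the image path of system processes.

```powershell
# Added example, not code from the original post: what is connecting out right
# now, by process and code signer, independent of hosts-file or DNS blocking.
#Requires -RunAsAdministrator

function Get-OutboundByProcess {
    # Established TCP connections to non-local, non-RFC1918/link-local/ULA
    # addresses, joined to the owning process and its Authenticode signer.
    $ignore  = @('0.0.0.0', '127.0.0.1', '::', '::1')
    $private = '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|169\.254\.|fe80:|fc|fd)'
    Get-NetTCPConnection -State Established |
        Where-Object { $_.RemoteAddress -notin $ignore -and $_.RemoteAddress -notmatch $private } |
        ForEach-Object {
            $proc   = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $signer = if ($proc -and $proc.Path) {
                (Get-AuthenticodeSignature -FilePath $proc.Path).SignerCertificate.Subject
            }
            # PTR lookup is best-effort: it tells you who owns the IP, not why
            # the process used it, and it is not how the process got there.
            $ptr = (Resolve-DnsName $_.RemoteAddress -Type PTR -ErrorAction SilentlyContinue).NameHost
            [pscustomobject]@{
                Process = if ($proc) { $proc.ProcessName } else { "pid $($_.OwningProcess)" }
                Pid     = $_.OwningProcess
                Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
                Reverse = $ptr
                Signer  = $signer
            }
        }
}

# Usage. svchost.exe hosts many services, so map its PID with `tasklist /svc`
# before deciding which service actually opened a given connection.
Get-OutboundByProcess | Sort-Object Process, Remote | Format-Table -AutoSize
```

Run it a few times over a quiet machine (nothing of yours open) and diff the results; anything that persists with a Microsoft signer and no corresponding hosts entry is exactly the traffic that name-based blocking is not reaching, and it is the list to take to the edge router.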