Privacy in Windows 10

Hi,
I’m thinking of upgrading to Windows 10. There are a few applications I need to use that are not released for Linux, and I’d like to do my best not to just give up my privacy to Microsoft.

Is there a way to stop Windows 10 from collecting data? Can it all be effectively turned off in Windows settings?
Is it possible to deny Windows internet access completely without unplugging the cable?

1 Like

I think you can buy their Long Term Servicing Branch, but it’s hard to find legitimate sources for it. It’s supposed to not have telemetry, and updates are completely pausable (vs. the lack of control in the Pro and Home versions).

You could try to put it in a virtual machine and use it like that in order to block stuff from the inside going out. But it requires intimate knowledge of Linux and motherboard virtualization (which I have yet to dabble in). If you have the time to learn and the inclination for it, I’d say go for it. Unless you want to play online competitive multiplayer games in a Win10 VM. Those get banned for “cheating”.

For those, it may be desirable to have a completely separate disk and dual boot, but it is fiddly if you switch a lot.

Alternatively you could just put the computer behind a pfSense router and just whitelist the things that you need specifically.

1 Like

Which applications do you need?

Even after tweaking settings Windows will still collect lots of data. Microsoft is making it harder to change those settings and at this point it’s probably impossible to stop Windows spyware.

1 Like

Thanks guys for the reply.

I believe to qualify for that I would have to be something like a hospital or lawyer’s office.

My knowledge of Linux is basic at best and I don’t even know what motherboard virtualization is.

I don’t have a pfSense router but I have OpenWRT, could that be set up to block Windows traffic?

Mostly Photoshop.

https://www.majorgeeks.com/files/details/destroy_windows_10_spying.html

I have never tried it.

1 Like

We don’t have anything as good and as refined as Photoshop, sadly. You could learn GIMP; at the very least, you are not paying for it. Don’t think of it as a Photoshop clone. Think of it as a separate product, and you need a different mindset and workflow from Photoshop. There are also Krita and Inkscape, but it is nearer to Illustrator than Photoshop.


The easiest path is to use VirtualBox. I find the UI intuitive enough to understand, but it will be slow, especially if your project’s file size gets big enough or if the image you are processing has several layers.

If you have time to learn (which I don’t have much of), they say virt-manager/QEMU is better, but it involves a bit of coding (human readable enough, though). The advantage is that you can pass through whole video cards, USB devices, etc. into the system as if it has its own dedicated video card and peripherals, at a speed where the overhead is nearly imperceptible, as if it were installed on the bare metal of your computer.

I haven’t dabbled long enough in OpenWRT to figure this out yet. The pandemic really has me shackled down with work.


Maybe you know IT people from those industries. You can ask permission/buy a copy/sublicense for yourself.

1 Like

It’s obnoxious what Windows 10 collects. Even a simple game of Solitaire turns out to be a surveillance nightmare…

There is the Windows 10 Section on the PTIO site, which highly recommends W10Privacy, they have good instructions and explain everything the program does in detail.

There’s also an open source application firewall called Portmaster, that helps you monitor & block connections, so you can forbid specific domains/apps to access the Internet. Disclaimer: I’m part of the team. It’s still in alpha, but feel free to check it out. Might be valuable to you if you upgrade.

I don’t often make plugs, but thought it fit here. If it is unfit, I’m happy to remove the “self shoutout”.

1 Like

What I would really like to see on privacytools.io: An up to date list of addresses, both domains and IPs, that are related to Windows telemetry. That way one could block them in the router firewall and DNS server.

This site (posted above) contains a list of domains but not IPs:
https://www.majorgeeks.com/files/details/destroy_windows_10_spying.html

1 Like

I would advise against blocking IPs. In today’s Internet landscape IPs are very volatile. It’s much better to focus on the domains coded into the software, as these won’t change (as quickly).

If you check out another interesting project - WindowsSpyBlocker - you will see that they have problems with blocking IP addresses (example).

A much better way to go about this is to deny IP-based communication dynamically. The Portmaster, as mentioned by @davegson before, can do this in an elegant way: connections to IPs to which no domain name was resolved are denied. This means that a process that wants to communicate with a server must resolve a domain to that IP first. This feature is not yet enabled by default because it does break applications that depend on direct “P2P” communication. But this will be enabled for Windows as soon as community sourced app settings are rolled out next year. Until then, you can enable this setting for Windows services manually.
Disclaimer at this point: I am the Lead Dev of the Portmaster.

We do currently import the “spy” domain blocklist from WindowsSpyBlocker - here is the result of the domains you posted: (enabled Portmaster list categories: TRAC, MAL, BAD, BADC)

BLOCKED  vortex.data.microsoft.com
  OK     vortex-win.data.microsoft.com
BLOCKED  telecommand.telemetry.microsoft.com
BLOCKED  telecommand.telemetry.microsoft.com.nsatc.net
  OK     oca.telemetry.microsoft.com
BLOCKED  oca.telemetry.microsoft.com.nsatc.net
BLOCKED  sqm.telemetry.microsoft.com
  OK     sqm.telemetry.microsoft.com.nsatc.net
BLOCKED  watson.telemetry.microsoft.com
BLOCKED  watson.telemetry.microsoft.com.nsatc.net
  OK     redir.metaservices.microsoft.com
  OK     choice.microsoft.com
  OK     choice.microsoft.com.nsatc.net
  OK     df.telemetry.microsoft.com
BLOCKED  reports.wes.df.telemetry.microsoft.com
BLOCKED  wes.df.telemetry.microsoft.com
BLOCKED  services.wes.df.telemetry.microsoft.com
  OK     sqm.df.telemetry.microsoft.com
  OK     telemetry.microsoft.com
  OK     watson.ppe.telemetry.microsoft.com
BLOCKED  telemetry.appex.bing.net
  OK     telemetry.urs.microsoft.com
BLOCKED  telemetry.appex.bing.net
  OK     settings-sandbox.data.microsoft.com
  OK     vortex-sandbox.data.microsoft.com
  OK     survey.watson.microsoft.com
  OK     watson.live.com
  OK     watson.microsoft.com
BLOCKED  statsfe2.ws.microsoft.com
  OK     corpext.msitadfs.glbdns2.microsoft.com
BLOCKED  compatexchange.cloudapp.net
  OK     cs1.wpc.v0cdn.net
  OK     a-0001.a-msedge.net
BLOCKED  statsfe2.update.microsoft.com.akadns.net
  OK     sls.update.microsoft.com.akadns.net
  OK     fe2.update.microsoft.com.akadns.net
  OK     diagnostics.support.microsoft.com
  OK     corp.sts.microsoft.com
  OK     statsfe1.ws.microsoft.com
  OK     pre.footprintpredict.com
  OK     i1.services.social.microsoft.com
BLOCKED  i1.services.social.microsoft.com.nsatc.net
  OK     feedback.windows.com
BLOCKED  feedback.microsoft-hohm.com
  OK     feedback.search.microsoft.com
BLOCKED  rad.msn.com
BLOCKED  preview.msn.com
BLOCKED  ad.doubleclick.net
BLOCKED  ads.msn.com
BLOCKED  ads1.msads.net
BLOCKED  ads1.msn.com
BLOCKED  a.ads1.msn.com
BLOCKED  a.ads2.msn.com
BLOCKED  adnexus.net
BLOCKED  adnxs.com
BLOCKED  az361816.vo.msecnd.net
BLOCKED  az512334.vo.msecnd.net

To be honest, I didn’t think that so many domains would make it through. I will look into that in the coming weeks. Effectively blocking Windows telemetry and privacy intruding “services” is important to us.
What sometimes makes this difficult are false-positives, which impact user experience - things start to seemingly break at random.

1 Like
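The "deny connections to IPs that no domain was resolved to" rule described in the post above, as an added toy model written for this thread; it is not Portmaster code and makes no claim about how Portmaster implements it. It assumes three things the post does not spell out: resolutions are remembered per process (pid, IP), blocklist entries also cover their subdomains (so `telemetry.microsoft.com` covers `watson.telemetry.microsoft.com`, while the sibling `vortex-win.data.microsoft.com` is not covered by `vortex.data.microsoft.com`, which is the kind of gap visible in the results list), and direct-IP exceptions exist for the "P2P"/LAN case the post says breaks otherwise. Pids and the RFC 5737 documentation addresses in the demo are constructed sample events.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Verdict = Tuple[bool, str]  # (allowed, human-readable reason)


@dataclass
class EgressFilter:
    """Allow a connection only if the process resolved a non-blocklisted domain to that IP."""

    blocklist: Set[str]  # domain names; each entry also covers all of its subdomains
    # Exceptions reachable without a prior DNS answer (LAN, P2P peers); assumed rule shape.
    direct_ok: List[ipaddress.IPv4Network] = field(default_factory=list)
    # (pid, ip) -> domain most recently resolved to that ip by that process
    resolved: Dict[Tuple[int, str], str] = field(default_factory=dict)

    def on_dns_answer(self, pid: int, domain: str, ips: List[str]) -> None:
        """Record a DNS answer seen for a process (fed by whatever sees DNS traffic)."""
        name = domain.lower().rstrip(".")
        for ip in ips:
            self.resolved[(pid, ip)] = name

    def domain_blocked(self, domain: str) -> bool:
        """True if the domain or any parent domain is on the blocklist."""
        labels = domain.lower().rstrip(".").split(".")
        return any(".".join(labels[i:]) in self.blocklist for i in range(len(labels)))

    def on_connect(self, pid: int, ip: str) -> Verdict:
        """Decide a new outbound connection from pid to ip."""
        addr = ipaddress.ip_address(ip)
        domain = self.resolved.get((pid, ip))
        if domain is None:
            # No resolution by this process: deny unless an explicit direct-IP exception matches.
            if any(addr in net for net in self.direct_ok):
                return True, f"allow {ip}: direct-IP exception"
            return False, f"deny {ip}: no DNS resolution by pid {pid}"
        if self.domain_blocked(domain):
            return False, f"deny {ip}: {domain} is blocklisted"
        return True, f"allow {ip}: resolved as {domain}"


def run_demo() -> List[Verdict]:
    """Constructed event sequence; returns the verdict for each connection attempt."""
    f = EgressFilter(
        blocklist={"vortex.data.microsoft.com", "telemetry.microsoft.com", "ads.msn.com"},
        direct_ok=[ipaddress.ip_network("192.168.0.0/16")],
    )
    f.on_dns_answer(1001, "watson.telemetry.microsoft.com.", ["203.0.113.10"])
    f.on_dns_answer(1001, "vortex-win.data.microsoft.com", ["203.0.113.20"])
    f.on_dns_answer(1001, "www.example.com", ["203.0.113.30"])
    return [
        f.on_connect(1001, "203.0.113.10"),  # subdomain of a listed entry -> deny
        f.on_connect(1001, "203.0.113.20"),  # sibling of a listed entry -> allow (list gap)
        f.on_connect(1001, "203.0.113.30"),  # ordinary resolved name -> allow
        f.on_connect(1001, "203.0.113.40"),  # never resolved by anyone -> deny
        f.on_connect(2002, "203.0.113.30"),  # resolved only by another pid -> deny
        f.on_connect(1001, "192.168.1.5"),   # LAN exception -> allow without DNS
    ]


if __name__ == "__main__":
    for allowed, reason in run_demo():
        print("ALLOW" if allowed else "DENY ", reason)
```

The second verdict is the point to notice: an exact-name list is only as good as its coverage of sibling hostnames, whereas the "no resolution, no connection" rule catches a program that hardcodes an IP regardless of what the list contains.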

Unfortunately at this point, I don’t know about any substitute that I could use with comparable level of efficiency.

Not someone I’d feel comfortable to bother with this.

The VirtualBox idea actually sounds pretty complex to me. Could you elaborate a little on what kind of advantages and how much control it would give me compared to just installing it as a regular dual boot with Linux? Would that allow me to hide hardware and devices like integrated Wifi and Bluetooth?
I assume that one of the disadvantages is lag and less stability?

Is it even possible in principle to block all Windows snooping, while being able to use the internet? I believe even on older Windows versions svchost must be allowed to call somewhere before the OS lets anything else through.

Thanks, I’ll check it out!

You could specify how many cores you lend to the virtual machine, the same with RAM.

You could block or allow the virtual machine to connect to whatever network your actual computer is connected to.

Mouse and keyboard work seamlessly.

You could share a directory with the VM, as well as copy-paste functionality.

The only potential fiddling you need is to enable virtualization in your BIOS, which is of course motherboard dependent.

@Daniel I agree that blocking raw IP addresses can be problematic. I thought about it because I remember that Windows 10 telemetry was once updated to bypass hosts file blocking. I don’t remember if it used raw IP addresses or if it resolved the domain name manually instead of using the system name resolution. But in any case, it could be adjusted to bypass most traditional DNS based blocking solutions.

Portmaster approach looks interesting. Breaking P2P applications can be a problem but it could be resolved with exception rules.

Blocking all snooping can be difficult and I think it has a high level of uncertainty. Microsoft could add snooping code to unexpected places and update it regularly. You can get pretty good results with various blocking methods but if you want to be sure, use Linux (or some BSD), and only use Windows 10 when you definitely need it (specific applications, gaming etc.)

“Internal” blocking methods that are applied inside the Windows system can do different things such as tweaking settings and disabling services. But I think that blocking network addresses gets a bit more effective when it’s done in a router or hardware firewall as it can’t be directly bypassed by Windows updates. (Unless Microsoft adds new addresses that are not yet blocked.)

2 Likes
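The router-side DNS blocking discussed above (the OpenWRT question earlier in the thread and the wish for a blockable domain list), as an added example written for this thread and not taken from any of the projects mentioned. It turns a plain domain list into dnsmasq `address=` entries, which is the resolver OpenWRT ships. Two details matter in practice: dnsmasq's `address=/name/` matches the name and every subdomain, so entries whose parent is already listed are redundant and are dropped here, and a list pulled from the web needs cleaning (case, trailing dots, comments, duplicates, junk lines). The sample list is constructed from domains posted in this thread; the `uci` path `dhcp.@dnsmasq[0].address` is assumed from OpenWRT's `/etc/config/dhcp` layout, and the `0.0.0.0` sink address is a convention, not a requirement.

```python
import re
from typing import Iterable, List

# Constructed sample input: a few domains from the list posted above, plus the
# kinds of noise a downloaded list tends to contain.
SAMPLE_DOMAINS = """
vortex.data.microsoft.com
vortex-win.data.microsoft.com
telemetry.microsoft.com
watson.telemetry.microsoft.com   # already covered by telemetry.microsoft.com
sqm.telemetry.microsoft.com.
telemetry.appex.bing.net
telemetry.appex.bing.net         # duplicate
ADS.msn.com
not a domain!
"""

# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with a hyphen.
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def valid_domain(name: str) -> bool:
    labels = name.split(".")
    return len(labels) >= 2 and all(LABEL.match(label) for label in labels)


def normalize(lines: Iterable[str]) -> List[str]:
    """Strip comments/whitespace, lowercase, drop trailing dots and invalid names."""
    out = []
    for line in lines:
        name = line.split("#", 1)[0].strip().lower().rstrip(".")
        if name and valid_domain(name):
            out.append(name)
    return out


def collapse(domains: Iterable[str]) -> List[str]:
    """Drop duplicates and any name whose parent domain is also listed.

    dnsmasq's address= already matches subdomains, so listing the parent is enough.
    Output is sorted by label count, then name, to keep the generated config stable.
    """
    names = set(domains)
    keep = []
    for name in sorted(names, key=lambda d: (d.count("."), d)):
        labels = name.split(".")
        parents = (".".join(labels[i:]) for i in range(1, len(labels)))
        if not any(p in names for p in parents):
            keep.append(name)
    return keep


def dnsmasq_lines(domains: Iterable[str], sink: str = "0.0.0.0") -> List[str]:
    """Lines for a dnsmasq conf file; answers every query under each name with `sink`."""
    return [f"address=/{d}/{sink}" for d in collapse(normalize(domains))]


def uci_commands(domains: Iterable[str], sink: str = "0.0.0.0") -> List[str]:
    """Equivalent OpenWRT uci commands (assumed dhcp/dnsmasq config path)."""
    cmds = [f"uci add_list dhcp.@dnsmasq[0].address='/{d}/{sink}'"
            for d in collapse(normalize(domains))]
    return cmds + ["uci commit dhcp", "/etc/init.d/dnsmasq restart"]


if __name__ == "__main__":
    print("\n".join(dnsmasq_lines(SAMPLE_DOMAINS.splitlines())))
    print()
    print("\n".join(uci_commands(SAMPLE_DOMAINS.splitlines())))
```

This only bites if the Windows machine actually uses the router's resolver: force that by redirecting outbound port 53 to the router in the OpenWRT firewall, and keep in mind, as noted earlier in the thread about hosts-file bypasses, that software which resolves names itself or talks to hardcoded IPs walks straight past DNS-level blocking; a firewall rule set on the router is the backstop for those.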

It’s a cat and mouse game either way. Take the recent “unblockable” CNAME tracking which uBlock did handle in the end, but “they” always come up with new tricks.

Fighting on many fronts is the key fmpov.

Blocking all snooping can be difficult and I think it has a high level of uncertainty. Microsoft could add snooping code to unexpected places and update it regularly.

While you can, as you say, only achieve 100% certainty on the network level, the Portmaster uses a kernel extension to look at every packet going through the system. I doubt that they would go that far as to change behavior in the kernel itself. But it is of course, possible.

Privacy is a big issue with Win10, and they keep changing it with every update and every Windows patch.
O&O ShutUp10 seems to still work; check it out.

https://www.oo-software.com/en/shutup10

2 Likes