Tinfoil hat time: Mark Burnett says that, even with every spying thing turned off, Win10 Enterprise snoops too much

Topic

New Reply

Mark Burnett, writing on the Xato blog, took Win10 Enterprise to task. Even after a very clean install of Win10 Enterprise inside a VirtualBox VM, a r
[See the full post at: Tinfoil hat time: Mark Burnett says that, even with every spying thing turned off, Win10 Enterprise snoops too much]

1 user thanked author for this post.

Noel Carboni

Reply | Quote

Replies

The two GP Editor screenshots Burnett gives are indeed confusing, but not for the reason he gives. He says that the top one is set wrong, while the bottom one is set correctly.

However, the first shot is named “Allow Telemetry” while the second one is named “Configure Windows Defender SmartScreen.” So they’re not the same item. And in BOTH of them, the radio button for “Disabled” is selected. So it’s not at all clear to me what about these settings is “wrong” for the first one but “right” in the second one.

The only difference I can find is in the description of what to do: for the first policy, enable the policy first and then disable it; and for the second policy, just disable it. Is that what he’s saying? In that case, the screenshots don’t help.

Which brings up another issue: how in heaven’s name is one supposed to know (or even to find out) that you have to “enable, then disable” for some policies, but “disable in the first place” for other policies???

Looks like there’s a penguin in my future.

 

Keep Running Windows 7 Safely for Years to Come  
Make Windows 10 look and work like Windows 7

Reply | Quote

After my Vista systems reached EOL in April I had them fitted for tuxedos.  I couldn’t be happier.  After getting settled in I installed Win10 in a VirtualBox VM and tried to find my way through the Microsoft Maze in order to identify and disable telemetry.  Life is too short.  I deleted the VM.

1 user thanked author for this post.

HiFlyer

Reply | Quote

May I ask which tuxedo you decided on? So many choices. I’d love to have a penguin of my own.

I’ve been playing with Mint (Cinnamon and KDE), but I know there are many other options.

1 user thanked author for this post.

HiFlyer

Reply | Quote

Early on it became clear to me that the direction Microsoft had taken after Win7 was not to my liking.  I evaluated a number of Linux distros including Ubuntu, Debian, Mint, CentOS, openSUSE, Mageia and Gentoo.    I installed each of the distros in a VM and ran it for a time to see how it handled ordinary chores like email, browsing, updates, backup, system configuration, etc. The process also gave me an opportunity to see how i could find support for any issues or questions that arose during my testing.   In the end, I decided to go with Mint 18.1

2 users thanked author for this post.

Elly, Cybertooth

Reply | Quote

@ anonymous#118523

Depends on your machine. If you have an old machine that has only 2GB RAM and 80GB HDD or less, you should go for a lightweight Linux distro, eg Lubuntu 16.04(= a 900MB iso file). Otherwise, go for a heavyweight or full-featured Linux distro, eg Linux Mint 18.1 Cinnamon(= a 1.6GB iso file).
In comparison, the sumo-heavyweight or bloated Win 10 iso file is a gargantuan 3GB plus.

Reply | Quote

As far as lightweight distros go I have a small Acer netbook (1GB and Atom cpu) that was purchased many years ago with XP Home edition.  When XP reached EOL I installed Lubuntu.  It has worked out just fine and the netbook is still humming along.

Reply | Quote

I settled on Xubuntu — 32-bit for my old computer and 64-bit for my new computer.

Xubuntu is a somewhat stripped-down version of Ubuntu, so it should run all of the Ubuntu software (there’s lots out there); there’s also lots of Ubuntu help out there which will apply to Xubuntu.

I tried Lubuntu, but I didn’t like it because it seemed rough around the edges. Xubuntu is also “light weight” (like Lubuntu), but it is much more polished than Lubuntu. Xubuntu runs well on both of my computers. It occasionally crashes on my old computer, so I restart and am back in business.

I’ve never tried Mint or any other Linux distro, so I can’t comment on them.

Group "L" (Linux Mint)
with Windows 10 running in a remote session on my file server

Reply | Quote

Two other distros worth looking at for new Linux users are Linux Lite (XFCE based, current version 3.4) and Peppermint OS (LXDE or XFCE, current version 8.0). Easy to install/use, both are based on LTS (Long term support), both are great on resources (you can put them on older equipment). Both have excellent support forums as well, so you can get started easily.

Reply | Quote

Cybertooth, see my post/reply to your question a few posts below.  Seems I did something wrong with the reply / quote functions of the forum, sorry for any inconvenience!

Reply | Quote

Although I’m a diehard windows 7 pro user, there will come a time (after I use win 8.1 from 2020 to 2023 – maybe…) that I’ll have to install win10 on a few of my machines.  Sooo, riddle me this: What happens if, after the initial install & authentication, I were to never let a win 10 machine access the internet again?  How long would it last before issuing the ultimatum “go online or else I stop working!” – a few months, 6 months, 1 year ?  My plan is to have windows machines on a private LAN with no access to the outside world; web facing stuff would be done on a Linux machine.

Of course, my idea here is to give the ultimate finger to windows 10 telemetry, info gathering, adverts, unwanted updates, attacks, etc.

3 users thanked author for this post.

Elly, Cybertooth, Cascadian

Reply | Quote

Had first read you before your addition, but can still certainly understand the sentiment.

This is an extremely interesting scenario, I had not considered. I don’t have anything to add as an answer. But am extremely interested to find out if there is information. Tracing the theory though, while I type: the semi-rolling distribution model coupled with WaaS, likely means you would lose functionality on some timeline of 6mos. or less, theoretically.

Does anyone have a more firm empirical stance?

Reply | Quote

>How long would it last before issuing the ultimatum “go online or else I stop working!”

I haven’t seen any indication or report that it would do ever that and it’s been almost two years now. I’m pretty sure I’ve had some offline W10 install in a VM for more than 6 months myself…

Also, if you’re not interested in (feature) updates it might make sense to install LTSB.

2 users thanked author for this post.

Noel Carboni, John in Mtl

Reply | Quote

anonymous wrote:

I haven’t seen any indication or report that it would do ever that and it’s been almost two years now. I’m pretty sure I’ve had some offline W10 install in a VM for more than 6 months myself…

The phrase that comes to mind is:

“Past results are no guarantee of future performance.”

However, it’s all we have to go on. Thank you for sharing that.

-Noel

Reply | Quote

Very interesting indeed. I hadn’t considered just keeping it restricted to the LAN. I only use my Win 10 system for offline gaming.

What if one used a “Group B” approach and downloaded the cumulative updates separately from the Microsoft Update Catalog, saved them to a USB drive, and then installed them manually on the Win 10 system? That way it wouldn’t have to touch the ‘net, but it still could get security and bug fixes.

Reply | Quote

You can do online gaming with such a system too without much trouble (and without the chatter to Microsoft).  It’s quite difficult to block all of the many URLs or IPs Windows 10 chats with, and it’s likely those addresses will change from time to time.  The assumption with this (the blacklist or “allow most”) system is that other than the bad addresses, the computer has to have broad access to the WAN to be able to perform its tasks.  For most of us doing general-purpose computing, this is true.

Gaming, though, is different.  Most games now (as I understand) consist of a client-server model, with relatively little peer-to-peer stuff anymore.  This makes it easy to use a whitelist (block most) system, where everything is blocked except the IPs associated with the game itself.  You don’t have to worry about figuring out which addresses MS is using this month, because everything but your gaming server addresses is blocked.

Even if you do need to do some peer-to-peer stuff, it’s possible to restrict the communications to the ports used by that game only, which will also block any attempts Windows makes to communicate with the mother ship unless it happens to use those same port numbers.  Unless MS codes Windows to start trying random port numbers for outgoing communications (after a certain time of seeing them blocked), this would be effective as long as the destination ports are not the same.

This could be accomplished in a few ways.  The built-in Windows firewall is one of them… while it seems on the surface to be silly to rely on a Microsoft firewall to block Microsoft traffic from Microsoft Windows, it has worked so far, and I would expect it to keep doing so in the future.  It’s much more likely that MS would build updates to secretly add “allow” rules to the firewall than to secretly bypass it completely for certain IPs.

Another way would be to use an aftermarket software firewall, like Zone Alarm Free.

If neither of those makes you happy, there’s always the router.  It’s easy enough with most router firmware to restrict a given MAC (say that of your Win 10 PC’s NIC) to allow only the gaming addresses.  The other devices on the LAN would be unaffected (unless you wanted the entire LAN to follow the blocklist, of course).

The hard part is getting Windows 10 blocked for the blabbing but still usable for general-purpose work.  If you already know the range of IPs you need to communicate with, it makes it simple to lock it down.

Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

1 user thanked author for this post.

AlexEiffel

Reply | Quote

I have been using a few Windows 10 1511 offline for more than a year without issue. The only issue I had was a freezing every week due to a new weird clock synchro in Windows 10 that would reset the clock to the last time the computer went online when it tries to synchronize time. It can be fixed permanently with
Resyncing the time service client with the server:
Net stop w32time
W32tm /unregister
W32tm /register
Net start w32time
W32tm /resync /force

And setting the following registry entry:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits]
“SecureTimeConfidence”=dword:00000000

However, you must be aware that since Microsoft doesn’t support any normal version for more than a few months, if you need to update to 7-8 versions later from an old one in a few years, the update might have unexpected consequences. If you don’t mind a clean install once in a while just to be current before putting it offline again, I don’t see a problem.

 

2 users thanked author for this post.

BobbyB, Noel Carboni

Reply | Quote

If you are not going to allow the PCs in question to access the WAN, why not keep using 7 or 8.1?  If you don’t need something that’s specifically Windows 10 (DX12, UWP, etc.), the older versions will still work, and if they are not allowed WAN access, their lack of security updates should not make any difference.  Of course, they would still be vulnerable to any malware that makes it past the perimeter (those machines that do have full WAN access, which I am guessing would be Linux or Mac, since in your example the W10 machines would be cut off), so that isn’t likely.

 

Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

Reply | Quote

John in Mtl wrote:

Of course, my idea here is to give the ultimate finger to windows 10 telemetry, info gathering, adverts, unwanted updates, attacks, etc.

An interesting “have cake and eat it too” possibility would be a custom firewall configuration that would allow some online access, but block the “cloud integration”. That’s what I’ve been trying to achieve. But it may just be that they’re headed toward a “let us have free access or we just stop updating your system” arrangement. Updates have been very balky for me lately.

-Noel

Reply | Quote

Cybertooth wrote:

Which brings up another issue: how in heaven’s name is one supposed to know (or even to find out) that you have to “enable, then disable” for some policies, but “disable in the first place” for other policies??? Looks like there’s a penguin in my future.

I dont know if you are refering to this aspect of using GP:  Out of the box, most policies start out as “not defined” so they are kind of like “not enabled”.  Of course, “not defined” is defined or described somewhere in a long list of “defaults”; maybe in an MS document or online help file.  So, for simplicity’s sake, let’s say “not defined” = “not enabled”.  So, if you want to enforce a particular policy setting, you first have to put it out of its undefined state, thereby “enabling” it; then depending on what the policy does you have to enable or disable the action/behaviour of the policy.

Reply | Quote

John in Mtl, maybe you’re right. I took it to mean that “enabling” the setting meant clicking on the “Enabled” radio button.  But the shots Mark Burnett showed, had both settings selected to “Disabled,” where the first one (he said) was wrongly first enabled and then disabled, while the second one (he said) should be just disabled… and yet both of the screenshots showed identical settings.

Very confusing, and obscure as all heck.

Tthe bottom line for me is that even Windows 10 Enterprise won’t get rid of all the telemetry. There has been talk of a subscription-based Windows Enterprise edition where supposedly you could get it for some monthly or annual payment, and I was hoping that maybe I could eventually get that and set telemetry to 0. (Yeah, I would consider a Windows subscription model if it came with no telemetry.) But if Burnett is right, then even that idea is out.

Keep Running Windows 7 Safely for Years to Come  
Make Windows 10 look and work like Windows 7

1 user thanked author for this post.

John in Mtl

Reply | Quote

@John in Mtl,

that’s exactly what I’ve been doing with my dual boot Windows 7/Linux Mint 17.3 – not allowing Windows 7 any online access (Network Adapter disabled in Control Panel) and using Linux for all online activities.

I have a new build ready to put together here – a Gigabyte B250M-D3H motherboard with an Intel i5 7th generation processor which I assume will be blocked from Windows Update even if I manage to install Windows 7. The driver disc that comes with the motherboard only has drivers for 6th generation processors but not 7th like the one I have (which further reinforces my opinion that MS and Intel have ‘got together’ to deliberately force people with new processors onto Windows 10).

Well, if I can’t install and run Windows 7 on this new build, then I guess I’ll have to install Windows 10. But, I’ll be doing the same thing you’ve done – offline Windows 10 (after activation) and online Linux Mint.

Carl D.

Reply | Quote

Post back here in the Section on Linux for Windows Geeks on how that motherboard works for you.

In case you were not aware, this site: http://phoronix.com does a lot of Linux hardware testing including 7th Gen boards and Ryzen.

I am also dong a Linux build. Just doing distro shopping now (I really want Ubuntu 18 LTS, but may go Mint until it is ready.) Good luck. I want to take advantage of the M.2 drive speed.

Reply | Quote

Bill C. wrote:

Post back here in the Section on Linux for Windows Geeks on how that motherboard works for you.

I installed Ubuntu 16.04 on a Skylake + H110 mobo combo last month and there were absolutely no problems hardware-wise.

The only problem is I can’t get rid of UEFI boot entry that Ubuntu has left (I didn’t like it and uninstalled) – I just disabled it in BIOS.

Fractal Design Pop Air * Thermaltake Toughpower GF3 750W * ASUS TUF GAMING B560M-PLUS * Intel Core i9-11900K * 4 x 8 GB G.Skill Aegis DDR4 3600 MHz CL16 * ASRock RX 6800 XT Phantom Gaming 16GB OC * XPG GAMMIX S70 BLADE 1TB * SanDisk Ultra 3D 1TB * Samsung EVO 840 250GB * DVD RW Lite-ON iHAS 124 * Windows 10 Pro 22H2 64-bit Insider * Windows 11 Pro Beta Insider

1 user thanked author for this post.

Bill C.

Reply | Quote

I’m waiting for someone to take a look at the Chinese Enterprise version of W10. Their complaint was the telemetry, so Microsoft scrubbed it clean for them. The Chinese had a lot of say in the final product – they were not given access to the source code so they would have been limited to what they could identify as off limits. I wonder what they used to identify the offensive bits.

2 users thanked author for this post.

NetDef, BobbyB

Reply | Quote

You must have a psychic ability there @anonymous Just sat here thinking about that myself. You can bet the telemetry won’t be heading states side probably somwhere behind the “Great firewall of China” and of course there will be certain topics/words or phrases that will be strictly “taboo”. It would be interesting to see just where the “snooping” goes to. As my Chinese character recognition only goes as far as “exit” and I suspect many other folk as well. It’s probable we’ll never know.

PS any typo’s forgive me just trying out this iPad “Thinggy” change seldom comes quick round here lol

Reply | Quote

If you want privacy stay off the Internet.  By the way stay off your cell phone.  If its not the government spying on you its your ISP.  If its not your ISP then its a hacker watching what keystrokes you are typing into your laptop.

Instead of shopping at Amazon get up and get out and go into stores at your local mall.

1984 is here.  For those of you who don’t know what that means, its a book by George Orwell called 1984.  I suggest you read it.  Spying will only get worse not better.

Remember if you want to read 1984 don”t go on Amazon go to your local bookstore or library.

Sam

 

1 user thanked author for this post.

Bill C.

Reply | Quote

anonymous wrote:

Remember if you want to read 1984 don”t go on Amazon go to your local bookstore or library.

Of course, you would have to find a bookstore or library without security cameras, and then pay in cash at the bookstore without using any membership card or just read the book in the library, assuming that the book is available.  Any other way would leave records… And if you are so very much not wanting the government to see what you are doing, then the library is out, since it is a government facility after all.  Oh, and don’t post here about this, since you don’t know who else is monitoring here, some of us could even be government employees (looks at county library pay stub)…

(Yes, I do recognize that there are some serious online privacy issues that people should be aware of.  However, should your level of concern be on the same level as the previous poster, please actually think through the actions you advise others to take so that people don’t poke holes in your plans.  Also, if anyone wants a more recently written book with similar themes, you can try The Giver by Lois Lowry.)

Reply | Quote

Up through v1607 (Anniversary) I had achieved a Windows 10 configuration that was made silent online with regard to sending in telemetry or making unwanted contacts with Microsoft or other sites. This came with baggage unacceptable to some – notably I had to eliminate all Apps. But it was serviceable and ran long-term without faults. It was even fairly efficient.

With v1703 (Creator’s) that changed. I was able to create the same no-App configuration, and even make it silent BUT… It became unserviceable. Windows Update began to fail. I have been fighting with this problem for a week now trying to find out what, specifically, I tweaked that Windows Update doesn’t like.

I’ve narrowed it down to the App removal. I’ve yet to achieve a “no Apps” configuration of Windows 10 v1703 that can succeed a Windows Update.

In the past couple of days I’ve installed a new Windows 10 setup afresh, and have been trying to quiet it down with the Apps still in place. I’m not all the way there yet, though I’ve gotten it a helluva lot quieter than it was. For example, I booted it up this morning without having yet installed the Sphinx firewall package I usually use, and I observed these contacts:

[29-May-17 09:22:20] Client 192.168.2.26, store-images.s-microsoft.com A resolved from Forwarding Server as 23.14.187.21
[29-May-17 09:22:21] Client 192.168.2.26, arc.msn.com A resolved from Forwarding Server as 65.52.108.103
[29-May-17 09:22:21] Client 192.168.2.26, store-images.microsoft.com A resolved from Forwarding Server as 23.75.64.200
[29-May-17 09:22:21] Client 192.168.2.26, fe2.update.microsoft.com A resolved from Forwarding Server as 134.170.165.251
[29-May-17 09:22:22] Client 192.168.2.26, sci2-1.am.microsoft.com A resolved from Forwarding Server as 23.75.65.235
[29-May-17 09:22:22] Client 192.168.2.26, sci1-1.am.microsoft.com A resolved from Forwarding Server as 23.75.65.235
[29-May-17 09:22:22] Client 192.168.2.26, tsfe.trafficshaping.dsp.mp.microsoft.com A resolved from Forwarding Server as 40.77.232.95
[29-May-17 09:22:22] Client 192.168.2.26, fe3.delivery.mp.microsoft.com A resolved from Forwarding Server as 64.4.54.18
[29-May-17 09:22:23] Client 192.168.2.26, ris.api.iris.microsoft.com A resolved from Forwarding Server as 40.77.229.148
[29-May-17 09:22:24] Client 192.168.2.26, g.msn.com A not found (1) --- blacklisted by DNS proxy ---
[29-May-17 09:22:25] Client 192.168.2.26, 7.dl.delivery.mp.microsoft.com A resolved from Forwarding Server as 13.107.4.50
[29-May-17 09:22:26] Client 192.168.2.26, 7.tlu.dl.delivery.mp.microsoft.com A resolved from Forwarding Server as 13.107.4.50

The difference is that I’m that “IT Department” Mark describes, and I am willing to cut as deeply as I know how to regain complete control over Windows. It MAY mean that I will still end up with a system with no App running capacity (even though they are still installed), or I may ultimately discover the specific tweak that Windows Update is unwilling to accept and get back to having no Apps installed.

Stay tuned.

-Noel

Update: I’ve installed the firewall and found Windows just sitting idle tried so far since this morning to contact these sites:

[29-May-17 09:49:33] Client 192.168.2.26, time.windows.com A resolved from Forwarding Server as 52.173.193.166
[29-May-17 09:49:50] Client 192.168.2.26, fe2.update.microsoft.com A resolved from Forwarding Server as 134.170.53.29
[29-May-17 09:50:26] Client 192.168.2.26, au.download.windowsupdate.com A resolved from Forwarding Server as 13.107.4.50
[29-May-17 10:10:26] Client 192.168.2.26, au.download.windowsupdate.com A resolved from Forwarding Server as 13.107.4.50
[29-May-17 10:30:26] Client 192.168.2.26, au.download.windowsupdate.com A resolved from Forwarding Server as 13.107.4.50
[29-May-17 10:50:26] Client 192.168.2.26, au.download.windowsupdate.com A resolved from Forwarding Server as 8.253.135.112
[29-May-17 11:10:26] Client 192.168.2.26, au.download.windowsupdate.com A resolved from Forwarding Server as 13.107.4.50
[29-May-17 11:30:26] Client 192.168.2.26, au.download.windowsupdate.com A resolved from Forwarding Server as 13.107.4.50
[29-May-17 11:50:22] Client 192.168.2.26, sls.update.microsoft.com A resolved from Forwarding Server as 134.170.115.56
[29-May-17 11:50:23] Client 192.168.2.26, au.download.windowsupdate.com A resolved from Forwarding Server as 8.249.67.254
[29-May-17 12:10:23] Client 192.168.2.26, au.download.windowsupdate.com A resolved from Forwarding Server as 13.107.4.50
[29-May-17 12:30:23] Client 192.168.2.26, au.download.windowsupdate.com A resolved from Forwarding Server as 13.107.4.50
[29-May-17 12:50:23] Client 192.168.2.26, au.download.windowsupdate.com A resolved from Forwarding Server as 13.107.4.50

I’ve not gotten there yet, but I still have much to do. Stay tuned.

3 users thanked author for this post.

Elly, woody, John in Mtl

Reply | Quote

I was hoping that you would chime in here, Noel, as I’ve been following your experiments and evaluations of win10 for a good while now.  Contrary to what you are doing, I now have absolutely no interest in “digging into” this beast and silence it.  That’s why I’m taking the easy way out: no internet access for win10.  Of course, I might have to “cheat” once in a while on account of some periodic software license checks, but I can live with that.

I’ve been around computers since the days of Altair and Imsai, CP/M and DOS 1.0. I used to wait impatiently for the next iteration of CP/M and later Windows; always interested in what was under the hood, configuring and tweaking to no end.  Nowadays with the direction windows is heading in, and with everything they have added into the OS, the excitement just isn’t there anymore. Or maybe i’m just getting old LOL.

5 users thanked author for this post.

Ascaris, Elly, HiFlyer, Noel Carboni, Cybertooth

Reply | Quote

Noel Carboni wrote:

With v1703 (Creator’s) that changed. I was able to create the same no-App configuration, and even make it silent BUT… It became unserviceable. Windows Update began to fail. I have been fighting with this problem for a week now trying to find out what, specifically, I tweaked that Windows Update doesn’t like. I’ve narrowed it down to the App removal. I’ve yet to achieve a “no Apps” configuration of Windows 10 v1703 that can succeed a Windows Update.

Not surprised. I expect that Microsoft will keep making it harder and harder to run Windows 10 “silently,” as you put it. Sooner or later it’ll be impossible to run it without constantly phoning home.

Keep Running Windows 7 Safely for Years to Come  
Make Windows 10 look and work like Windows 7

1 user thanked author for this post.

Noel Carboni

Reply | Quote

From May 25. next year Microsoft must reveal exactly what they collect, where it’s stored, to whom it is shared with… and best of all: before they collect even a minute bit, they must have my written consent.

I’m aware, the US laws has “sold out” and allows all kind of snooping and selling on customer information, but the EU citizens are from an EU point of view not “customers” but individuals with privacy rights.

As I see it, EU is the human race’s last hope in the fight for user rights (to put it a bit dramatic  ) and I for one certainly look forward to the upcoming fight with microSoft a.o. when it comes to data collecting and handling…

I know, who will win and who will obey, and maybe then I want to continue as a microSoft user. It will however not be until then that I can even legally use Win10, since I in current state can’t guarentee my clients confidential data aren’t being collected and shared…

Hmm… didn’t I recently type that rant?

11 users thanked author for this post.

Cascadian, Elly, David F, BobbyB, woody, ebrke, Alice, HiFlyer, Bill C., satrow, Noel Carboni

Reply | Quote

Yes, and European authorities are increasingly concerned about their own vulnerabilities as well. To quote a recent statement by the Investigate Europe group:

The single biggest problem is that Europe runs on technology it doesn’t control. The fact that it’s being controlled by foreign entities, corporate or governments, is becoming a strategic issue. We’re basically living under a foreign killswitch. We would never accept this in other areas of our infrastructure.

1 user thanked author for this post.

Jan K.

Reply | Quote

It’s certainly not amusing — and, of course, illegal in quite a few countries –, that Microsoft collects details (MAC, IPv4/IPv6 addresses, proxies, gateways [and other personally identifiable information], online time, connection speed, bandwidth usage, name it) from hardware connected to and software running on the computer, but one should be even more concerned about what data Web sites collect…

Woody, Any idea why tracking protection at my end has blocked content from 99 services on this site? Thank you!

Reply | Quote

Sorry I’m slow getting back to you. I’m on the road….

Not sure why you’re getting so many services. As I understand it, there’s a connection made to Gravatr, to retrieve posters’ avatars, plus any links associated with the ads.

Are you seeing something different?

Reply | Quote

Indeed, you are right! It’s Gravatar, which is blocked here. Thanks for pointing that out!

Reply | Quote

Hello, I know that Woody wanted people to try and stop telemetry with regular manual methods like Group Policy or Registry/Scheduled task disabling, but has anyone done a good study on SpyBot Anti-Beacon 1.6? It seems just too simple to run that program and be done. Has anyone confirmed ist functionality in success or failure?

Reply | Quote

The question is not whether third-party tools like that are effective or not.
The problem arises, because you don’t know exactly what they do, you don’t know how to reverse the changes they make if you have a problem.

4 users thanked author for this post.

AlexEiffel, ch100, woody, Cascadian

Reply | Quote

Right, never let third-party programs mess with the registry or the file system if you didn’t code the programs yourself! All those registry/file system cleaners do more harm than good. And… it really doesn’t hurt performance if the registry/file system contains tens of thousand orphaned items.. Of course, if you count nanoseconds.. The registry and the file system are designed to keep loads of junk without affecting performance…

Reply | Quote

Hello, I am sorry but I can not go with the idea that a 3rd party anti spying program must be dismissed without question. Spybot has been around for over a decade and I can tell you my friends and relatives are NOT GOING TO EDIT THE REGISTRY! I have used Spybot S&D for 12+ years and they try hard to do good IMO. My relatives are on Spybot Anti-Beacon and if needed I will too if we go to Windows 10. I see NoelC is finding URLs for the Hosts file. Spybot AB already has them in the Host file after you immunize.

Having privacy is to important to worry about to say no to a program without even investigating it, unless you are a coder, know how to do it, want to do it, and want to spend the time. I asked that it be investigated, and I would like WOODY to look into Spybot AB. Thank you.

Reply | Quote

I understand your frustration. I too would like a tool to just disable everything everybody knows they don’t want with a button, even if I am a power user. I would like a law that simply states nobody can take any information I don’t want to send and not package a global yes-or-you-can’t-use-your-computer setting either. I don’t want to spend time researching an issue that shouldn’t be there in the first place and be responsible for doing a good enough job about it, plus keep up with all the changes I need to reverse before applying a feature upgrade and the ones I need to add after the feature upgrade. The new Windows as an elusive target is a very unappealing proposition. I though I would be able to keep up in a minimal manner without going crazy, but the more days passes, the more angry I get.

Just hearing Noel having issues with updates on CU after his tweaks and him having to try real hard to find which one is problematic is scary to all others who are not nearly as devoted to controlling the beast as him. I did a tweaker retweaker like him and I didn’t try it on CU yet, but now it got me quite depressed when I read about his issues.

I am the kind of user that got very mad when I was using ZoneAlarm firewall and started noticing all those processes from Microsoft trying to access the Internet without my permission a long time ago, not even knowing what each was used for, when it was still considered optional for software to use the Internet. The world has changed and it was part of the deal with Windows 7 to allow many processes from Microsoft for most people as it wasn’t practical to try to control that. The implicit deal was Microsoft respects my privacy enough and I trust them to a certain point. They were not an ad based money machine.

When I got an Iphone, I felt like I saw the future, I understand how the world was different on those device and I understand what good it could provide in terms of customer experience, so I understand why MS wants to go that way. However, the good it can bring doesn’t necessarily need all the bad it brings too and most of it should be optional. I got the Iphone, tuned it to my liking, and kept the desktop for a lot of things I find more sensitive. My use of the Iphone is limited to some very specific things. This need is what MS don’t understand or don’t care about, maybe because a lot of users prefers convenience and don’t mind the sharing that much. The desktop has been that safer haven and now it is going in another direction with no respect for what it has been in the past, not even a no thanks switch like if you don’t want Siri on the Iphone.

On 10, I’ve done lots of things manually, then I scanned using a few of those tools to see what I might have missed or what they do. I think it was Spybot, but I am not sure, but one of them wasn’t updated for a while and I was running AU while the tool was developed during 1511 if my memory is good, so it was quite out of date and applied settings that were not relevant anymore and didn’t apply some settings that were needed. I felt more comfortable not using the tools to apply anything. The problem with all these tools is that they must know about every change MS does to Windows and keep up with all of them, plus analyze which version you have to do the appropriate changes and only those. You also don’t know if anything they do will break an eventual forced update either, so you are putting your reliability at risk while probably not covering enough in terms of shutting down what is sent. If you are a power user and you know what tweaks you did, you can always test and revert more easily, but if you are a normal user, the problem is you are now on your own with issues. I know it is bad and I would like to give you a better answer. I also understand Spybot has been around a long time and in that sense could be trusted to do a good job, but for these tools to be safe, they need to constantly be updated and I don’t see how they can know for sure they won’t cause issue since they don’t have access, just like you and me, to what secret thing Microsoft is doing with all the settings or feature it puts there that will be required for some Windows functionality.

So when you embark on this journey, you are effectively putting your reliability at risk. It is something you might find better than leaving everything to on, or be like Noel and try to control everything and bend the computer to your liking if you have the knowledge, but for most people that just wants a reliable experience, it might not be worth it. It might be best to just use the GUI, read the options, and turn everything to the most private setting Microsoft allows, while avoiding anything from the store and everything that seems to go the direction you don’t like Microsoft is taking, hoping that the market, the businesses and some government or potential lawsuits make them adjust course later.

Or else, at some point, you need two computers. One for the essential Windows stuff, and one for the rest. You need to realize Microsoft have control here and nobody else has really as much control as they would like. Here, I kind of agree with ch100 that if you are not happy, there is not much you can reasonably do beside trying something else when you are not a power user and maybe even then. I don’t say it is right. It is infuriating to feel held hostage like that. Yes, we fight, but it is a loosing battle in the long run and the only way to reverse that is if they loose more money than they make or run into some legal issue and it might take a while for them to realize that. This is certainly not something you tame with a software.

If it bothers you that much, maybe just install Windows 8.1 and stick with it until 2023. I bet in the years 2020-2023, this is where we will see a lot more clear with all these issues, as businesses will be forced to leave Windows 7 and will likely use Windows 10, so they will have to deal with it. Some of them have good tools to manage it, smaller ones not so much.

 

3 users thanked author for this post.

Cybertooth, HiFlyer, Noel Carboni

Reply | Quote

Well said.

AlexEiffel wrote:

You need to realize Microsoft have control here and nobody else has really as much control as they would like.

Whenever I start to wonder about giving in, I remind myself never to forget who owns the hardware running the software, and who pays for the electricity and Internet access.

Being forced to allow one’s own devices to send information about oneself to others is adding insult to injury.

My comforting fallback, if I ultimately can’t tame Windows 10’s latest releases is to continue to run earlier releases (quite possibly Win 8.1 or even 7) for some years.

It’s all about balancing value against risk.

-Noel

1 user thanked author for this post.

HiFlyer

Reply | Quote

Current challenge:

Background Task Host (backgroundTaskHost.exe) occasionally tries to contact sites like:

• arc.msn.com
• ris.api.iris.microsoft.com

At this point it’s blocked by the firewall. I presume it could be trying to update things in the Start Menu or something along those lines (anyone else find it irritating that stuff like Candy Crush gets added in there automatically in the default configuration?). My challenge is to get to know what it’s needed for – or decide that it’s not needed at all and disable it from running. I don’t even know how it starts yet, but I know it didn’t start in my App-removed configuration (in my best Terminator voice: “I have detailed files”).

Anyone know what backgroundTaskHost.exe is good for?

-Noel

2 users thanked author for this post.

HiFlyer, Cascadian

Reply | Quote

Did you remove programs the synchronize with online services?

Reply | Quote

Presuming you mean “that” instead of “the”, I have deconfigured as much as I can. I completely removed OneDrive and disabled the services that support it, for example (yet I can still access OneDrive storage via a web browser).

At this point I have disabled quite a few more scheduled tasks and services, and I’m very happy to say that it’s really settled down. I haven’t seen an unexpected communication in a few hours now.

Best of all: Even with all the trimming and tweaking I was still able to complete a Windows Update just now to bring it up to build 15063.332. And it passes both SFC and DISM checks.

Having given up on having Apps to be able to run – again – I’ve even got the idle desktop process count back down to the mid 70s.

I’ve only got one error in the System Event Log to research and try to eliminate at this point:

Service Control Manager:
The CldFlt service failed to start due to the following error:
The request is not supported.

I just found an online solution for the above. It may indeed just be a matter of changing the service startup setting. I love disabling new junkware services I can do without (“Cloud Files Mini Filter Driver” in this case).

Of course it will take some time monitoring this system before I’m sure whether I have it quieted down, and whether it runs everything I need.

Oh, and by the way: It DOESN’T suffer from some of the problems described by Mr. Burnett – for example during the time I had reconfigured it to allow Windows Update it successfully contacted several certification authorities. I’m once again confident that it is possible to have a private Windows 10 configuration AND maintain serviceability. Woohoo!

-Noel

1 user thanked author for this post.

HiFlyer

Reply | Quote

Yep it was an oversight, congratulations on quelling 1703’s leaks.

Reply | Quote

Noel Carboni wrote:

I’m once again confident that it is possible to have a private Windows 10 configuration AND maintain serviceability. Woohoo! -Noel

Now MS make it out-of-the-box default, sort out the interface and I’m ready to install W10 :).

Fractal Design Pop Air * Thermaltake Toughpower GF3 750W * ASUS TUF GAMING B560M-PLUS * Intel Core i9-11900K * 4 x 8 GB G.Skill Aegis DDR4 3600 MHz CL16 * ASRock RX 6800 XT Phantom Gaming 16GB OC * XPG GAMMIX S70 BLADE 1TB * SanDisk Ultra 3D 1TB * Samsung EVO 840 250GB * DVD RW Lite-ON iHAS 124 * Windows 10 Pro 22H2 64-bit Insider * Windows 11 Pro Beta Insider

1 user thanked author for this post.

Ascaris

Reply | Quote

Sad to say, the system didn’t remain serviceable in the above configuration. I’ve had to drop back and try some other approaches.

-Noel

Reply | Quote

I am beginning to suspect that there is a core version of Windows 10 that is not publicized – and in fact may be secret.  (Hey, the title of this thread does contain the words “tinfoil hat!”)

First there are rumors in the news about a special version that the DOD and US-MIL is deploying. Then there’s a so-called HIPAA compliant baseline, a special template of settings like the Windows Restricted Traffic Limited Functionality Baseline. Then we find out the Chinese are getting a special version that frees them of telemetry among other security features that we can’t get here.  And don’t forget the upcoming EU deadline for privacy requirements and consent . . .

Surely Microsoft is not committing resources to all these different editions that are not on the marketing lists?  I would bet that there is a core version that meets all these security needs that is released in private to organizations that demand it.

And I want a legal copy for myself.

~ Group "Weekend" ~

3 users thanked author for this post.

HiFlyer, AlexEiffel, Elly

Reply | Quote

It certainly does make you wonder… The Chinese version has my snooping sniffers all atwitter.

Reply | Quote

Honestly, if MS really wanted to make some money, all they would have to do is make a version where all telemetry would be opt-in only.  Assuming that such a version was shown to work correctly, I think those who care about this would be willing to pay a reasonable price.  After all, with all of the blocking those who would be interested in such a version are doing now, they aren’t making as much money off of us now.

1 user thanked author for this post.

Elly

Reply | Quote

I can assure you that every serious business implementing Windows 10 use Windows 10 Enterprise, the same edition which is made available to the public.
There are guidelines for different purposes as it was mentioned in few places on this forum. This is nothing unusual and there were guidelines before for Windows 7 and any other desktop operating system.
One such public guideline is here:

https://www.stigviewer.com/stig/windows_10/
The Windows 10 Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems.

There is not much scope to make it more secure than what is presented in those guidelines, while maintaining reasonable functionality.

Reply | Quote

The China Government Edition will use these manageability features to remove features that are not needed by Chinese government employees like OneDrive, to manage all telemetry and updates, and to enable the government to use its own encryption algorithms within its computer systems.

Wow! A Windows 10 Enterprise China Government Edition or Win 10 Ent CGE, a special Telemetry-free and non-mandatory-update edition of Win 10 made available to the China government by Microsoft.
This proves that lately M$ like to collaborate with governments, ie tailor-make Windows to fulfil government requirements or “lawful” demands.

Hopefully, Win 10 Ent CGE will also be publicly leaked into the wild, eg by Shadow Brokers.

Reply | Quote

@NetDef & @Woody its probably reasonable to figure that any future “N” Ver of Win 10 could be “Snoop” free, or relatively “Snoop” free should the result go badly for M$ in the European Court of Justice.
Most of you will already know that the “N” version was released over a little legal “Spat” Involving Windows Media Player which was stripped from Win 7, 8.1, 10 for the European market.
M$ being the M$ we all know and love duely made a download of windows media player availble to circumvent the Judgement should you have been the unlucky recipient of the “N” Version.
So as this the defacto “Tin Foil Hat” topic its likely in the event it goes badly for M$ theyll find a way to get theyre snooping by “Hook or by Crook”.
You really got to think that advertising and “data mining” of our details and habits online will probably come close to actually paying for this whole Win10 episode.
Must have broke Sataya’s heart having to provide a Telemetry free version for the Chinese Govt. market and/or probably not getting a good snooping “foothold” on a potential market of well over a billion users. Not to mention the Espionage Market (well you did say “Tin Foil Hat”) but after the latest WannaCry exploit and many more to come I am sure theyll find a way lol

Reply | Quote

“spying” and “snooping” why do people use those terms? They tell you that they’re collecting data.

Reply | Quote

Many are simply uncomfortable living their lives with their big sister taking notes to tell when daddy gets home. They know their machines in a very personal way, and remember when they served the user only, and asked very politely before making any contact outside the box.

‘spying’ and ‘snooping’ are pejorative, certainly. But they express the frustration of a user without choice.

It is equally strange that you cannot recognize that.

5 users thanked author for this post.

Elly, David F, windows7wasthebest, HiFlyer, AlexEiffel

Reply | Quote

Has anyone figured out what the registry settings are that can only be set through the Group Policy Editor in Win 10 Enterprise, and whether configuring those same settings manually through regedit can work on Pro? I still need to investigate whether that’s what programs like O&O ShutUp10 or Win10Privacy tweak.

Unlike ch100 above, I suggest that serious small businesses are considering using Win 10 Pro simply because of the impenetrable and mysterious morass of licensing gobbledygook surrounding getting the Enterprise edition for just a few seats. I know I am. I’ve heard there’s a monthly rental version, but no, it’s a LIMITED Enterprise edition as compared to the FULL Enterprise edition that big businesses get. That kind of stuff screws with your mind.

The funny thing is I’d pay handsomely for one or two licenses of an OS that’s completely controllable by me. I always have in the past! I don’t want ad-supported garbageware, yet here I am spending my time bending the Pro edition to my will…

My hat is machined titanium, I’m not stupid, and somehow I don’t think I’m alone.

-Noel

4 users thanked author for this post.

HiFlyer, Cybertooth, Cascadian, Elly

Reply | Quote

Yes there are small businesses using Windows 10 Professional now for business operations.

Reply | Quote

:with humor

Titanium has admirable qualities, but it may not block the EM waves sufficiently. I would add a cupriferrous liner, and change from time to time, for added protection and airing out. Wear the green smudges on your temples with pride, safe in the knowledge you have been well protected. I do. Gold of course is superior to all, I just can’t afford it.

:resume stoicism

1 user thanked author for this post.

HiFlyer

Reply | Quote

@ Noel Carboni

According to https://community.spiceworks.com/topic/1894182-windows-10-enterprise-e3-where-to-buy,
you have to register with M$ as a business/corporation with an Enterprise Agreement before you are allowed to subscribe/lease Win 10 Ent E3 or E5 through a CSP or 3rd-party reseller. The minimum is 1 seat, which also depends on the CSP. The subscription cost for E3 or E5 is US$84 or US$168 per year per seat respectively.

For outright purchase of Win 10 Ent E3 or E5 Volume Licenses by businesses/corporations, the minimum purchase is 5 licenses (eg for SMBs) and requires the additional purchase of the 3-year term Software Assurance or Insurance for a minimum of at least once.
Only the twice-as-costly Win 10 Ent E5 VL can be converted to LTSB, ie the subscribed Win 10 Ent E5 cannot be converted to LTSB.

3 users thanked author for this post.

Elly, Cybertooth, HiFlyer

Reply | Quote

@ Noel Carboni

Also, (the degradation of Win 10 Pro by M$) …
https://www.petri.com/microsoft-cuts-features-windows-10-pro-push-businesses-enterprise-edition
https://www.theinquirer.net/inquirer/news/2464022/microsoft-wants-to-push-biz-users-onto-windows-10-enterprise-edition-with-anniversary-update

Reply | Quote

Noel Carboni wrote:

Has anyone figured out what the registry settings are that can only be set through the Group Policy Editor in Win 10 Enterprise, and whether configuring those same settings manually through regedit can work on Pro? I still need to investigate whether that’s what programs like O&O ShutUp10 or Win10Privacy tweak.

Unlike ch100 above, I suggest that serious small businesses are considering using Win 10 Pro simply because of the impenetrable and mysterious morass of licensing gobbledygook surrounding getting the Enterprise edition for just a few seats. I know I am. I’ve heard there’s a monthly rental version, but no, it’s a LIMITED Enterprise edition as compared to the FULL Enterprise edition that big businesses get. That kind of stuff screws with your mind.

The funny thing is I’d pay handsomely for one or two licenses of an OS that’s completely controllable by me. I always have in the past! I don’t want ad-supported garbageware, yet here I am spending my time bending the Pro edition to my will…

My hat is machined titanium, I’m not stupid, and somehow I don’t think I’m alone.

-Noel

As far as I know, the policies set through registry in Windows 10 Pro and which are documented not to work in that edition, do not work and this was tested a while ago. I think there are only a few of them and there is no easy solution for those on Pro.
You are certainly right in saying that those in small business or individuals with a limited number of licences available should use Pro not Enterprise for their production machines, due to licensing considerations.
There is a workaround for those associated with academic environments who can legally use Windows 10 Education which is essentially the Enterprise version with different out of the box default settings.
For those who are interested in trying or assessing Enterprise against Pro and the effect of various Group Policies and registry settings in each, there is a trial version offered on Microsoft’s site.

2 users thanked author for this post.

Noel Carboni, woody

Reply | Quote

Thanks. That’s as I understand it too, I was just wondering if there were any details that I’d missed.

I’m starting to think that if I were to decide I really needed Win 10 then I quite likely would have to settle for the system continually trying to contact some online sites without my being able to deconfigure those communication attempts, but having those contacts continually blocked by firewall configuration and DNS blacklisting. Assuming of course that it remains serviceable in this configuration. There’s a definite shift in the Creator’s update to where it’s much harder to regain control over what it does and who it tries to contact.

Ridiculous.

-Noel

3 users thanked author for this post.

Elly, Ascaris, HiFlyer

Reply | Quote

This “Windows Restricted Baseline” is pure evil.

2016 LTSB + may 2017 updates and this is why decent people can’t have their VirtualBox Guest Additions installed after Audit mode.

Reply | Quote

Oh, just remembered regarding to the above post (not related), there are just 2 services that are disgusting by their nature, therefore should be disabled, and will cause wreak havoc in a sysprepping heaven: “AppXSVC” and “ClipSVC”.

Reply | Quote

What do these two services do?

Keep Running Windows 7 Safely for Years to Come  
Make Windows 10 look and work like Windows 7

Reply | Quote

These services are visible in the Windows 10 Services management console.

The AppX Development Service will provide infrastructure for deploying Applications, it may also provide run-time support for them.

Client License Service provides infrastructure for the Store, it is for validating your applications at run time.

Reply | Quote

OK, I’m back to a path that will likely lead to success…

It’s a pretty different approach for me.

Specifically, I left Windows 10 entirely intact and installed all my software. I normally trim it down and tweak it for usability FIRST, then install all my applications, etc. However, I DID add the 3rd party firewall I use early on.

Basically my intent is to make it functional (runs my software, does what I need), keep it serviceable (capable of accepting Windows Updates) and ultimately minimizing/eliminating unwanted communications.

I figured the “hack and slash first” strategy wasn’t working so I changed approaches. I think I’m onto something that’ll work.

I fresh installed v1703 from the ISO, then instead of re-tweaking it first, I put in all my software first. At the moment I have it functional, already tweaked for better desktop usability, more efficient than out of the box (84 processes, 1.3 GB to support an idle desktop), and it still passes a Windows Update (and can install features like .NET 3.5 from Windows Update) when I reconfigure it to allow it.

Unwanted communications attempts are already reasonably scarce. The most recent ones I’ve seen are the following, the “geo” parts of which may imply there’s still something to do with the Maps App that still needs deconfiguring.

[31-May-17 11:43:04] Client 192.168.2.26, go.microsoft.com A resolved from Forwarding Server as 23.75.65.208
[31-May-17 11:45:02] Client 192.168.2.26, geover-prod.do.dsp.mp.microsoft.com A resolved from Forwarding Server as 23.0.87.30
[31-May-17 11:45:05] Client 192.168.2.26, geo-prod.do.dsp.mp.microsoft.com A resolved from Forwarding Server as 40.77.226.219

The firewall is blocking these comms, but now my task is to try to get to the bottom of why they are attempted in the first place.

Strategies I’m working, all the while watching like a hawk that the system remains serviceable:

• Finding specific overt settings that stop the attempts (this would be ideal).
• Finding registry tweaks that stop the attempts.
• Selective disabling or removal of components making the attempts.
• DNS resolution blocking of selected server names.
• hosts blocking of name resolution of selected server names.

I don’t like just blocking comms because that doesn’t address the real problem – that of components doing things I don’t want/need. Ultimately I need to get to a compromise that remains functional yet doesn’t do things I don’t want done.

But I’m still here to say there is hope. I WILL prevail!

-Noel

5 users thanked author for this post.

Elly, BobbyB, AlexEiffel, Cybertooth, HiFlyer

Reply | Quote

Keep up the good work

1 user thanked author for this post.

Noel Carboni

Reply | Quote

I am glad there are people like you, Noel. Keep us informed!

2 users thanked author for this post.

Jan K., Noel Carboni

Reply | Quote

Muddying the water…

I thought maybe I had tweaked my Win 10 VM a bit too much when last night it started refusing to do a Windows Update successfully.

But it was late, so I left the Windows Update service on. By this morning it had retried, succeeded and reported “Your system is up to date”.

So just checking Windows Update for success/failure (which takes a while in itself) has become unreliable for determining that everything’s AOK with the configuration.

It would imply that the system has to be online all the time just so a screwed up (throttled? obfuscated? unreliable?) Windows Update process can succeed occasionally.

Trying to base business computing on this kind of performance is beyond ridiculous!

-Noel

1 user thanked author for this post.

mulletback

Reply | Quote