[REPO] Windows 10 TELEMETRY REPOSITORY

Discussion in 'Windows 10' started by Yen, Aug 4, 2015.

  1. ralf ralf

    ralf ralf MDL Member

    May 11, 2017
    174
    24
    10
    Update Script 26.4.2022

    telemetry_Compare_26_4_2022.jpg
     
  2. freddie-o

    freddie-o MDL Expert

    Jul 29, 2009
    1,375
    2,277
    60
    No, they were never in the script. I leave these Services alone because if you delete them it breaks something.

     
  3. Digital01

    Digital01 MDL Novice

    Jan 8, 2020
    16
    1
    0

    Good morning.
    I have some questions, I appreciate if you can clarify.
    What does this logging do?: HKLM\SOFTHIVE\Policies\Microsoft\Windows\IPSec\ICFv4" /v "BypassFirewall" /t REG_DWORD /d "1

    For tests that I am doing I wanted to keep the firewall enabled, would these two keys in state 1 be enough or do I have to do something else?
    HKLM\SOFTHIVE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v "EnableFirewall" /t REG_DWORD
    HKLM\SOFTHIVE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v "EnableFirewall" /t REG_DWORD

    Even with a valid key, Win10 Enterprise cannot be activated because some necessary service is missing. I try this but it is not enough: slmgr.vbs /ipk xxxxx-xxxxx-xxxxx-xxxxx-xxxxx, since I am trying to do digital activation, but I only get a KMS activation of 180 days. How should I do it?

    And on the other hand, the issue of antivirus and firewall is a matter of trust, I understand that you trust the Symantec product, I am somewhat distrustful of all products in general, but there is no choice but to use one and probably try Symantec. Since it does not exist individually, only in the firewall version, I will try endpoint protection (firewall + antivirus).

    Grateful for your contribution.
    Sorry for the English translation. :)
    Greetings.
     
  4. freddie-o

    freddie-o MDL Expert

    Jul 29, 2009
    1,375
    2,277
    60
    #1585 freddie-o, May 2, 2022
    Last edited: May 3, 2022
    Code:
    reg add "HKLM\SOFTHIVE\Policies\Microsoft\Windows\IPSec\ICFv4" /v "BypassFirewall" /t REG_DWORD /d "1" /f
    
    This bypasses Windows Firewall authenticator (IPSec)



    Why would you still need Windows Firewall (to monitor and log) your outbound and inbound traffic if you will be using another Internet Security?
    If you are concerned about Telemetry why use Digital License activation (HWID)?



    To enable Windows Firewall remove these lines from the script
    Code:
    reg add "HKLM\SOFTHIVE\Policies\Microsoft\Windows\IPSec\ICFv4" /v "BypassFirewall" /t REG_DWORD /d "1" /f
    reg add "HKLM\SOFTHIVE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v "EnableFirewall" /t REG_DWORD /d "0" /f
    reg add "HKLM\SOFTHIVE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging" /v "LogDroppedPackets" /t REG_DWORD /d "0" /f
    reg add "HKLM\SOFTHIVE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging" /v "LogSuccessfulConnections" /t REG_DWORD /d "0" /f
    reg add "HKLM\SOFTHIVE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v "EnableFirewall" /t REG_DWORD /d "0" /f
    reg add "HKLM\SOFTHIVE\Policies\Microsoft\WindowsFirewall\StandardProfile\Logging" /v "LogDroppedPackets" /t REG_DWORD /d "0" /f
    reg add "HKLM\SOFTHIVE\Policies\Microsoft\WindowsFirewall\StandardProfile\Logging" /v "LogSuccessfulConnections" /t REG_DWORD /d "0" /f
    



    Store needs to be enabled for Digital License activation (HWID). Remove these lines from the script to enable Store
    Code:
    rem == disable windows store ==
    reg add "HKLM\SOFTHIVE\Policies\Microsoft\WindowsStore" /v "DisableStoreApps" /t REG_DWORD /d "1" /f
    reg add "HKLM\SOFTHIVE\Policies\Microsoft\WindowsStore" /v "AutoDownload" /t REG_DWORD /d "2" /f
    reg add "HKLM\SOFTHIVE\Policies\Microsoft\WindowsStore" /v "RemoveWindowsStore" /t REG_DWORD /d "1" /f
    



    Symantec Endpoint Protection is a personal choice of mine. You can use an Internet Security of your choice
    To "disable" Telemetry in Symantec this is how I configure it
    1.png

    2.png

    3.png

    4.png



    After setup is complete

    5.png

    6.png
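
An added example (not freddie-o's script): a small parser for `reg add` lines that picks out the firewall-policy and Store-policy writes discussed above, so the lines to remove can be identified mechanically instead of by eye. The script excerpt embedded below is constructed for the example; the policy key prefixes are the ones quoted in this post and are matched as substrings so both `HKLM\SOFTHIVE` (offline hive) and `HKLM\SOFTWARE` (live system) spellings are covered.

```python
import re

# Constructed excerpt in the same shape as the batch script quoted in the thread
SCRIPT = r'''
rem == firewall ==
reg add "HKLM\SOFTHIVE\Policies\Microsoft\Windows\IPSec\ICFv4" /v "BypassFirewall" /t REG_DWORD /d "1" /f
reg add "HKLM\SOFTHIVE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v "EnableFirewall" /t REG_DWORD /d "0" /f
reg add "HKLM\SOFTHIVE\Policies\Microsoft\WindowsFirewall\StandardProfile\Logging" /v "LogDroppedPackets" /t REG_DWORD /d "0" /f
rem == disable windows store ==
reg add "HKLM\SOFTHIVE\Policies\Microsoft\WindowsStore" /v "RemoveWindowsStore" /t REG_DWORD /d "1" /f
reg add "HKLM\SOFTHIVE\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d "0" /f
'''

# reg add "KEY" /v "NAME" /t TYPE /d "DATA" /f  (the /v, /t, /d parts are optional)
REG_ADD = re.compile(
    r'^\s*reg\s+add\s+"(?P<key>[^"]+)"'
    r'(?:\s+/v\s+"(?P<name>[^"]+)")?'
    r'(?:\s+/t\s+(?P<type>\S+))?'
    r'(?:\s+/d\s+"(?P<data>[^"]*)")?',
    re.IGNORECASE,
)

# Policy key prefixes (lower-case) whose writes the post says must be dropped to keep
# the feature working; the Logging subkeys fall under the WindowsFirewall prefix.
FEATURE_KEYS = {
    "firewall": (r"policies\microsoft\windows\ipsec\icfv4", r"policies\microsoft\windowsfirewall"),
    "store": (r"policies\microsoft\windowsstore",),
}

def parse_reg_add(line):
    """Return the key/name/type/data fields of a reg add line, or None for anything else."""
    m = REG_ADD.match(line)
    return m.groupdict() if m else None

def affected_feature(key):
    """Name the feature a registry key path belongs to, or None if it is unrelated."""
    k = key.lower()
    for feature, prefixes in FEATURE_KEYS.items():
        if any(p in k for p in prefixes):
            return feature
    return None

def filter_script(text, keep):
    """Split a script into (lines to keep, [(feature, line) removed]) for the features in `keep`."""
    kept, removed = [], []
    for line in text.splitlines():
        entry = parse_reg_add(line)
        feature = affected_feature(entry["key"]) if entry else None
        (removed.append((feature, line.strip())) if feature in keep else kept.append(line))
    return kept, removed

if __name__ == "__main__":
    for feature, line in filter_script(SCRIPT, {"firewall", "store"})[1]:
        print(f"[{feature}] remove: {line}")
```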
     
  5. case-sensitive

    case-sensitive MDL Expert

    Nov 7, 2013
    1,681
    729
    60
    Block it with your router. Usually there's either an IP blocker, and/or parental controls with an IP blocker, in routers.
     
  6. Digital01

    Digital01 MDL Novice

    Jan 8, 2020
    16
    1
    0
     
  7. Digital01

    Digital01 MDL Novice

    Jan 8, 2020
    16
    1
    0


    My thought is to continue using the Windows firewall temporarily until I choose a different one.
    They are right about trying to avoid telemetry if at the same time I am going to connect to activate the operating system, but I don't see another option to leave it activated, and then execute those registry keys.
     
  8. BraneStawm

    BraneStawm MDL Novice

    Apr 14, 2020
    37
    13
    0
    The file in question is /windows/system32/dnsapi.dll
    You can view the contents with a hex editor but you need to decompile the contents to be able to view the addresses.
     
  9. ralf ralf

    ralf ralf MDL Member

    May 11, 2017
    174
    24
    10
    Update Script 8.5.2022
     
  10. lakrispipe

    lakrispipe MDL Novice

    Oct 12, 2019
    8
    28
    0
    Telemetry/data collection is the new gold and Microsoft carries the biggest pickaxe. Suspicious is the silence on the subject from MS. Their actions show again and again they really want your data and unique ID on file. Imagine the amounts of data going through MS' pipes just by stealing private information from unknowing people or companies.

    I'm on a Windows 10 Enterprise LTSC that is stripped down to the bare minimum and it's taken so much time and testing. NVIDIA telemetry crap as well. VS, VS Code telemetry. It's barely bearable to use even when heavily customized.

    And with TPM + DRM with MS' wet dream of full control it's looking bleak for Windows users and personal computing in general. We have Linux but I like Windows. When getting asked by someone if I'm a Windows user I'll just nod and look down at my shoes. I used to be a vocal fan now I'll listen to Microsoft carefully, and do the complete opposite.

    Microsoft says 'something', 'some version' is unsupported? I support it myself, thank you.

    Microsoft wants to run an executable or service on its own will and it wants internet connection access? I destroy that service or replace the whole executable with decoy files.

    Microsoft says something is security risk? I'll find a way to micropatch that DLL in memory up myself even if it takes 500 hours. F*** off.

    When W10 is on its death bed I'm bailing. Whatever. They have given up on everything that has to do with trusted computing and data integrity. Sad.
     
  11. coolshoes

    coolshoes MDL Novice

    Apr 24, 2022
    2
    0
    0
    Is following the original post a comprehensive approach to turning off all the telemetry?

    I have enterprise LTSC running with priv10 and sledgehammer currently. Sometimes some of the
    priv10 settings get switched off, though. So I am wondering if priv10 is necessary after seeing the OP
    of this thread.

    I want the simplest, low resource yet comprehensive approach if possible.

    Would that be my current setup or better to block ip addresses via router and run the script from the OP.

    OR

    Is a combination of these things necessary?
     
  12. lakrispipe

    lakrispipe MDL Novice

    Oct 12, 2019
    8
    28
    0
    Hello coolshoes. You want to turn off all telemetry in a simple way and that's not possible. You can limit the amounts of data.
    We need to know exactly which version you're using. What do you mean by "get switched off" - by whom and why? You have to monitor everything at all times so when these things happen you're able to verify (never mind this if you turned it off yourself).

    If we're talking about a full disable be prepared for possible weird side-effects as a result. You need to do work and research on topics like: memory mapped files (rollback scripts), decompressing, kernel debugging, tracing, DLL dumps, ACL, lots of grep'ing and basically everything that has to do with ETW (sessions, providers, consumers, controllers) / AutoLoggers and general knowledge on Windows internals. If I were you here's where I'd start: dump diagtrack.dll (C:\Windows\System32) to a bin file you can open and look what hardcoded strings you can find there. Sort and categorize the strings you find like regex, references to executable files, registry keys, IP and/or domains etc.

    Diagtrack DLL has PE resources attached and under "4000" you can find "4100" and "4101" - dump these to text files. 4100 contains over 150 regex strings to directories/files where the Telemetry data is stored, for example:

    ^\\\\\?\\%localappdata%\\Packages\\Microsoft\.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\[^\\>/:?<|"]+\.{1}[^\\>/:?<|".]+$
    ^\\\\\?\\%systemdrive%\\Data\\SystemData\\Temp\\CrashDumps\\[^\\>/:?<|"]+(\.dmp){1}$
    ^\\\\\?\\%programdata%\\Microsoft\\Windows\\wlanreport\\(?!\\)(?![\s\S]*((\.\.|\s(\\|$))|[>/:?<|""]|\\\\))
    ^\\\\\?\\%systemdrive%\\ProgramData\\Microsoft\\Network\\Connections\\Pbk\\RasPhone\.pbk$
    ^\\\\\?\\%programdata%\\Microsoft\\Windows\\WFP\\(?!\\)(?![\s\S]*((\.\.|\s(\\|$))|[>/:?<|"]|\\\\))
    4101.txt contains what I believe are references to the .exe files (command line arguments) from system32 - to collect information that will be sent to MS (a MiniDump will also be sent, see dbghelp.dll and the function "MiniDumpWriteDump") if it can access the internet. It's not known to me which executables relate to normal Telemetry operation and which ones are for remediation purposes. Then later you will automatically receive (again if it can connect and verify) a so-called "Downloaded Scenario" conf which I believe can contain instructions for the DiagTrack service to start the remediation. Unless you work in the spying department on Telemetry at MS it's not possible to know what these instructions/configurations will contain. It will only do this if it can verify the Microsoft Root Certificate, however.
    It looks for a key as evidenced in diagtrack.dll:

    "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\TestHooks" valuename "CheckCertForMicrosoftRoot" type "REG_DWORD" (0 = allow, 1 = disallow)
    The information sent contains extremely sensitive information and while the identitystring in fact is a randomly generated one, all the data collected still has PII attached to it. I do not understand the full picture of how this all relates together because I find it too complex, depressing and part of the information you'd need comes from MS internally anyway. It's important to make sure you fool diagtrack by hardlinking the executable, change its ImagePath in registry or decoy files. You could try to corrupt files (not recommended) if you're creative. Or a combination of these. Whatever it takes. Should be enough to disable telemetry if all connections to MS are blocked by a firewall (externally) and it can't remediate itself. You will not find a comprehensive guide to all this because not every version contains the same data. I haven't moved past Enterprise LTSC 1909 anyway. Keep in mind blocking telemetry by blocking internet vs. actually disabling all the relevant components are NOT the same thing.

    Also let's talk about SleepStudy. They pinpoint idling with great precision (if they wanted to they could know at what time you normally take a s**t) and can predict what time you're expected to return to your workstation or home computer. Look at the user-not-present and UserNotPresentSession data and you'll find sensitive information (directory paths, file listings and timestamps etc). To learn more research: SleepStudy.sys, UserNotPresentSession.etl, user-not-present-trace-<date>.etl, Modern Standby.

    This is the future of MS Telemetry collection. It's being forced on you under the guise of energy efficiency - which is true, SleepStudy is related to energy/power, but MS are not very transparent in that the information will be sent via Telemetry - they would rather not talk about that part of it though.

    Here's how they manipulate and fool users:

    1. Offer a new app or feature with actual useful features that the majority would want.
    2. Collect Telemetry as "normal procedure"
    3. Control narrative. Use certain buzzwords called loaded language that will appeal to the majority, for example: security, energy efficiency, supported/unsupported.

    The loaded language comes first from MS shills and Windows MVPs (most valuable parrot). The non-critical thinker that reads forums/reddit/etc, unknowingly (they try to be helpful to others), will repeat the same loaded language to other users, thereby slowly changing the public perception. If you challenge the narrative after the perception has changed you will not succeed. Even if you're right, plausible deniability, in the end, will work in MS' favor. If cornered they will blame it on Occam's razor as a last resort.

    The average user knows that security is important but they don't know the technical side of it. Use the word 'security' and you will convince many without having to do all the explaining.

    MS now believes your computer should be like a phone and collect the same amounts of data and constantly connect and check for notifications and/or Windows updates while you're asleep (source: WinHEC 2017 powerpoint by Technology Enablement PM @ MS). Windows the OS will eventually be a walled garden and they will accomplish this under the guise of security and other things. Local files? More like files in the cloud, hashed and scanned. New "Windows 1984: Orwellian Edition" coming soon.

    You will not own your system and you'll be happy (they'll say). I've done extensive research on MS' 2-Faced, manipulative language but some of this is an opinion, remember. I have nothing to promote or sell anyway. Pay close attention to their language, is all I'm encouraging.
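
An added example, not from this post or from diagtrack.dll: given patterns of the 4100-resource kind quoted above (three of them are copied verbatim as the sample set), expand the `%var%` placeholders with a constructed environment and test which local paths they would select, including the `..` traversal guard the WFP pattern carries. The assumption that the environment variables are expanded into the pattern before matching is the example's own, not something the post states.

```python
import re

# Three of the 4100-resource patterns quoted in the post, copied verbatim (sample set)
PATTERNS_4100 = [
    r'^\\\\\?\\%systemdrive%\\Data\\SystemData\\Temp\\CrashDumps\\[^\\>/:?<|"]+(\.dmp){1}$',
    r'^\\\\\?\\%systemdrive%\\ProgramData\\Microsoft\\Network\\Connections\\Pbk\\RasPhone\.pbk$',
    r'^\\\\\?\\%programdata%\\Microsoft\\Windows\\WFP\\(?!\\)(?![\s\S]*((\.\.|\s(\\|$))|[>/:?<|"]|\\\\))',
]

# Constructed environment of a test machine (assumption: %var% is expanded before matching)
ENV = {"systemdrive": "C:", "programdata": r"C:\ProgramData"}

def expand(pattern, env):
    """Replace each %name% placeholder with the escaped literal value from env."""
    return re.sub(r"%(\w+)%", lambda m: re.escape(env[m.group(1).lower()]), pattern)

def compile_patterns(patterns, env):
    """Compile the expanded patterns; Windows paths are case-insensitive."""
    return [re.compile(expand(p, env), re.IGNORECASE) for p in patterns]

def to_extended(path):
    r"""Add the \\?\ extended-length prefix that every pattern anchors on."""
    return path if path.startswith("\\\\?\\") else "\\\\?\\" + path

def matching_patterns(path, compiled):
    """Indexes of the patterns that would select this path for collection."""
    return [i for i, rx in enumerate(compiled) if rx.match(to_extended(path))]

def audit(paths, patterns=PATTERNS_4100, env=ENV):
    """Map each candidate path to the pattern indexes that match it."""
    compiled = compile_patterns(patterns, env)
    return {p: matching_patterns(p, compiled) for p in paths}

if __name__ == "__main__":
    # Constructed candidate paths: two that the patterns select, two that they do not
    sample = [
        r"C:\Data\SystemData\Temp\CrashDumps\WerFault.dmp",
        r"C:\Data\SystemData\Temp\CrashDumps\notes.txt",
        r"C:\ProgramData\Microsoft\Windows\WFP\wfpdiag.etl",
        r"C:\ProgramData\Microsoft\Windows\WFP\..\Secret\keys.txt",
    ]
    for path, hits in audit(sample).items():
        print(f"{'COLLECTED' if hits else 'ignored  '} {path} {hits}")
```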
     
  13. coolshoes

    coolshoes MDL Novice

    Apr 24, 2022
    2
    0
    0
    Thx for the reply lakrispipe. I'm running Win 10 Enterprise LTSC 19044 currently. Until this yr I stayed with win 7 because compared to win 8 it just seemed lighter and cleaner, but with it being "unsupported" I was always wondering how safe it was to keep using. Then noticed someone running win 10 lately and thought it seemed alright and found this forum and it seemed that a lot of the undesirable parts of win10 had been "dealt" with. Sad that there's no comprehensive solution for this. I use linux as well but always liked windows as something that "just worked" for media and browsing, etc.

    I tried the private win10 program which seems to switch off a lot of the privacy issues/telemetry. Windows update medic service does not want to turn off and push service re-enables seemingly at random. I just assumed this was windows re-enabling or forcing things on.

    Are things like private win10 or the script in the OP not giving a "reasonable" level of privacy or lack of intrusive "features"? Just Private win10 has stopped the automatic updates at least. Nothing annoying happening other than it notifying me that things have been re-enabled here and there.

    I don't want to have to constantly battle my OS just to have it run smoothly the way I want it to run so this does have me wondering where to from here. I did notice you said blocking telemetry via internet and disabling are not the same thing. Is one approach better than the other? or does combining aspects of both deal with "most" issues perhaps?
     
  14. gailium119

    gailium119 MDL Addicted

    Oct 12, 2021
    769
    466
    30
    My best guess is root certificates. Even CMGE doesn't disable root certificate download for 2 reasons:
    1. Disabling them breaks things like https validation.
    2. It only downloads and never uploads. It's a GET request instead of a POST.
     
  15. Alexa120

    Alexa120 MDL Novice

    Aug 16, 2020
    32
    6
    0
    freddie-o
    Hello.
    If you have time, can you give full instructions on how to add your script to the install.wim image? Thank you.
     
  16. Dark Dinosaur

    Dark Dinosaur X Æ A-12

    Feb 2, 2011
    3,734
    5,179
    120
    freddie-o
    I found out that removing the Defender service will cause problems later.
    Disabling it is enough to make it non-functional.
    I don't think it's a good idea anymore.
     