If you want to block telemetry, allowing Microsoft to update your system with more hidden spyware is not a very good idea. In fact, 3 of the patches in August enable spyware inside old services.
Can anyone help me with my email program, "Eudora"? (From Qualcomm, but now public domain.) I added it, but it can't connect to the mail server. The error message tells me 68.6.19.2:110 is blocked. I can't figure out how to add that IP and port to the rules (whitelist). I've never used an MS mail program, ever. But if you say that is what I have to do, I'll consider it.
As someone who also put together a thread that didn't promise a solution to block EVERYTHING, but just the "bad" things, I can tell you, it ain't so simple! Hosts files, firewalls, it's all so 1990! The threats, including MS privacy invasion, are all circa 2015! There are solutions that are keeping up that include a robust firewall as a part of their "hardening" solution, but it's only a part. It seems--and I'll heartily admit I'm far from being an expert--leaning on any one solution is not enough anymore. I have faith in the MDL community to come up with a complete MS telemetry security solution, but I think it's still early days. And when I say early days, I mean early days in trying to arrive at a solution. MS has been subversively spying on us for who knows how many years. An interesting story for some tech journalist to investigate--rather than all the rah-rah, yeah MS crap(!) or boo-hoo, screw MS crap(!)--is why are they admitting to it now? Is it the Europeans driving this? Did some MS lawyer finally say "Hey, you've got to come clean about your spying practices or the Germans are going to drag us out into the sunlight and embarrass the crap out of us"? I suppose "the why" doesn't really matter, but I am a bit curious nonetheless.
I personally gave up on trying to get WU to work. There are two reasons: first, it's too time consuming to find all possible IP ranges to allow it, and second, they could push an update that does some questionable things whenever they wanted. This way I can test any updates thoroughly in a VM before applying them in production. Also, with Win10 all updates are cumulative, so it's pretty easy to just download the latest .msu and install it manually. I must say, after testing this setup in VMware over the last week I'm pretty satisfied with the results, so I decided to install LTSB Enterprise again to test it live. So far I am more confident in this setup compared to the "lazy" setup in Windows 7 and 8 (what most people have: default settings, auto updates, no outbound firewall). I tried to write very specific rules for all Windows components, like only allowing DNS for specific servers (OpenDNS) etc., to really lock down any possible leaks (if they decided to use standard services to spy). These are my current rules if anyone is interested: i.imgur.com/dIlaxuD.png
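The "default deny outbound, allow only what you name" policy described in the post above, and the per-application allow rule the Eudora question earlier in the thread is asking for, as an added PowerShell example. This is not the poster's rule set (the screenshot is theirs) and not WFC's own code; it uses the built-in NetSecurity cmdlets that ship with Windows 10. Rule names, the Eudora install path and the choice of the two OpenDNS resolvers are assumptions. Run it elevated, and in a VM first: once the default outbound action is Block, anything without an allow rule loses network access.

```powershell
# Added example, not from the thread. Elevated PowerShell on Windows 10.
# Rule names and the Eudora path below are assumptions.

# 1. Block outbound traffic by default on every profile. Existing allow rules
#    (the built-in "Core Networking" ones included) still apply, so audit them.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# 2. Allow DNS only from the DNS Client service (Dnscache, hosted in svchost.exe)
#    and only to the two OpenDNS resolvers. UDP and TCP 53 both get a rule,
#    because large answers and zone-style queries fall back to TCP.
$dnsServers = '208.67.222.222', '208.67.220.220'
$svchost    = "$env:SystemRoot\System32\svchost.exe"
foreach ($proto in 'UDP', 'TCP') {
    New-NetFirewallRule -DisplayName "Allow DNS ($proto) to OpenDNS only" `
        -Direction Outbound -Action Allow `
        -Program $svchost -Service Dnscache `
        -Protocol $proto -RemotePort 53 -RemoteAddress $dnsServers
}

# 3. Allow one program to one host:port, the shape of rule the Eudora
#    question needs (POP3 to 68.6.19.2:110). The .exe path is an assumption;
#    use the path the Eudora shortcut points at.
New-NetFirewallRule -DisplayName 'Allow Eudora POP3 to mail server' `
    -Direction Outbound -Action Allow `
    -Program 'C:\Program Files (x86)\Qualcomm\Eudora\Eudora.exe' `
    -Protocol TCP -RemoteAddress 68.6.19.2 -RemotePort 110

# 4. Review every enabled outbound allow rule with the program and remote
#    addresses it is scoped to; anything showing Program=Any and Remote=Any
#    is a hole in the lock-down.
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    ForEach-Object {
        $app  = $_ | Get-NetFirewallApplicationFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule    = $_.DisplayName
            Program = $app.Program
            Remote  = ($addr.RemoteAddress -join ',')
        }
    } | Format-Table -AutoSize
```

Two caveats a practitioner will hit. The DNS rule only governs lookups that go through the DNS Client service; a program that talks to a resolver itself (a browser using DNS over HTTPS, for instance) is not touched by it, and it is the default outbound Block that stops that program, so do not treat the Dnscache rule alone as a DNS allowlist. And the audit in step 4 matters more than the new rules: the default Windows policy ships with allow rules that are broader than anything above.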
Just a thought, how about running something like XP as a VM on an isolated 10.0.0.0 subnet using NAT to access external resources on the Internet. The Win10 firewall could then be configured to allow only the VM traffic.
Can someone please elaborate on how to implement the blocking of the Diagnostic Tracking Service using WFC? I have enabled the shell option in WFC, but when I right-click on svchost.exe in a file manager the only options I see are block or allow the exe, and no reference to any services. Do you have to run the Windows advanced firewall configuration, and if so, do you specify the program as "C:\Windows\System32\svchost.exe -k utcsvc" or, alternatively, as svchost.exe and then select the DiagTrack service option? Also, on 64-bit systems, is there a 64-bit version of svchost? I have tried blocking the service using the advanced firewall configuration, but get a Windows pop-up warning. Is that OK?
You can select the services like this: imgur.com/a/UChpF In WFC, you need to click "Create blank rule" and then: i.imgur.com/9UBbb5V.png (I can't post direct links yet)
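The same DiagTrack rule the screenshots above build in the WFC dialog, created from PowerShell so that the service scoping is visible in text and can be verified afterwards. This is an added example, not the answerer's rules and not part of WFC. The rule name and the decision to block both directions are my assumptions; it needs an elevated PowerShell on Windows 10.

```powershell
# Added example, not from the thread. Elevated PowerShell on Windows 10.
# The firewall identifies a service by host executable plus service name, so
# the rule is "svchost.exe, service DiagTrack". It is NOT
# "svchost.exe -k utcsvc": -k is a command-line argument, and the firewall
# does not filter on command lines at all.
$svchost = "$env:SystemRoot\System32\svchost.exe"

# Make the script re-runnable: drop an earlier copy of the rule if present.
Remove-NetFirewallRule -DisplayName 'Block DiagTrack*' -ErrorAction SilentlyContinue

foreach ($dir in 'Outbound', 'Inbound') {
    New-NetFirewallRule -DisplayName "Block DiagTrack ($dir)" `
        -Direction $dir -Action Block -Profile Any `
        -Program $svchost -Service DiagTrack
}

# Verify the service filter actually attached. A rule on svchost.exe whose
# service filter reads "Any" would block every svchost-hosted service
# (the DNS Client among them), which is the mistake the exe-only
# block/allow in a file manager would make.
foreach ($rule in Get-NetFirewallRule -DisplayName 'Block DiagTrack*') {
    $svc = ($rule | Get-NetFirewallServiceFilter).Service
    '{0}: Program={1} Service={2}' -f $rule.DisplayName, $svchost, $svc
}
# Expected: Service=DiagTrack on both lines, never Service=Any.
```

On the 64-bit question: on x64 Windows the native 64-bit svchost.exe is the one in System32, and that is the host for DiagTrack; SysWOW64 holds a 32-bit copy used for WOW64 services, so a rule scoped to System32\svchost.exe plus the DiagTrack service name is the right target.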
Thanks for the quick response and detailed info. I shall have another go at configuring the firewall this evening.
If your IP addresses (for Mexico) are turned into CIDR IP ranges, they are good for the entire region and beyond, not only for Mexico.