Block surveillance by Windows 10 is very difficult, says a security specialist

A week ago, Mark Burnett, an independent security professional, published the results of a small, incorrect investigation of security settings in Windows 10 Enterprise. The system is installed in his Linux virtual machine solely for research purposes, with a minimal set of software and all default Windows Store applications removed.

These results caused a heated discussion on Twitter, because they make it clear that the OS seems to ignore some of the settings set by the user - and still connects to various monitoring servers and sends some data there. The first test of Burnett with the results published on Twitter, was conducted with errors. In fact, there is a better way to limit telemetry. But to completely get rid of data collection in Windows 10 is impossible at all.

Mark Burnett is a hacker and researcher, not a Microsoft system engineer, although he wrote a book on security ASP.NET, received the title Most Valuable Professional (MVP) from Microsoft seven times, was engaged in Windows tech support and exclusively used this OS on the desktop for about 25 years, until Windows 10 came out with a drastic change in the Microsoft policy for the massive collection of users' personal data.
')
You can refer to the official Microsoft management of connections management in Windows 10 , but still the opinion of Burnett can not be called unqualified. In fact, with Group Policy Windows 10 is not so simple.

The first screenshot shows that SmartScreen is disabled in the system, but Windows 10 still connects to Microsoft's SmartScreen servers. Turning off telemetry in Windows 10 is also not so easy. Just changing the two group policies is not enough. The screenshot shows that the OS is still sending data to Microsoft, despite the obvious two-fold indication that this is not done in group policies and a couple of changes in the registry.



All connections were blocked by the router's firewall, the screenshots show only blocked attempts by Windows 10 to connect to various hosts. Therefore, it is not known what packages she could send there. For example, in the case of telemetry, etc.

The same with the synchronization settings that involve a connection with Microsoft servers. In group policies, all related policies are disabled, but Windows 10 still connects. The same goes for error message settings, online account validation (AVS) policies in the Key Management Service (KMS) client.

The specialist tried to change all the system settings in order to block any connection with Microsoft servers, except for receiving updates, but still registered a lot of connections to servers that clearly have advertising and tracking purposes.

Which is typical, according to the Glasswire firewall , all these advertising hosts belong to the Microsoft system processes, so you cannot use them on third-party software (by the way, this is a really good Windows and Android firewall, free and convenient to use).

Mark Burnett concludes that Windows 10 does not seem to respect its own group policies. Probably, some types of connections can be blocked using registry changes — of course, these are undocumented keys in the registry. That is, it is impossible to guarantee that you will find all the necessary keys, without exception.

Burnett himself admits that the first test was not completely clean. In a subsequent blog post, he told about a more thorough test and explained the testing methodology. The repeated test still showed the unpleasant activity of Windows 10, albeit in a smaller amount. For example, it turned out that to block SmartScreen you need to change not two settings, as Burnett did, but more:



There are a number of applications that help cope with espionage on the part of Microsoft and block connections, which Windows 10 establishes with remote servers bypassing system settings and which cannot or is very difficult to block by other means. Actually, the fact of the presence of such applications already indicates the existence of a problem. People would not create such programs and would not use them if surveillance in Windows 10 was turned off by trivial methods. As an example of an antispyware program that “plugs” unnecessary connections in Windows 10, we can recommend ShutUp 10 . Burnett himself also used it on a test machine. But apparently, even antispyware software does not help.

PS Some experts recommend to disable telemetry in group policies not to stop the service, as Burnett did, but to start the service with parameter 0, in this way:



This may seem counterintuitive, but it may indeed be possible to block connections with Microsoft monitoring servers that are not blocked during the usual stop of the telemetry service.

Burnett believes that some of the different Windows 10 group policies for surveillance are implemented in different ways, and are disabled in different ways. Accidentally or on purpose, but this makes it difficult to turn them off. Microsoft's recommended way to disable telemetry via Windows Restricted Traffic Limited Functionality Baseline causes a lot of problems. In addition, telemetry collected. NET, Office, Windows Error Reporting, Windows DRM, other applications and components. And for many users, the default Microsoft data collection settings are set to maximum.