
Windows 10 Enterprise ignores various privacy settings - tmkbry
https://twitter.com/m8urnett/status/866353982217699328
======
DonkeyChan
MS Support consistently and repeatedly told me that enterprise allowed me to
disable this stuff. If I can't control the egress then I can't verify PCI
compliance. I've already had to revert a client to Win 7 because they failed a
PCI compliance audit using Win 10 Enterprise. Which, by the way, is very
expensive for small businesses. Win 10 Enterprise isn't viable for business. I
have a bunch of small business clients and I've had to use a whitelist
firewall to pass PCI compliance, someone said here that a whitelist firewall
is borderline unusable. I've sunk so much time into that solution and I can
attest, it's not viable.

~~~
fl0wenol
Use LTSB. Microsoft tries to scare you into not using it because it doesn't
support the Windows store or Edge or have telemetry or any of that fun stuff.

But they keep coming out with respins of it to otherwise keep feature parity
with CB Enterprise. A 2017 LTSB based on 1703 should be out soon.

~~~
flukus
> Microsoft tries to scare you into not using it because it doesn't support
> the Windows store or Edge or have telemetry or any of that fun stuff.

Scare me? It sounds like those awesome stripped down versions of XP that
pirates removed all the cruft from back in the day.

~~~
jmkni
You were able to do it yourself with nLite.

Memories!

------
oridecon
Since the first release of W10 several registry keys and policies have changed
in very confusing ways. I can't remember what exactly but I had to change my
personal scripts several times based on the changelog of other tools. Privacy
and settings like default apps were also reverted (reset to default) when you
updated. They installed some apps like Candy Crush Saga on Enterprise. I don't
see that much of a problem here, it's understandable since they are letting go
of legacy stuff, bugs happens (even more after you cut your QA department).
Now it's time to stop with all the excuses. Get your shit together.

From: [https://technet.microsoft.com/en-us/itpro/windows/manage/con...](https://technet.microsoft.com/en-us/itpro/windows/manage/configure-windows-telemetry-in-your-organization)

> Security. Information that’s required to help keep Windows, Windows Server,
> and System Center secure, including data about the Connected User Experience
> and Telemetry component settings, the Malicious Software Removal Tool, and
> Windows Defender.

I have all the possible settings configured, from registry to policies and I
still see random connections everywhere. But it's ok because it's not
telemetry, right?

> What is NOT telemetry?

> Telemetry can sometimes be confused with functional data.

Is anyone taking legal actions against Microsoft about all of this? Does
anyone care? Not everybody can switch all their machines to Linux/VMs, this
whole situation makes me angry.

~~~
DonkeyChan
I can't agree with this more. A client straight up failed a PCI compliance
audit, replete with daily fines, for using 10 Enterprise. They decided to
pursue legal measures against MS for false claims. I really hope this gets
elevated because reverting to win 7 is a solution with a short life span. The
other solution is to rebuild infrastructure on top of a different platform but
that's prohibitively expensive.

~~~
flukus
> The other solution is to rebuild infrastructure on top of a different
> platform but that's prohibitively expensive.

I really don't have a lot of sympathy for companies that lock themselves in to
a proprietary platform.

~~~
mikegerwitz
To preface to avoid what might otherwise seem like a bias toward defending use
of Windows: I'm a free software activist, a GNU maintainer, and do extensive
volunteer work for GNU and the FSF.

It's not fair blame. Many companies simply go for what works and throw money
at the problem. Windows historically has excellent support from a large number
of third parties.

The other problem is third-party software. I work for an insurance company.
The system that they use for managing everything---policies, accounting,
brokers, etc---is tied to Windows. This is a specialized program---there are
only a few of them that exist, and none as sophisticated as the one this
company uses. This system has been responsible for not only tying the office
to Windows, but holding us back from upgrading---for the longest time we
couldn't even get off of IE6 because it didn't support anything higher.

I'm able to do 99% of my work within a GNU/Linux VM. But on rare occasion, I
need to use that system, and it requires Windows. Everyone else in the office
---the majority of the company---requires Windows. This is a system that the
company has invested many millions of dollars into.

So while we can do our best to inform others, perhaps before they make these
critical business decisions, it ultimately comes down to practicality for most
businesses. Yes, they may pay for it. Yes, they're taken advantage of, have
issues with vendor lock-in, etc, but unless you travel upstream and liberate
those systems or provide suitable replacements _that the business is confident
will have support for years to come_, there's not much to do.

I'm not defending the situation; it's terrible. But sympathy _should_ be had,
because there's much to lament, and much room to help.

~~~
flukus
> Many companies simply go for what works and throw money at the problem

So they went with the easiest option and now they are locked in due to lack of
forward planning. Their own short term planning is to blame.

With the third party software you mentioned, how long have they relied on it
and have they done absolutely anything to mitigate this reliance? My guess is
that they've done nothing or worse, written a bunch of integration points on
top of the software that makes it even harder to replace.

One day the company providing that software will jack up the price and you'll
be forced to pay it. Again I'll have no sympathy because the company has done
nothing to unlock themselves.

------
ddevault
The switch to Linux or other free operating systems is long overdue. If your
excuse is hardware support, then (1) your hardware is probably supported these
days and (2) you should not buy hardware that is incompatible with the
operating system you plan to use. If your excuse is editing MS Office files,
LibreOffice supports the formats and works great, and MS Office on Wine is an
option. If your excuse is games, then know that with Steam and Wine combined
your potential gaming library is HUGE. If your excuse is laziness or
resistance to change, then I thank you for being honest, and urge you to
overcome it.

Proprietary operating systems work against your interests. Stop using them.

~~~
dingo_bat
> If your excuse is editing MS Office files, LibreOffice supports the formats
> and works

For very small values of "works". I've found that even high school projects
turn out to be a bit too much for libre office.

~~~
Sir_Cmpwn
Well, my definition of "works" is that you can read it. Authoring new
documents should use ODF. And again, MS Office works on Wine, so you can use
that in the worst case.

~~~
skrebbel
You're really undermining your own argument here, even though you started out
very well.

If I send an ODF to my lawyer, investor or accountant they're going to panic.

~~~
dijit
That's disingenuous. Word has supported odt and odf for both read and write,
for nearly a decade already. (2008 version supported it from preliminary
checking)

------
withinrafael
Most of his configuration is invalid, due to his misconfiguration of group
policy. For example, he disabled the Teredo policy. But here's the help text
for that policy: "If you disable or do not configure this policy setting, the
local host settings are used."

He made this error countless times, rendering the entire experiment a failure.

Oops.

~~~
PhantomGremlin
_Most of his configuration is invalid, due to his misconfiguration of group
policy._

Yeah, it's his fault that he didn't properly navigate the Kafkaesque nightmare
that Microsoft has created in order to thwart people from disabling all this
spyware.

~~~
brainfire
It's pretty basic Windows GPO knowledge. Lots of them work this way.

~~~
mjevans
It's a pretty broken configuration system that makes it needlessly difficult
to do things the correct way.

~~~
cwyers
It's a pretty shoddy security researcher that doesn't read the documentation
before posting a lot of falsehoods to Twitter.

~~~
mysterypie
> _pretty shoddy security researcher that doesn't read the documentation_

What an unnecessary insult. If you can read the incredibly confusing Microsoft
documentation better than him (or any of us), then please post the definitive
step-by-step instructions for turning off all telemetry and privacy-invasive
connections in Windows 10.

Then we'll see if your insult was warranted.

~~~
cwyers
So, I search for "teredo group policy" and here's the second link I find, a
TechNet article with detailed screenshots about how to disable IPv6 via Group
Policy, which is one of the things he talks about:

[https://social.technet.microsoft.com/wiki/contents/articles/...](https://social.technet.microsoft.com/wiki/contents/articles/5927.how-to-disable-ipv6-through-group-policy.aspx)

It shows how there's an Explain box that describes what the various settings
do.

~~~
mysterypie
That's 1 item[ * ]. I'd still like to see your definitive step-by-step
instructions for turning off _all_ telemetry and privacy-invasive connections
in Windows 10 -- which is what the OP was attempting to do.

[ * ] How do you know that it even works? Plenty of times I've followed
instructions from Microsoft's TechNet that didn't solve the problem it
purported to solve.

And by the way, that's a helluva lot of steps to disable IPv6. Multiply that
by a hundred other things you need to do, and probably a hundred you don't
know about, and changes that get undone by updates, and you have a nightmare
trying to create a privacy-respecting Windows 10.

~~~
cwyers
IPv6 isn't even part of telemetry per se, it's an IETF standard that can be
used to connect with any server that supports it. Yes, some OS-level services
require IPv6. Shutting off IPv6 as a way of disabling those services is
like... using leeches for bloodletting but for IT practices. If you want to
disable telemetry and you're on a supported Windows SKU for Group Policy,
here's Microsoft's directions on what you can configure:

[https://docs.microsoft.com/en-us/windows/configuration/confi...](https://docs.microsoft.com/en-us/windows/configuration/configure-windows-telemetry-in-your-organization)

------
hendersoon
That's surprising. I would expect the Enterprise edition to perform as
advertised. It's a major revenue source and this violates all kinds of
security policies.

I find the author's point about people using third-party programs to stop
Windows spying, and potentially impairing their security, very telling. He's
absolutely correct.

I use programs called Shutup10 and WinAero Tweaker to stop the telemetry
myself, and both of these programs have settings that would potentially impair
your security, primarily by stopping Windows Updates entirely.

So the real question is this-- is this debacle the consumer's fault or
Microsoft's? I know which side I'm on.

------
makecheck
Frankly, “settings” in an OS don’t fill me with any more confidence than
“settings” on Facebook: software has bugs, and other reasons for not working
as advertised. A toggle switch coded with the best of intentions may still not
be consulted everywhere that it should, and even software that is correct
today can be wrong in 3 months when somebody important quits or a feature is
added and nobody thought to check the setting for that new feature.

If this is important to you, demand more open and peer-reviewed source code,
and demand that things run behind carefully-controlled walls like sandboxes
and limited host files. Don’t just run your organization by trusting one
software vendor.

------
blibble
every few weeks Microsoft validate my decision to move my (declining) use of
Windows entirely into VMs

if gaming is the problem you can run Windows in a VM at 97% native speed with
GFX passthrough, been doing this for almost 2 years now without any problems

the vfio subreddit has a lot of info:
[https://www.reddit.com/r/VFIO/](https://www.reddit.com/r/VFIO/)

MS are then free to spy on me playing starcraft as much as they want

~~~
Sephr
It doesn't help that Nvidia's drivers intentionally stop working when they
detect a consumer card functioning through VT-D in a virtualized environment.

~~~
blibble
you can patch the driver, and next time you upgrade don't purchase an nvidia
product

------
mrmondo
Scary indeed, I've noticed that a Windows 10 'Pro' VM I have at times seems to
reset or change privacy / security settings. At first I blamed myself for doing
something silly without realising it affected these settings or installing
some software that changed them (which is a little scary in itself) but then I
realised it was after windows update had run, every few months privacy or
security behaviour would change.

------
allears
This is a little chilling. As a home user on Win7, I've avoided Win10, but
thought I'd eventually upgrade, just to enjoy newer hardware. I'd thought I
could just invest in Enterprise, about $100 these days, and be able to control
the more intrusive aspects. Guess not. On a semi-related note, I'm using
uMatrix, and it never ceases to amaze me how promiscuous every single web site
is these days. It's not just in Soviet Russia. You don't use the internet. The
internet uses you.

~~~
nol13
Well ya still chilling I guess, but so obviously expected it kind of takes
away some of the chill factor.

If you want to control your software, run software that you control.

------
blitmap
I always use Linux as my preferred OS and a "Just Works" OS like macOS or
Windows.

I run Linux as a dual-boot and I run it in a VM from Windows/mac.

It's frustrating because Apple has fallen far behind on hardware I want. I
need 3840x2160, a touchscreen, a card reader, both USB 3.0 and 3.1, 16GB of
RAM, and full-size HDMI. They've jumped too far ahead into their
'revolutionary' view of the future. I can find better hardware for much
cheaper. Dell XPS 13, HP Envy 2-in-1, Toshiba Radius 12... the build quality
on the Toshiba is pretty bad, but it out-performs a would-be Macbook. I'm not
spending 2 -fucking- thousand dollars for sub-standard hardware simply because
I like the OS better than Windows. Apple spies on its users, but at least when
you turn it off it's actually off.

I can't continue using Windows because it's clearly hostile to users, and I
can't go with Apple because the hardware sucks.

Linux requires so much involvement to keep it running "well".

Just argh.

~~~
slazaro
We just need a billionaire benevolent dictator to fund a distribution of Linux
and relevant programs that turns it into something stable and user friendly.

~~~
kogepathic
_> We just need a billionaire benevolent dictator to fund a distribution of
Linux_

I might be missing the joke here, is this a jab at Mark Shuttleworth?

~~~
slazaro
Not intended, but I do think Ubuntu was a missed opportunity by trying to
innovate instead of focusing on stability, familiarity, and user-friendliness.

~~~
madez
I think Ubuntu did a lot of good to the community. Debian was rougher before
Ubuntu was a thing.

------
gub09
The "Year of the Linux Desktop" has been a running joke for a long time, but
perhaps it's no longer a joke. Not wanting to lose control as far as updates
and privacy is concerned, I switched to Linux when Windows 10 came out.

Running Debian Testing with Gnome has been a joy. In my opinion the user
experience is easier and better than that of Windows 7 or 8. Office staff
could quite easily be trained to click on the Start key or the drop-down
Activities menu or move the mouse to the top-left corner to start a program.
Office software is quite good. Program-switching keyboard combinations are
excellent. The Evolution mail client is very good. Browser software is the
same as on Windows or a Mac. Problems with bad fonts, poorly designed UI,
lacking drivers etc. are things of the past (with the notable exception of
very new hardware).

This may not be possible due to the necessity of using specific proprietary
programs that run only on Windows, for example. On the other hand, the level
of tech support required is perhaps not significantly greater than what is
necessary for installing and maintaining Windows on a bunch of machines.

On the plus side, everything is very fast, tasks like backing up files or
systems are simple with GUI or terminal interface, and if you want to learn
iptables and set up that router/firewall you can do that too. Everything you
learn is an investment instead of an annoyance. Nobody is going through your
company or personal files to serve you ads.

There's no reason any more, besides defaults and inertia, why Linux should
have 2% desktop market share instead of 10% of somewhat technical people or
even 20 or 30% of the general population.

------
tjalfi
The connections in the first screenshot[0] aren't necessarily from Microsoft.
This screenshot shows a DNS lookup for google-analytics.com followed by an
attempt to use Teredo. If Chrome is installed then this could be from the
Google Update service. It seems unlikely that Microsoft would send usage
information to a Google site.

[0]
[https://twitter.com/m8urnett/status/866353982217699328](https://twitter.com/m8urnett/status/866353982217699328)

Edited to omit needless words

~~~
wildrhythms
Chrome is not installed according to this tweet:

"Also note this is a system with minimal software install, all default windows
store apps removed, and nothing running on it."

[https://twitter.com/m8urnett/status/866354381012189184](https://twitter.com/m8urnett/status/866354381012189184)

~~~
tjalfi
I saw that tweet but I still doubt that any Windows 10 service would connect
to analytics.google.com. It seems more likely that he has a Google application
installed.

Edited to reword the second sentence.

~~~
benjaminjackman
Doesn't have to be a user installed google app. Google analytics use is
ubiquitous for mobile and web apps could easily be something Microsoft bundled
into their os like for example candy crush (not implying that's the culprit)
or something that carries over that pervasive track every click and mousemove
type mentality.

------
STRML
If this test was correct, this smells like a class-action. Enterprise users
(and home users, for that matter), have a right to control egress.

------
danielcberman
Has anyone done an analysis of MacOS and Chrome OS using similar
methodologies? I would be curious as to the extent of the information being
sent back to each of the "Mother Ships" in a side by side comparison, if
that's even possible.

~~~
kalleboo
Little Snitch is a popular bit of software on the Mac, and pretty much
everyone who uses that goes through the first week of googling "so what's this
weird background process do?"

~~~
jmnicolas
A software firewall is useless, the OS can hide from it. You need something
external to your machine to be sure.
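One way to do the external check described above, as an added example that is not from the thread: a small audit of a gateway's outbound log against an allowlist, so egress from a Windows host shows up regardless of what the host's own settings claim. The log format, host names and allowlist entries are constructed placeholders.

```python
"""Audit outbound traffic as seen by a gateway outside the Windows host.

Added example, not from the thread. Assumptions: the gateway (router,
DNS blackhole or external firewall) writes one line per event in the
constructed format '<ts> <client> dns <name>' or '<ts> <client> conn <ip>:<port>',
and the operator keeps an allowlist of name suffixes and CIDR ranges that
update traffic is permitted to reach. Names and ranges below are placeholders.
"""
import ipaddress
import re
from collections import defaultdict

# Placeholder allowlist: what the operator decided update traffic may reach.
ALLOWED_SUFFIXES = ("update.example", "wsus.corp.example")
ALLOWED_NETWORKS = tuple(ipaddress.ip_network(n) for n in ("192.0.2.0/24",))

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<kind>dns|conn)\s+(?P<dst>\S+)$"
)

# Constructed sample log; destinations use documentation/example values only.
SAMPLE_LOG = """\
2017-05-22T10:01:02Z pc-01 dns sls.update.example
2017-05-22T10:01:03Z pc-01 conn 192.0.2.17:443
2017-05-22T10:01:05Z pc-01 dns telemetry.example.net
2017-05-22T10:01:06Z pc-01 conn 198.51.100.9:443
2017-05-22T10:02:11Z pc-02 dns wsus.corp.example
2017-05-22T10:02:12Z pc-02 conn 203.0.113.77:80
garbage line that does not parse
"""


def parse_line(line):
    """Return (client, kind, destination, port) or None for unparsable lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    dst, port = m.group("dst"), None
    if m.group("kind") == "conn":
        # Split 'ip:port'; IPv6 literals are assumed to be bracketed, '[::1]:443'.
        host, sep, port_str = dst.rpartition(":")
        if not sep:  # no port present at all
            host, port_str = port_str, ""
        dst = host.strip("[]")
        port = int(port_str) if port_str.isdigit() else None
    return m.group("client"), m.group("kind"), dst, port


def is_allowed(dst, suffixes=ALLOWED_SUFFIXES, networks=ALLOWED_NETWORKS):
    """A name is allowed if it equals or sits under an allowed suffix; an IP
    is allowed only if it falls inside an allowed range."""
    try:
        ip = ipaddress.ip_address(dst)
    except ValueError:
        name = dst.rstrip(".").lower()
        return any(name == s or name.endswith("." + s) for s in suffixes)
    return any(ip in net for net in networks)


def audit(log_text, suffixes=ALLOWED_SUFFIXES, networks=ALLOWED_NETWORKS):
    """Map each client to its sorted list of non-allowlisted destinations.

    Unparsable lines are counted rather than dropped, so a change in the
    gateway's log format cannot silently turn into 'nothing unexpected'.
    """
    unexpected = defaultdict(set)
    unparsed = 0
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        parsed = parse_line(raw)
        if parsed is None:
            unparsed += 1
            continue
        client, kind, dst, port = parsed
        if not is_allowed(dst, suffixes, networks):
            label = f"{dst}:{port}" if port is not None else dst
            unexpected[client].add(f"{kind} {label}")
    return {
        "unexpected": {c: sorted(v) for c, v in unexpected.items()},
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    for client, items in audit(SAMPLE_LOG)["unexpected"].items():
        print(client, items)
```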

------
thr0waway1239
This might actually be a pretty huge opportunity for a company which can hand
hold the transitioning from Windows to Linux in an enterprise. After all, if
the new Windows OS is provably non-compliant, shouldn't the enterprise
customers be very willing to investigate this option? Are there already
companies which do this?

------
quickben
Another year of another decade; Microsoft as dishonorable as ever.

~~~
brianwawok
But look, they allow you to run their database on Linux now!!

It's proven time and time again that if the entire org isn't behind something,
the good deeds of some get vastly overshadowed by these kind of games.

~~~
m_fayer
I really wish that the company that makes .net and azure could be split off
from the rest of msft.

------
10165
I read that Windows 10 uses peer-to-peer file sharing with any other Windows
hosts it locates on the same network.

This way each Windows computer does not have to connect to Microsoft to
download, e.g., the Windows 10 "upgrade". It seems like this could also be
used to evade attempts by users to block such downloads by blocking Microsoft
IP addresses.

Windows 10 could propagate itself through a network of Windows computers, like
a ...

Seriously, how does this work in practice?

Windows 10 does peer-to-peer file sharing automatically without requiring any
user interaction?

~~~
hendersoon
Yes, this is called "delivery optimization" and it's on by default. By
default, Windows Enterprise/Education only pull updates from Microsoft and the
local domain, while Windows Home/Pro will also pull updates from other peers
on the internet.

You can turn it off, or disable pulling from internet peers, but given the OP,
who knows if MS actually respects that setting? I guess we have to roll the
dice now.

[https://privacy.microsoft.com/en-us/windows-10-windows-updat...](https://privacy.microsoft.com/en-us/windows-10-windows-update-delivery-optimization)

~~~
glenneroo
Maybe they changed it, but I just checked my fresh install of Pro build 1703
from MSDN and it was disabled.

~~~
hendersoon
Odd, their docs say it's on by default.

[https://docs.microsoft.com/en-us/windows/deployment/update/w...](https://docs.microsoft.com/en-us/windows/deployment/update/waas-delivery-optimization)

~~~
glenneroo
One of the handful of tools I installed from Ninite must have turned it off
then. After a quick look, I'm guessing it was Classic Start Menu.

------
davidgerard
This is the other reason WannaCry happened: 97% Windows 7 machines without
updates. Because _users can't trust Microsoft not to mess them around_.

------
jmacpore
Does anyone know a good updated firewall whitelist to allow just Windows
Updates and nothing else?

~~~
jacquesm
Any reason why you believe it would respect those rules? Note the one example
where a rule was dynamically added to the firewall in the tweets listed here.

~~~
blacklistedfin
That doesn't matter if you're using a DNS blackhole or hardware firewall. Of
course, MS could hard-code some IP addresses, too.

~~~
protomyth
I was deeply tempted to setup a Windows 10 Enterprise machine at work, then
have my OpenBSD firewall add any IP the W10 machines tries to get to a block
list.

------
JumpCrisscross
I run Windows in a Parallels VM on my Mac. This VM needs to, on occasion,
connect to the Internet. Any way I can--from the outside, without needing to
trust Windows--be forced to whitelist what the VM is and isn't allowed connect
to?

~~~
nthcolumn
outside /etc/hosts redirect to 0.0.0.0 inside
(c:\Windows\System32\Drivers\etc\hosts) assuming it is being respected, but
how to find list? is very difficult I think, as can change by Redmond c&c
server at no notice,

~~~
rasz
microsoft hardcoded IPs of all its spy^^^value added services. As a matter of
fact DNSCache is one of the services used for uploading telemetry.

------
proactivesvcs
Keeping in mind that Google and AdNexus have both been caught permitting
malicious advertisements on their ad networks. As well as Microsoft :-)

------
hilbert42
Frankly, I am fed up trying to block the "phone-home" connections between our
PCs and Microsoft and we're still only using Windows 7. There is absolutely no
way we would ever use Windows 10 unless we could guarantee that we could
totally sever all such connections permanently and not have to worry about
them again.

Moreover, for some years now we have considered our Windows operating systems
as 'hostile' privacy-busting code on our PCs and if there was some easy way we
could get rid of them then we would do so in an instant (please don't come at
me with the Linux bumph/argument because in many instances it's not a possible
option).

This really is tiresome, why can't we just buy Windows/Microsoft busting
routers that have a big red button on them that says: _"Stop all Phone-home
to Microsoft"_ or alternatively ones that have easily updatable blocking
lists/text files that we can easily administer/download to them?

This ought to be an easy no-brainer but it isn't! Why is it that router
manufacturers, etc. aren't falling all over themselves to provide such
devices? I'm amazed that they're not, one would think there'd be dozens of them
available by now; are manufacturers that timid and afraid of Microsoft that
they're not game to make them?

Furthermore, it is not only a Microsoft Windows O/S problem, as these days
just about all software talks home without seeking the user's permission to do
so beforehand, and none of them tell you exactly what information is being
transmitted home. It seems to me that we users will never solve this "talk
home" problem until we have easy to use gateways that are external to our PCs,
phones etc. that automatically block all "phone-home" addresses.

BTW, anyone thinking of developing such a device needs to keep in mind that
for years Microsoft has hard-coded within Windows certain IP addresses that
bypass the hosts file irrespective of how it is set so that it is impossible
to block Windows completely from talking home. _Thus, there is no other option
other than to block these addresses by means that are external to the PC
/device!_

A final point: Microsoft could claim that as it has provided the upgrade to
Windows 10 free and that entitles it to sap the private life info out of its
users. I would counter that by saying that if alternatively I actually _buy
/pay for_ the operating system then I'm entitled to have complete control over
it—and that means no talkback to Microsoft by the OS.

Of course, none of this would be a problem now if the Microsoft monopoly had
been busted years ago (i.e. if our fearful democracies had been game enough to
use already existing law to thwart the monopoly early on).

~~~
boomboomsubban
Sometimes Linux may not be an answer, but with routers it is. Buy a router, put
LEDE on it, and block the domains.

You didn't buy/pay for the operating system. You bought the rights to use the
operating system under the terms Microsoft stated.

------
awqrre
Microsoft went Google evil on this product...

------
partycoder
Just a reminder for Windows users: in most cases, you no longer need Windows.
All your pain is completely voluntary.

~~~
vkou
Your pain after you switch to Linux will be completely voluntary, too.

~~~
quickben
Windows pain costs few hundred $ more :)

~~~
epsylon
Only if your time is worthless.

~~~
iammyIP
That is quite a stupid argument which you seem to just rephrase without having
thought about it, as you could as well say then that healthy eating takes some
more time and consideration than running to the next fast food burger, thus
you can only eat healthy if your time is worthless. Or how about developing
new energy sources if we can just burn all the oil much easier? Sometimes some
efforts have to be done to have nice things. See how dumb this 'Only if your
time is worthless' sounds now?

------
intoverflow2
Ignoring people who need to control what leaves their systems for legal
reasons I always find it odd how much the hardcore Windows users freak out
over stuff like this.

I mean you trust your entire digital life to this OS yet the idea of analytics
being sent back to the people who made the OS terrifies you? They also seem to
freak out and declare certain versions near unusable when I've recently
started using Win 10 after not using Windows since Win 2K and honestly it's
90% the same thing to me.

Also interested as to how many people freaking out over telemetry use Google
software.

------
MikusR
[https://docs.microsoft.com/lv-lv/windows/configuration/manag...](https://docs.microsoft.com/lv-lv/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services)

------
optikals
time to switch...

------
dingo_bat
I actually like this. Fuck the enterprises who degrade the experience for
their users. Disable this disable that. Install shit like McAfee. They just
need an excuse for their existence. And the users are the ones to suffer, and
the company loses precious productivity without knowing it.

I know companies that will pre install McAfee in the brand new MacBooks they
give out to employees! It's insane. Microsoft should just say, if you want to
use our OS, stop fucking with it.

------
yuhong
Notice at least two MS employees responded to this thread. I posted myself in
another one:
[https://twitter.com/yuhong2/status/863463634281746433](https://twitter.com/yuhong2/status/863463634281746433)

------
exodust
Twitter has this thing called "moments" for combining multiple tweets and
avoiding what this person has done.

I guess he's only an IT security analyst so perhaps isn't up to speed.

[https://support.twitter.com/articles/20174961#](https://support.twitter.com/articles/20174961#)

