Untitled

a guest
Jan 15th, 2017
I’m writing this guide for Anons who want to install Windows 10 on their machines, as a dual boot, or in a VM. The following steps have been pulled from various guides that Microsoft has released for corporations to use when configuring W10 computers in their network. The Department of Defense also has its own guides, called STIGs, that are the same as MS’s but go even further in locking down administrative machines within the military. I’ll be linking to some of these at the end of the post. I’ll also be including some extra steps not found in either source, but found on blogs and forums where people have taken further steps in stripping W10 of telemetry, Cortana, and bloatware.

This will pertain to Windows 10 Enterprise and Windows 10 Enterprise LTSB. Those two versions are the only ones that allow this level of customization. The difference between them is that LTSB is stripped of the Windows Store and apps, and it only gets security updates. It was made for companies running mission-critical devices that don’t need the above.

To obtain a copy of these, you’ll need to get evaluation copies, torrent them, or, if you work in IT and have access to an MSDN (Microsoft Developer Network) account, get ISOs of any version from there.

Tools needed:

KMSPico
EC Menu

Initial installation:

When you first set up the machine, it’ll ask whether you want to go with express settings or customized. It will also ask you to familiarize yourself with Cortana. It doesn’t matter which you choose; you’ll need to go into the registry, group policy, and the command line to remove it.

The installation will also ask you for an MS account (Outlook, Hotmail, etc.); you can skip this and use a local account as in W7 and earlier. Once it’s done, you’ll be taken to the desktop. You can play around with it to familiarize yourself with the new environment; however, you won’t be able to make many changes until you activate Windows.

To accomplish this, you’ll need either a legitimate key, which you can obtain off eBay or wherever, or the KMSPico tool. It’s a simple toolset developed to fool Windows products into activating themselves. However, you must only obtain this program from the original source found here:

https://forums.mydigitallife.info/threads/65739-KMSpico-Official-Thread

Any other source you find for this toolset could potentially be loaded with malware.

Once this is done, you can start work on locking down the OS.

Step 1: To remove telemetry,

Go into search and type gpedit.
1. From the Group Policy Management Console, go to Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds.
2. Double-click Allow Telemetry.
3. In the Options box, select level ‘0’, and then click OK.

This sets the telemetry level to Security. This level is only available on the Enterprise edition of 10, and is described by MS as follows:

>>Security. Information that’s required to help keep Windows, Windows Server, and System Center secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender.

To turn off Windows Update telemetry, you have to turn off Windows Update. This can be done under Services, which I will describe later under disabling Windows Updates. Below are some other Group Policies to further turn off telemetry.

Turn off Windows Defender Cloud-based Protection and Automatic sample submission in Settings > Update & security > Windows Defender.
Manage the Malicious Software Removal Tool in your organization. For more info, see Microsoft KB article 891716.
Turn off Linguistic Data Collection in Settings > Privacy. At telemetry levels Enhanced and Full, Microsoft uses Linguistic Data Collection info to improve language model features such as autocomplete, spellcheck, suggestions, input pattern recognition, and dictionary.

You can also set the telemetry level using Registry Editor to manually set the registry level on each device, or write a script to edit the registry.
1. Open Registry Editor, and go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection.
2. Right-click DataCollection, click New, and then click DWORD (32-bit) Value.
3. Type AllowTelemetry, and then press ENTER.
4. Double-click AllowTelemetry, set the desired value from the table above, and then click OK.
5. Click File > Export, and then save the file as a .reg file, such as C:\AllowTelemetry.reg. You can run this file from a script on each device in your organization.

Now, even at this level, the system will still send some telemetry data, as posted above. However, MS did give companies the web addresses of each endpoint so that organizations can block access to them on their network. You can add these to your firewall’s block list. Don’t bother doing it in the HOSTS file, as the OS will ignore it for these functions.

If you have a hardware firewall that’s been flashed with DD-WRT, it has a HOSTS-like functionality called iptables that lets you do this. Others have done it with software firewalls.

Service / Endpoint

Connected User Experience and Telemetry component:
v10.vortex-win.data.microsoft.com
settings-win.data.microsoft.com

Windows Error Reporting:
watson.telemetry.microsoft.com

Online Crash Analysis:
oca.telemetry.microsoft.com

OneDrive app for Windows 10:
vortex.data.microsoft.com/collect/v1
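
An added example, not part of the original guide: a PowerShell check, run on the Windows 10 machine, that the firewall block on the endpoints above actually holds. The function name Test-TelemetryEndpointBlocked and the choice of port 443 are assumptions; the host names are the ones listed above.

```powershell
# Host names from the endpoint list above. The OneDrive entry is a URL,
# so only its host part is tested.
$endpoints = @(
    'v10.vortex-win.data.microsoft.com',
    'settings-win.data.microsoft.com',
    'watson.telemetry.microsoft.com',
    'oca.telemetry.microsoft.com',
    'vortex.data.microsoft.com'
)

# Hypothetical helper: reports, per host, whether the block is effective
# and at which stage (name resolution or TCP connect) it took effect.
function Test-TelemetryEndpointBlocked {
    param([string[]]$HostName, [int]$Port = 443)
    foreach ($name in $HostName) {
        # Stage 1: does the name still resolve? A DNS-level block stops here.
        $dns = Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue |
               Where-Object { $_.IPAddress }
        if (-not $dns) {
            [pscustomobject]@{ Host = $name; Stage = 'DNS'; Blocked = $true; Address = $null }
            continue
        }
        # Stage 2: can a TCP session be opened through the firewall?
        $tcp = Test-NetConnection -ComputerName $name -Port $Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Host    = $name
            Stage   = 'TCP'
            Blocked = -not $tcp.TcpTestSucceeded
            Address = ($dns.IPAddress -join ',')
        }
    }
}

Test-TelemetryEndpointBlocked -HostName $endpoints | Format-Table -AutoSize
```

Any row with Blocked = False means that endpoint is still reachable from this machine and the firewall rule needs another look.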

Now you’ll need to disable some services related to telemetry and remove some components.

1. Type cmd in search, right-click cmd.exe and choose Run as Administrator.
2. Type sc.exe and hit Enter.
3. sc stop DiagTrack
4. sc stop dmwappushservice
5. sc delete dmwappushservice
6. sc delete DiagTrack

Now you will need to restrict access to the autologger logs on the system. Open a new command prompt as admin, and do the following steps:

A) cd C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger
B) echo "" > AutoLogger-Diagtrack-Listener.etl
C) cacls AutoLogger-Diagtrack-Listener.etl /d SYSTEM

Now the OS will no longer have access to save anything to this file.

After you have removed these services, open the Task Scheduler, navigate to “Task Scheduler Library” → “Microsoft” → “Windows” and delete the following items:

Everything under “Application Experience”
Everything under “Autochk”
Everything under “Customer Experience Improvement Program”
Under “Disk Diagnostic”, delete only the “Microsoft-Windows-DiskDiagnosticDataCollector”
Disable “Maintenance” → “WinSAT” and everything under “Media Center”
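
An added example, not part of the original guide: a PowerShell check to re-run after a feature update to see whether the services, the AutoLogger file restriction and the scheduled tasks from the steps above have come back. Get-TelemetryRemnant is a hypothetical name, and the SYSTEM match assumes an English-language install.

```powershell
# Run from an elevated PowerShell prompt. Service, file and task names are
# the ones used in the steps above.
function Get-TelemetryRemnant {
    # Services that steps 3-6 stop and delete.
    foreach ($name in 'DiagTrack', 'dmwappushservice') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Item  = "service $name"
            State = if ($svc) { "present ($($svc.Status), $($svc.StartType))" } else { 'removed' }
        }
    }

    # AutoLogger file from steps A-C: expect a Deny entry for SYSTEM.
    $etl = 'C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl'
    $state = 'file missing'
    if (Test-Path -LiteralPath $etl) {
        $deny = (Get-Acl -LiteralPath $etl).Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and "$($_.IdentityReference)" -like '*\SYSTEM'
        }
        $size  = (Get-Item -LiteralPath $etl).Length
        $state = if ($deny) { "SYSTEM denied, $size bytes" } else { "SYSTEM NOT denied, $size bytes" }
    }
    [pscustomobject]@{ Item = 'AutoLogger-Diagtrack-Listener.etl'; State = $state }

    # Scheduled tasks from the list above. The disk diagnostic task is looked
    # up by task name only, so the folder spelling does not matter.
    $queries = @(
        @{ TaskPath = '\Microsoft\Windows\Application Experience\' },
        @{ TaskPath = '\Microsoft\Windows\Autochk\' },
        @{ TaskPath = '\Microsoft\Windows\Customer Experience Improvement Program\' },
        @{ TaskName = 'Microsoft-Windows-DiskDiagnosticDataCollector' },
        @{ TaskPath = '\Microsoft\Windows\Maintenance\'; TaskName = 'WinSAT' },
        @{ TaskPath = '\Microsoft\Windows\Media Center\' }
    )
    foreach ($q in $queries) {
        Get-ScheduledTask @q -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{
                Item  = "task $($_.TaskPath)$($_.TaskName)"
                State = "still present ($($_.State))"
            }
        }
    }
}

Get-TelemetryRemnant | Format-Table -AutoSize -Wrap
```

Tasks the guide only disables (WinSAT, Media Center) are expected to show up with state Disabled; anything listed as Ready has been re-enabled or recreated.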

If these seem familiar to you, these are the steps that Hotwheels posted years back for removing telemetry from Windows 7. You can still find them here:

https://8ch.net/tech/w7tele.html

Now here are some additional privacy settings to enable:

To turn off “Let apps use my advertising ID for experiences across apps” (turning this off will reset your ID):
Turn off the feature in the UI.
-or-
Apply the Group Policy: Computer Configuration > Administrative Templates > System > User Profiles > Turn off the advertising ID.
-or-
Create a REG_DWORD registry setting called Enabled in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo, with a value of 0 (zero).

To turn off “Turn on SmartScreen Filter to check web content (URLs) that Windows Store apps use”:
Turn off the feature in the UI.
-or-
Apply the Group Policy: Computer Configuration > Administrative Templates > Windows Components > Microsoft Edge > Configure SmartScreen Filter.
Apply the Group Policy: Computer Configuration > Administrative Templates > Windows Components > File Explorer > Configure Windows SmartScreen.
-or-
Create a REG_DWORD registry setting called EnableWebContentEvaluation in HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost, with a value of 0 (zero).

To turn off “Send Microsoft info about how I write to help us improve typing and writing in the future”:
Note: If the telemetry level is set to either Basic or Security, this is turned off automatically.
Turn off the feature in the UI.

To turn off “Let websites provide locally relevant content by accessing my language list”:
Turn off the feature in the UI.
-or-
Create a new REG_DWORD registry setting called HttpAcceptLanguageOptOut in HKEY_CURRENT_USER\Control Panel\International\User Profile, with a value of 1.

To turn off “Let apps on my other devices open apps and continue experiences on this device”:
Turn off the feature in the UI.
-or-
Disable the Group Policy: Computer Configuration > Administrative Templates > System > Group Policy > Continue experiences on this device.

To turn off “Let apps on my other devices use Bluetooth to open apps and continue experiences on this device”:
Turn off the feature in the UI.

Camera
In the Camera area, you can choose which apps can access a device's camera.

To turn off “Let apps use my camera”:
Turn off the feature in the UI.
-or-
Apply the Group Policy: Computer Configuration > Administrative Templates > Windows Components > App Privacy > Let Windows apps access the camera
Set the Select a setting box to Force Deny.

To turn off “Choose apps that can use your camera”:
Turn off the feature in the UI for each app.

Microphone
In the Microphone area, you can choose which apps can access a device's microphone.

To turn off “Let apps use my microphone”:
Turn off the feature in the UI.
-or-
Apply the Group Policy: Computer Configuration > Administrative Templates > Windows Components > App Privacy > Let Windows apps access the microphone
Set the Select a setting box to Force Deny.

To turn off “Choose apps that can use your microphone”:
Turn off the feature in the UI for each app.

Wi-Fi Sense
Wi-Fi Sense automatically connects devices to known hotspots and to the wireless networks the person’s contacts have shared with them.

To turn off “Connect to suggested open hotspots” and “Connect to networks shared by my contacts”:
Turn off the feature in the UI.
-or-
Disable the Group Policy: Computer Configuration > Administrative Templates > Network > WLAN Service > WLAN Settings > Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services.
-or-
Create a new REG_DWORD registry setting called AutoConnectAllowedOEM in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config, with a value of 0 (zero).

When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings screen, but they’re non-functional.

Step 2: Removing Cortana,

Disabling Cortana via Group Policies:

1) Press the Win + R keyboard accelerator to open the Run dialog box.
2) Type GPedit.msc and hit Enter or OK to open Local Group Policy Editor. Navigate to Local Computer Policy -> Computer Configuration -> Administrative Templates -> Windows Components -> Search.
3) In the right pane, double-click the policy named Allow Cortana.
4) Select the Disabled radio button.
5) In Allow search and Cortana to use location, select Disabled.
6) In Do not allow web search, select Enabled.
7) In Don't search the web or display web results in Search, select Enabled.
8) Restart the PC and Cortana and Bing Search will be disabled. (May work after signing out and in again.)

To remove Cortana completely from your system, have EC Menu installed, so that you can add Take Ownership to the right-click menu.

1) Add TakeOwn to the context menu (or use takeown from the command line).
2) Navigate to C:\Windows
3) Use Takeown to gain ownership of c:\windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy
4) (Gain ownership of anything else you want to delete)
5) When the "Permissions" pop-up appears, switch to Task Manager
6) Kill the SearchUI.exe process
7) Switch back and give permission to delete the contents inside the folder

To prevent Windows updates from restoring Cortana, deny the system access to the folder.

Open an elevated command prompt and go to the directory:

Code:

cd C:\Windows\SystemApps\
cacls Microsoft.Windows.Cortana_cw5n1h2txyewy /d SYSTEM

Press Y to confirm.

This will completely remove Cortana, and it will no longer appear after a Windows update. The system should now default back to Windows’ old search function.

Step 3: Windows Updates,

You can turn off Windows Update by setting the following registry entries:
Add a REG_DWORD value called DoNotConnectToWindowsUpdateInternetLocations to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate and set the value to 1.
-and-
Add a REG_DWORD value called DisableWindowsUpdateAccess to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate and set the value to 1.
-and-
Add a REG_DWORD value called UseWUServer to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU and set the value to 1.

You can turn off automatic updates by doing one of the following. This is not recommended.
Add a REG_DWORD value called AutoDownload to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsStore\WindowsUpdate and set the value to 5.

Doing the above should work, but others have said that Windows still manages to update itself, so this next step will stop it completely.

Go into search and look for Services; open it, and you’ll be presented with a lot of running or disabled services. Look for Windows Update towards the bottom of the screen and double-click it. It should be set to Automatic. Stop the service using the Stop button, and then set it to Disabled. Hit Apply and Windows Update will no longer be able to run. To verify, go into PC settings and go to Update & security; when you click Check for updates, you’ll get an error message saying updates could not be found.

Now you can either run the system without any updates, or set the service to Manual, in which case it will only run when asked for by the user or when a Windows application needs an update from the Windows Store. You can also use an open source tool called WSUS Offline, which downloads the Windows updates to a folder and can then apply them offline.
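
An added example, not part of the original guide: the "write a script to edit the registry" option from Step 1, as a PowerShell audit of the REG_DWORD values given in Step 1 and Step 3, useful for spotting values that an update or another tool has reset. Test-RegistryBaseline and its -Apply switch are hypothetical names; the keys and values are the ones listed in this guide (the AutoDownload value marked "not recommended" is left out).

```powershell
# HKCU entries apply to the user running the script; -Apply on HKLM entries
# needs an elevated prompt.
$baseline = @(
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection'; Name = 'AllowTelemetry'; Value = 0 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo'; Name = 'Enabled'; Value = 0 }
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost'; Name = 'EnableWebContentEvaluation'; Value = 0 }
    @{ Path = 'HKCU:\Control Panel\International\User Profile'; Name = 'HttpAcceptLanguageOptOut'; Value = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config'; Name = 'AutoConnectAllowedOEM'; Value = 0 }
    @{ Path = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate'; Name = 'DoNotConnectToWindowsUpdateInternetLocations'; Value = 1 }
    @{ Path = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate'; Name = 'DisableWindowsUpdateAccess'; Value = 1 }
    @{ Path = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU'; Name = 'UseWUServer'; Value = 1 }
)

# Hypothetical helper: compares each value with the baseline and, only when
# -Apply is given, creates the key if needed and writes the DWORD.
function Test-RegistryBaseline {
    param([hashtable[]]$Baseline, [switch]$Apply)
    foreach ($b in $Baseline) {
        $actual = $null
        $prop = Get-ItemProperty -LiteralPath $b.Path -Name $b.Name -ErrorAction SilentlyContinue
        if ($prop) { $actual = $prop.($b.Name) }

        $status = if ($null -eq $actual) { 'MISSING' } elseif ($actual -eq $b.Value) { 'OK' } else { 'DRIFT' }

        if ($Apply -and $status -ne 'OK') {
            if (-not (Test-Path -LiteralPath $b.Path)) { New-Item -Path $b.Path -Force | Out-Null }
            New-ItemProperty -LiteralPath $b.Path -Name $b.Name -Value $b.Value `
                -PropertyType DWord -Force | Out-Null
            $status = "SET (was $status)"
        }
        [pscustomobject]@{ Name = $b.Name; Expected = $b.Value; Actual = $actual; Status = $status; Path = $b.Path }
    }
}

Test-RegistryBaseline -Baseline $baseline | Format-Table -AutoSize -Wrap
```

Run without -Apply it only reports; MISSING means the value was never created, DRIFT means it exists with a different value.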

Now your system is ready, and any further customization can be searched for online. Below are the guides from MS I mentioned at the beginning:

https://technet.microsoft.com/en-us/itpro/windows/manage/configure-windows-telemetry-in-your-organization

https://technet.microsoft.com/en-us/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services

http://iase.disa.mil/stigs/os/windows/Pages/win10.aspx