Windows 10 privacy observations

a guest
Sep 5th, 2015
This file is subject to revision. It was last revised on 05-09-15.


There's been a lot of fuss about Windows 10's excessive amount of spying on the end users, and disagreement over exactly what is going on. A lot of this is just speculation fueled by a suspiciously vague EULA - as is fairly common in the world of licenses, Microsoft has attempted to keep their options open by reserving for themselves permission to do things far more outrageous than they actually intend to do. A few people have been gathering more precise information on exactly what Windows does - subject to the condition that any observed behavior may change in future updates.

I've been studying Windows 10 with a packet sniffer, and I can confirm a few things:
- By default, anything typed at the start menu will be sent as a query to Bing. This can be changed. If it is changed, typing anything from the start menu will still initiate a connection to Bing - but without the query. The purpose of this connection is unknown. It contains some sort of identifier.
- Every opening and closing of any app using the new interface and API is tracked and immediately reported to Microsoft - specifically to licensing.md.mp.microsoft.com. This happens regardless of settings, and includes those apps which might be regarded as trivial, such as the image viewer and calculator.
- By default several tiles are included on the start menu. Updates will be fetched for these tiles - by HTTP, rather than HTTPS. Even if these tiles are disabled and removed, updates are still fetched. The content for these tiles comes from various subdomains of bing.com and msn.com.
- By default, the browser reports all sites visited to Microsoft as part of their anti-phishing system. This behavior can be disabled.
- Error reports are collected and transmitted silently by default. There is an option to disable this, but I cannot confirm if it works. If it is disabled, occasional connections may still be observed.
- Windows 10, even when configured to use only a local account with no ties to Microsoft's online accounts, attempts to access login.live.com. Purpose unknown.
- Windows 10 will connect to nexus.officeapps.live.com even when Office is not installed, but only rarely. Purpose unknown.
- All login events are reported to Microsoft, even if using only local accounts with no ties to Microsoft's online accounts.
- Bringing up a network interface also downloads a file from Microsoft, though this appears to be only a connection test rather than intentional information gathering, and has been a feature since Windows XP.

In order to gather information for blocking this I have monitored a freshly installed Windows 10, build 10240, with all obvious privacy options set private and any feature that communicates with Microsoft turned off where possible. I've compiled a list of all the Microsoft-registered IP ranges it communicates with, and all Microsoft-owned domain names queried for. I've also supplied it with an IPv6 address, but did not observe any communication with Microsoft over IPv6.

This document describes the measures I have devised and tested in order to disable this monitoring. Not only does this reclaim your privacy, but it also saves you a significant amount of traffic. I do not describe how to block Windows updates, as I have no desire to block these - and I can verify that even with all the blocks I describe below in place, Windows update still works as normal. If you apply all of these measures then you can use Windows 10 almost entirely free of Microsoft's information gathering - though at the expense of also losing access to online services such as OneDrive and Cortana.



Now, on to the blocking!
There are three main means I have found to disable the features of Windows 10 that communicate back to Microsoft. None of these work on their own, but they do appear to be effective in combination.
First, there are the settings. There are a lot of these, but they are not all in one place - they are buried in many obscure sections all over both the new settings app and the old control panel. Configuring all of these for improved privacy reduces the spying, but certainly does not eliminate it. Most notably the app usage tracking cannot be disabled, and I still observed a significant amount of 'mystery' TLS traffic to many hosts of uncertain purpose, including settings-win.data.microsoft.com, telecommand.telemetry.microsoft.com and officeclient.microsoft.com.
Second, there is the firewall. Windows 10, to its credit, does have a very capable firewall. It can be configured with rules by application, interface, IP address or protocol. The obvious idea would be to block all Microsoft IP addresses. However, this does not fully work - at least some system services are exempt from the firewall, regardless of rules. This means it can block some of the spying, but not all. It can go some way towards reducing the amount of wasteful traffic too.
Third, there is the hosts file. This still works - but some addresses are hard-coded exceptions and will always resolve via DNS, never via hosts. This is probably an anti-malware feature, as many forms of malware attempt to block updates.



----------
1. The Settings.
There are settings to change, but they are all over the place. Exhaustive lists are difficult to compile, but there are a few obscure ones you'll want to be sure to get:
Set 'manual' startup for the services 'diagnostic policy' and 'diagnostic tracking.'
Disable autoplay (not strictly privacy, but basic common sense).
Edge->settings->advanced, turn search suggestions off.
Remove the Office trial if you have it. It comes standard on a lot of OEM installs.
control panel->security and maintenance, turn off SmartScreen. You're smart enough not to run dodgy executables from sites that spell every word with a Z.
settings->network & internet->wi-fi->manage wi-fi settings, turn both settings off.
cortana and search settings, turn everything off! These are important.
settings->privacy->general, turn all the privacy-invading capabilities off.
settings->privacy->feedback and diagnostics, turn feedback off. Note that you cannot turn 'send your device data to Microsoft' off entirely here. You'll have to block that by another means below.
settings->update and security->windows defender. You can't turn Defender off, but you can turn off cloud-based protection and sample submission.
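The services step above is the one item in this list that is scriptable rather than clicked through. The following is an added example, not part of the original paste: it sets both services to Manual startup, stops them if they are running, and reports the before/after state so you can confirm the change took. It assumes the short service names behind the author's display names are DiagTrack ("Diagnostics Tracking Service") and DPS ("Diagnostic Policy Service"), and must be run from an elevated PowerShell prompt.

```powershell
# Added example (not from the original paste). Assumes the service names
# DiagTrack and DPS; run from an elevated PowerShell prompt.
$services = 'DiagTrack', 'DPS'

# Read the configured start mode (Auto / Manual / Disabled) via CIM,
# since Get-Service on Windows 10 build 10240 does not expose it.
function Get-StartMode([string]$Name) {
    (Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'").StartMode
}

foreach ($name in $services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Warning "Service '$name' not found on this build; skipping."
        continue
    }
    $before = Get-StartMode $name

    # The paste asks for 'manual', not 'disabled', so that is what is set here.
    Set-Service -Name $name -StartupType Manual
    if ($svc.Status -eq 'Running') {
        Stop-Service -Name $name -Force
    }

    $after  = Get-StartMode $name
    $status = (Get-Service -Name $name).Status
    "{0,-10} startup {1} -> {2}, status now {3}" -f $name, $before, $after, $status
}
```

Re-running the script is harmless: a service already on Manual and stopped is simply reported as such.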


----------
2. The Firewall.


Windows 10 does have a sophisticated firewall, but some traffic is exempt - I don't know why, but suspect it may be that system processes are exempt. Many rules are also protected - permit rules for Microsoft products that can be deleted, but which will be recreated. I do not know the trigger for their recreation. Fortunately these permit rules can be overridden by deny rules: as is usual for Microsoft security policies, the ordering of rules is irrelevant and a deny will always overrule a permit.

The firewall rules can be configured through 'Windows Firewall with Advanced Security.' You can find it from the start menu. As denies overrule permits, you can apply the required change by adding just one outbound rule: Block, with the scope configured to cover the following ranges:

65.52.108.0/14 (licensing.md.mp.microsoft.com, v10.vortex-win.data.microsoft.com)
104.40.0.0/13
104.208.0.0/13 (nexus.officeapps.live.com)
204.79.196.0/23 (Start menu searches.)
23.93.0.0/13
157.54.0.0/15
157.60.0.0/16
191.236.0.0/14
207.46.0.0/16
131.253.62.0/23
131.253.64.0/18
131.253.61.0/24 (login.live.com)
131.253.128.0/17
191.232.0.0/14 (settings-win.data.microsoft.com)
64.4.0.0/18

You do not want to block 157.56.0.0/14 or 191.232.0.0/14. These contain servers essential to Windows update. Not that it actually makes much difference, as updates ignore the firewall anyway.
A warning, though: this is quite a harsh block. It'll stop a lot of the spying, but it'll also take out your access to OneDrive, Office activation, and even Bing. Do this and you'll be largely cut off from all things Microsoft. I don't know what would happen if you tried to use a Microsoft account to log in, but probably nothing good.
I've also observed a lot of traffic to CDN servers, mostly Akamai.
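The same single outbound Block rule can be created from PowerShell instead of the 'Windows Firewall with Advanced Security' console, which makes the range list reviewable and re-applicable. The block below is an added example, not code from the original paste; the rule display name is an assumption, and it must be run from an elevated prompt. It takes the ranges from the list above but leaves out 191.232.0.0/14, since the paste lists that range both as something to block and as something not to block; add it back if you accept the author's trade-off. After creating the rule it reads the attached address filter back so you can confirm the scope the firewall actually stored.

```powershell
# Added example (not from the original paste). Rule name is an assumption;
# run from an elevated PowerShell prompt.
$ruleName = 'Block Microsoft telemetry ranges (privacy)'

# Ranges from the paste. 191.232.0.0/14 is deliberately omitted because the
# author also warns against blocking it; append it here if you want it.
$ranges = @(
    '65.52.108.0/14',   # licensing.md.mp.microsoft.com, v10.vortex-win.data.microsoft.com
    '104.40.0.0/13',
    '104.208.0.0/13',   # nexus.officeapps.live.com
    '204.79.196.0/23',  # start menu searches
    '23.93.0.0/13',
    '157.54.0.0/15',
    '157.60.0.0/16',
    '191.236.0.0/14',
    '207.46.0.0/16',
    '131.253.62.0/23',
    '131.253.64.0/18',
    '131.253.61.0/24',  # login.live.com
    '131.253.128.0/17',
    '64.4.0.0/18'
)

# Remove any earlier copy so the script can be re-run after editing the list.
Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# One outbound Block rule, all profiles, scoped to the remote ranges.
# Block overrides the protected Allow rules regardless of ordering.
New-NetFirewallRule -DisplayName $ruleName `
    -Direction Outbound -Action Block -Enabled True `
    -Profile Any -RemoteAddress $ranges | Out-Null

# Read the scope back. The firewall may display prefixes that are not aligned
# to their mask (e.g. 65.52.108.0/14) in a normalized form.
$rule    = Get-NetFirewallRule -DisplayName $ruleName
$applied = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
"Rule '{0}': action={1}, direction={2}, enabled={3}" -f `
    $rule.DisplayName, $rule.Action, $rule.Direction, $rule.Enabled
"Remote scope as stored ({0} entries):" -f @($applied).Count
$applied | ForEach-Object { "  $_" }
```

Remember the caveat from the text: at least some system services bypass the firewall entirely, so a packet capture after applying the rule is the only way to see what this actually stops.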



----------
3. The hosts File.
The hosts file is located in the unintuitive location of c:\windows\system32\drivers\etc. It can be edited using notepad, providing notepad is launched with administrative access. Take caution not to accidentally save with an extra .txt extension: hosts is extensionless. In simple usage a block consists simply of 0.0.0.0, a tab or space character, and the domain to block. Blocking on wildcards is not possible.

You will want to block the following:
0.0.0.0 cdn.content.prod.cms.msn.com
0.0.0.0 telecommand.telemetry.microsoft.com
0.0.0.0 v10.vortex-win.data.microsoft.com
0.0.0.0 licensing.md.mp.microsoft.com
0.0.0.0 en-gb.appex-rf.msn.com
0.0.0.0 officeclient.microsoft.com
0.0.0.0 settings-win.data.microsoft.com
0.0.0.0 ssw.live.com
0.0.0.0 login.live.com
0.0.0.0 settings.data.microsoft.com
0.0.0.0 watson.telemetry.microsoft.com
0.0.0.0 static.bundles.hybrid.api.here.com
0.0.0.0 foodanddrink.tile.appex.bing.com
0.0.0.0 dmd.metaservices.microsoft.com
0.0.0.0 nexus.officeapps.live.com
0.0.0.0 sqm.telemetry.microsoft.com
0.0.0.0 go.microsoft.com
0.0.0.0 www.bing.com

It is noteworthy that www.bing.com will still be queried via DNS even with the hosts file entry in place and after a reboot. Most others appear to be blockable via this means. en-gb.appex-rf.msn.com is obviously a language-specific server, so you'll want to add your own corresponding server too.

While you're editing the file, you may want to block some non-Microsoft tracking or advertising servers too.
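Editing hosts by hand in Notepad works, but it is easy to end up with a stray .txt extension, a UTF-8 byte-order mark, or duplicate lines. The following added example, which is not part of the original paste, appends the author's entries from an elevated PowerShell prompt: it backs the file up first, skips any name that is already mapped, writes plain ASCII, flushes the resolver cache, and then spot-checks how login.live.com and www.bing.com resolve. The second check is there precisely because of the observation above that www.bing.com is still looked up via DNS despite the entry; the resolution printed for it tells you whether the hosts entry is honoured on your build.

```powershell
# Added example (not from the original paste). Run from an elevated
# PowerShell prompt; it modifies the system hosts file.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# Names from the paste, all to be mapped to 0.0.0.0.
$domains = @(
    'cdn.content.prod.cms.msn.com', 'telecommand.telemetry.microsoft.com',
    'v10.vortex-win.data.microsoft.com', 'licensing.md.mp.microsoft.com',
    'en-gb.appex-rf.msn.com', 'officeclient.microsoft.com',
    'settings-win.data.microsoft.com', 'ssw.live.com', 'login.live.com',
    'settings.data.microsoft.com', 'watson.telemetry.microsoft.com',
    'static.bundles.hybrid.api.here.com', 'foodanddrink.tile.appex.bing.com',
    'dmd.metaservices.microsoft.com', 'nexus.officeapps.live.com',
    'sqm.telemetry.microsoft.com', 'go.microsoft.com', 'www.bing.com'
)

# Back up first. hosts has no extension, so give the backup an explicit one.
$backup = "$hostsPath.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -Path $hostsPath -Destination $backup

# Collect every host name already mapped (to any address), ignoring comments.
$existing = Get-Content $hostsPath |
    ForEach-Object { ($_ -replace '#.*$', '').Trim() } |
    Where-Object { $_ -match '^\S+\s+\S+' } |
    ForEach-Object { ($_ -split '\s+') | Select-Object -Skip 1 } |
    ForEach-Object { $_.ToLowerInvariant() }

$toAdd = @($domains | Where-Object { $existing -notcontains $_.ToLowerInvariant() })
if ($toAdd.Count -gt 0) {
    $lines = @('', '# Windows 10 privacy block list') +
             ($toAdd | ForEach-Object { "0.0.0.0`t$_" })
    # ASCII: a UTF-8 BOM at the top of hosts can stop the resolver parsing it.
    Add-Content -Path $hostsPath -Value $lines -Encoding Ascii
}
"Added {0} entries; {1} already present. Backup: {2}" -f `
    $toAdd.Count, ($domains.Count - $toAdd.Count), $backup

# Flush the resolver cache so the new mappings apply without a reboot.
Clear-DnsClientCache

# Spot-check. A name honoured from hosts should come back as 0.0.0.0;
# a name the resolver treats as a hard-coded exception will not.
foreach ($name in 'login.live.com', 'www.bing.com') {
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($name) |
            ForEach-Object { $_.IPAddressToString }
        "{0,-20} -> {1}" -f $name, ($addrs -join ', ')
    } catch {
        "{0,-20} -> lookup failed: {1}" -f $name, $_.Exception.Message
    }
}
```

To add a language-specific appex-rf.msn.com server or any of the non-Microsoft tracking hosts mentioned above, extend the $domains list and re-run; names already present are skipped, so the file does not accumulate duplicates.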