278 lines
9.1 KiB
Plaintext
## TBA, fix mess

### Relevant + newer repos found
# https://github.com/beerisgood/Windows11_Hardening - txt guide
# hotcakex guide -> https://www.reddit.com/r/cybersecurity/comments/10x986w/harden_windows_security_the_right_way_only_with/

### ChatGPT Answer

Here's the answer in **Gitea Markdown** format:

```markdown
# Remove ALL Tracking from Windows 11

This guide provides commands and steps to remove all tracking from Windows 11. **Warning:** This will break some functionality, including Windows Updates, the Microsoft Store, Cortana, and other system features. Proceed with caution.

---

## 1. Disable Telemetry via Group Policy or Registry

### Group Policy Settings via PowerShell
```powershell
# Disable telemetry via Group Policy
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f
```

### Block Data Collection via Services
```powershell
# Disable telemetry services
# Use sc.exe: in Windows PowerShell, "sc" is an alias for Set-Content
sc.exe stop DiagTrack
sc.exe delete DiagTrack
sc.exe stop diagnosticshub.standardcollector.service
sc.exe delete diagnosticshub.standardcollector.service
sc.exe stop dmwappushservice
sc.exe delete dmwappushservice
```

---

## 2. Disable Tracking Features

### Remove Pre-installed Apps
```powershell
# Remove all pre-installed apps
Get-AppxPackage -AllUsers | Remove-AppxPackage
Get-AppxProvisionedPackage -Online | Remove-AppxProvisionedPackage -Online
```

### Disable Cortana
```powershell
# Disable Cortana
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d 0 /f
```

### Disable Feedback Requests
```powershell
# Turn off feedback requests
reg add "HKCU\Software\Microsoft\Siuf\Rules" /v "NumberOfSIUFInPeriod" /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Microsoft\Siuf\Rules" /v "PeriodInNanoSeconds" /t REG_QWORD /d 0 /f
```

---

## 3. Block Microsoft Telemetry Domains

### Open HOSTS File
```powershell
notepad C:\Windows\System32\drivers\etc\hosts
```

### Add Telemetry Domains
Add the following lines to the `hosts` file:
```plaintext
127.0.0.1 vortex.data.microsoft.com
127.0.0.1 settings-win.data.microsoft.com
127.0.0.1 watson.telemetry.microsoft.com
127.0.0.1 feedback.windows.com
127.0.0.1 activity.windows.com
127.0.0.1 assets.onestore.microsoft.com
127.0.0.1 c1.microsoft.com
127.0.0.1 c2.microsoft.com
127.0.0.1 c3.microsoft.com
127.0.0.1 msftncsi.com
127.0.0.1 officeclient.microsoft.com
127.0.0.1 www.msftconnecttest.com
```

Save the file and reboot.

---

## 4. Disable Tracking Using PowerShell

### Disable Windows Defender (Tracking)
```powershell
# Disable Windows Defender
Set-MpPreference -DisableRealtimeMonitoring $true
```

### Disable Data Sharing Features
```powershell
# Disable OneDrive
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\OneDrive" /v "DisableFileSyncNGSC" /t REG_DWORD /d 1 /f

# Disable Activity History
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "UploadUserActivities" /t REG_DWORD /d 0 /f
```

---

## 5. Disable Windows Update (Tracking)
Completely disable Windows Updates to stop telemetry-related data collection.
```powershell
# Disable Windows Update Service
# Use sc.exe: in Windows PowerShell, "sc" is an alias for Set-Content
sc.exe config wuauserv start= disabled
sc.exe stop wuauserv
```

---

## 6. Disable Telemetry via Firewall

### Block Telemetry Domains
```powershell
netsh advfirewall firewall add rule name="BlockTelemetry" dir=out action=block remoteip=13.107.4.50,23.216.10.10,204.79.197.200
```

---

## 7. Use Advanced Privacy Tools

1. Download and run **[O&O ShutUp10++](https://www.oo-software.com/en/shutup10)**.
   - Apply all "Recommended" and "Recommended and somewhat recommended" settings.
2. Install **[WPD](https://wpd.app/)** for additional telemetry blocking.

---

## 8. Disable Online Features
```powershell
# Disable online search in Start Menu
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "BingSearchEnabled" /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "AllowSearchToUseLocation" /t REG_DWORD /d 0 /f
```

---

## 9. Use a Debloated ISO

For a fully stripped-down version of Windows 11, consider:
- Installing a debloated custom ISO like **[AtlasOS](https://atlasos.net/)**.
- Creating your own using **NTLite**.

---

Would you like a pre-made script to automate these steps? Let me know!
```

## GPT Script:
# Set-ExecutionPolicy Bypass -Scope Process -Force; .\RemoveTracking.ps1

```powershell
# Disable Telemetry Services
Write-Host "Disabling telemetry services..." -ForegroundColor Green
sc.exe stop DiagTrack
sc.exe delete DiagTrack
sc.exe stop diagnosticshub.standardcollector.service
sc.exe delete diagnosticshub.standardcollector.service
sc.exe stop dmwappushservice
sc.exe delete dmwappushservice

# Disable Telemetry via Registry
Write-Host "Disabling telemetry via registry..." -ForegroundColor Green
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f

# Remove Pre-installed Apps
Write-Host "Removing pre-installed apps..." -ForegroundColor Green
Get-AppxPackage -AllUsers | Remove-AppxPackage -ErrorAction SilentlyContinue
Get-AppxProvisionedPackage -Online | Remove-AppxProvisionedPackage -Online -ErrorAction SilentlyContinue

# Disable Cortana
Write-Host "Disabling Cortana..." -ForegroundColor Green
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d 0 /f

# Disable Feedback Requests
Write-Host "Disabling feedback requests..." -ForegroundColor Green
reg add "HKCU\Software\Microsoft\Siuf\Rules" /v "NumberOfSIUFInPeriod" /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Microsoft\Siuf\Rules" /v "PeriodInNanoSeconds" /t REG_QWORD /d 0 /f

# Block Microsoft Telemetry Domains via Hosts File
Write-Host "Blocking telemetry domains..." -ForegroundColor Green
$hostsPath = "C:\Windows\System32\drivers\etc\hosts"
$domains = @"
127.0.0.1 vortex.data.microsoft.com
127.0.0.1 settings-win.data.microsoft.com
127.0.0.1 watson.telemetry.microsoft.com
127.0.0.1 feedback.windows.com
127.0.0.1 activity.windows.com
127.0.0.1 assets.onestore.microsoft.com
127.0.0.1 c1.microsoft.com
127.0.0.1 c2.microsoft.com
127.0.0.1 c3.microsoft.com
127.0.0.1 msftncsi.com
127.0.0.1 officeclient.microsoft.com
127.0.0.1 www.msftconnecttest.com
"@
Add-Content -Path $hostsPath -Value $domains

# Disable Defender Realtime Monitoring
Write-Host "Disabling Windows Defender real-time monitoring..." -ForegroundColor Green
Set-MpPreference -DisableRealtimeMonitoring $true

# Disable Activity History
Write-Host "Disabling activity history..." -ForegroundColor Green
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "UploadUserActivities" /t REG_DWORD /d 0 /f

# Disable Windows Update Service
Write-Host "Disabling Windows Update service..." -ForegroundColor Green
sc.exe config wuauserv start= disabled
sc.exe stop wuauserv

# Block Telemetry Domains via Firewall
Write-Host "Blocking telemetry domains via firewall..." -ForegroundColor Green
netsh advfirewall firewall add rule name="BlockTelemetry" dir=out action=block remoteip=13.107.4.50,23.216.10.10,204.79.197.200

# Disable Online Features
Write-Host "Disabling online features..." -ForegroundColor Green
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "BingSearchEnabled" /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "AllowSearchToUseLocation" /t REG_DWORD /d 0 /f

Write-Host "All tracking has been disabled. Reboot your system for changes to take effect." -ForegroundColor Green
```

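A read-only check to run before and after the script above, added here as an example (it is not part of the original notes or of the ChatGPT output): it reports the current state of each registry value, service, Defender setting, hosts entry and firewall rule the script touches, so every change can be reviewed or reverted individually. The function names `New-Row` and `Get-TrackingTweakState` are hypothetical; the keys, service names and rule name are the ones used on this page.

```powershell
# Added example (not from the original notes): read-only report of the
# settings the script above modifies. Function names are hypothetical.
function New-Row($Kind, $Item, $State) {
    [pscustomobject]@{ Kind = $Kind; Item = $Item; State = $State }
}

function Get-TrackingTweakState {
    # Registry values written with "reg add" on this page.
    $reg = [ordered]@{
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection' = @('AllowTelemetry')
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search' = @('AllowCortana')
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive' = @('DisableFileSyncNGSC')
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' = @('EnableActivityFeed', 'PublishUserActivities', 'UploadUserActivities')
        'HKCU:\Software\Microsoft\Siuf\Rules' = @('NumberOfSIUFInPeriod', 'PeriodInNanoSeconds')
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Search' = @('BingSearchEnabled', 'AllowSearchToUseLocation')
    }
    foreach ($path in $reg.Keys) {
        foreach ($name in $reg[$path]) {
            $p = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
            $state = if ($null -ne $p) { $p.$name } else { '<not set>' }
            New-Row 'Registry' "$path\$name" $state
        }
    }
    # Services the script stops, deletes or disables.
    foreach ($svcName in 'DiagTrack', 'dmwappushservice', 'diagnosticshub.standardcollector.service', 'wuauserv') {
        $svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
        $state = if ($svc) { "$($svc.Status), start type $($svc.StartType)" } else { '<service not present>' }
        New-Row 'Service' $svcName $state
    }
    # Defender real-time protection (the script sets DisableRealtimeMonitoring to $true).
    $mp = try { Get-MpPreference -ErrorAction Stop } catch { $null }
    $state = if ($mp) { "DisableRealtimeMonitoring=$($mp.DisableRealtimeMonitoring)" } else { '<Defender cmdlets unavailable>' }
    New-Row 'Defender' 'RealTimeMonitoring' $state
    # Hosts-file names redirected to 127.0.0.1, as appended by the script.
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content $hostsPath -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_ -match '^\s*127\.0\.0\.1\s+(\S+)' -and $Matches[1] -ne 'localhost') {
            New-Row 'Hosts' $Matches[1] '127.0.0.1'
        }
    }
    # Outbound block rule created with netsh (its "name" is the rule's DisplayName).
    $rule = Get-NetFirewallRule -DisplayName 'BlockTelemetry' -ErrorAction SilentlyContinue
    $state = if ($rule) { ($rule | Get-NetFirewallAddressFilter).RemoteAddress -join ',' } else { '<rule not present>' }
    New-Row 'Firewall' 'BlockTelemetry' $state
}

Get-TrackingTweakState | Format-Table -AutoSize -Wrap
```

The `HKCU` values are read for the user running the check, so run it as the same account that ran the script.
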
### Old privacy hardening notes below

# Disable all networking except for programs you need it for.

# Alternatively try these and use a good firewall, don't allow unwanted sites.

# Uninstall tracking updates:
wusa /uninstall /kb:3083710 /quiet /norestart
wusa /uninstall /kb:3083711 /quiet /norestart
wusa /uninstall /kb:3065988 /quiet /norestart
wusa /uninstall /kb:3083325 /quiet /norestart
wusa /uninstall /kb:3083324 /quiet /norestart
wusa /uninstall /kb:2976978 /quiet /norestart
wusa /uninstall /kb:3075853 /quiet /norestart
wusa /uninstall /kb:3065987 /quiet /norestart
wusa /uninstall /kb:3050265 /quiet /norestart
wusa /uninstall /kb:3050267 /quiet /norestart
wusa /uninstall /kb:3075851 /quiet /norestart
wusa /uninstall /kb:2902907 /quiet /norestart
wusa /uninstall /kb:3068708 /quiet /norestart
wusa /uninstall /kb:3022345 /quiet /norestart
wusa /uninstall /kb:2952664 /quiet /norestart
wusa /uninstall /kb:2990214 /quiet /norestart
wusa /uninstall /kb:3035583 /quiet /norestart
wusa /uninstall /kb:3021917 /quiet /norestart
wusa /uninstall /kb:3044374 /quiet /norestart
wusa /uninstall /kb:3046480 /quiet /norestart
wusa /uninstall /kb:3075249 /quiet /norestart
wusa /uninstall /kb:3080149 /quiet /norestart

# Stop tracking Services:
sc stop DiagTrack
sc stop dmwappushservice
sc delete DiagTrack
sc delete dmwappushservice

# Or put Windows behind a firewall and block Microsoft...