From bea7149bd668fb981046b9fc659e142c6c95c772 Mon Sep 17 00:00:00 2001 From: six Date: Mon, 16 Dec 2024 03:15:09 +0000 Subject: [PATCH] Now it is an actual guide --- windows_11_hardening_w_privacy.txt | 260 +++++++---------------------- 1 file changed, 62 insertions(+), 198 deletions(-) diff --git a/windows_11_hardening_w_privacy.txt b/windows_11_hardening_w_privacy.txt index e0f20f9..6bff47a 100644 --- a/windows_11_hardening_w_privacy.txt +++ b/windows_11_hardening_w_privacy.txt @@ -1,193 +1,15 @@ -## TBA, fix mess +## Simplified Version -### Relevant + newer repos found +### Guides worth considering: # https://github.com/beerisgood/Windows11_Hardening - txt guide # hotcakex guide -> https://www.reddit.com/r/cybersecurity/comments/10x986w/harden_windows_security_the_right_way_only_with/ +# First, install without internet and local account (disable WLAN from BIOS and Shift+F10, OOBE\BYPASSNRO) +# Second, Block ALL traffic in firewall, set default to block and set enabled services to block too +# Third, be aware this fucker is enabling firewall rules automatically after you enable WLAN. You want to block those too, but idk how to avoid Windows setting their own rules without permission. Fucking crazy this is rules appear in firewall without consent. +# ! Run the commands below, then restart and then allow internet only. - -### ChatGPT Answer - -Here's the answer in **Gitea Markdown** format: - -```markdown -# Remove ALL Tracking from Windows 11 - -This guide provides commands and steps to remove all tracking from Windows 11. **Warning:** This will break some functionality, including Windows Updates, the Microsoft Store, Cortana, and other system features. Proceed with caution. - ---- - -## 1. Disable Telemetry via Group Policy or Registry - -### Group Policy Settings via PowerShell -```powershell -# Disable telemetry via Group Policy -reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f -``` - -### Block Data Collection via Services -```powershell -# Disable telemetry services -sc stop DiagTrack -sc delete DiagTrack -sc stop diagnosticshub.standardcollector.service -sc delete diagnosticshub.standardcollector.service -sc stop dmwappushservice -sc delete dmwappushservice -``` - ---- - -## 2. Disable Tracking Features - -### Remove Pre-installed Apps -```powershell -# Remove all pre-installed apps -Get-AppxPackage -AllUsers | Remove-AppxPackage -Get-AppxProvisionedPackage -Online | Remove-AppxProvisionedPackage -Online -``` - -### Disable Cortana -```powershell -# Disable Cortana -reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d 0 /f -``` - -### Disable Feedback Requests -```powershell -# Turn off feedback requests -reg add "HKCU\Software\Microsoft\Siuf\Rules" /v "NumberOfSIUFInPeriod" /t REG_DWORD /d 0 /f -reg add "HKCU\Software\Microsoft\Siuf\Rules" /v "PeriodInNanoSeconds" /t REG_QWORD /d 0 /f -``` - ---- - -## 3. Block Microsoft Telemetry Domains - -### Open HOSTS File -```powershell -notepad C:\Windows\System32\drivers\etc\hosts -``` - -### Add Telemetry Domains -Add the following lines to the `hosts` file: -```plaintext -127.0.0.1 vortex.data.microsoft.com -127.0.0.1 settings-win.data.microsoft.com -127.0.0.1 watson.telemetry.microsoft.com -127.0.0.1 feedback.windows.com -127.0.0.1 activity.windows.com -127.0.0.1 assets.onestore.microsoft.com -127.0.0.1 c1.microsoft.com -127.0.0.1 c2.microsoft.com -127.0.0.1 c3.microsoft.com -127.0.0.1 msftncsi.com -127.0.0.1 officeclient.microsoft.com -127.0.0.1 www.msftconnecttest.com -``` - -Save the file and reboot. - ---- - -## 4. Disable Tracking Using PowerShell - -### Disable Windows Defender (Tracking) -```powershell -# Disable Windows Defender -Set-MpPreference -DisableRealtimeMonitoring $true -``` - -### Disable Data Sharing Features -```powershell -# Disable OneDrive -reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\OneDrive" /v "DisableFileSyncNGSC" /t REG_DWORD /d 1 /f - -# Disable Activity History -reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /t REG_DWORD /d 0 /f -reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d 0 /f -reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "UploadUserActivities" /t REG_DWORD /d 0 /f -``` - ---- - -## 5. Disable Windows Update (Tracking) -Completely disable Windows Updates to stop telemetry-related data collection. -```powershell -# Disable Windows Update Service -sc config wuauserv start= disabled -sc stop wuauserv -``` - ---- - -## 6. Disable Telemetry via Firewall - -### Block Telemetry Domains -```powershell -netsh advfirewall firewall add rule name="BlockTelemetry" dir=out action=block remoteip=13.107.4.50,23.216.10.10,204.79.197.200 -``` - ---- - -## 7. Use Advanced Privacy Tools - -1. Download and run **[O&O ShutUp10++](https://www.oo-software.com/en/shutup10)**. - - Apply all "Recommended" and "Recommended and somewhat recommended" settings. -2. Install **[WPD](https://wpd.app/)** for additional telemetry blocking. - ---- - -## 8. Disable Online Features -```powershell -# Disable online search in Start Menu -reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "BingSearchEnabled" /t REG_DWORD /d 0 /f -reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "AllowSearchToUseLocation" /t REG_DWORD /d 0 /f -``` - ---- - -## 9. Use a Debloated ISO - -For a fully stripped-down version of Windows 11, consider: -- Installing a debloated custom ISO like **[AtlasOS](https://atlasos.net/)**. -- Creating your own using **NTLite**. - ---- - -Would you like a pre-made script to automate these steps? Let me know! -``` - -## GPT Sciprt: -# Set-ExecutionPolicy Bypass -Scope Process -Force .\RemoveTracking.ps1 - -``` -# Disable Telemetry Services -Write-Host "Disabling telemetry services..." -ForegroundColor Green -sc.exe stop DiagTrack -sc.exe delete DiagTrack -sc.exe stop diagnosticshub.standardcollector.service -sc.exe delete diagnosticshub.standardcollector.service -sc.exe stop dmwappushservice -sc.exe delete dmwappushservice - -# Disable Telemetry via Registry -Write-Host "Disabling telemetry via registry..." -ForegroundColor Green -reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f - -# Remove Pre-installed Apps -Write-Host "Removing pre-installed apps..." -ForegroundColor Green -Get-AppxPackage -AllUsers | Remove-AppxPackage -ErrorAction SilentlyContinue -Get-AppxProvisionedPackage -Online | Remove-AppxProvisionedPackage -Online -ErrorAction SilentlyContinue - -# Disable Cortana -Write-Host "Disabling Cortana..." -ForegroundColor Green -reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d 0 /f - -# Disable Feedback Requests -Write-Host "Disabling feedback requests..." -ForegroundColor Green -reg add "HKCU\Software\Microsoft\Siuf\Rules" /v "NumberOfSIUFInPeriod" /t REG_DWORD /d 0 /f -reg add "HKCU\Software\Microsoft\Siuf\Rules" /v "PeriodInNanoSeconds" /t REG_QWORD /d 0 /f +### Copy paste privacy settings # Block Microsoft Telemetry Domains via Hosts File Write-Host "Blocking telemetry domains..." -ForegroundColor Green @@ -208,32 +30,74 @@ $domains = @" "@ Add-Content -Path $hostsPath -Value $domains -# Disable Defender Realtime Monitoring -Write-Host "Disabling Windows Defender real-time monitoring..." -ForegroundColor Green +## Disable telemetry + +# Disable via Group Policy +reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f + +# Disable telemetry services +sc.exe stop DiagTrack +sc.exe delete DiagTrack +sc.exe stop diagnosticshub.standardcollector.service +sc.exe delete diagnosticshub.standardcollector.service +sc.exe stop dmwappushservice +sc.exe delete dmwappushservice + + +## Disable Tracking Features + +# Remove all pre-installed apps +Get-AppxPackage -AllUsers | Remove-AppxPackage +Get-AppxProvisionedPackage -Online | Remove-AppxProvisionedPackage -Online + + +## Disable Cortana + +reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d 0 /f + + +## Disable Feedback Requests +reg add "HKCU\Software\Microsoft\Siuf\Rules" /v "NumberOfSIUFInPeriod" /t REG_DWORD /d 0 /f +reg add "HKCU\Software\Microsoft\Siuf\Rules" /v "PeriodInNanoSeconds" /t REG_QWORD /d 0 /f + +## Block Microsoft Telemetry Domains + + +## Disable Windows Defender (Tracking) Set-MpPreference -DisableRealtimeMonitoring $true +## Disable Data Sharing Features + +# Disable OneDrive +reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\OneDrive" /v "DisableFileSyncNGSC" /t REG_DWORD /d 1 /f + # Disable Activity History -Write-Host "Disabling activity history..." -ForegroundColor Green reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "UploadUserActivities" /t REG_DWORD /d 0 /f -# Disable Windows Update Service -Write-Host "Disabling Windows Update service..." -ForegroundColor Green -sc.exe config wuauserv start= disabled -sc.exe stop wuauserv +## Disable Windows Auto Update (Tracking) -# Block Telemetry Domains via Firewall -Write-Host "Blocking telemetry domains via firewall..." -ForegroundColor Green +# Disable Windows Update Service +sc config wuauserv start=disabled # Not working? +sc stop wuauserv + + +## Disable Telemetry via Firewall + +# Block Telemetry Domains netsh advfirewall firewall add rule name="BlockTelemetry" dir=out action=block remoteip=13.107.4.50,23.216.10.10,204.79.197.200 -# Disable Online Features -Write-Host "Disabling online features..." -ForegroundColor Green +# Disable online search in Start Menu reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "BingSearchEnabled" /t REG_DWORD /d 0 /f reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "AllowSearchToUseLocation" /t REG_DWORD /d 0 /f -Write-Host "All tracking has been disabled. Reboot your system for changes to take effect." -ForegroundColor Green -``` + +### Things I didn't try/test: Use Advanced Privacy Tools + +1. Download and run **[O&O ShutUp10++](https://www.oo-software.com/en/shutup10)**. + - Apply all "Recommended" and "Recommended and somewhat recommended" settings. +2. Install **[WPD](https://wpd.app/)** for additional telemetry blocking. ### Old privacy hardening notes below