privacyguides / privacyguides.org

Protect your data against global mass surveillance programs.
https://www.privacyguides.org
Creative Commons Attribution Share Alike 4.0 International

Re-write of Windows Page #166

Open dngray opened 3 years ago

dngray commented 3 years ago

Description

https://privacyguides.org/operating-systems/#win10

This page does need to be re-written. It is quite a bit out of date. I think we could benefit from bringing https://github.com/privacytools/privacytools.io/issues/926 forward into this PR.

Additionally, regarding removal of Cortana (something that wasn't possible when that page was written), we should provide instructions: https://github.com/privacytools/privacytools.io/issues/926#issuecomment-707844416.

It's worth noting O&O ShutUp10 already supports Windows 11.

Closes: https://github.com/privacyguides/privacyguides.org/issues/172#issuecomment-942002749

jnton commented 2 years ago

I would recommend adding a guide to disable telemetry as indicated here: https://github.com/privacyguides/privacyguides.org/discussions/169#discussioncomment-1474036

  1. The first step is to activate Windows. It can be done the official way or the "unofficial" one (the points in parentheses refer to the "unofficial" one; be aware that, depending on the place you live, this operation may not be completely legal, and that the following activation procedure is made for Windows 10 but with the right changes can be easily adapted to Windows 11):
     (2.) Go to Settings > Update & security > Activation > Change product key
     (3.) Enter the following generic product key and click Next. Follow the prompts all the way through.
     (4.) XGVPP-NMH47-7TTHJ-W3FW7-8HV2C [source]
     (5.) Now reboot the computer
     (6.) Use massgravel's HWID activation method: https://github.com/massgravel/Microsoft-Activation-Scripts
  2. (7.) Follow the official guidelines to deactivate telemetry: https://docs.microsoft.com/en-us/windows/privacy/configure-windows-diagnostic-data-in-your-organization

It would also be a good idea for those who want more security (and also performance) at the expense of some functionality (in particular, it will only be possible to install apps from Microsoft Store*) to switch to Windows S mode. At the moment Windows 11 in S mode is available only for the Home edition, while Windows 10 in S mode is available for all its editions: Home, Enterprise, Education and Pro.

*Note: If you switch out of S mode, you can install 32-bit (x86) Windows apps that aren’t available in the Microsoft Store in Windows. If you make this switch, it's permanent, and 64-bit (x64) apps still won't run.

ghost commented 2 years ago

The S mode has a lot of things to be noted btw:

Overall I don't think it's a good thing unless it's been set up in a school or something

ghost commented 2 years ago

I would recommend ThisIsWindows11. It's an open source software and is visually appealing and user friendly to use.

dngray commented 2 years ago

Regarding shutup10, we might want to see if the same thing is possible with the https://docs.microsoft.com/en-us/windows/privacy/windows-10-and-privacy-compliance

dngray commented 2 years ago

Another thing regarding this we should mention uninstalling Cortana, which was made possible as of May 2020 (build 2004). It's possible via PowerShell:

Get-AppxPackage -AllUsers *Microsoft.549981C3F5F10* | Remove-AppxPackage

Or if you have Winget:

winget uninstall cortana

ghost commented 2 years ago

I really think you guys should look into Windows Enterprise and level 0 telemetry (they renamed to diagnostic data something in W11). As far as I know, most (if not all) of the privacy changes can be made via group policy or the settings so there's really no need for 3rd party tools.
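
Added example (not from any participant in this thread): a PowerShell check of the diagnostic-data policy value behind "level 0", showing the level the installed edition will actually honour. The function name is hypothetical, and the edition pattern is an assumption based on Microsoft's statement that level 0 applies only to Enterprise, Education and Server editions.

```powershell
# Added example: report the configured vs. effective diagnostic-data level.
function Get-EffectiveTelemetryLevel {
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
    $cvKey     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $names     = @{ 0 = 'Off (Security)'; 1 = 'Required (Basic)'
                    2 = 'Enhanced (Windows 10 only)'; 3 = 'Optional (Full)' }

    $edition = (Get-ItemProperty -Path $cvKey).EditionID
    $policy  = Get-ItemProperty -Path $policyKey -Name AllowTelemetry -ErrorAction SilentlyContinue

    if (-not $policy) {
        # No Group Policy value: the choice made in the Settings app applies.
        return [pscustomobject]@{ Edition = $edition; Configured = $null
                                  Effective = 'Not set by policy' }
    }

    $configured = [int]$policy.AllowTelemetry

    # Assumption: EditionID starts with one of these on editions that honour 0
    # (e.g. Enterprise, EnterpriseS, Education, IoTEnterprise, ServerStandard).
    $honoursZero = $edition -match '^(Enterprise|Education|IoTEnterprise|Server)'

    # On other editions (Home = Core, Pro = Professional) a 0 is treated as 1.
    $effective = if ($configured -eq 0 -and -not $honoursZero) { 1 } else { $configured }

    [pscustomobject]@{
        Edition    = $edition
        Configured = '{0} = {1}' -f $configured, $names[$configured]
        Effective  = '{0} = {1}' -f $effective,  $names[$effective]
        Downgraded = ($effective -ne $configured)
    }
}

Get-EffectiveTelemetryLevel | Format-List
```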

dngray commented 2 years ago

Windows Enterprise and level 0 telemetry (they renamed to diagnostic data something in W11

Pretty sure that is the Windows Restricted Traffic Limited Functionality Baseline.

blacklight447 commented 2 years ago

Another thing we have to look into is recommending that, if people will be using Windows, they should try and choose computers which support the necessary features for hardware-based security. Things like Intel VT-d for IOMMU and UEFI/TPM for Secure Boot.

The best is that people choose devices which are certified by the Windows secure core program.

ghost commented 2 years ago

Windows Enterprise and level 0 telemetry (they renamed to diagnostic data something in W11

Pretty sure that is the Windows Restricted Traffic Limited Functionality Baseline.

Not exactly. I got to play around and level 0 telemetry is only a part of the group policies that the restricted functionality baseline deploys (https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#1816-feedback--diagnostics).

A lot of the policies also seem to be privacy/security regressive (e.g. no Windows Update, no Microsoft Store, i.e. no UWP apps, etc.). Perhaps we should try to pick out what policies aren't regressive (e.g. Cortana-related policies) and go on from there.

I think I've been saying things that you already know so I'll leave it at that.

ilmaisin commented 2 years ago

Recommending things, like Windows Enterprise, that are not legally available for consumers, is probably not a good idea for privacy or security. Bootleg software is pretty notorious for malware.

ghost commented 2 years ago

You can get Windows Enterprise straight from the media creation tool.

Guardian-Dusty commented 2 years ago

The thing with installing anything other than Windows 11 Pro is very minimum. Like, for example, if you install the workstation version and above (the enterprise ones), it doesn't come installed with the extra bloat like Photoshop and stuff.

Another thing is we could recommend simplefirewall (it has a custom config to block some specific Windows thing, iirc)

And This Essentially simplefirewall utilises this only anyways

And then above this all we can utilise winget to uninstall Microsoft teams or edge and stuff

0rdinant commented 2 years ago

Recommending things, like Windows Enterprise, that are not legally available for consumers, is probably not a good idea for privacy or security. Bootleg software is pretty notorious for malware.

To add to what @xibeifenghenhaohe was saying, many students are able to get Education Edition (almost identical to enterprise) for free.

IkelAtomig commented 2 years ago

I would recommend using BulkCrap Uninstaller for uninstalling things such as Cortana and Many UWP apps.

dngray commented 2 years ago

There is some good material here https://github.com/beerisgood/Windows11_Hardening

We should see if @beerisgood would like to contribute to this page. I know they used to hang around old PTIO back in the day.

beerisgood commented 2 years ago

Thanks for the link to my repository 🍺 Also see https://github.com/beerisgood/Windows11_Privacy

However, I have no interest in working on this or other PTIO project(s).

ghost commented 2 years ago

https://www.ghacks.net/2022/03/28/windows-defender-vulnerable-driver-blocklist-protects-against-malicious-or-exploitable-drivers/ mention this as well

IkelAtomig commented 2 years ago

https://www.windowslatest.com/2022/03/30/windows-11-to-get-smart-clipboard-and-actions-features/ - Need to cut off Telemetry and Internet Connection of Clipboard.

IkelAtomig commented 2 years ago

When using with an MS Account, Windows recommends you to use Device Encryption, which is nothing but BitLocker but with encryption keys linked to the MS account. Be careful to note that. Say a proper way to use BitLocker encryption in the guide.

IkelAtomig commented 2 years ago

Consider using this tool : https://www.ghacks.net/2022/04/09/bloatware-removal-tool-remove-pre-installed-windows-applications-and-more/ for removing Bloatware

jonaharagon commented 2 years ago

We currently don't have any Windows-specific recommendations at the moment. @dngray are we interested in re-introducing this page, or can this issue be closed?

IkelAtomig commented 2 years ago

@jonaharagon Seriously!? Only Linux Fanboys can have Privacy, not Windows?

I know you are writing for MacOS. But you should consider Windows too.

Privacy Guides is actually to give advice for People on Privacy.

The thing is, AFAIK, dngray does not have Windows. So, he ain't testing it out.

You can ask for Windows users to contribute.

elitejake commented 2 years ago

Microsoft Windows still has a significant market share and is the dominant desktop OS (73% of the desktop market)^1. IMO, creating a Windows page should be high on our list.

elitejake commented 2 years ago

It is also evident from the website statistics that most visitors use Windows OS.

pm4rcin commented 2 years ago

It is also evident from the website statistics that most visitors use Windows OS.

I guess that it uses user agent for OS detection which is not reliable since people here probably spoof it.

IkelAtomig commented 2 years ago

Recommend using TPM + Pin on Boot to prevent Cold boot attacks.

More Context - https://blog.elcomsoft.com/2021/01/understanding-bitlocker-tpm-protection/

Also here - https://www.kapilarya.com/enable-bitlocker-pin-in-windows-11 (Guide for How to Set it up)

IkelAtomig commented 2 years ago

I think that this Guide should be focused on Windows 11 mainly not 'Only' as Windows 10 will be discontinued in 3yrs. Though there are no differences between them just UI. A suggestion though.

IkelAtomig commented 2 years ago

Configure TPM + PIN as below in Group Policy.

image

cryptocat8 commented 2 years ago

Very important reference according to me: https://www.makeuseof.com/windows-10-11-disable-telemetry/

dngray commented 2 years ago

  • you can't change your default browser (Edge will always stay as the default). You can, however, install other web browsers

So had another look at S-Mode today, and found this article from 2 June 2022.

Another limitation it puts on the user includes the web browser. Windows 11 S mode makes Microsoft Edge the default browser on your system. Now, here’s how it differs from Windows 10 S. In Windows 10 S, you cannot install any browser other than Microsoft Edge. Windows 11 provides some leeway in this area.

You can install other browsers, like Chrome and Firefox as long as they’re available in the Microsoft Store, on your Windows 11 S device. But, and that’s a big but, you cannot make any of them your default browser. Edge safely takes up that mantle; it will always be your default browser, come what may.

If we do mention it, it's worth mentioning that it is not available for Windows 11 Professional.

Windows 11 in S mode is only available in the Windows 11 Home edition. If you have the Pro, Enterprise, or Education editions of Windows 10 in S mode, Windows Update will not offer Windows 11 because S mode is not available in those editions of Windows 11. Therefore, if you have the Pro, Enterprise or Education editions of Windows 10 in S mode, you'll need to switch out of S mode to upgrade to Windows 11.

This will likely change in the future:

The upgrade rollout for Windows 11 begins in October 2021 and will continue into 2022. Specific timing will vary by device. After the upgrade has been tested and validated for your specific PC, Windows Update will indicate that it's ready for installation.

Maybe we'd like to write a guide for a simple SRP policy, or a more advanced guide with WDAC/AppLocker.

sith-on-mars commented 2 years ago

What about W10 Privacy that was previously recommended by Privacytools?

ghost commented 2 years ago

The r/piracy section regarding windows might be useful.

ghost commented 2 years ago

As discussed in the macOS privacy and security guide, thoughts on having a separate admin and standard user account for windows?

IkelAtomig commented 2 years ago

It will also be added. I might update the PR this weekend.

privacyguides-bot commented 2 years ago

This issue has been mentioned on Privacy Guides. There might be relevant details there:

https://discuss.privacyguides.org/t/remove-bitlocker-as-windows-fde-recommendation/237/7

dngray commented 2 years ago

Some other associated links that might be worth including in the text where we explain things:

dngray commented 1 year ago

Some other things we might want to discuss:

By default BitLocker is 128-bit, so for 256 there is this GUI method: https://www.maketecheasier.com/set-bitlocker-encryption-aes-256/

There is this registry method:

cmd /c reg.exe add HKLM\SOFTWARE\Policies\Microsoft\FVE /v EncryptionMethod /t REG_DWORD /d 7 /f

I'd prefer to specify it with Group Policy command and not mess with registry. https://docs.microsoft.com/en-us/archive/blogs/dubaisec/bitlocker-aes-xts-new-encryption-type
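
Added example (not from any participant in this thread): a PowerShell audit that ties together the TPM + PIN suggestion earlier in the thread and the 256-bit setting above, by comparing the policy under the FVE key with what the OS volume is actually using. The function name is hypothetical; besides the `EncryptionMethod` value from the command above, it reads the `EncryptionMethodWithXtsOs`, `UseAdvancedStartup` and `UseTPMPIN` values that the BitLocker Group Policy settings write to the same key.

```powershell
#Requires -RunAsAdministrator
# Added example: compare BitLocker policy with the actual state of the OS volume.
function Get-BitLockerPosture {
    param([string]$MountPoint = $env:SystemDrive)

    # Policy DWORD values and the method names Get-BitLockerVolume reports.
    $methodNames = @{ 3 = 'Aes128'; 4 = 'Aes256'; 6 = 'XtsAes128'; 7 = 'XtsAes256' }

    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    # Windows 10 1511+ Group Policy writes EncryptionMethodWithXtsOs for OS drives;
    # the reg.exe command in the thread writes the older EncryptionMethod value.
    $policyRaw = if ($null -ne $fve.EncryptionMethodWithXtsOs) {
        $fve.EncryptionMethodWithXtsOs
    } else {
        $fve.EncryptionMethod
    }
    $policyMethod = if ($null -ne $policyRaw) { $methodNames[[int]$policyRaw] } else { $null }
    $actualMethod = [string]$vol.EncryptionMethod
    $protectors   = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })

    [pscustomobject]@{
        MountPoint        = $vol.MountPoint
        VolumeStatus      = $vol.VolumeStatus
        ActualMethod      = $actualMethod
        PolicyMethod      = $policyMethod
        # The policy only applies to volumes encrypted after it was set; an
        # existing volume keeps its method until decrypted and re-encrypted.
        NeedsReEncryption = [bool]($policyMethod -and $actualMethod -ne 'None' -and
                                   $actualMethod -ne $policyMethod)
        Protectors        = $protectors -join ', '
        HasTpmPin         = $protectors -contains 'TpmPin'
        TpmOnly           = ($protectors -contains 'Tpm') -and
                            -not ($protectors -contains 'TpmPin')
        PolicyRequiresPin = ($fve.UseAdvancedStartup -eq 1 -and $fve.UseTPMPIN -eq 1)
    }
}

Get-BitLockerPosture | Format-List
```

A `TpmOnly` result of `True` means the volume unlocks at boot without a PIN, and `NeedsReEncryption` flags a drive that was encrypted before the 256-bit policy took effect.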

dngray commented 1 year ago

We should also remind people not to back up their encryption keys to the Microsoft cloud etc., that this can be used for recovery and should be considered very carefully.

efb4f5ff-1298-471a-8973-3d47447115dc commented 1 year ago

Corrections for #1659

line 14: criticised > criticized
line 26: having > Having
line 32: systemf > system
line 32: Telemtry > Telemetry
line 40: Bitlocker > BitLocker 2x
line 68: in the website > on the website

IkelAtomig commented 1 year ago

@efb4f5ff-1298-471a-8973-3d47447115dc Thanks !

IkelAtomig commented 1 year ago

Please read - https://discuss.privacyguides.net/t/windows-guide/250/79?u=ikel

IkelAtomig commented 1 year ago

https://gabrielsieben.tech/2023/01/02/debloating-windows-10-with-one-command-and-no-scripts/