Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    How to block in Windows10 Telemetry with pfsense

    Firewalling
    19
    80
    43038
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • F
      foresthus last edited by

      Hi there,

      I would like to do more than editing the regsitry in Windows to block the funktion telemetry. Is it possible to block it in pfblocker, squidguard or native with firewall rules? The aim is that the updates should still work.

      In the regedit you can navigate to "HKEY_LOCAL_MACHINE \ SOFTWARE \ Policies \ Microsoft \ Windows \ Data Collection" and create by right-clicking a file DWORD (32-bit). Rename it to "AllowTelemetry". The value must be set to "0" (normally this is done automatically).

      Another idea is to block cloud-server to microsoft an d those to https://www.iblocklist.com/.

      Any ideas?

      1 Reply Last reply Reply Quote 0
      • N
        n3by last edited by

        Hi,
        try this:

        make an alias to allow MS_update with this:

        download.windowsupdate.com	-w7 xp
        update.microsoft.com	- w7 xp
        sls.update.microsoft.com.akadns.net	- w8.1
        vortex.data.microsoft.com	- w8.1
        vortex-win.data.microsoft.com	- w8.1
        fe2.update.microsoft.com.akadns.net	- w8.1
        statsfe2.update.microsoft.com.akadns.net	-w8.1 not required at the moment ?
        

        make another alias to block MS_telemetry with this:

        vortex.data.microsoft.com
        vortex-win.data.microsoft.com
        telecommand.telemetry.microsoft.com
        telecommand.telemetry.microsoft.com.nsatc.net
        oca.telemetry.microsoft.com
        oca.telemetry.microsoft.com.nsatc.net
        sqm.telemetry.microsoft.com
        sqm.telemetry.microsoft.com.nsatc.net
        watson.telemetry.microsoft.com
        watson.telemetry.microsoft.com.nsatc.net
        redir.metaservices.microsoft.com
        choice.microsoft.com
        choice.microsoft.com.nsatc.net
        df.telemetry.microsoft.com
        reports.wes.df.telemetry.microsoft.com
        wes.df.telemetry.microsoft.com
        services.wes.df.telemetry.microsoft.com
        sqm.df.telemetry.microsoft.com
        telemetry.microsoft.com
        watson.ppe.telemetry.microsoft.com
        telemetry.appex.bing.net
        telemetry.urs.microsoft.com
        telemetry.appex.bing.net:443
        settings-sandbox.data.microsoft.com
        vortex-sandbox.data.microsoft.com
        survey.watson.microsoft.com
        watson.live.com
        watson.microsoft.com
        statsfe2.ws.microsoft.com
        corpext.msitadfs.glbdns2.microsoft.com
        compatexchange.cloudapp.net
        cs1.wpc.v0cdn.net
        a-0001.a-msedge.net
        statsfe2.update.microsoft.com.akadns.net
        sls.update.microsoft.com.akadns.net
        fe2.update.microsoft.com.akadns.net
        diagnostics.support.microsoft.com
        corp.sts.microsoft.com
        statsfe1.ws.microsoft.com
        pre.footprintpredict.com
        i1.services.social.microsoft.com
        i1.services.social.microsoft.com.nsatc.net
        feedback.windows.com
        feedback.microsoft-hohm.com
        feedback.search.microsoft.com
        rad.msn.com
        preview.msn.com
        ad.doubleclick.net
        ads.msn.com
        ads1.msads.net
        ads1.msn.com
        a.ads1.msn.com
        a.ads2.msn.com
        adnexus.net
        adnxs.com
        az361816.vo.msecnd.net
        az512334.vo.msecnd.net
        vortex-bn2.metron.live.com.nsatc.net
        vortex-cy2.metron.live.com.nsatc.net
        dmd.metaservices.microsoft.com
        

        add appropriate rules at firewall to allow the MS_update and after that rule to block the MS_telemetry.

        feel free to experiment and add another domains if you have… in case you want to block all MS just disable the MS_update rule.

        1 Reply Last reply Reply Quote 0
        • F
          foresthus last edited by

          Hi,

          thnx 4 the quick response. Where did u get all the urls from?

          1 Reply Last reply Reply Quote 0
          • N
            n3by last edited by

            from here and from traffic logs:
            http://pastebin.com/ULJjVM7w

            edit:

            here it is an updated list
            http://www.pcsympathy.com/

            1 Reply Last reply Reply Quote 0
            • F
              foresthus last edited by

              Thank you very much.

              1 Reply Last reply Reply Quote 0
              • C
                cyberbot last edited by

                @foresthus:

                Thank you very much.

                telemtry uses a million links
                Blocking those won't rely block it
                I have created some powershell to disable this .

                1 Reply Last reply Reply Quote 0
                • F
                  foresthus last edited by

                  Hi there,

                  and do you show us all this script?

                  1 Reply Last reply Reply Quote 0
                  • KOM
                    KOM last edited by

                    A centralized solution would be best.  If you're going to go local, why not just use one of the many utils already out there?

                    http://www.oo-software.com/en/shutup10

                    http://pxc-coding.com/portfolio/donotspy10/

                    1 Reply Last reply Reply Quote 0
                    • BBcan177
                      BBcan177 Moderator last edited by

                      http://thehackernews.com/2015/08/windows-10-privacy-spying.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TheHackersNews+%28The+Hackers+News+-+Security+Blog%29

                      http://thehackernews.com/2015/08/windows-10-disables-pirated-games-microsoft.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TheHackersNews+%28The+Hackers+News+-+Security+Blog%29

                      "Experience is something you don't get until just after you need it."

                      Website: http://pfBlockerNG.com
                      Twitter: @BBcan177  #pfBlockerNG
                      Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                      1 Reply Last reply Reply Quote 0
                      • R
                        robi last edited by

                        Well, looking at the news, I decided to simply not upgrade my Win7 to the free Win10.
                        Instead, I'm starting to evaluate seriously using a Linux distro as a desktop OS. Ubuntu-MATE is a really good candidate given that the user interface can be easily customized to look similar to Windows (just as Linux Mint too).

                        1 Reply Last reply Reply Quote 0
                        • F
                          foresthus last edited by

                          @cyberbot:

                          @foresthus:

                          Thank you very much.

                          telemtry uses a million links
                          Blocking those won't rely block it
                          I have created some powershell to disable this .

                          Hi there,

                          Still waiting for the script. Will it be posted?

                          1 Reply Last reply Reply Quote 0
                          • F
                            foresthus last edited by

                            @robi:

                            Well, looking at the news, I decided to simply not upgrade my Win7 to the free Win10.
                            Instead, I'm starting to evaluate seriously using a Linux distro as a desktop OS. Ubuntu-MATE is a really good candidate given that the user interface can be easily customized to look similar to Windows (just as Linux Mint too).

                            Hi,

                            do u really think, that win7 or above are not connecting to MS? LOL
                            You mentioned to stay close to win7. That is OK 4 me, but a solution to the problem that ms-infos of your station might be send to ms or even other companies working with ms together is still present. There I would test your workstation, with a firewall before, what traffic is going to which URL or ip.

                            The best solution is say farewell 2 your ms-system and switch over to linux.

                            It just an idea  ;) Do not 4get that the whole world wants 2 go to cloudservices (not only ms)

                            cu

                            1 Reply Last reply Reply Quote 0
                            • KOM
                              KOM last edited by

                              I decided to simply not upgrade my Win7

                              All the same telemetry shit was added to 7, 8 and 8.1 in a recent Windows Update.

                              1 Reply Last reply Reply Quote 0
                              • N
                                n3by last edited by

                                Do you have that w7 w8.1 update nr ?

                                If is not marked as security then can be uninstalled if by mistake somebody installed.

                                1 Reply Last reply Reply Quote 0
                                • R
                                  robi last edited by

                                  Thank God I already switched my machines to Linux.
                                  To be really honest, I really don't see any difference while using it. I was perfectly able to switch over all my workflows to Ubuntu Mate.

                                  Win7 is still there "dormant" on the disk as the installs are dual-boot at the moment, but if I'll be able to sustain the Linux desktop the way it is, absolutely frustrationless for about 2-3 months, I'll be surely deleting the Windows partition to reclaim the space.

                                  1 Reply Last reply Reply Quote 0
                                  • R
                                    robi last edited by

                                    @KOM:

                                    A centralized solution would be best.

                                    Agree, but that would be very hard to accomplish, because at a central location, it will be very hard to distinguish between useful traffic and and Microsoft telemetry traffic.
                                    I guess they were smart enough to bypass simple firewall rules by frequently changing CDN IPs and addresses.

                                    And local solutions installed on Windows 10s themselves are not trustful.

                                    So, the only real solution is to either:
                                    a) don't upgrade to Windows 10
                                    b) switch over to something else

                                    Of course the fact that all this telemetry was deployed to Win7 and Win8 engraves the situation. Hopefully it can be uninstalled somehow.

                                    1 Reply Last reply Reply Quote 0
                                    • R
                                      robi last edited by

                                      @n3by:

                                      Do you have that w7 w8.1 update nr ?

                                      http://www.infoworld.com/article/2911609/operating-systems/kb-2952664-compatibility-update-for-win7-triggers-unexpected-daily-telemetry-run-may-be-snooping.html
                                      https://www.reddit.com/r/pcmasterrace/comments/3g7hr0/removing_telemetry_from_windows_7_and_8x/

                                      1 Reply Last reply Reply Quote 0
                                      • KOM
                                        KOM last edited by

                                        Thank God I already switched my machines to Linux.

                                        I've been contemplating that for 10+ years, but there was always a reliance on special software that I couldn't get for Linux.  Now that I don't do a lot of desktop stuff at home anymore, I'm thinking now might be the time to dump Win10 and go with Mint Cinnamon.

                                        1 Reply Last reply Reply Quote 0
                                        • R
                                          robi last edited by

                                          You can find equivalent programs under Linux for most of the daily tasks. No to little effort is required to switch over.
                                          There could be though very special industrial apps which were made for Windows-only, that's true. But for the regular home user, Linux is a perfect alternative.

                                          1 Reply Last reply Reply Quote 0
                                          • KOM
                                            KOM last edited by

                                            I've been adminning Linux boxes for more than a decade so I'm generally aware of what's available.  For me, the showstoppers were always a decent money-management app (eg. Quicken, MS Money), a good Usenet browser (eg. Newsleecher, Forte Agent) and a decent RSS reader (eg. Feeddemon, QuiteRSS).  Nowadays I don't use a money app, Usenet indexers have removed the need for an NNTP browser, and there are several decent RSS readers for Linux.  I really should have thought of this 2 weeks ago before I spent a weekend doing the Windows 10 thing.

                                            1 Reply Last reply Reply Quote 0
                                            • F
                                              foresthus last edited by

                                              @KOM:

                                              A centralized solution would be best.  If you're going to go local, why not just use one of the many utils already out there?

                                              http://www.oo-software.com/en/shutup10

                                              http://pxc-coding.com/portfolio/donotspy10/

                                              Do not use that, you cannot go back without using a " restore point".

                                              1 Reply Last reply Reply Quote 0
                                              • N
                                                n3by last edited by

                                                have a look here:

                                                https://github.com/WindowsLies/BlockWindows

                                                http://www.ghacks.net/2015/08/28/microsoft-intensifies-data-collection-on-windows-7-and-8-systems/

                                                1 Reply Last reply Reply Quote 0
                                                • KOM
                                                  KOM last edited by

                                                  Do not use that, you cannot go back without using a "  restore point".

                                                  ShutUp10 will prompt you to let it create one before it applies its changes.  I didn't bother as I can't see any scenario where I would need to undo that stuff.

                                                  1 Reply Last reply Reply Quote 0
                                                  • S
                                                    Sea Monkey last edited by

                                                    Please forgive me.  I'm a bit of a noob.  Do these look right?

                                                    ![allow update.PNG](/public/imported_attachments/1/allow update.PNG)
                                                    ![allow update.PNG_thumb](/public/imported_attachments/1/allow update.PNG_thumb)
                                                    ![block telemetry.PNG](/public/imported_attachments/1/block telemetry.PNG)
                                                    ![block telemetry.PNG_thumb](/public/imported_attachments/1/block telemetry.PNG_thumb)

                                                    1 Reply Last reply Reply Quote 0
                                                    • N
                                                      n3by last edited by

                                                      yes it looks ok.

                                                      1 Reply Last reply Reply Quote 0
                                                      • KOM
                                                        KOM last edited by

                                                        Your pass rule isn't required unless you've really locked down your LAN.  By default, LAN has full access out to everywhere.

                                                        1 Reply Last reply Reply Quote 0
                                                        • N
                                                          n3by last edited by

                                                          yes it is required because other way update destinations will be blocked from Blocked rule that have these destinations included in case you don't want to allow update.

                                                          1 Reply Last reply Reply Quote 0
                                                          • KOM
                                                            KOM last edited by

                                                            yes it is required because other way update destinations will be blocked from Blocked rule that have these destinations included in case you don't want to allow update.

                                                            Huh?  Windows Update domains shouldn't be included in your telemetry alias.

                                                            1 Reply Last reply Reply Quote 0
                                                            • N
                                                              n3by last edited by

                                                              some people want to block everyhing because MS can deliver an "security update" that will install telemetry and also use update hosts to get data from computer so this way is better, at least for me to have updates (allow only updates-block everything).

                                                              1 Reply Last reply Reply Quote 0
                                                              • KOM
                                                                KOM last edited by

                                                                I still don't see how this is a good solution.  Are you literally whitelisting every destination address you want access to and blocking everything else on the Internet?  Because MS can spin up a zillion new domains on a whim.

                                                                1 Reply Last reply Reply Quote 0
                                                                • N
                                                                  n3by last edited by

                                                                  MS can do whatever they want, but they must be able to make your computer to talk with any new domains ( and they can do this only with an allowed to install update ).
                                                                  If now you block the telemetry C&C servers, there is no other way your computer will know to talk with new domains until you will install that update.

                                                                  This is what we have for now, if we have another better way please elaborate ( except unplug the cable, stop using MS OS… ).

                                                                  1 Reply Last reply Reply Quote 0
                                                                  • R
                                                                    robi last edited by

                                                                    @n3by:

                                                                    yes it looks ok.

                                                                    It's not ok as per your description, because it's a pass rule, not a block rule.

                                                                    1 Reply Last reply Reply Quote 0
                                                                    • R
                                                                      robi last edited by

                                                                      @KOM:

                                                                      yes it is required because other way update destinations will be blocked from Blocked rule that have these destinations included in case you don't want to allow update.

                                                                      Huh?  Windows Update domains shouldn't be included in your telemetry alias.

                                                                      Which are the Windows Update domains, btw?

                                                                      I found these:

                                                                      windowsupdate.microsoft.com	 
                                                                      update.microsoft.com	 
                                                                      windowsupdate.com	 
                                                                      download.windowsupdate.com	 
                                                                      wustat.windows.com	 
                                                                      ntservicepack.microsoft.com	 
                                                                      

                                                                      Are there any others?

                                                                      1 Reply Last reply Reply Quote 0
                                                                      • S
                                                                        Sea Monkey last edited by

                                                                        @robi:

                                                                        @n3by:

                                                                        yes it looks ok.

                                                                        It's not ok as per your description, because it's a pass rule, not a block rule.

                                                                        It's two rules.

                                                                        1 Reply Last reply Reply Quote 0
                                                                        • H
                                                                          Harvy66 last edited by

                                                                          Setup a WSUS server, whitelist that to talk to Microsoft, and block all clients?

                                                                          I'm torn between Linux and FreeBSD. Linux has better Steam support, but a lot of stuff is being done in FreeBSD to increase comparability. ZFS and Jails are very attractive, even on a desktop.

                                                                          1 Reply Last reply Reply Quote 0
                                                                          • 2
                                                                            2chemlud Banned last edited by

                                                                            Whenever I have the choice, M$-shyt has been replaced by opensuse or PC-BSD (the later has a steeper learning curve and is not so well supported, but is free of systemd). Big plus: you can both run with KDE desktop, which made it much easier to switch between these two, and btw the handling is not sooo far away from Windows xp/7…

                                                                            1 Reply Last reply Reply Quote 0
                                                                            • 2
                                                                              2chemlud Banned last edited by

                                                                              PS: Here

                                                                              http://techne.alaya.net/?p=12499

                                                                              you can find a long list of IPs and host names to block for Windows telemetry.

                                                                              1 Reply Last reply Reply Quote 0
                                                                              • 2
                                                                                2chemlud Banned last edited by

                                                                                …just for the record:

                                                                                I uninstalled on Win 7 pro 64/32 (various computers) the following KBs:

                                                                                97 1033
                                                                                290 2907
                                                                                295 2664
                                                                                299 0214
                                                                                302 1917
                                                                                302 2345
                                                                                303 5583
                                                                                304 4374
                                                                                305 0265
                                                                                306 2345
                                                                                306 5987
                                                                                306 8708
                                                                                307 5249
                                                                                307 5851
                                                                                308 0149
                                                                                308 3325

                                                                                and in addition I set up a block rule with loggin for an alias containing all the IPs and host names listed here

                                                                                http://techne.alaya.net/?p=12499

                                                                                As you might expect, the firewall log is full of blocked "MS telemetry" this morning.

                                                                                1 Reply Last reply Reply Quote 0
                                                                                • 2
                                                                                  2chemlud Banned last edited by

                                                                                  …just to add:

                                                                                  Had my PC-BSD 10 PC up today for updating. Really amazing, I found in the firewall logs repeated access of this computer to an IP blocked for MS Telemetry.

                                                                                  WHAT has PC-BSD with MS-Telemetry in common? Or is it more correctly NSA telemetry featured by Microshyte?

                                                                                  I'm surprised!

                                                                                  ![BSD to MS 07.12.2015.JPG](/public/imported_attachments/1/BSD to MS 07.12.2015.JPG)
                                                                                  ![BSD to MS 07.12.2015.JPG_thumb](/public/imported_attachments/1/BSD to MS 07.12.2015.JPG_thumb)

                                                                                  1 Reply Last reply Reply Quote 0
                                                                                  • KOM
                                                                                    KOM last edited by

                                                                                    That IP address is a-msedge.net and it takes you to Bing.

                                                                                    1 Reply Last reply Reply Quote 0
                                                                                    • First post
                                                                                      Last post