How to block in Windows10 Telemetry with pfsense

robi

A centralized solution would be best.

Agree, but that would be very hard to accomplish, because at a central location, it will be very hard to distinguish between useful traffic and and Microsoft telemetry traffic.
I guess they were smart enough to bypass simple firewall rules by frequently changing CDN IPs and addresses.

And local solutions installed on Windows 10s themselves are not trustful.

So, the only real solution is to either:
a) don't upgrade to Windows 10
b) switch over to something else

Of course the fact that all this telemetry was deployed to Win7 and Win8 engraves the situation. Hopefully it can be uninstalled somehow.

robi

@n3by:

Do you have that w7 w8.1 update nr ?

http://www.infoworld.com/article/2911609/operating-systems/kb-2952664-compatibility-update-for-win7-triggers-unexpected-daily-telemetry-run-may-be-snooping.html
https://www.reddit.com/r/pcmasterrace/comments/3g7hr0/removing_telemetry_from_windows_7_and_8x/

KOM

Thank God I already switched my machines to Linux.

I've been contemplating that for 10+ years, but there was always a reliance on special software that I couldn't get for Linux. Now that I don't do a lot of desktop stuff at home anymore, I'm thinking now might be the time to dump Win10 and go with Mint Cinnamon.

robi

You can find equivalent programs under Linux for most of the daily tasks. No to little effort is required to switch over.
There could be though very special industrial apps which were made for Windows-only, that's true. But for the regular home user, Linux is a perfect alternative.

KOM

I've been adminning Linux boxes for more than a decade so I'm generally aware of what's available. For me, the showstoppers were always a decent money-management app (eg. Quicken, MS Money), a good Usenet browser (eg. Newsleecher, Forte Agent) and a decent RSS reader (eg. Feeddemon, QuiteRSS). Nowadays I don't use a money app, Usenet indexers have removed the need for an NNTP browser, and there are several decent RSS readers for Linux. I really should have thought of this 2 weeks ago before I spent a weekend doing the Windows 10 thing.

foresthus

@KOM:

A centralized solution would be best. If you're going to go local, why not just use one of the many utils already out there?

http://www.oo-software.com/en/shutup10

http://pxc-coding.com/portfolio/donotspy10/

Do not use that, you cannot go back without using a " restore point".

n3by

have a look here:

https://github.com/WindowsLies/BlockWindows

http://www.ghacks.net/2015/08/28/microsoft-intensifies-data-collection-on-windows-7-and-8-systems/

KOM

Do not use that, you cannot go back without using a " restore point".

ShutUp10 will prompt you to let it create one before it applies its changes. I didn't bother as I can't see any scenario where I would need to undo that stuff.

Sea Monkey

Please forgive me. I'm a bit of a noob. Do these look right?

![allow update.PNG](/public/imported_attachments/1/allow update.PNG)
![allow update.PNG_thumb](/public/imported_attachments/1/allow update.PNG_thumb)
![block telemetry.PNG](/public/imported_attachments/1/block telemetry.PNG)
![block telemetry.PNG_thumb](/public/imported_attachments/1/block telemetry.PNG_thumb)

n3by

yes it looks ok.

KOM

Your pass rule isn't required unless you've really locked down your LAN. By default, LAN has full access out to everywhere.

n3by

yes it is required because other way update destinations will be blocked from Blocked rule that have these destinations included in case you don't want to allow update.

KOM

yes it is required because other way update destinations will be blocked from Blocked rule that have these destinations included in case you don't want to allow update.

Huh? Windows Update domains shouldn't be included in your telemetry alias.

n3by

some people want to block everyhing because MS can deliver an "security update" that will install telemetry and also use update hosts to get data from computer so this way is better, at least for me to have updates (allow only updates-block everything).

KOM

I still don't see how this is a good solution. Are you literally whitelisting every destination address you want access to and blocking everything else on the Internet? Because MS can spin up a zillion new domains on a whim.

n3by

MS can do whatever they want, but they must be able to make your computer to talk with any new domains ( and they can do this only with an allowed to install update ).
If now you block the telemetry C&C servers, there is no other way your computer will know to talk with new domains until you will install that update.

This is what we have for now, if we have another better way please elaborate ( except unplug the cable, stop using MS OS… ).

robi

@n3by:

yes it looks ok.

It's not ok as per your description, because it's a pass rule, not a block rule.

robi

@KOM:

yes it is required because other way update destinations will be blocked from Blocked rule that have these destinations included in case you don't want to allow update.

Huh? Windows Update domains shouldn't be included in your telemetry alias.

Which are the Windows Update domains, btw?

I found these:

windowsupdate.microsoft.com	 
update.microsoft.com	 
windowsupdate.com	 
download.windowsupdate.com	 
wustat.windows.com	 
ntservicepack.microsoft.com

Are there any others?

Sea Monkey

@robi:

@n3by:

yes it looks ok.

It's not ok as per your description, because it's a pass rule, not a block rule.

It's two rules.

Harvy66

Setup a WSUS server, whitelist that to talk to Microsoft, and block all clients?

I'm torn between Linux and FreeBSD. Linux has better Steam support, but a lot of stuff is being done in FreeBSD to increase comparability. ZFS and Jails are very attractive, even on a desktop.