How to lock down Windows 10

New Windows 10 installation.
I’ve uninstalled Cortana, OneDrive, etc. Have disabled lots of services including updates. Disabled lots of scheduled tasks. Ran various scripts (like DisableWin10tracking). And use a good Norton firewall to block pretty much every program except svchost and Firefox.

Thought all good now.
Then I installed Wireshark and was amazed at the amount of traffic, just after booting up.
So much still going on, including downloading mysterious images from Akamai addresses which do not work going through a browser! That freaked me out: images of what, exactly, are they downloading onto my computer?

I installed Glasswire and now I can see a list of the sites visited.

Some questions, if anyone knows and can help:

  1. Has anyone successfully secured Windows 10, so it doesn’t communicate with Microsoft/etc.? (Actually verified on Wireshark, not just switching off 100 settings like me and thinking all is good.)

  2. Do you know of any external hardware firewall that you can recommend? I don’t trust any firewall running on windows, I read that even the hosts file is circumvented/ignored by Microsoft, and that Microsoft goes straight to IP addresses not necessarily using domains.

Kind Regards,
Michael.
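As an added example (not code from the original post or from GlassWire), the following PowerShell function attributes each established outbound TCP connection to the process that owns it, which is the step between "Wireshark shows traffic to an Akamai address" and knowing which binary is responsible. It assumes Windows 10 with the built-in NetTCPIP module; `Get-OutboundConnectionOwners` and its `-ResolveNames` switch are names introduced here, and the prefix list is a constructed sample.

```powershell
# Added example: attribute established outbound TCP connections to processes.
# Assumes Windows 10 PowerShell 5.1+ with the built-in NetTCPIP module.
# The function name and the -ResolveNames switch are introduced here.

function Get-OutboundConnectionOwners {
    [CmdletBinding()]
    param(
        # Remote address prefixes that are not interesting (loopback, link-local,
        # RFC 1918; the 172.16. entry is deliberately approximate)
        [string[]]$IgnorePrefixes = @('127.', '::1', 'fe80:', '10.', '192.168.', '172.16.'),
        # Reverse-resolve remote IPs so CDN hosts (Akamai, Microsoft) are recognisable; slow
        [switch]$ResolveNames
    )

    # Snapshot processes once rather than calling Get-Process per connection
    $procs = @{}
    foreach ($p in Get-Process) { $procs[$p.Id] = $p }

    $connections = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object {
            $remote = $_.RemoteAddress
            $ignored = $false
            foreach ($prefix in $IgnorePrefixes) {
                if ($remote.StartsWith($prefix)) { $ignored = $true; break }
            }
            -not $ignored
        }

    foreach ($c in $connections) {
        $owner = $procs[[int]$c.OwningProcess]
        $name = ''
        if ($ResolveNames) {
            try   { $name = [System.Net.Dns]::GetHostEntry($c.RemoteAddress).HostName }
            catch { $name = '<no PTR>' }
        }
        [pscustomobject]@{
            RemoteAddress = $c.RemoteAddress
            RemotePort    = $c.RemotePort
            OwningPID     = $c.OwningProcess
            Process       = if ($owner) { $owner.ProcessName } else { '<exited>' }
            # Path is $null for protected/system processes unless run elevated
            Path          = if ($owner) { $owner.Path } else { $null }
            ReverseName   = $name
        }
    }
}

# Usage: one row per connection, grouped by process.
Get-OutboundConnectionOwners -ResolveNames | Sort-Object Process, RemoteAddress | Format-Table -AutoSize
```

Run it from an elevated prompt, otherwise the Path column is empty for system processes. Connections owned by svchost.exe need one more step, because a single svchost PID hosts several services: `tasklist /svc /fi "PID eq <pid>"` lists which services run inside that PID, and that is the granularity at which a decision to block or leave alone should be made.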

Here is an older article on how to lock down Windows 10.
https://blog.glasswire.com/2015/09/15/165/

With the Pro version of Windows 10 there are some settings you can change. Since we wrote this blog post the GDPR came into effect and Microsoft made privacy improvements.

Here is an article I found that is pretty up to date https://docs.microsoft.com/en-us/windows/privacy/gdpr-it-guidance. Scroll down to find recommended settings to disable telemetry.

I hope it helps!

Be careful not to disable Windows Defender so it can’t update.

1 Like
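As an added example (not from the original post, the linked articles, or GlassWire), here is a PowerShell audit of the three settings this thread keeps returning to: the telemetry policy level, whether Windows Defender is still running with current signatures, and whether the Windows Update service can still start. It assumes Windows 10 Pro; `Get-LockdownAudit` is a name introduced here. The telemetry value meanings follow the Microsoft policy documentation, where 0 is only honoured on Enterprise, Education and Server editions.

```powershell
# Added example: audit telemetry policy, Defender state and Windows Update
# on Windows 10 Pro. Get-LockdownAudit is a name introduced here.

function Get-LockdownAudit {
    [CmdletBinding()]
    param()

    # Policy value set by Group Policy or directly in the registry; when the value
    # is absent the policy is "not configured" and the user-facing Diagnostic Data
    # setting applies instead.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
    $telemetry = (Get-ItemProperty -Path $policyKey -Name AllowTelemetry -ErrorAction SilentlyContinue).AllowTelemetry
    $telemetryLabel = switch ($telemetry) {
        0       { 'Security (honoured only on Enterprise/Education/Server)' }
        1       { 'Basic / Required' }
        2       { 'Enhanced' }
        3       { 'Full / Optional' }
        default { 'not configured by policy' }
    }

    # Defender: a disabled engine with stale signatures is the failure mode the
    # post above warns about.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $defender = if ($mp) {
        [pscustomobject]@{
            EngineRunning        = $mp.AMServiceEnabled
            RealTimeProtection   = $mp.RealTimeProtectionEnabled
            SignatureAgeDays     = $mp.AntivirusSignatureAge
            SignaturesLastUpdate = $mp.AntivirusSignatureLastUpdated
        }
    } else {
        'Defender cmdlets unavailable (module missing or Defender removed)'
    }

    # Windows Update service: a 'Disabled' start type means no updates at all,
    # including Defender signature updates delivered through Windows Update.
    $wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue

    [pscustomobject]@{
        TelemetryPolicyValue = $telemetry
        TelemetryPolicyLevel = $telemetryLabel
        Defender             = $defender
        WindowsUpdateStatus  = if ($wu) { $wu.Status }    else { 'service missing' }
        WindowsUpdateStart   = if ($wu) { $wu.StartType } else { 'service missing' }
    }
}

Get-LockdownAudit | Format-List
```

Running this before and after a round of "lockdown" changes makes the trade-off visible: the telemetry line shows what the policy actually achieved, while a Defender signature age that keeps growing, or a Windows Update service stuck at Disabled, shows what the same changes cost.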

Hi Servo_GlassWire,

Thank you, but I have done 10 times more than that already.
And of course I disabled “Defender”, Windows Search, Cortana, etc., etc.
I don’t think you actually read what I wrote, just the subject.

I read your post. The GDPR is very strict on data usage rules so I thought perhaps the article would be useful for you on ways to restrict your data. Sorry if I misunderstood.

I do not recommend disabling Windows Defender unless you are using another separate antivirus.

Agree with Servo. You should never disable any Microsoft services. True IT experts would know this. Also, leave Windows Defender enabled; it was recently one of the top antivirus products. You don’t need to disable it when using another anti-malware solution as that should automatically be handled on installation. Norton is also software to avoid, as they have a well-known history of being a poorly optimized product, just like McAfee.

In the long run you’re simply crippling your Windows install and contributing to problems further down the road. This is also why many “Lite” software builds that modify your Windows installation media are frowned upon. The hosts file is not meant to block websites; the purpose is to redirect when there are problems. This is sadly a common misconception thanks to several websites who falsely advertise custom hosts files as “protection” when all they really do is slow your connection.

If you are so concerned about data being “leaked” to Microsoft - anonymous telemetry is a good thing in actuality and is opt-in - then perhaps you should try Ubuntu or another Linux distro.

3 Likes

I was hoping to find knowledgeable security people on here, not to be told “telemetry is a good thing” and to “never disable Microsoft services” hehehe
I have had half of them disabled for 10+ years, on many computers. Lots of websites list which services you should or could disable.
I obviously wrote in the wrong place; I should have seen it coming, as GlassWire is advertising itself as a firewall but then there is no firewall, just using Windows’ joke firewall.

That is a petty response. You didn’t get the sort of answer you wanted so you make unreliable statements.

The main reason you didn’t get what you want is that you’re asking in the wrong forum, but not for the reason you give. Instead, it is because GlassWire provides an interactive method to block hosts. That is different to using a block list for your hosts file. Despite this, the GlassWire team made an effort to help you anyway.

It didn’t help that you too easily believed unreliable complaints that Windows ignores the hosts file. All the problems I’ve seen are either wrong configurations or user errors. Here’s one example of users corrupting a hosts file:

Someone summarised the many possible causes in this topic:

1 Like
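As an added example (not from the post above or its linked topics), the following PowerShell function checks a hosts file for the configuration mistakes that make it look as if Windows were ignoring it, then confirms through the system resolver that each entry is actually honoured. It assumes Windows 10 at the default hosts path; `Test-HostsFile` is a name introduced here. The resolution check deliberately uses `[System.Net.Dns]::GetHostAddresses`, which goes through the normal Windows resolver and therefore consults the hosts file, whereas `Resolve-DnsName` and `nslookup` query DNS servers directly and skip it, which is itself a common source of the "Windows ignores hosts" complaint.

```powershell
# Added example: sanity-check the hosts file and verify entries are honoured.
# Assumes Windows 10; Test-HostsFile is a name introduced here.

function Test-HostsFile {
    [CmdletBinding()]
    param(
        [string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts"
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    if (-not (Test-Path -LiteralPath $Path)) {
        $findings.Add("hosts file missing at $Path")
        return $findings
    }
    # Editors that silently append .txt leave the real hosts file untouched
    if (Test-Path -LiteralPath "$Path.txt") {
        $findings.Add("a 'hosts.txt' exists beside hosts: edits may have gone to the wrong file")
    }

    # Encoding: the resolver expects plain ASCII/ANSI text
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE) {
        $findings.Add('file is UTF-16 (FF FE BOM): the resolver cannot parse it, every entry is ignored')
    }
    if ($bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF) {
        $findings.Add('file has a UTF-8 BOM: the first entry may be misparsed (save as ANSI)')
    }

    # Parse entries: "<ip> <name> [<name>...]", '#' starts a comment
    $entries = @()
    $lineNo = 0
    foreach ($line in [System.IO.File]::ReadAllLines($Path)) {
        $lineNo++
        $text = ($line -split '#', 2)[0].Trim()
        if ($text -eq '') { continue }
        $parts = $text -split '\s+'
        $ip = $null
        if (-not [System.Net.IPAddress]::TryParse($parts[0], [ref]$ip)) {
            $findings.Add("line ${lineNo}: '$($parts[0])' is not an IP address")
            continue
        }
        if ($parts.Count -lt 2) {
            $findings.Add("line ${lineNo}: address without a hostname")
            continue
        }
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            $entries += [pscustomobject]@{ Line = $lineNo; IP = $ip; Name = $name }
        }
    }

    # Verify through the system resolver (consults hosts); Resolve-DnsName would not
    foreach ($e in $entries) {
        try {
            $resolved = [System.Net.Dns]::GetHostAddresses($e.Name) |
                ForEach-Object { $_.IPAddressToString }
            if ($resolved -notcontains $e.IP.IPAddressToString) {
                $findings.Add("line $($e.Line): $($e.Name) resolves to $($resolved -join ', '), not $($e.IP)")
            }
        } catch {
            $findings.Add("line $($e.Line): $($e.Name) failed to resolve: $($_.Exception.Message)")
        }
    }

    return $findings
}

# Usage: an empty result means every entry parsed and is honoured by the resolver.
Test-HostsFile
```

Run `ipconfig /flushdns` before testing, since the DNS Client cache can keep serving an answer obtained before the hosts file was edited, which is another reason a correct file appears to be ignored for a while.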
  1. No

Bottom line is that Windows 10 cannot be completely locked down, short of disabling networking completely. It is built into this OS to connect to Microsoft servers.

I run Windows 10 Pro, and have minimized as much as possible, without breaking Windows. It is still quite chatty.

It is what it is.

I have decided that my only options are to either trust Microsoft, or switch to Linux full time.

2 Likes

I agree with you. Akamai, Google, Apple etc… the list just goes on and on.

1 Like

@Ultrasnoop

I guess it depends on what the definition of “lock down” is. In our case I’d say the definition is to lock it down securely from hackers.

In your definition you mean to lock it down from communicating to Microsoft servers.

I think our definition of locking down your PC from hackers is a very good idea. However, I think it’s possible to block Microsoft telemetry to the degree that it actually causes new and different security issues for you.

For example if you accidentally block Windows updates I don’t think that’s good.

2 Likes

Microsoft’s process is hacking by definition of older PCs. According to Microsoft my PC (in the beginning) tested out and was OK for WIN10. Microsoft had software they ran once to expose any issues, and “that was the last and ONLY time when Microsoft tested my PC or anyone else’s for continuing compatibility as it pushed out updates.” In the meantime my PC’s manufacturer (Dell) said to me that Microsoft Win 10 was no longer compatible with my PC (this was June a year ago after a Microsoft update crashed my PC).

I couldn’t look to Microsoft to fix it, and I couldn’t look to Dell to fix it. The PC worked on June 11, 2020, on June 12, 2020 it was rendered a boat anchor because Windows 10 failed to support the RAID hardware/software (co-requisites) on my PC.

I stripped my PC of that RAID hardware/software (at a cost of about $300). Since then I’ve been using WinUpdateBlock (3rd party software) but it failed last week. (I’m lucky this June, no blue screen of death) but Microsoft didn’t give me a thing I wanted or needed. I have a machine that works as it should with all the software I have installed and all the hardware upgrades and attached devices. I just need Microsoft to leave me alone.

It’s been suggested elsewhere in this forum that I change my network adapter settings to show that I have a metered connection between me and my ISP, and that if I do that Microsoft will leave me alone, not true! Microsoft does not honor that to where it is effectively an end-all stop of updates. Microsoft also allows a postponement setting (days to hold back on updates) and MS keeps you from pushing that delay repeatedly outward.

When you say to me or others we shouldn’t stop updates you fail to understand that Microsoft is leaving my PC and other older PCs behind. Neither MS nor the PC manufacturers care; to them the turnover being forced on ALL OF US (if not now, then eventually) is revenue to them.

I need to stop these updates because they can render my PC useless, that’s the simple answer why I don’t want or need any updates from Microsoft. There’s an old adage “If it ain’t broke don’t fix it.” If I can preserve it as is, I get to use it as long as all the hardware holds out.

The other reason is I’m not stuck on some archaic machine. I have an Intel i7 core PC with 16 gig of RAM; it’s faster than a lot of the PCs being sold now. I have upgraded to USB 3.0, and my graphics adapter has its own fan and RAM. I can render video faster or as fast as any PC being sold today. (A MAC might do better, but that’s another subject).

The point is my PC works today, and if Microsoft leaves it alone it will work tomorrow. In case you haven’t noticed Microsoft doesn’t let you uninstall these updates anymore, and if you turn on the Restore System that’s in Win10 and keep some images, these new updates (each one of them) eliminate the images you saved and turn off the Restore System. You have to find this out, Microsoft doesn’t even tell you after the fact.

Anyone that doesn’t think we need a STOP that works probably has a new machine and is happy with it. My machine is not new, but I’m happy with it, and if the next MS upgrade breaks it I won’t be happy. I’ll have to spend a lot of money and install a lot of software just to stay functional, and the timing of this labor-intensive shut down and expense won’t be at a time when it’s at my convenience or when I’m ready to spend a lot of money.

This may be about me and other contemporaries of mine now, but Microsoft’s uncaring trudging ahead will eventually break everyone’s machine across time because it’s not their concern, nor is it a concern of the PC manufacturers, they’re all incentivized by the revenue that lies ahead on this course.

I have a working PC. Microsoft has had 5 tries at my machine; the one in 2020 broke it then and that’s when Dell told me my machine was no longer Win 10 compatible (they never sent out a notice, I found out when I called them…). I’m running Win10 right now, but they’ve already proven they can (and will) take me down in a single upgrade.

Is the public clamoring for a new OS? Certainly not the general public; we like to enjoy a stasis. We don’t like Microsoft adding XBOX, PHONE, the WEATHER, and other toys we consider clutter and a waste of resources. Each update puts them back, and usually they get harder to remove, as XBOX is in WIN10 ver 190042, build 19042.

Obviously you haven’t read “Who Moved My Cheese” by Spencer Johnson. It was mandatory reading (assigned by Robert Pittman, our CEO) for programmers and their managers because they moved things around in a customer interface which caused the phones to light up in our call centers. The programmers weren’t thinking ahead; they just thought it would be nice and moved the ‘cheese’ to a secondary screen. That was AOL version 9, and how is AOL doing now? [Rhetorical]

Microsoft is just plain not caring, they are busy assembling what they want you to have. If you read the same forums and tech papers I do most people resent this, certainly more than praise it. When it comes your turn and you have to buy and reload a new PC, maybe you’ll remember this moment in time, maybe not. Microsoft won’t care.

They say they’re going to stop supporting Win10; wouldn’t that be great, but these updates suggest they haven’t broken enough PCs yet. Microsoft did stop supporting Windows 7, and for the people that found that acceptable, their machines still work because Microsoft left them alone. That was a mistake I don’t expect Microsoft to repeat.

Lest I be found out and be called duplicitous I own 2000 shares of Microsoft and I still want them to leave me and my PC alone, and telling them I’m on a metered connection does not stop them because I’ve done that and more. Ken, thanks for your answer, I know you meant well, but your assumption that nothing bad will happen to me if I keep taking updates just isn’t true, and what you think will stop them is something they’ve learned to bypass. Sincerely, Dean (Thanks for reading of my plight, I’m not alone, others will ask for this).

When Dell said your system was no longer compatible with Windows 10, what was the reason or cause?
Is it a hardware manufacturer ceasing software support for their device driver? Or was there some other reason?

2 Likes