“Telemetry” is such a lovely term, don’t you think? It’s inoffensive and slightly technical. But in this case, the term has been chosen quite well. Think of the alternatives: logging, monitoring, or, to call a spade a spade, spying.

Windows 10 was free, though, and unless you’re breathtakingly naïve, there was always the expectation that Microsoft would shoehorn a tried-and-tested form of monetization into the platform. It has certainly done that, adding in the capability to gather, analyze, and aggregate user data in some often-alarming ways. You only have to look at some of the names of the Registry values that control said telemetry to get an idea of the approach that Microsoft has used. HarvestContacts and EnableImplicitTextCollection are two of my personal favorites.

Dealing with this telemetry in the enterprise depends on a number of factors. But the fact remains that it needs to be dealt with—users shouldn’t be expected, or allowed, to make decisions that potentially open up their employers to regulatory action or compromise the security of data and/or intellectual property.

The factors in play are your industry vertical (healthcare, defense, and finance will have the most pressing concerns); the regulatory compliance that you are subject to, both on an industry and a geographic basis; how and where your data is stored and accessed; the nature of the data that you utilize; and, possibly, the level of tinfoil-hattery that you exhibit.

All light-heartedness aside, the fact remains that Windows 10 has proven to be very talkative and likes to check in with the Microsoft mothership on a very regular basis. How can we go about dealing with this?

Remove modern apps

Microsoft’s Modern Apps themselves, because they are intended to run through the mobile-like Windows Store interface, tend to be quite active in the telemetry department, especially if the apps themselves are free. Getting rid of the Modern Apps that you do not need in your environment is a good way to address telemetry concerns as well as to improve performance, reduce attack surface, and simplify the Windows 10 interface.

I wrote about the inner workings of Modern Apps in a previous article, but I have also noticed several places on the Internet where people are discussing how to disable or remove them entirely, whether in the image or via policies and scripts. My own preference is for disabling them rather than removing them, and I published a blog article on how to do this a month or so ago. (Although the script I provided isn’t the most elegant, it is—currently—very effective.)

You can use this script or one of the others available to remove the unneeded Modern Apps and reduce your telemetry concerns accordingly. Of course, there is always the Windows 10 LTSB version if you wish to deploy an operating system free from most of these Modern Apps to begin with, but there are feature-limiting factors to think about.
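As an added example (not the author's script, and not part of the original article), the following PowerShell removes a deny list of Modern Apps both from the provisioned image (so new profiles never receive them) and from profiles already on the machine; the package names in `$DenyList` are constructed samples, and the `NonRemovable` property and `-AllUsers` switch are assumed to exist on the Windows 10 build in use:

```powershell
# Added example: remove unneeded Modern Apps from the image and from existing profiles.
#Requires -RunAsAdministrator
$DenyList = @('Microsoft.XboxApp', 'Microsoft.BingWeather', 'Microsoft.People')  # constructed sample

function Remove-ProvisionedModernApp {
    param([string[]]$Names)
    # Provisioned packages are what every new user profile receives at first logon,
    # so removing them here stops the app (and its telemetry) reappearing per user.
    $removed = @()
    foreach ($pkg in Get-AppxProvisionedPackage -Online) {
        if ($Names -contains $pkg.DisplayName) {
            Remove-AppxProvisionedPackage -Online -PackageName $pkg.PackageName | Out-Null
            $removed += $pkg.DisplayName
        }
    }
    return $removed
}

function Remove-InstalledModernApp {
    param([string[]]$Names)
    # Installed packages are per user; -AllUsers covers profiles already on the machine.
    $removed = @()
    foreach ($n in $Names) {
        foreach ($pkg in Get-AppxPackage -AllUsers -Name $n) {
            # Some inbox packages are flagged non-removable; skip rather than fail (assumed property).
            if ($pkg.NonRemovable) { Write-Warning "$n is non-removable; skipping"; continue }
            Remove-AppxPackage -Package $pkg.PackageFullName -AllUsers
            $removed += $pkg.PackageFullName
        }
    }
    return $removed
}

$prov = Remove-ProvisionedModernApp -Names $DenyList
$inst = Remove-InstalledModernApp  -Names $DenyList
"Removed $($prov.Count) provisioned and $($inst.Count) installed packages"
```

Run it against a test image first: a package removed from provisioning cannot be restored for new users without re-adding it from the Store or the install media.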

Turn off web search

One of the simplest steps you can take to reduce the telemetry is to turn off that consumer-grade annoyance called Cortana. Interestingly, when Microsoft announced that it had gotten Windows 10 onto 300 million devices, it also announced that there had been “seven billion web searches through Cortana.” By my reckoning, that’s approximately twenty-four web searches through Cortana per Windows 10 instance. Even allowing for those who exercised downgrade rights, the figures don’t lie: nobody likes Cortana, or they turned it off because they’re worried about monitoring.

The settings to disable web search are covered in Michael’s excellent article on Windows 10 privacy, but I’ve reproduced an image of the specific GPO in question below.

[Image: the “Turn off web search” Group Policy setting]

Apply required GPO and Registry settings

There are a huge number of Group Policy Objects and Registry settings that you can use to control many aspects of Windows 10’s behavior (access to devices, OneDrive, settings sync, etc.), and most of them have an aspect of telemetry-limitation to them. Again, as I mentioned above, Michael’s article on Windows 10 privacy covers all of these, so rather than reproduce them, I’ll let you glean them all from the previous article and apply them as necessary—after you thoroughly test all of them, naturally!

Disable unneeded services

Windows 10 has a large array of services attached to it, and many of these are unnecessary to have either running, or available to start as required. I thought Microsoft had ditched the “one OS to rule them all” idea that started with Windows 8, but judging by the presence of services such as AllJoyn Router and Xbox-related processes, clearly the concept still exists.

From my own Wireshark-ing, I found that the two most talkative services (on my own particular deployment—feel free to test your own independently) were the WAP Push Message Routing Service (dmwappushsvc) and the Diagnostics Tracking Service (which has now morphed into two services, Diagnostics Service Host and Diagnostics System Host, on the latest Insider builds). Disabling these left no discernible performance or application lag on the test machine.

However, if you want to start digging deeper, you can also disable other things that may also have telemetry capabilities. Naturally, when disabling services that are not natively disabled, you need to test very carefully and be very aware of the possible implications of what you are doing. I managed to break my OS by disabling the Enterprise App Management service, so make sure you test thoroughly before disabling anything!

With this disclaimer, though, I managed to run a stable test Windows 10 OS with all of the below services disabled (obviously, things like biometrics and smart card readers will not function with the relevant services disabled). An asterisk after a service name indicates that there were multiple services starting with that prefix. Should you choose to test, the best way to do these is via Group Policy Preferences; however, some of them cannot be natively disabled and involve changing the Start value to 4 in HKLM\SYSTEM\CurrentControlSet\Services\servicename. Be very careful with these!

  • Xbox*
  • Windows Store Service (WSService)
  • Windows Mobile Hotspot Service
  • Windows Media Player Network Sharing Service
  • Windows License Manager Service
  • Windows Error Reporting Service
  • Windows Biometric Service
  • Windows Color System
  • Touch Keyboard and Handwriting Panel Service
  • Smart Card*
  • Sensor*
  • Retail Demo Service
  • Quality Windows Audio Video Experience
  • Program Compatibility Assistant Service
  • Problem Reports and Solutions Control Panel Support
  • Offline Files
  • Microsoft Account Sign-In Assistant
  • Microsoft Diagnostics Hub Standard Collector Service
  • Internet Explorer ETW Collector Service
  • Homegroup*
  • Geolocation Service
  • Fax
  • Downloaded Maps Manager
  • dmwappushsvc
  • Diagnostic*
  • Delivery Optimization
  • Connected*
  • Bluetooth*
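The following PowerShell is an added example, not the author's own tooling: it disables services from the list above by display-name or service-name prefix, records each service's previous Start value so the change can be rolled back, and falls back to the registry Start=4 method when the Service Control Manager refuses the change. `$Targets` is a constructed subset of the list and the rollback file path is an assumption.

```powershell
# Added example: disable listed services with a recorded rollback path.
#Requires -RunAsAdministrator
$Targets   = @('Xbox*', 'Windows Error Reporting Service', 'dmwappushsvc', 'Diagnostic*', 'Connected*')  # subset
$StatePath = Join-Path $env:ProgramData 'TelemetryServiceRollback.xml'   # assumed location

function Get-TargetService {
    param([string[]]$Patterns)
    # Each pattern is tried as a display name and as a short service name (dmwappushsvc only
    # matches the latter); the wildcards from the list are passed straight to Get-Service.
    $found = foreach ($p in $Patterns) {
        Get-Service -DisplayName $p -ErrorAction SilentlyContinue
        Get-Service -Name        $p -ErrorAction SilentlyContinue
    }
    $found | Sort-Object Name -Unique
}

function Disable-TargetService {
    param([System.ServiceProcess.ServiceController[]]$Services, [string]$RollbackFile)
    $rollback = @()
    foreach ($svc in $Services) {
        $regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
        $before  = (Get-ItemProperty -Path $regPath -Name Start).Start
        if ($before -eq 4) { continue }                          # already disabled
        $rollback += [pscustomobject]@{ Name = $svc.Name; Start = $before }
        try {
            Set-Service -Name $svc.Name -StartupType Disabled -ErrorAction Stop
        } catch {
            # SCM refused (protected service): set Start=4 directly, as the article describes.
            Set-ItemProperty -Path $regPath -Name Start -Value 4
        }
        Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
    }
    $rollback | Export-Clixml -Path $RollbackFile
    return $rollback
}

function Restore-TargetService {
    param([string]$RollbackFile)
    # Put every Start value back exactly as recorded (2=Automatic, 3=Manual).
    foreach ($e in Import-Clixml -Path $RollbackFile) {
        Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$($e.Name)" -Name Start -Value $e.Start
    }
}

$changed = Disable-TargetService -Services (Get-TargetService $Targets) -RollbackFile $StatePath
"Disabled $($changed.Count) services; rollback data written to $StatePath"
```

Run `Restore-TargetService -RollbackFile $StatePath` followed by a reboot to undo the change on a test machine that misbehaves.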

Block domains via HOSTS file or firewall

For the heavier tinfoil-hat wearers, I’ve also picked out a bunch of domains that various parts of the operating system like to talk to on a regular basis. Again, be very careful to test before blocking access to these, particularly if you use Microsoft’s online services such as Office 365. But again, if you really need to restrict telemetry, this is a good way of doing it.

You could block using an old-fashioned HOSTS file to null-route the traffic, or, if you’re really paranoid and you believe the rumor that Microsoft can bypass the HOSTS file at will using dnsapi.dll, drop the traffic at the firewall.

There are, again, some really appropriate names in this domain list: vortex.data.microsoft.com and pre.footprintpredict.com are my personal favorites.

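As an added example (not from the article), this PowerShell turns a domain list into HOSTS entries and optional outbound firewall rules: it strips stray `:443` suffixes, removes the duplicates the comments below point out, warns about bare apex domains such as microsoft.com that would break first-party services like Office 365, and backs up the HOSTS file before touching it. `$Domains` is a constructed sample.

```powershell
# Added example: null-route telemetry hosts via HOSTS, optionally drop them at the firewall.
#Requires -RunAsAdministrator
$Domains = @('vortex.data.microsoft.com', 'telemetry.microsoft.com', 'telemetry.microsoft.com',
             'pre.footprintpredict.com', 'appex.bing.net:443', 'microsoft.com')   # constructed sample
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

function Get-CleanHostList {
    param([string[]]$Entries)
    # HOSTS has no notion of ports; normalise case, dedupe, keep only valid hostnames.
    $clean = $Entries | ForEach-Object { ($_ -split ':')[0].Trim().ToLowerInvariant() } |
        Where-Object { $_ -match '^([a-z0-9-]+\.)+[a-z]{2,}$' } | Sort-Object -Unique
    # Apex domains (two labels) take whole services offline, not just telemetry: warn and skip.
    $clean | Where-Object { ($_ -split '\.').Count -le 2 } |
        ForEach-Object { Write-Warning "Skipping apex domain $_ (would break first-party services)" }
    $clean | Where-Object { ($_ -split '\.').Count -gt 2 }
}

function Add-HostsBlock {
    param([string[]]$Hosts, [string]$Path)
    Copy-Item $Path "$Path.bak-$(Get-Date -Format yyyyMMddHHmmss)"   # keep a rollback copy
    $existing = Get-Content $Path
    $new = foreach ($h in $Hosts) {
        # Skip entries the file already null-routes so re-runs stay idempotent.
        if (-not ($existing -match "^\s*0\.0\.0\.0\s+$([regex]::Escape($h))(\s|$)")) { "0.0.0.0 $h" }
    }
    if ($new) { Add-Content -Path $Path -Value (@('', '# telemetry block list') + $new) }
    return @($new).Count
}

function Add-TelemetryFirewallRule {
    param([string[]]$Hosts)
    # Resolve now and block those addresses outbound. Caveat: CDN/anycast addresses rotate,
    # so this needs re-running; it is the fallback for the dnsapi.dll concern in the text.
    foreach ($h in $Hosts) {
        $ips = Resolve-DnsName -Name $h -Type A -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'A' } | ForEach-Object IPAddress
        if (-not $ips) { continue }
        New-NetFirewallRule -DisplayName "Block telemetry $h" -Direction Outbound `
            -Action Block -RemoteAddress $ips -Profile Any | Out-Null
    }
}

$clean = Get-CleanHostList -Entries $Domains
"Added $(Add-HostsBlock -Hosts $clean -Path $HostsPath) HOSTS entries"
Add-TelemetryFirewallRule -Hosts $clean
```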

Summary

Windows 10’s built-in telemetry needs to be taken very seriously in the enterprise, no matter what your vertical. It’s not just the fact that Microsoft gathers this data; it’s the potential for it to be lost, stolen, sold, or otherwise disseminated once Microsoft has swallowed it up.

In conjunction with the article on Windows 10 privacy that I’ve linked to, hopefully this rundown on ways to neuter the built-in monitoring will allow you to configure, test, and deploy an image that allows you to sleep much more soundly at night.

4 Comments
  1. Time to take off your tin foil hat. Have you actually set or blocked all these settings in a large scale production environment? You’re going to break all sorts of things including third-party products that are reliant on these services.

    For anyone serious about privacy and Windows 10, I would recommend engaging your Microsoft TAM or Microsoft Premier for settings that will keep you compliant with your regulatory requirements while not blindly disabling (and breaking) things because of some unfounded concern about telemetry collection.

  2. James Rankin 7 years ago

    Yes, we have set them, tested them and used them in production. Nothing is broken. Microsoft came and validated our build. Nothing was done “blandly” as you assert.

  3. Darren White 7 years ago

    I think you left microsoft.com and telemetry.microsoft.com out of the HOSTS file list.

    It doesn’t count if it isn’t included at least 6 times, right?

  4. anotheradmin 7 years ago

    Regarding the hosts file: You’re now disabling live.com, microsoft.com and support.microsoft.com. Cloudapp.net doesn’t resolve to anything at this moment (www.cloudapp.net does though). Next to that, there are several duplicate addresses.

© 4sysops 2006 - 2023