Block Windows 10 Telemetry Tracking

There is no reason an operating system needs to phone home telemetry data in order to function. The sole purpose for this capability is so the operating system can report back statistics about computer use, operator habits, and other things which they can then analyze and/or provide to other parties to help them develop or improve their products. Unix, Linux, Solaris, OpenVMS, and a multitude of others don’t phone home, so there is no reason Windows 10 needs to either.

The good news is, you can block the telemetry data from phoning home to the Microsoft mother-ship, but you must use an external device. You cannot achieve this by enabling the privacy settings within Windows 10, modifying the registry, deleting tasks in the Task Scheduler (although this does work until the next patch), using the built-in Windows Defender Firewall, or modifying the hosts file. You block it with an external DNS blocker.

Why? Because each time Windows updates, it re-creates the scheduled tasks and reverts the registry settings. Moreover, people have shown that some of the telemetry data still reports back to Microsoft even after they blocked the phone-home IP addresses in Windows Defender Firewall and modified the hosts file, probably because the host can simply bypass both before sending the data: Microsoft can do whatever it wants at the application layer, or the IP addresses are whitelisted behind the scenes.

I think it would be wise to assume you cannot modify Windows 10 so Windows 10 can’t report back home.

Again, you must use an external device and block the data after it has left the Windows 10 host, and your typical Netgear, Linksys, ASUS or Best Buy NAT router won’t do it. I won’t lie: it’ll take a bit of work and not everyone will be able to do it. But if you’re up for the challenge, it’s completely worth it. About 99% of home users will end up with a setup that looks like this, which protects every device on your local area network (LAN), including all WiFi devices, Windows 10 computers, etc.

    Internet --> Modem --> WAN/firewall/LAN --> Switch/Wireless AP --> All Devices

I highly recommend a firewall product called pfSense with the pfBlockerNG package. It’s a totally free, open-source firewall and DNS resolver solution. Go on Craigslist and buy an old computer, and I mean it can be really old. I installed pfSense on a computer I bought for $50 that has 10GB of DDR3 and a 2.4 GHz Core 2 Duo CPU. It does need to have two NICs though, so make sure you can add another. I’m not going to write up how to install pfSense, because many others have already done that (see below). It literally takes 10 minutes to install and get it up and running.

Once complete, log into the GUI and install the pfBlockerNG package. It’s under the Package Manager menu item and takes about 15 seconds. Watch the video below on configuring pfBlockerNG. As of right now, this is the best solution I know of to block not only Windows 10 telemetry reporting but a lot of other stuff too.

Enter the following DNS entries into the DNSBL tab. Some people have been using IP addresses instead. This is a bad idea: IP addresses will and do change. In fact, Microsoft regularly changes its Windows Update IP addresses for security purposes, and I suspect it does the same for telemetry gathering. It’s much harder for them to change DNS names, so they rarely do.

    a-0001.a-msedge.net
    a.ads1.msn.com
    a.ads2.msn.com
    ad.doubleclick.net
    adnexus.net
    adnxs.com
    ads.msn.com
    ads1.msads.net
    ads1.msn.com
    az361816.vo.msecnd.net
    az512334.vo.msecnd.net
    choice.microsoft.com
    choice.microsoft.com.nsatc.net
    compatexchange.cloudapp.net
    corp.sts.microsoft.com
    corpext.msitadfs.glbdns2.microsoft.com
    cs1.wpc.v0cdn.net
    df.telemetry.microsoft.com
    diagnostics.support.microsoft.com
    fe2.update.microsoft.com.akadns.net
    feedback.microsoft-hohm.com
    feedback.search.microsoft.com
    feedback.windows.com
    i1.services.social.microsoft.com
    i1.services.social.microsoft.com.nsatc.net
    oca.telemetry.microsoft.com
    oca.telemetry.microsoft.com.nsatc.net
    pre.footprintpredict.com
    preview.msn.com
    rad.msn.com
    redir.metaservices.microsoft.com
    reports.wes.df.telemetry.microsoft.com
    services.wes.df.telemetry.microsoft.com
    settings-sandbox.data.microsoft.com
    sls.update.microsoft.com.akadns.net
    sqm.df.telemetry.microsoft.com
    sqm.telemetry.microsoft.com
    sqm.telemetry.microsoft.com.nsatc.net
    statsfe1.ws.microsoft.com
    statsfe2.update.microsoft.com.akadns.net
    statsfe2.ws.microsoft.com
    survey.watson.microsoft.com
    telecommand.telemetry.microsoft.com
    telecommand.telemetry.microsoft.com.nsatc.net
    telemetry.appex.bing.net
    telemetry.microsoft.com
    telemetry.urs.microsoft.com
    vortex-sandbox.data.microsoft.com
    vortex-win.data.microsoft.com
    vortex.data.microsoft.com
    watson.live.com
    watson.microsoft.com
    watson.ppe.telemetry.microsoft.com
    watson.telemetry.microsoft.com
    watson.telemetry.microsoft.com.nsatc.net
    wes.df.telemetry.microsoft.com
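Before pasting a hand-built list like the one above into the DNSBL custom list, it is worth linting it, because a DNSBL matches hostnames only: a stray `:443` port suffix, two names on one line, or a mixed-case duplicate silently does nothing. The Python below is an added example, not part of the original post or of pfBlockerNG; it assumes one hostname per line and the package's default DNSBL sinkhole address of 10.10.10.1, and its second function, run from a LAN host after the list is loaded, reports any name that still resolves to a real address.

```python
import re
import socket
# Hostname syntax check: dotted labels of letters, digits and hyphens.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOST_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")
# pfBlockerNG answers blocked names with its DNSBL VIP, 10.10.10.1 by default (assumed here).
SINKHOLE_IP = "10.10.10.1"

# Constructed sample carrying the defects a hand-typed list picks up.
SAMPLE = """\
telemetry.microsoft.com
cs1.wpc.v0cdn.net statsfe1.ws.microsoft.com
telemetry.appex.bing.net:443
Telemetry.Microsoft.com
"""

def normalize_dnsbl(raw):
    """Return (clean_names, warnings) for a one-hostname-per-line list."""
    clean, warnings, seen = [], [], set()
    for lineno, line in enumerate(raw.splitlines(), 1):
        tokens = line.split("#")[0].split()  # drop comments, blanks
        if len(tokens) > 1:
            warnings.append(f"line {lineno}: {len(tokens)} names on one line, split")
        for tok in tokens:
            name = tok.lower().rstrip(".")
            if ":" in name:  # a DNS blocklist matches names, never ports
                name, _, port = name.partition(":")
                warnings.append(f"line {lineno}: dropped ':{port}' from {tok}")
            if not _HOST_RE.match(name):
                warnings.append(f"line {lineno}: {tok!r} is not a hostname, skipped")
                continue
            if name in seen:
                warnings.append(f"line {lineno}: duplicate {name}, skipped")
                continue
            seen.add(name)
            clean.append(name)
    return clean, warnings

def not_sinkholed(names, resolve=socket.gethostbyname, sinkhole=SINKHOLE_IP):
    """Names that still resolve to a real address; run from a LAN host so the
    query goes through pfSense. NXDOMAIN (or None from a fake) means blocked."""
    leaks = {}
    for name in names:
        try:
            ip = resolve(name)
        except OSError:  # socket.gaierror: no such name
            continue
        if ip is not None and ip != sinkhole:
            leaks[name] = ip
    return leaks
```

The truncated `cloudfront.ne` style of defect is not caught, since `.ne` is a syntactically valid TLD; compare such entries against the source by eye.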

This does not break Windows Update. I have confirmed on all my Windows 10 workstations that it still works; I just received the latest monthly patches without issue. What’s interesting is, I performed a packet capture while initiating a Windows Update and noticed a couple of things. First, it looks like a Windows Update also initiates a telemetry sync, and even though I block the telemetry, the update still works. Second, the Windows Update IP addresses change with each sync. It appears they do a sort of round-robin usage. Not really relevant to the problem, but interesting. One sync I was grabbing from IPs in Redmond, WA, and the next I was grabbing IPs in Singapore.

Anyhow, while you’re at it, you might want to also block Trend Micro. All those ASUS NAT routers have teamed up with Trend Micro and phone home every website you visit (and other stuff too). In fact, they have a EULA that you must acknowledge before you can enable QoS, filtering, or parental controls within their products. I still have my wireless access point in bridge mode with all those features turned off, and it’s still phoning home “something”.


    fbsv1.trendmicro.com
    fbsv2.trendmicro.com
    ntd-asus-2014b-en.fbs20.trendmicro.com
    gslb1.fbs.trendmicro.com.akadns.net
    rgom10-en.url.trendmicro.com
    trendmicro.com.edgesuite.net
    slb1.fbs.trendmicro.com.akadns.net
    activeupdate.trendmicro.co.jp
    backup21.url.trendmicro.com
    wrs.trendmicro.com
    e5110.dscd.akamaiedge.net
    dlcdnets.asus.com
    wideip-dlcdnets.isoi.asia
    dlcdnets-ds.asus.com.edgekey.net

… and if you have a Samsung TV connected to the internet and use those features, you’ll want to block these DNS entries as well. Mine is connected to WiFi, but I don’t use any of the SmartTV apps, and I totally block all outbound traffic for all protocols/ports from its static IP at the firewall (nothing gets out).


    Coordinator-Production-28516768.us-east-1.elb.amazonaws.com
    abtauthprd.samsungcloudsolution.com
    acr0.samsungcloudsolution.com
    ad.samsungadhub.com
    amauthprd.samsungcloudsolution.com
    api-hub.samsungyosemite.com
    auth.samsungosp.com
    az43064.vo.msecnd.net
    cdn.samsungcloudsolution.com
    cdn.samsungcloudsolution.net
    d179kwmlpc4o47.cloudfront.net
    d1jwpcr0q4pcq0.cloudfront.net
    d1oxlq5h9kq8q5.cloudfront.net
    d2tnx644ijgq6i.cloudfront.net
    d3mjsomixevyw7.cloudfront.net
    dev-multiscreen.samsung.com
    fkp.samsungcloudsolution.com
    fkp.samsungcloudsolution.net
    game.internetat.tv
    gld.samsungosp.com
    gpm.samsungqbe.com
    i-stream.pl
    infolink.pavv.co.kr
    lcprd1.samsungcloudsolution.net
    log-1.samsungacr.com
    log-2.samsungacr.com
    log-3.samsungacr.com
    log.internetat.tv
    multiscreen.samsung.com
    notice.samsungcloudsolution.com
    noticecdn.samsungcloudsolution.com
    noticefile.samsungcloudsolution.com
    ns11.whois.co.kr
    oempprd.samsungcloudsolution.com
    oempprd.samsungcloudsolution.net
    openapi.samsung.com
    osb.samsungqbe.com
    otnprd10.samsungcloudsolution.net
    otnprd11.samsungcloudsolution.net
    otnprd8.samsungcloudsolution.net
    otnprd9.samsungcloudsolution.net
    pipeaota.com
    premium-videos.telly.com
    prov.samsungcloudsolution.com
    rd.samsungadhub.com
    sas.samsungcloudsolution.com
    sca.samsung.com
    sso.internetat.tv
    syncplusconfig.s3.amazonaws.com
    targeted-config-test.samsungacr.com
    test.samsungrm.net
    time.samsungcloudsolution.com
    upu.samsungelectronics.com
    us-api.samsungyosemite.com
    vd.emp.prd.s3.amazonaws.com
    vdterms.samsungcloudsolution.com
    www.samsungotn.net
    www.samsungrm.net
    xpu.samsungelectronics.com

Below is a screenshot from half a day’s worth of traffic collection on my LAN. I blocked 1,225 packets destined for the mother-ship, which could have equaled 1.8 MB of data (1,225 x 1,500-byte MTU roughly equals 1.8 MB). I also block advertiser tracking (Pi-hole), ads, and several countries outright … not on the WAN side, but on the LAN side. There is no silver bullet for privacy (except totally disconnecting, but that’s not realistic in today’s world); better privacy comes in layers, and the more layers you have, the better.

It’s a crazy world we live in. Every device is phoning home because telemetry and user habits can be sold for big money to advertisers. Apps on your smartphones sell your personal data as well, but this solution blocks all devices as long as they are connected to the LAN (once you leave the LAN, you’re totally unprotected).

I cannot stress or even begin to tell you how much of your information is being collected, sold, and shared with other companies, many of which are not using it for good purposes. They know what time you use your computer, what websites you visit, your location, what you type on the computer or phone, what you click on, what you buy, what you search … and they are listening in on you as well. I know my wife’s iPhone is, because on numerous occasions we were talking about buying something and a relevant ad showed up in her Facebook feed. No more Facebook for me (deleted my account). I’m done with that crap.

Ok, I’m done rambling.