Block Windows 10 Telemetry Tracking

There is no reason an operating system needs to phone home telemetry data in order to function. The sole purpose for this capability is so the operating system can report back statistics about computer use, operator habits, and other things which they can then analyze and/or provide to other parties to help them develop or improve their products. Unix, Linux, Solaris, OpenVMS, and a multitude of others don’t phone home, so there is no reason Windows 10 needs to either.

The good news is that you can block the telemetry data from phoning home to the Microsoft mother-ship, but you must use an external device. You cannot achieve this by enabling the privacy settings within Windows 10, modifying the registry, deleting tasks in the task scheduler (although this does work until the next patch), using the internal Windows Defender Firewall or modifying the hosts file. You can block it by using an external DNS blocker.

Why? Because each time Windows updates, it will re-create the scheduled tasks and revert the registry settings. Moreover, people have proven some of the telemetry data still reports back to Microsoft even when they blocked the phone-home IP addresses in Windows Defender and modified the hosts file, probably because the host can simply bypass both prior to sending the data. Microsoft can do whatever they want at the application layer, or the IP addresses are whitelisted behind the scenes.

I think it would be wise to assume you cannot modify Windows 10 so Windows 10 can’t report back home.

Again, you must use an external device and block the data after it has left the Windows 10 host, and your typical Netgear, Linksys, ASUS or Best Buy NAT router won’t work. I won’t lie. It’ll take a bit of work and not everyone will be able to do it. But if you’re up for the challenge, it’s completely worth it. About 99% of all home users will have a setup that’ll look like this, which will protect all devices on your local area network (LAN). This includes all WiFi devices, Windows 10 computers, etc.

Internet --> Modem --> WAN/firewall/LAN --> Switch/Wireless AP --> All Devices

I highly recommend using a firewall product called pfSense with the pfBlockerNG package. It’s a totally free, open-source firewall and DNS resolver solution. Go onto Craigslist and buy an old computer, and I mean it can be really old. I installed pfSense on a computer I bought for $50 that has 10 GB of DDR3 and a 2.4 GHz Core 2 Duo CPU. It does need to have two NICs though, so make sure you can add another. I’m not going to write up how to install pfSense, because many others have already done that. It literally takes 10 minutes to install and get it up and running. Search YouTube for examples.

Once complete, log into the GUI and install the pfBlockerNG package. It’s under the Package Manager menu item and takes about 15 seconds. Watch the video below on configuring pfBlockerNG. As of right now, this is the best solution I know about to block not only Windows 10 telemetry reporting, but a lot of other stuff too.

Enter the following DNS entries into the DNSBL tab. Some people have been using the IP addresses. This is a bad idea. IP addresses will and do change. In fact, Microsoft regularly changes their Windows Update IP addresses for security purposes, and I suspect they do the same for the telemetry gathering. It’s much harder for them to change DNS names, and so they rarely do. A very comprehensive list can be found at https://www.encrypt-the-planet.com/downloads/hosts.

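Public telemetry lists come in mixed formats (hosts-file lines with a 0.0.0.0 or 127.0.0.1 column, comments, two names run together on one line, names with a trailing port), and the DNSBL custom list wants one bare hostname per line. The following is an added example, not code from the original post or from pfBlockerNG: it normalizes such a list into DNSBL entries and then checks, from a LAN host, which names still resolve to a real address instead of the DNSBL sinkhole. The sinkhole address 10.10.10.1 and the sample list are assumptions; use the DNSBL virtual IP configured on your own pfSense box.

```python
import re
import socket

# Constructed sample mixing the formats found in public telemetry lists.
SAMPLE_LIST = """\
# telemetry hosts (constructed sample)
0.0.0.0 telemetry.microsoft.com
127.0.0.1 vortex.data.microsoft.com   # trailing comment
cs1.wpc.v0cdn.net statsfe1.ws.microsoft.com
telemetry.appex.bing.net:443
sqm.telemetry.microsoft.com
Telemetry.Microsoft.com
bad_host.example
"""

# RFC 1123-style hostname: labels of 1-63 chars, no leading/trailing '-', at least one dot.
HOST_RE = re.compile(r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")
HOSTS_FILE_ADDRS = ("0.0.0.0", "127.0.0.1", "::1", "::")


def normalize_dnsbl(text):
    """Return (sorted unique hostnames, rejected tokens) ready for a DNSBL custom list."""
    names, rejected = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()                      # also splits names run together
        if tokens[0] in HOSTS_FILE_ADDRS:          # hosts-file format: drop address column
            tokens = tokens[1:]
        for tok in tokens:
            name = re.sub(r":\d+$", "", tok.lower()).rstrip(".")   # strip ':443', case, dot
            (names.add(name) if HOST_RE.match(name) else rejected.append(tok))
    return sorted(names), rejected


def check_blocked(names, resolve=socket.gethostbyname, sinkhole="10.10.10.1"):
    """Map each name that still resolves to something other than the sinkhole to that IP.
    NXDOMAIN/refused answers raise OSError and count as blocked."""
    leaks = {}
    for name in names:
        try:
            ip = resolve(name)
        except OSError:
            continue
        if ip != sinkhole:
            leaks[name] = ip
    return leaks


if __name__ == "__main__":
    entries, bad = normalize_dnsbl(SAMPLE_LIST)
    print("\n".join(entries), "\nrejected:", bad)
    print("still reachable:", check_blocked(entries))   # needs the LAN's resolver
```

Run the script from a Windows 10 host on the LAN after applying the DNSBL; an empty "still reachable" dictionary means every listed name is being sinkholed by pfBlockerNG.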
This does not break Windows Update. I have confirmed on all my Windows 10 workstations that it still works. I just received the latest monthly patches without issue. What’s interesting is, I performed a packet capture while initiating a Windows Update and noticed a couple of things. First, it looks like a Windows Update also initiates a telemetry sync, and even though I block the telemetry, the update still works. Second, the Windows Update IP addresses change with each sync. It appears they do a sort of round-robin usage. Not really relevant to the problem, but interesting. One sync I was grabbing from IPs in Redmond, WA and the next I was grabbing IPs in Singapore.

Anyhow, while you’re at it, you might want to also block Trend Micro. All those ASUS NAT routers have teamed up with Trend Micro and phone home every website you visit (and other stuff too). In fact, they have a EULA that you must acknowledge before you can enable QoS, Filtering, or Parental Controls within their products. I still have my wireless access point in bridge mode with all those features turned off, and it’s still phoning home “something”.

… and if you have a Samsung TV connected to the internet and use those features, you’ll want to block these DNS entries as well. Mine is connected to WiFi, but I don’t use any of the SmartTV apps, and I totally block all outbound traffic for all protocols/ports from its static IP at the firewall (nothing gets out).

Below is a screenshot from half a day’s worth of traffic collection on my LAN. I blocked 1,225 packets destined for the mother-ship, which could have equaled 1.8 MB of data (1,225 x 1,500 MTU roughly equals 1.8 MB). I also block advertiser tracking (Pi-hole), ads, and several countries outright … not on the WAN side, but on the LAN side. There is no silver bullet solution to privacy (except totally disconnecting, but that’s not logical in today’s world), but better privacy comes in layers and the more layers you have, the better.

It’s a crazy world we live in. Every device is phoning home because telemetry and user habits can be sold for big money to advertisers. Apps on your smartphones sell your personal data as well, but this solution blocks all devices as long as they are connected to the LAN (once you leave the LAN, you’re totally unprotected).

I cannot stress or even begin to tell you how much of your information is being collected, sold, and shared with other companies. Many of whom are not using it for good purposes. They know what time you use your computer, what websites you visit, your location, what you type on the computer or phone, what you click on, what you buy, what you search … and they are listening in on you as well. I know my wife’s iPhone is, because on numerous occasions we were talking about buying something and a relevant ad showed up in her Facebook feed. No more Facebook for me (deleted my account). I’m done with that crap.

Ok, I’m done rambling.
