Block Windows 10 From Tracking You

There is no reason an operating system needs to phone home telemetry data in order to function properly. The sole purpose for this capability is so the operating system can report back statistics about computer use, operator habits, and other things which can then be analyzed and/or provided to other third parties to help them develop or improve their products.

Unix, Linux, Solaris, OpenVMS, and a multitude of others don’t phone home, so there is no reason Windows 10 needs to either.

The good news is that you can block the telemetry data from phoning home to the Microsoft mother-ship. But you must use a combination of an external DNS resolver that intercepts DNS requests and routes them to a “black hole”, and an external IP-based firewall.

What Won’t Work

You cannot achieve a similar result by enabling the privacy settings within Windows 10, modifying the registry, deleting tasks in the task scheduler (although this does work until the next patch), using the internal Windows Defender Firewall or modifying the hosts file.

Why? Because each time Windows updates, it re-creates the scheduled tasks and reverts the registry settings. Moreover, people have shown that some of the telemetry data still reports back to Microsoft even after they blocked the phone-home IP addresses in Windows Defender Firewall and modified the hosts file. The operating system can simply bypass both before sending the data, or the addresses it wants are simply whitelisted.

In other words, you cannot modify the configuration of Windows 10 so Windows 10 can’t report back home.

What Will Work

It’ll take a bit of work, but if you’re up for the technical challenge, it’s probably worth it. About 99% of all home users will have a setup that’ll look like this, which will protect all devices on your local area network (LAN). This includes all WiFi devices, Windows 10 computers, etc.

Internet --> Modem --> WAN/firewall/LAN --> Switch/Wireless AP --> All Devices

I highly recommend using pfSense with the pfBlockerNG package. It’s a totally free, open-source firewall and DNS resolver solution packaged in its own operating system. Simply load the image on an old computer and you’ll be up and running in no time.

And by old, I mean really old. I installed pfSense on a computer I bought for $50 on Craigslist that has 8 GB of DDR3 RAM and a 2.4 GHz Core 2 Duo CPU. It does need to have two NICs though, so make sure you can add a second one. I’m not going to write up how to install pfSense, because many others have already done that. Just search YouTube.

Once complete, log into the GUI and install the pfBlockerNG package. It’s under the Package Manager menu item and takes about 15 seconds.

What I’m providing in this article is a high-level roadmap on what it takes to stop Windows 10 from tracking you, and some important information. What it’s not going to do is walk you through the setup process. Other people have created some excellent videos on how to do that. For example, see the video to the left.

Basic Steps Needed

Enter the DNS entries below into the DNSBL tab. Some people have been using the IP addresses instead. This is a bad idea: IP addresses can and do change. In fact, Microsoft regularly changes its Windows Update IP addresses for security purposes, and I suspect it does the same for telemetry collection. It’s much harder for them to change DNS names, so they rarely do. A very comprehensive list can be found at https://www.encrypt-the-planet.com/downloads/hosts. Or, you can use the DNS names listed below:

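Hand-maintained lists like this one pick up quirks (two names on one line, a stray “:443”, mixed case), and the DNSBL tab will not fix them for you. Here is an added example, not from this post or the pfBlockerNG project, in Python: it parses a hosts-format list into a clean, de-duplicated domain set and writes it out as Unbound local-zone redirects, which is the mechanism pfBlockerNG’s DNSBL uses under the hood (as I understand it) to answer blocked names with its sinkhole VIP, assumed here to be the package default of 10.10.10.1.

```python
"""Turn a hosts-format blocklist into Unbound sinkhole entries (added example)."""
import re

# One DNS label: letters, digits, hyphens; a hostname needs at least one dot.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")
_ADDR = re.compile(r"[0-9.]+|[0-9a-f:]+")  # leading 0.0.0.0 / ::1 column of a hosts file


def parse_hosts_list(text):
    """Return (domains, rejected): ordered unique hostnames, and tokens that were not one.
    Handles "0.0.0.0 host", "127.0.0.1 host1 host2" and bare "host" lines, strips
    "# comments" and a trailing ":port", and lowercases names for de-duplication.
    """
    seen, domains, rejected = set(), [], []
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].strip().lower().split()
        if len(tokens) > 1 and _ADDR.fullmatch(tokens[0]):
            tokens = tokens[1:]  # drop the sinkhole address column
        for tok in tokens:
            name = re.sub(r":\d+$", "", tok).rstrip(".")  # "host:443" -> "host"
            tld = name.rsplit(".", 1)[-1]
            if not _HOSTNAME.match(name) or tld.isdigit() or name == "localhost.localdomain":
                rejected.append(tok)
            elif name not in seen:
                seen.add(name)
                domains.append(name)
    return domains, rejected


def unbound_redirects(domains, sinkhole="10.10.10.1"):
    """Emit Unbound config that answers each zone (and every subdomain) with the sinkhole IP."""
    out = []
    for d in domains:
        out.append(f'local-zone: "{d}" redirect')
        out.append(f'local-data: "{d} A {sinkhole}"')
    return "\n".join(out) + "\n"


# Constructed sample showing the same quirks found in hand-maintained lists.
SAMPLE = """0.0.0.0 telemetry.microsoft.com
127.0.0.1 cs1.wpc.v0cdn.net statsfe1.ws.microsoft.com
telemetry.appex.bing.net:443
vortex.data.microsoft.com   # trailing comment
Telemetry.Microsoft.com
bad_name.microsoft.com
"""
```

Paste the emitted lines into a custom Unbound options file (or feed the cleaned domains back to the DNSBL tab); anything in the rejected list deserves a manual look before it goes in.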

This does not break Windows Update. I have confirmed on all my Windows 10 workstations that it still works; I just received the latest monthly patches without issue.

What’s interesting is, I performed a packet capture while initiating a Windows Update and noticed a couple of things. First, it looks like a Windows Update also initiates a telemetry sync, and even though I block the telemetry, the update still works. Second, the Windows Update IP addresses change with each sync. It appears they do a sort of round-robin usage. Not really relevant to the problem, but interesting. On one sync I was grabbing from IPs in Redmond, WA, and on the next I was grabbing IPs in Singapore.

Other Stuff to Block

While you’re at it, you might want to also block Trend Micro. All those ASUS routers come bundled with Trend Micro services that phone home every website you visit. In fact, they have a EULA you must acknowledge and accept before you can enable QoS, Filtering, or Parental Controls within their products. I don’t use these features, but if you do and you block the DNS entries below, it could prevent those capabilities from functioning.


… and if you have a Samsung TV connected to the internet, you’ll want to block these DNS entries as well. Mine is connected to WiFi, but I don’t use any of the SmartTV apps, and I totally block all outbound traffic for all protocols/ports from its static IP at the firewall (nothing gets out). This will break updates, so you’ll need to occasionally stop blocking if you want to patch.


The Results

Below is a screenshot from half a day’s worth of traffic collection on my LAN. I blocked 1,225 packets destined for the Microsoft mother-ship, which could have equaled 1.8 MB of data (1,225 packets × 1,500-byte MTU roughly equals 1.8 MB). Why on earth they need 1.8 MB of data from my system is beyond me. I also block advertiser tracking (Pi-hole), ads, and several countries outright … not on the WAN side, but on the LAN side. There is no silver bullet solution to privacy except to totally disconnect, but that’s not logical in today’s world. However, better privacy comes in layers, and the more layers you have, the better.

It’s a crazy world we live in. Every device is phoning home because telemetry and user habits can be sold for big money to advertisers. Apps on your smartphones sell your personal data as well, but this solution blocks all devices as long as they are connected to the LAN (once you leave the LAN, you’re totally unprotected).

I cannot stress or even begin to tell you how much of your information is being collected, sold, and shared with other companies, many of which are not using it for good purposes. They know what time you use your computer, what websites you visit, your location, what you type on the computer or phone, what you click on, what you buy, what you search … and they are listening in on you as well. I know my wife’s iPhone is, because on numerous occasions we were talking about buying something and a relevant ad showed up in her Facebook feed. No more Facebook for me (deleted my account). I’m done with that crap.