There is no reason an operating system needs to phone home telemetry data in order to function properly. The sole purpose for this capability is so the operating system can report back statistics about computer use, operator habits, and other things which can then be analyzed and/or provided to other third parties to help them develop or improve their products.
Unix, Linux, Solaris, OpenVMS, and a multitude of others don’t phone home, so there is no reason Windows 10 needs to either.
Good news is, you can block the telemetry data from phoning home to the Microsoft mother-ship. But you must use a combination of an external DNS resolver that will intercept DNS requests and route them to a “black hole” and an external IP based firewall.
What Won’t Work
You cannot achieve a similar result by enabling the privacy settings within Windows 10, modifying the registry, deleting tasks in the task scheduler (although this does work until the next patch), using the internal Windows Defender Firewall or modifying the hosts file.
Why? Because each time Windows updates, it will re-create the scheduled tasks and revert the registry settings. Moreover, people have proven some of the telemetry data still reports back to Microsoft even when they blocked the phone-home IP addresses in Windows Defender and modified the hosts file. The host operating system can simply bypass both prior to sending the data, or the desired IP addresses are simply whitelisted.
In other words, you cannot modify the configuration of Windows 10 so Windows 10 can’t report back home.
What Will Work
It’ll take a bit of work, but if you’re up for the technical challenge, it’s probably worth it. About 99% of all home users will have a setup that’ll look like this, which will protect all devices on your local area network (LAN). This includes all WiFi devices, Windows 10 computers, etc.
Internet --> Modem --> WAN/firewall/LAN --> Switch/Wireless AP --> All Devices
I highly recommend using pfSense with the pfBlockerNG package. It’s a totally free, open-source firewall and DNS resolver solution packaged in its own operating system. Simply load the image on an old computer and you’ll be up and running in no time.
And by old, I mean really old. I installed pfSense on a computer I bought for $50 on Craigslist that has 8 GB of DDR3 RAM and a 2.4 GHz Core 2 Duo CPU. It does need to have two NICs though, so make sure you can add a second one. I’m not going to write up how to install pfSense, because many others have already done that. Just search YouTube.
Once complete, log into the GUI and install the pfBlockerNG package. It’s under the Package Manager menu item and takes about 15 seconds.
What I’m providing in this article is a high-level roadmap on what it takes to stop Windows 10 from tracking you, and some important information. What it’s not going to do is walk you through the setup process. Other people have created some excellent videos on how to do that. For example, see the video to the left.
Basic Steps Needed
Enter the below DNS entries into the DNSBL tab. Some people have been using the IP addresses. This is a bad idea. IP addresses will and do change. In fact, Microsoft regularly changes their Windows Update IP addresses for security purposes, and I suspect they do the same for the telemetry gathering. It’s much harder for them to change DNS names, and so they rarely do. A very comprehensive list can be found at https://www.encrypt-the-planet.com/downloads/hosts. Or, you can use the DNS names listed below:
This does not break windows update. I have confirmed on all my Windows 10 workstations that it still works. I just received the latest monthly patches without issue.
What’s interesting is, I performed a packet capture while initiating a Windows Update and noticed a couple of things. First, it looks like a Windows Update also initiates a telemetry sync, and even though I block the telemetry, the update still works. Second, the Windows Update IP addresses change with each sync. It appears they do a sort of round-robin usage. Not really relevant to the problem, but interesting. One sync I was grabbing from IPs in Redmond, WA and the next I was grabbing IPs in Singapore.
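The hosts-format list mentioned above, turned into DNS sinkhole records, as an added example that is not the article's or pfBlockerNG's own code: it parses hosts-file syntax into a clean name list, emits the Unbound directives (pfSense's resolver) that answer each listed zone and every name under it with a sinkhole address, and checks a resolver's answers against that policy. The 10.10.10.1 sinkhole address and the example.com-style names are assumptions, not entries from the article's list.

```python
import re
# Assumption: the virtual IP that sinkholed names resolve to.
SINKHOLE_IP = "10.10.10.1"
# Constructed sample in hosts-file syntax; the names are placeholders.
SAMPLE = """# constructed sample list
127.0.0.1 localhost
0.0.0.0 telemetry.example.com   # trailing comment
0.0.0.0 vortex.example.net beacon.example.net
bare.example.org
0.0.0.0 TELEMETRY.example.com
"""

_NAME_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")
_ADDR_RE = re.compile(r"^[0-9.:]+$")
_LOCAL = {"localhost", "localhost.localdomain", "broadcasthost"}

def parse_hosts_blocklist(text):
    """Unique hostnames from `addr name [name ...] [# comment]` lines.
    A line holding only a bare name is accepted too; loopback aliases are
    dropped so a stock hosts header never sinkholes localhost."""
    names, seen = [], set()
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        hosts = fields[1:] if _ADDR_RE.match(fields[0]) else fields
        for host in hosts:
            host = host.lower().rstrip(".")
            if host in _LOCAL or not _NAME_RE.match(host) or host in seen:
                continue
            seen.add(host)
            names.append(host)
    return names

def unbound_local_data(names, sinkhole=SINKHOLE_IP):
    """Unbound directives that answer each listed zone, and every name
    under it, with the sinkhole address instead of the real one."""
    out = []
    for n in names:
        out.append(f'local-zone: "{n}" redirect')
        out.append(f'local-data: "{n} A {sinkhole}"')
    return out

def verify_answer(name, answer, names, sinkhole=SINKHOLE_IP):
    """True when a resolver reply follows the policy: listed names (or
    names under a listed zone) get the sinkhole, everything else must not."""
    name = name.lower().rstrip(".")
    covered = any(name == n or name.endswith("." + n) for n in names)
    return (answer == sinkhole) == covered
```

Feed `verify_answer` the name and A record from a client-side lookup after deployment to confirm the resolver, not just the hosts file, is doing the blackholing.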
Other Stuff to Block
While you’re at it, you might want to also block Trend Micro. ASUS has teamed up with Trend Micro on all of its NAT routers, which phone home every website you visit. In fact, they have a EULA you must acknowledge and accept before you can enable QoS, Filtering, or Parental Controls within their products. I don’t use these features, but if you do and you block the below DNS entries, it could prevent those capabilities from functioning.
… and if you have a Samsung TV connected to the internet, you’ll want to block these DNS entries as well. Mine is connected to WiFi, but I don’t use any of the SmartTV apps, and I totally block all outbound traffic for all protocols/ports from its static IP at the firewall (nothing gets out). This will break updates, so you’ll need to occasionally stop blocking if you want to patch.
Below is a screenshot from half a day’s worth of traffic collection on my LAN. I blocked 1,225 packets destined for the Microsoft mother-ship, which could have equaled 1.8 MB of data (1,225 x 1,500 MTU roughly equals 1.8 MB). Why on earth they need 1.8 MB of data from my system is beyond me. I also block advertiser tracking (Pi-hole), ads, and several countries outright … not on the WAN side, but on the LAN side. There is no silver bullet solution to privacy except to totally disconnect, but that’s not logical in today’s world. However, better privacy comes in layers, and the more layers you have, the better.
It’s a crazy world we live in. Every device is phoning home because telemetry and user habits can be sold for big money to advertisers. Apps on your smartphones sell your personal data as well, but this solution blocks all devices as long as they are connected to the LAN (once you leave the LAN, you’re totally unprotected).
I cannot stress or even begin to tell you how much of your information is being collected, sold, and shared with other companies. Many of whom are not using it for good purposes. They know what time you use your computer, what websites you visit, your location, what you type on the computer or phone, what you click on, what you buy, what you search … and they are listening in on you as well. I know my wife’s iPhone is, because on numerous occasions we were talking about buying something and a relevant ad showed up in her Facebook feed. No more Facebook for me (deleted my account). I’m done with that crap.