Securing Privacy on Windows 10? Can it Be Done?


  1. Posts : 332
    Windows 10 Pro 64-bit
       #11

    Matthew Wai said:
    Does "telemetry" here refer to "Connected User Experiences and Telemetry"?
    Yes, indeed this service is also responsible for data collection. But as you know the Device Management Wireless Application Push Notification is equally responsible for sending telemetry data. Even if you disabled "Connected User Experiences and Telemetry". Microsoft doesn't seem to turn that service on in 20H2 and above. But Device Management Wireless Application Push Notification service will return back to enabled.

    This is why sometimes if you open Task Manager, particularly after the first 10-15 minutes of boot up, you see this service silently starting up and then it stops. You will see network activity and upload data spikes; it is your data being sent to Microsoft.

    20H2 ShutUp10 disables these services but after a few hours it turns back on. It is mainly this service that turns on. Something tells me that Device Wireless Management Application Push Notification is the main culprit for telemetry. Because the "Connected User Experiences and Telemetry" still remains disabled.

    MS patched things up and made it so that disabling that service not only switches back to Manual, but it also logs an error in event viewer. Never before for 2 years did I experience that on 1903!
    margrave55 said:
    This is yet another reason not to accept Windows updates.

    Windows doesn't get better with updates. It only gets worse.
    Indeed, while some people think security updates are important and newer feature updates improve performance, this is an illusion. There is little to no fps performance difference between 1903, 1909 and 20H2 in all games. So the overall performance is practically the same.

    Sadly MS has programmed Windows in such a cheeky way that it tries to force you to the latest feature updates by default.

    Part of these updates are not to really improve the operating system, but to in fact improve the forced telemetry! So that any configurations you make will revert back to default. MS are doing everything they can to stop these programs from blocking their telemetry.

    Here's my solution! Unplug LAN cable/WiFi when installing Windows 10. Then go to regedit and Use Specify Target in registry and set it to 1903, 1909, etc. Then replug the cable. Windows then will update to only the final build version of these old versions of Windows. You will be then Up to Date.

    The next thing is to use Windows Update Blocker Tool to disable the services and task schedules. Even though your Windows will be reported as up to date. Don't worry, you can do this in a few days. The only updates it will install will be Edge Chromium and Windows Malicious Software Removal Tool. After that it will no longer install additional updates. At least I have not had one in the last 1 month.

    MS still has these task schedules like Update Orchestrator Service that you cannot disable or delete under any normal procedure!

    Once these are disabled you should be good to go. Remember, make sure you safely keep the ISO of your old Windows 10 versions to your memory stick or another hard drive not to lose them! As Microsoft does not let you download old versions from their website.

    After that use a script like windows-lite-1903/win-cleanup.bat at master · ChrisTitusTech/windows-lite-1903 · GitHub

    Some of these don't work, like deleting task schedules relating to Update Orchestrator. That's why Windows Update Blocker tool comes in handy and will instead disable them rather than delete them.

    But it will disable Cortana, Telemetry, Microsoft Store auto install, uninstall OneDrive, etc.


  2. Posts : 7,606
    Windows 10 Home 20H2
       #12

    BLaZiNgSPEED said:
    the Device Management Wireless Application Push Notification is equally responsible for sending telemetry data. Even if you disabled "Connected User Experiences and Telemetry". Microsoft doesn't seem to turn that service on in 20H2 and above. But Device Management Wireless Application Push Notification service will return back to enabled.
    On my 20H2, by default, the "Startup type" of "Connected User Experiences and Telemetry" is "Automatic". I have disabled it, and it is not running, as shown below:
    Code:
    PS C:\Users\Matthew_Wai> GSV 'Connected User Experiences and Telemetry'|Select StartType, Status
    
    StartType  Status
    ---------  ------
     Disabled Stopped

    However, I have another "Telemetry", which is running as shown below:
    Code:
    PS C:\Users\Matthew_Wai> GSV 'Telemetry'|Select DisplayName, StartType, Status
    
    DisplayName                StartType  Status
    -----------                ---------  ------
    Intel(R) Telemetry Service      Boot Running
    I am considering whether to disable it.


    "Device Management Wireless Application Protocol (WAP) Push Message Routing Service" is not running on my Windows as shown below.
    Code:
    PS C:\Users\Matthew_Wai> GSV 'Device Management Wireless Application Protocol (WAP) Push Message Routing Service'|Select StartType, Status
    
    StartType  Status
    ---------  ------
       Manual Stopped


  3. Posts : 332
    Windows 10 Pro 64-bit
       #13

    Yes, as I've said 'Connected User Experiences and Telemetry' does remain disabled under 20H2.

    However, the 'Device Management Wireless Application Protocol (WAP) Push Message Routing Service' will not remain disabled. Because as you posted while it may show Manual (Stopped) that doesn't mean the service didn't run at all!

    Not all services with a Manual startup remain running at all times. This service will go from Manual to stopped, giving the impression that it didn't run. Have you tested when you disable this service whether it remains disabled at all times?

    Because that wasn't the case for me when I upgraded to 20H2. Similar posts show the same results. Cannot Disable Win10 Telemetry Svc: Device Management Wireless Appli.

    Here's another post O&O Shutup10 Issue? - TweakHound

    Others are mentioning the same issue that this service will re-enable itself back to Manual (trigger) from disabled.

    Now I don't know if all versions of 20H2 do that. I'm curious to know if Enterprise version of 20H2 does the same behaviour, (probably not). And when you see the service switch from disabled back to manual, it will log an error in Event Viewer. This will indicate that Windows 10 20H2 tried to collect telemetry data at that moment and it auto-configured the service back to Enabled.

    That was one of the reasons I quickly reformatted Windows 10 and went back to 1903. Not to mention Windows Defender for me was impossible to disable under 20H2, it has tamper protection. In 1903 I didn't have this issue either.


  4. Posts : 582
    Windows 10 Pro 64 bit 19044.1706
       #14

    There is an alternative version of Windows 10, stripped of spying... I forget what it is called, sorry. You should be able to google it with relation to gaming, or private Windows 10, or something like that... The only issue is reduced security and only Direct11. It should have updates.


  5. Posts : 7,606
    Windows 10 Home 20H2
       #15

    BLaZiNgSPEED said:
    Have you tested when you disable this service whether it remains disabled at all times?
    Yesterday, I ran the following commands:
    Code:
    (REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /V "AllowTelemetry" /T REG_DWORD /D "0" /F)
    
    SC config "dmwappushservice" start=disabled

    Today, it remains disabled as shown below:
    Code:
    PS C:\Users\Matthew_Wai> GSV 'dmwappushservice'|Select StartType, Status
    
    StartType  Status
    ---------  ------
     Disabled Stopped

    Note that "dmwappushservice" stands for "Device Management Wireless Application Protocol (WAP) Push Message Routing Service". I can write a script to monitor the service, but I feel no need to do so at the moment.

    BLaZiNgSPEED said:
    Now I don't know if all versions of 20H2 do that.
    My 20H2 has not yet re-enabled it.

    BLaZiNgSPEED said:
    Not to mention Windows Defender for me was impossible to disable under 20H2, it has tamper protection.
    I can disable it on my 20H2 via this utility: Defender Control v2.0
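Added example, not part of any post in this thread: a PowerShell check of the kind mentioned in post #15. It reports whether the two services discussed above still have the Disabled start type, whether they are registered as trigger-start, and whether Service Control Manager recorded start-type changes for them (System log event 7040). The seven-day window and the log file path are assumptions.

```powershell
# Added example, not code from the thread. The look-back window and log path are assumptions.
$Watched  = 'DiagTrack', 'dmwappushservice'   # DiagTrack = "Connected User Experiences and Telemetry"
$Expected = 'Disabled'
$Since    = (Get-Date).AddDays(-7)
$LogFile  = Join-Path $env:ProgramData 'svc-starttype-drift.log'   # hypothetical path

function Get-StartTypeReport {
    param([string[]]$Name, [string]$Expected, [datetime]$Since)
    foreach ($n in $Name) {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$n'"
        if (-not $svc) { Write-Warning "Service $n not found"; continue }

        # A trigger-start service shows as Manual/Stopped between runs, so a
        # Stopped status alone does not show that it never ran.
        $trigger = Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\$n\TriggerInfo"

        # Service Control Manager logs event 7040 when a start type is changed;
        # the message names the service by its display name.
        $changes = @(Get-WinEvent -FilterHashtable @{
            LogName = 'System'; ProviderName = 'Service Control Manager'
            Id = 7040; StartTime = $Since
        } -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -like "*$($svc.DisplayName)*" })

        [pscustomobject]@{
            Name         = $n
            StartMode    = $svc.StartMode
            State        = $svc.State
            TriggerStart = $trigger
            Drifted      = ($svc.StartMode -ne $Expected)
            Changes7040  = $changes.Count
            LastChange   = ($changes | Select-Object -First 1).TimeCreated   # newest event first
        }
    }
}

$report = Get-StartTypeReport -Name $Watched -Expected $Expected -Since $Since
$report | Format-Table -AutoSize

# Append one line per drifted service so repeated runs build a timeline.
$report | Where-Object Drifted | ForEach-Object {
    "{0:s} {1} StartMode={2} State={3} Changes7040={4}" -f (Get-Date), $_.Name, $_.StartMode, $_.State, $_.Changes7040
} | Add-Content -Path $LogFile
```

Running it from a scheduled task turns the one-off `GSV` checks shown above into a record of when, if ever, a start type moved away from Disabled.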


  6. Posts : 406
    Windows 10 21H1
       #16

    Perramas said:
    Check out the DNS redirect called Pi-Hole. There's a few good guides for setting up pi-hole. If you take $30 and get a raspberry pi, you can dedicate one to the purpose, lots of videos on YouTube for getting it online and then adding millions of "rules" by network experts who want privacy. Think of it as a black list for IPs that serve advertising, marketing and all the IPs that would normally receive your telemetry data.

    The real beauty of this is once hooked to your router, it's network wide, all devices on your home network, all phone apps, amazon devices, roku, computers, etc, they all get directed to the shitcan if they attempt to contact one of the known tracking IPs.

    One of the big surprises I found is how often Roku devices attempt to log behavior data. It's about every 3 seconds, but after pi-hole, it never gets served, the device "thinks" it did its job, but the pi-hole directs into a void. Because of this, it's also saving you bandwidth because you're not forced to deliver bullshit IPs. The request just gets dumped in the hole before the router has to serve it. This is also a great tool to shut down commercials across many platforms. I have an app I play chess with on my phone that had ads on the bottom, as soon as pihole was turned on, ads gone. Facebook apps from the wife and guests all have telemetry bullshit get vanished. Also while you're messing with network settings, force all guests to use guest network so they can't see other devices. Facebook apps are now scanning local networks to map out traffic from other devices and know what you have in your house. This is nullified if the guest using Facebook connected to the "guest" network instead of the normal wifi.
    Why not just add said IPs to your hosts file?


  7. Posts : 406
    Windows 10 21H1
       #17

    Moreover, simply configuring your firewall to deny internet access to processes and services you think are spying on you will do the trick. Now, this is dangerous since most of these things are poorly documented (or not at all), so you may break some legitimate things in the process. Fortunately, the firewall rules can be easily changed or reset.


  8. Posts : 406
    Windows 10 21H1
       #18

    Finally, you need to determine what exactly is the purpose of this "securing Windows". Most of the telemetry is just that, telemetry, not related to any kind of personal data. Where do you buy your things, how do you pay for them? Do you always go to a small shop 100 miles away from your home and pay cash? Or do you just order stuff on Amazon? In the latter case, "they" know very well what things you have in your house. Does that bother you? Do you use advanced home network features, such as the "smart home"? In that case, your ISP knows almost everything about your house. Is that disturbing? Do you actually use a smartphone? Is it OK with you that various services are constantly "tracking" your location (even if you turn off GPS, they do it by the cell signal)? Does your car have GPS navigation?

    I'm not trying to belittle your concern, but you need to be realistic about setting your goals. What is it that you want to achieve? If your goal (like mine, for example) is to reduce unnecessary web traffic, improve battery life, and get rid of ads - this is perfectly doable. If, on the other hand, you want to use the internet and leave no digital footprint whatsoever, then this is just like the "tin hat" idea, it won't work and is basically pointless.


  9. Posts : 1,803
    Windows 10 Pro (+ Windows 10 Home VMs for testing)
       #19

    unifex said:
    Why not just add said IPs to your hosts file?
    'Cos vendors are wise to that and use constantly rotating virtual IP address services like CloudFlare to swap them around, just so you play whac-a-mole or, like Microsoft, just ignore the hosts file.


  10. Posts : 6,926
    22H2 64 Bit Pro
       #20

    RickC said:
    'Cos vendors are wise to that and use constantly rotating virtual IP address services like CloudFlare to swap them around, just so you play whac-a-mole or, like Microsoft, just ignore the hosts file.
    Actually Microsoft uses the same IP addresses for telemetry but they use a CDN for Windows updates. I've been using a remapped routing table (plus a few other methods) to disable telemetry and if I run Netstat with logging and leave it running I never see any connections to Microsoft except for Defender definition updates several times per day and Windows Updates once per month only when I enable on a monthly basis. It's true that adding telemetry domains to the hosts file is a waste of time.


    [Attached image: routing-table.png]


 
