#31
Disabling telemetry 100% would be awesome from a personal security point of view, but obviously this task is mighty impossible with how software is configured these days. To have a fully undetectable and unhackable online presence is a dream that can't come true. Kill the telemetry I say, but no one is that bold.
Yeah, that stealth test is incoming traffic and not outbound, which would not affect things like MS telemetry because they are outbound. It's still good to know that you are pretty good on incoming though.
The only way after applying various tweaks that claim to stop telemetry is to remap the routing table.
How Do I Completely Disable Windows 10 Telemetry?
Here are some lines from the Tron script (not recommended) that block connections to telemetry IPs. And before anyone tries to point out that IP addresses change, these ones do not.
EDIT: Don't use the entries below. They're just lines from a script and you'd need the script to add them.
A usable list is here:
Stop telemetry
As for firewall:
If I run Essential Net Tools with logging and leave it running, I don't see any connections to telemetry IPs.
Where did the IPs come from? Because just looking at that, I know it's nowhere near complete based on Microsoft's ASNs and their use of the Akamai CDN, which are even harder to block because many websites use Akamai. So you have to block that CDN one IP or maybe CIDR at a time...
And that's not a remap of the routing table... LOL. That's just blocking IPs in a firewall. A remap involves router core functionality. But I digress.
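The route lines pasted above follow a simple pattern (a `:: hostname` comment, then `route -p add A.B.C.D/32 0.0.0.0`), and the only real check that they "stuck" is the Persistent Routes table of `route print`. The following is an added example, not code from the thread or from the Tron or DWS scripts: it parses lines in that format, keeps only genuine /32 blackhole routes, and reports which ones are absent from a `route print` dump. The sample script and `route print` text are constructed (RFC 5737 addresses, invented hostnames).

```python
import ipaddress
import re
# Tron-style lines: a ":: hostname" comment, then "route -p add A.B.C.D/32 0.0.0.0".
ROUTE_RE = re.compile(r"^\s*route\s+-p\s+add\s+(\S+?)(?:/(\d+))?\s+(\S+)", re.I)
COMMENT_RE = re.compile(r"^\s*::\s*(\S+)")

def parse_null_routes(script_text):
    """Return {ip: hostname} for every /32 route with gateway 0.0.0.0; skip all else."""
    routes, host = {}, None
    for line in script_text.splitlines():
        m = COMMENT_RE.match(line)
        if m:
            host = m.group(1)          # remember the hostname the next routes belong to
            continue
        m = ROUTE_RE.match(line)
        if not m:
            continue
        ip, prefix, gw = m.group(1), m.group(2) or "32", m.group(3)
        if prefix != "32" or gw != "0.0.0.0":
            continue                   # not a host blackhole (e.g. a real default route)
        try:
            routes[str(ipaddress.IPv4Address(ip))] = host
        except ValueError:             # not an IPv4 literal, ignore it
            pass
    return routes

def missing_routes(routes, route_print_text):
    """IPs from `routes` with no persistent host route in `route print` output."""
    present = set()
    for line in route_print_text.splitlines():
        cols = line.split()            # Network  Netmask  Gateway  Metric
        if len(cols) == 4 and cols[1] == "255.255.255.255" and cols[2] == "0.0.0.0":
            present.add(cols[0])
    return sorted(ip for ip in routes if ip not in present)

# Constructed sample input (RFC 5737 documentation addresses, invented hostnames).
SAMPLE_SCRIPT = """\
:: telemetry.example.net
route -p add 192.0.2.10/32 0.0.0.0
:: stats.example.net
route -p add 198.51.100.7/32 0.0.0.0
:: a default route, not a blackhole, must be ignored
route -p add 0.0.0.0/0 203.0.113.1
"""
SAMPLE_ROUTE_PRINT = """\
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
         192.0.2.10  255.255.255.255          0.0.0.0       1
"""
```

With the constructed input, `missing_routes(parse_null_routes(SAMPLE_SCRIPT), SAMPLE_ROUTE_PRINT)` reports that only `198.51.100.7` never made it into the persistent table.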
Edit-
Okay, I see now. Where is that script from?
The one I posted is part of the "Tron" script, but I don't use it and never have. The IPs are only "telemetry" IPs, not a complete list of everything MS.
The original script was here, but I don't think that it is still available. See Posts #27 & #28
Static Routes - Create or Remove - Page 3 - | Tutorials
That still assumes an offline install declining all privacy sensitive options along with disabling/ removing certain features and services like CEIP Spynet and so on.
Undo tool for original script lists routes:
DWS_Neutralizer/DWS_Neutralizer.cmd at master · NetwOrchestration/DWS_Neutralizer · GitHub
I added some others found elsewhere but I don't remember the source.
It's interesting and a start in lieu of the Akamai CDN I talked about, but I'd add them in a hardware-based firewall like OPNsense or pfSense, because code (especially in UEFI) can execute prior to boot up and thus the hosts file is null and void.
GitHub - Jamesits/dropWPBT: Disables the Windows Platform Binary Table (WPBT) in your UEFI firmware.