Let's be honest: Windows 10 is AWESOME, but it has raised several privacy concerns because it has several online features that are flat out malware, such as Windows Defender and Telemetry, both of which send your data (sensitive and not) to Microsoft and can't be disabled. Windows Update also can't be disabled... which means Microsoft can:
Fortunately, all these "features" can be removed relatively easily by experienced users by following this guide.
Let's see how!
At the end of the setup process, it will ask you to use Express settings or customize them. Choose customize and disable everything, then create a local account and don't activate Cortana.
Once you get to the desktop, open the settings, go to updates, and let it download all the updates. Reboot and repeat until no more updates are available.
This is important because Windows Update may interfere with our activities.
Now open the Store app, and let it download updates too.
Again, this is important because it may interfere with our activities.
This may take some time, and it may even get stuck. If it happens, reboot and try again.
Now that the system is fully updated, make sure Windows is activated with your license (or your favorite crack, such as KMSPico).
Open the start menu and remove all the applications. Some of them, such as Microsoft Edge, will not have an uninstall option; we'll remove them later.
What's important now is to remove all the OEM software and the shitty games like Candy Crush and Farmville.
Here's what we need:
Open that folder on your desktop and run a command prompt as administrator.
We will also need PowerShell, so click start, type PowerShell and run it as administrator
In the command prompt, type:
This will take 1-2 minutes. After that, reboot and reopen our command prompt and PowerShell, because we're not done yet.
Windows will keep reminding us that the system is unprotected. Right click start, open the Control Panel, go to Security, then Security and Maintenance, and turn off messages about virus protection and SmartScreen.
We will use our command prompt and PowerShell to remove everything we can.
The commands in green are for the command prompt; the ones in blue are for PowerShell.
Additionally, you should remove Windows Media Player: Right click start, select "Programs and Features", then on the left "Turn Windows features on or off", untick "Media Features" and confirm.
You can ignore any error that pops up
Alternatives: JPEGView, or the old Windows Photo Viewer
Additionally, you should remove IE11: Right click start, select "Programs and Features", then on the left "Turn Windows features on or off", untick Internet Explorer 11 and confirm.
Reboot the system. Hopefully everything is still in place.
With the Anniversary Update, Microsoft hid the option to disable Cortana.
Warning: Do not attempt to remove the Cortana package using install_wim_tweak or the PowerShell, as it will break Windows Search and you will have to reinstall Windows!
Open our command prompt again and use this command:
Reboot again and Cortana is gone. The icon is still there, but it will open the regular search instead.
Open the command prompt again and get ready to type
We will remove the service later, but in case an update reinstalls it, this will at least keep it turned off
This will notify when updates are available, and you decide when to install them
By default, Windows will check your license every time you turn on your PC, this will prevent it
It doesn't really affect you if you're not using a Microsoft Account, but it will at least disable the Sync settings from the Settings app
Reboot the system and reopen our command prompt for the next step.
If you don't use OneDrive (and you shouldn't), you can remove it from your system with these commands, entered in the command prompt:
If you're on 32 bit Windows:
If you're on 64 bit Windows:
Now reboot, and reopen the command prompt:
Don't worry if some of these commands fail, it is normal if you haven't used OneDrive.
Reboot once again, and get reopen the command prompt for the next step
First, click start, type "Services" and open it. You will find a huge list of Windows Services, most of which are fine and safe, but others send data to Microsoft.
Find a service called CDPUserSvc_xxxxx, where xxxxx are 5 randomly generated character (yes, Windows is using literal malware techniques to prevent automated removal of this trash). Write down these 5 characters.
And now it's time to punch in some commands to delete them:
Reboot, press Win+R, type regedit, press enter, and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
Here we need to delete the following keys:
You may also find traces of the previously removed services: if you do, delete themSome of the keys that we have to delete are "protected" by messed up permissions. To delete them, you must fix them, here' a video showing how to do it:
Right click the key and select Permissions, then click Advanced, change the Owner to your username, check "Replace owner on subcontainers and objects" and "Replace all child object permission entries with inheritable permission entries from this object", if inheritance is enabled, disable it and convert to explicit permissions, apply, remove all the permission entries and add one for your username with Full control, confirm everything and delete the key.
You guessed it, reboot!
We must disable Windows Spotlight, and other "Suggestions".
Open the settings, go to Personalization, then Lock screen, and choose Picture instead of Windows Spotlight, turn off the "Fun facts" too.
In the Start menu settings, turn off "Occasionally show suggestions in start". They're literally ads.
If you give your Wifi password to a friend who has Wifi Sensor turned on (it was turned on by default in the previous versions of Windows 10), it will share your password with his Skype, Outlook, ... contacts, which means your Wifi password will be sent to Microsoft.
You can disable this by adding _optout to the name of your network.
For some applications (such as the settings app), the only way to prevent them from reporting data is to block them with a firewall. This is why you should use a small firewall software, such as TinyWall to block all traffic except the one you explicitly allow.
Personally, I allow Windows Update, Network discovery and sharing, DHCP, DNS, my web browser and nothing more. This will limit the traffic of undesired applications to DNS queries, they won't be able to send or receive anything.
Setting up the firewall may take some time, but you'll be as safe as you could possibly be when using Windows. Tinywall's autolearn feature is very useful when you install a new application: it will learn its patterns and allow them through the firewall
One thing to know however is that at the moment you cannot allow/block individual UWP apps using a firewall. Blocking WWAHost.exe (recommended) will block all of them, while allowing it will allow all of them to go through. Microsoft Edge is the only exception and has its own exe files.
Things will change in the future, and I'll do what I can to keep this guide updated.
As of January 2017, this guide works on Windows 10 Pro.
There are a few things that can revert the changes we made here: