Windows 10 has raised several concerns about privacy due to the fact that it has a lot of telemetry and online features. In response to these concerns, Microsoft released a document explaining exactly what data they collect, and now Windows 10 even has a Diagnostic Data Viewer. Most of it seems pretty legit stuff when telemetry is set to basic, but still, if you don't trust them, here's how to prevent Windows 10 from sending your data to Microsoft.
Please note that not all of these changes can be reverted. If you mess up, you'll have to reinstall Windows.
Last update: April 3, 2018
Do not use the default settings
At the end of the setup process, create a local account, don't use Cortana and turn off everything in the privacy settings.
If you already installed Windows with the default settings, go to Start > Settings > Privacy to turn them off. You should also go to Account and disconnect your Microsoft account because this guide will prevent it from working properly.
Let it download all the updates
Once you get to the desktop, go to Settings > Updates and security, and let it download all the updates. Reboot and repeat until no more updates are available.
This is important because Windows Update may interfere with our activities.
Now open the Store app, and let it download updates too.
Again, this is important because updates would interfere with our activities.
This may take some time, and it may even get stuck. If it happens, reboot and try again.
Now that the system is fully updated, make sure Windows is activated with your license (or KMSPico).
Remove everything you can
Open the start menu and remove all the applications. Some of them, such as Microsoft Edge, will not have an uninstall option; we'll remove them later.
What's important now is to remove all the OEM software and the shitty games like Candy Crush and Minecraft.
Here's what we need:
Install_Wim_Tweak: Download this archive and extract it to C:\Windows\System32. This is a very handy tool that allows us to remove Windows components with a single command. You can delete it from System32 when you're finished with this guide.
We need a command prompt, so click start, type cmd and run it as administrator
We will also need PowerShell, so click start, type PowerShell and run it as administrator
This will take 1-2 minutes.
Now, go to Start and right click Windows Defender Security Center, select More > App settings, and click Reset. This will remove the icon from the start menu.
After a while, Windows will remind us that the system is unprotected. When it does, click Start, type Control Panel, open it, go to System and Security > Security and Maintenance, and turn off messages about virus protection.
We will now remove almost all UWP features in Windows. The only UWP app you'll have left will be the settings app.
If you manually install UWP apps later (like cracked UWP games) they may not work properly.
Note: if some of the apps reappear after a few minutes, it's because you didn't wait for the updates to finish. You can simply remove them again using the same commands.
We will use our command prompt and PowerShell to remove everything we can.
The commands in green are for the command prompt; the ones in blue are for PowerShell.
Reboot the system and you're now free of UWP garbage.
With the Anniversary Update, Microsoft hid the option to disable Cortana. Warning: Do not attempt to remove the Cortana package using install_wim_tweak or the PowerShell, as it will break Windows Search and you will have to reinstall Windows!
Open our command prompt again and use this command:
Note: since version 1803, the Task View feature depends on CDPUserSvc and its other services. They can no longer be removed without breaking this feature.
Press Win+R, type regedit, press enter, and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
Here we need to locate the follwing keys:
These keys have messed up permissions. To delete them, we must fix them, here's a video showing how to do it:
Right click the key and select Permissions, then click Advanced, change the Owner to your username, check "Replace owner on subcontainers and objects" and "Replace all child object permission entries with inheritable permission entries from this object", if inheritance is enabled, disable it and convert to explicit permissions, apply, remove all the permission entries and add one for your username with Full control, confirm everything and delete the key.
Repeat for the 3 keys and you're done.
Windows 10 has a huge amount of scheduled tasks that may report some data. Type these commands in the command prompt to remove them:
We must disable Windows Spotlight, and other "Suggestions".
Go to Start > Settings > Personalization:
Under Lock screen and set the background to Picture
Under Start set Show suggestions occasionally in Start to off (They're literally ads)
Go back to Settings and go to System > Notifications and actions
Set Get tips, tricks, and suggestions as you use Windows to off
Set Show me the Windows welcome... to off
Go back to Settings and go to Privacy
Under General, turn off everything
Under Activity history, turn off everything
Under App diagnostics, set Let apps access diagnostic information to off
Go back to Settings and go to Search
Under Permissions & History, turn off everything
On the taskbar
Right click the people icon and uncheck "Show People button"
Recommended: use a firewall!
For some applications (such as the settings app), the only way to prevent them from reporting data is to block them with a firewall. This is why you should use a firewall to block all traffic except what you explicitly allow.
Personally, I allow Windows Update, Network discovery and sharing, DHCP, DNS, my web browser and nothing more. This will limit the traffic of undesired applications to DNS queries, they won't be able to send or receive anything.
Option 1: TinyWall
TinyWall is my favorite, but the installer no longer works on Windows 10 1803 because of an issue with digital signatures. I'm sure the author will fix this soon, but in the meanwhile, I made a modified installer without the problematic signature.
Setting up the firewall may take some time, but you'll be as safe as you could possibly be when using Windows. Tinywall's autolearn feature is very useful when you install a new application: it will learn its patterns and allow them through the firewall.
A big limitation of Tinywall, if you decide to use it, is that you cannot allow/block individual UWP apps (for instance, allow Facebook but not Candy Crush). Blocking C:\Windows\System32\WWAHost.exe (recommended) will block all of them, while allowing it will allow all of them to go through.
Microsoft Edge is the only exception and has its own exe files. The same thing happens if you use the UNIX subsystem, there is no way to block specific applications.
Option 2: SimpleWall
SimpleWall works pretty much in the same way that TinyWall does but the UI is a bit more basic, it doesn't have the autolearn feature of TinyWall, and exe files must be added one by one for apps like Steam or git that have many executables.
Unlike TinyWall however, this firewall can block individual UWP apps, which is a nice feature.
Congratulations! Your copy of Windows is now Debotnetted!
Things will change in the future, and I'll do what I can to keep this guide updated.
As of April 2018, this guide works on Windows 10 Pro.
Can Windows revert these changes?
There are a few things that can revert the changes we made here:
Major updates: when a major update is installed it's like reinstalling Windows. It keeps your programs and settings but the system is reinstalled, and all the botnet with it. Major updates usually come out every 8-12 months. I will keep the guide updated every time a new major update comes out.
Using dism /Online /Cleanup-Image /RestoreHealth: if you run this command, it will revert almost all changes
Using System Restore: if you go back to before the changes were made, it will revert changes