💻 PowerShell script for automation of routine tasks done after fresh installations of Windows 10, Server 2016 & 2019
Ссылки
- AwesomeDPT — Вернуться в основной список.
Contents
- Description
- Usage
- FAQ
- Windows builds overview
- Advanced usage
- Maintaining own forks
- Contribution guidelines
Description
This is a PowerShell script for automation of routine tasks done after fresh installations of Windows 10 and Windows Server 2016 / 2019. This is by no means any complete set of all existing Windows tweaks and neither is it another «antispying» type of script. It’s simply a setting which I like to use and which in my opinion make the system less obtrusive.
Usage
If you just want to run the script with the default preset, download and unpack the latest release and then simply double-click on the Default.cmd file and confirm User Account Control prompt. Make sure your account is a member of Administrators group as the script attempts to run with elevated privileges.
The script supports command line options and parameters which can help you customize the tweak selection or even add your own custom tweaks, however these features require some basic knowledge of command line usage and PowerShell scripting. Refer to Advanced usage section for more details.
FAQ
Q: Can I run the script safely?
A: Definitely not. You have to understand what the functions do and what will be the implications for you if you run them. Some functions lower security, hide controls or uninstall applications. If you’re not sure what the script does, do not attempt to run it!
Q: Can I run the script repeatedly?
A: Yes! In fact the script has been written to support exactly that, as it’s not uncommon that big Windows Updates reset some of the settings.
Q: Which versions and editions of Windows are supported?
A: The script aims to be fully compatible with the most up-to-date 64bit version of Windows 10 receiving updates from semi-annual channel, however if you create your own preset and exclude the incompatible tweaks, it will work also on LTSB/LTSC and possibly also on 32bit systems. Vast majority of the tweaks will work on all Windows editions. Some of them rely on group policy settings, so there may be a few limitations for Home and Education editions.
Q: Can I run the script on Windows Server 2016 or 2019?
A: Yes. Starting from version 2.5, Windows Server is supported. There are even few tweaks specific to Server environment. Keep in mind though, that the script is still primarily designed for Windows 10, so you have to create your own preset.
Q: Can I run the script on Windows 7, 8, 8.1 or other versions of Windows?
A: No. Although some tweaks may work also on older versions of Windows, the script is developed only for Windows 10 and Windows Server 2016 / 2019. There are no plans to support older versions.
Q: Can I run the script in multi-user environment?
A: Yes, to certain extent. Some tweaks (most notably UI tweaks) are set only for the user currently executing the script. As stated above, the script can be run repeatedly; therefore it’s possible to run it multiple times, each time as different user. Due to the nature of authentication and privilege escalation mechanisms in Windows, most of the tweaks can be successfully applied only by users belonging to Administrators group. Standard users will get an UAC prompt asking for admin credentials which then causes the tweaks to be applied to the given admin account instead of the original non-privileged one. There are a few ways how this can be circumvented programmatically, but I’m not planning to include any as it would negatively impact code complexity and readability. If you still wish to try to use the script in multi-user environment, check this answer in issue #29 for some pointers.
Q: Did you test the script?
A: Yes. I’m testing new additions on up-to-date 64bit Home and Enterprise editions in VMs. I’m also regularly using it for all my home installations after all bigger updates.
Q: I’ve run the script and it did something I don’t like, how can I undo it?
A: For every tweak, there is also a corresponding function which restores the default settings. The default is considered freshly installed Windows 10 or Windows Server 2016 with no adjustments made during or after the installation. Use the tweaks to create and run new preset. Alternatively, since some functions are just automation for actions which can be done using GUI, find appropriate control and modify it manually.
Q: I’ve run the script and some controls are now greyed out and display message «Some settings are hidden or managed by your organization«, why?
A: To ensure that system-wide tweaks are applied smoothly and reliably, some of them make use of Group Policy Objects (GPO). The same mechanism is employed also in companies managing their computers in large scale, so the users without administrative privileges can’t change the settings. If you wish to change a setting locked by GPO, apply the appropriate restore tweak and the control will become available again.
Q: I’ve run the script and it broke my computer / killed neighbor’s dog / caused world war 3.
A: I don’t care. Also, that’s not a question.
Q: I’m using a tweak for <feature> on my installation, can you add it?
A: Submit a PR, create a feature request issue or drop me a message. If I find the functionality simple, useful and not dependent on any 3rd party modules or executables (including also Chocolatey, NuGet, Ninite or other automation solutions), I might add it.
Q: Can I use the script or modify it for my / my company’s needs?
A: Sure, knock yourself out. Just don’t forget to include copyright notice as per MIT license requirements. I’d also suggest including a link to this GitHub repo as it’s very likely that something will be changed, added or improved to keep track with future versions of Windows 10.
Q: Why are there repeated pieces of code throughout some functions?
A: So you can directly take a function block or a line from within a function and use it elsewhere, without elaborating on any dependencies.
Q: For how long are you going to maintain the script?
A: As long as I use Windows 10.
Q: I really like the script. Can I send a donation?
A: Feel free to send donations via PayPal. Any amount is appreciated, but keep in mind that donations are completely voluntary and I’m not obliged to make any script adjustments in your favor regardless of the donated amount. You can also drop me a mail to discuss an alternative way.
Windows builds overview
| Version | Code name | Marketing name | Build |
|---|---|---|---|
| 1507 | Threshold 1 (TH1 / RTM) | N/A | 10240 |
| 1511 | Threshold 2 (TH2) | November Update | 10586 |
| 1607 | Redstone 1 (RS1) | Anniversary Update | 14393 |
| 1703 | Redstone 2 (RS2) | Creators Update | 15063 |
| 1709 | Redstone 3 (RS3) | Fall Creators Update | 16299 |
| 1803 | Redstone 4 (RS4) | April 2018 Update | 17134 |
| 1809 | Redstone 5 (RS5) | October 2018 Update | 17763 |
| 1903 | 19H1 | May 2019 Update | 18362 |
Advanced usage
powershell.exe -NoProfile -ExecutionPolicy Bypass -File Win10.ps1 [-include filename] [-preset filename] [-log logname] [[!]tweakname]
-include filename load module with user-defined tweaks
-preset filename load preset with tweak names to apply
-log logname save script output to a file
tweakname apply tweak with this particular name
!tweakname remove tweak with this particular name from selection
Presets
The tweak library consists of separate idempotent functions, containing one tweak each. The functions can be grouped to presets. Preset is simply a list of function names which should be called. Any function which is not present or is commented in a preset will not be called, thus the corresponding tweak will not be applied. In order for the script to do something, you need to supply at least one tweak library via -include and at least one tweak name, either via -preset or directly as command line argument.
The tweak names can be prefixed with exclamation mark (!) which will instead cause the tweak to be removed from selection. This is useful in cases when you want to apply the whole preset, but omit a few specific tweaks in the current run. Alternatively, you can have a preset which «patches» another preset by adding and removing a small amount of tweaks.
To supply a customized preset, you can either pass the function names directly as arguments.
powershell.exe -NoProfile -ExecutionPolicy Bypass -File Win10.ps1 -include Win10.psm1 EnableFirewall EnableDefender
Or you can create a file where you write the function names (one function name per line, no commas or quotes, whitespaces allowed, comments starting with #) and then pass the filename using -preset parameter.
Example of a preset file mypreset.txt:
# Security tweaks
EnableFirewall
EnableDefender
# UI tweaks
ShowKnownExtensions
ShowHiddenFiles # Only hidden, not system
Command using the preset file above:
powershell.exe -NoProfile -ExecutionPolicy Bypass -File Win10.ps1 -include Win10.psm1 -preset mypreset.txt
Includes
The script also supports inclusion of custom tweaks from user-supplied modules passed via -include parameter. The content of the user-supplied module is completely up to the user, however it is strongly recommended to have the tweaks separated in respective functions as the main tweak library has. The user-supplied scripts are loaded into the main script via Import-Module, so the library should ideally be a .psm1 PowerShell module.
Example of a user-supplied tweak library mytweaks.psm1:
Function MyTweak1 { Write-Output "Running MyTweak1..." # Do something } Function MyTweak2 { Write-Output "Running MyTweak2..." # Do something else }
Command using the script above:
powershell.exe -NoProfile -ExecutionPolicy Bypass -File Win10.ps1 -include mytweaks.psm1 MyTweak1 MyTweak2
Combination
All features described above can be combined. You can have a preset which includes both tweaks from the original script and your personal ones. Both -include and -preset options can be used more than once, so you can split your tweaks into groups and then combine them based on your current needs. The -include modules are always imported before the first tweak is applied, so the order of the command line parameters doesn’t matter and neither does the order of the tweaks (except for RequireAdmin, which should always be called first and Restart, which should be always called last). It can happen that some tweaks are applied more than once during a singe run because you have them in multiple presets. That shouldn’t cause any problems as the tweaks are idempotent.
Example of a preset file otherpreset.txt:
MyTweak1
MyTweak2
!ShowHiddenFiles # Will remove the tweak from selection
WaitForKey
Command using all three examples combined:
powershell.exe -NoProfile -ExecutionPolicy Bypass -File Win10.ps1 -include Win10.psm1 -include mytweaks.psm1 -preset mypreset.txt -preset otherpreset.txt Restart
Logging
If you’d like to store output from the script execution, you can do so using -log parameter followed by a filename of the log file you want to create. For example:
powershell.exe -NoProfile -ExecutionPolicy Bypass -File Win10.ps1 -include Win10.psm1 -preset mypreset.txt -log myoutput.log
The logging is done using PowerShell Start-Transcript cmdlet, which writes extra information about current environment (date, machine and user name, command used for execution etc.) to the beginning of the file and logs both standard output and standard error streams.
Maintaining own forks
The easiest way to customize the script settings it is to create your own preset and, if needed, your own tweak scripts as described above. For easy start, you can base the modifications on the Default.cmd and Default.preset and maintain just that. If you choose to fork the script anyway, you don’t need to comment or remove the actual functions in Win10.psm1, because if they are not called, they are not used.
If you wish to make more elaborate modifications of the basic script and incorporate some personal tweaks or adjustments, then I suggest doing it in a following way:
-
Fork the repository on GitHub (obviously).
-
Clone your fork on your computer.
git clone https://github.com/<yournamehere>/Win10-Initial-Setup-Script cd Win10-Initial-Setup-Script -
Add the original repository as a remote (upstream).
git remote add upstream https://github.com/Disassembler0/Win10-Initial-Setup-Script -
Commit your modifications as you see fit.
-
Once there are new additions in the upstream, create a temporary branch, fetch the changes and reset the branch to be identical with this repository.
git branch upstream git checkout upstream git fetch upstream git reset --hard upstream/master -
When you have the upstream branch up to date, check back your master and rebase it based on the upstream branch. If there are some conflicts between the changesets, you’ll be asked to resolve them manually.
git checkout master git rebase upstream -
Eventually, delete the upstream branch and force push your changes back onto GitHub.
git branch -D upstream git push -f master
Word of warning: Rebasing and force-pushing will change the history of your commits. The upside is that your adjustments will always stay on top of the commit history. The downside is that everybody remote-tracking your repository will always have to rebase and force-push too, otherwise their commit history will not match yours.
Contribution guidelines
Following is a list of rules which I’m trying to apply in this project. The rules are not binding and I accept pull requests even if they don’t adhere to them, as long as their purpose and content are clear. In cases when there are too many rule violations, I might simply redo the whole functionality and reject the PR while still crediting you. If you’d like to make my work easier, please consider adhering to the following rules too.
Function naming
Try to give a function a meaningful name up to 25 characters long, which gives away the purpose of the function. Use verbs like Enable/Disable, Show/Hide, Install/Uninstall, Add/Remove in the beginning of the function name. In case the function doesn’t fit any of these verbs, come up with another name, beginning with the verb Set, which indicates what the function does, e.g. SetCurrentNetworkPrivate and SetCurrentNetworkPublic.
Revert functions
Always add a function with opposite name (or equivalent) which reverts the behavior to default. The default is considered freshly installed Windows 10 or Windows Server 2016 / 2019 with no adjustments made during or after the installation. If you don’t have access to either of these, create the revert function to the best of your knowledge and I will fill in the rest if necessary.
Function similarities
Check if there isn’t already a function with similar purpose as the one you’re trying to add. As long as the name and objective of the existing function is unchanged, feel free to add your tweak to that function rather than creating a new one.
Function grouping
Try to group functions thematically. There are already several major groups (privacy, security, services etc.), but even within these, some tweaks may be related to each other. In such case, add a new tweak below the existing one and not to the end of the whole group.
Default preset
Always add a reference to the tweak and its revert function in the Default.preset. Add references to both functions on the same line (mind the spaces) and always comment out the revert function. Whether to comment out also the tweak in the default preset is a matter of personal preference. The rule of thumb is that if the tweak makes the system faster, smoother, more secure and less obtrusive, it should be enabled by default. Usability has preference over performance (that’s why e.g. indexing is kept enabled).
Repeatability
Unless applied on unsupported system, all functions have to be applicable repeatedly without any errors. When you’re creating a registry key, always check first if the key doesn’t happen to already exist. When you’re deleting registry value, always append -ErrorAction SilentlyContinue to prevent errors while deleting already deleted values.
Input / output hiding
Suppress all output generated by commands and cmdlets using | Out-Null or -ErrorAction SilentlyContinue where applicable. Whenever an input is needed, use appropriate arguments to suppress the prompt and programmatically provide values for the command to run (e.g. using -Confirm:$false). The only acceptable output is from the Write-Output cmdlets in the beginning of each function and from non-suppressible cmdlets like Remove-AppxPackage.
Registry
Create the registry keys only if they don’t exist on fresh installation if Windows 10 or Windows Server 2016 / 2019. When deleting registry, delete only registry values, not the whole keys. When you’re setting registry values, always use Set-ItemProperty instead of New-ItemProperty. When you’re removing registry values, choose either Set-ItemProperty or Remove-ItemProperty to reinstate the same situation as it was on the clean installation. Again, if you don’t know what the original state was, let me know in PR description and I will fill in the gaps. When you need to use HKEY_USERS registry hive, always add following snippet before the registry modification to ensure portability.
If (!(Test-Path "HKU:")) { New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null }
Force usage
Star Wars jokes aside, don’t use -Force option unless absolutely necessary. The only permitted case is when you’re creating a new registry key (not a value) and you need to ensure that all parent keys will be created as well. In such case always check first if the key doesn’t already exist, otherwise you will delete all its existing values.
Comments
Always add a simple comment above the function briefly describing what the function does, especially if it has an ambiguous name or if there is some logic hidden under the hood. If you know that the tweak doesn’t work on some editions of Windows 10 or on Windows Server, state it in the comment too. Add a Write-Output cmdlet with the short description of action also to the first line of the function body, so the user can see what is being executed and which function is the problematic one whenever an error occurs. The comment is written in present simple tense, the Write-Output in present continuous with ellipsis (resp. three dots) at the end.
Coding style
Indent using tabs, enclose all string values in double quotes (") and strictly use PascalCase wherever possible. Put opening curly bracket on the same line as the function name or condition, but leave the closing bracket on a separate line for readability.
Examples
Naming example: Consider function EnableFastMenu. What does it do? Which menu? How fast is fast? A better name might be EnableFastMenuFlyout, so it’s a bit clearer that we’re talking about the menu flyouts delays. But the counterpart function would be DisableFastMenuFlyouts which is not entirely true. We’re not disabling anything, we’re just making it slow again. So even better might be to name them SetFastMenuFlyouts and SetSlowMenuFlyouts. Or better yet, just add the functionality to already existing SetVisualFXPerformance/SetVisualFXAppearance. Even though the names are not 100% match, they aim to tweak similar aspects and operate within the same registry keys.
Coding example: The following code applies most of the rules mentioned above (naming, output hiding, repeatability, force usage, comments and coding style).
# Enable some feature Function EnableSomeFeature { Write-Output "Enabling some feature..." If (!(Test-Path "HKLM:\Some\Registry\Key")) { New-Item -Path "HKLM:\Some\Registry\Key" -Force | Out-Null } Set-ItemProperty -Path "HKLM:\Some\Registry\Key" -Name "SomeValueName" -Type String -Value "SomeValue" } # Disable some feature Function DisableSomeFeature { Write-Output "Disabling some feature..." Remove-ItemProperty -Path "HKLM:\Some\Registry\Key" -Name "SomeValueName" -ErrorAction SilentlyContinue }
Время на прочтение
10 мин
Количество просмотров 346K
Микрософт с помощью пасьянса и косынки учила пользователей пользоваться мышью,
теперь с помощью windows 10 учит читать лицензионное соглашение.
После выхода windows 10 сразу появились сообщения о сборе информации о действиях пользователей и много обсуждений, что делать. Достаточно быстро пользователи составили список основных серверов, собирающих информацию и попытались их заблокировать через файл hosts. Но скептики сразу выдвинули здравое предположение, что MS мог предусмотреть этот метод и некоторые адреса прописать в коде. Тем более, что MS всегда может актуализировать адреса серверов через windows update.
В нашей компании начали появляться первые пользователи windows 10, и мы решили опробовать блокировку передачи телеметрии через встроенный windows firewall.
Итак, собран простой тестовый стенд:
Два ноутбука, на один из них ставим Windows 10 и подключим его к интернету через второй ноутбук, используя internet sharing. На втором ноутбуке, который работает как NAT роутер, поставим Wireshark и определим исходящий трафик на сервера MS с первого ноутбука.
Что получилось:
- Да, Windows 10 отправляет данные;
- Список серверов почти полностью совпал с указанным в статье habrahabr.ru/company/pt/blog/264763 и forums.untangle.com/web-filter/35894-blocking-windows-10-spying-telemetry.html
- Встроенный Windows Firewall полностью блокирует передачу данных на эти узлы.
Правила для Firewall
После того как мы получили список IP и убедились в эффективности их блокировки, можно, с помощью Powershell скрипта, внести их в настройки.
Для добавления правила в Firewall необходимо выполнить следующую команду (в качестве примера возьмем сервер «watson.telemetry.microsoft.com»):
netsh advfirewall firewall add rule name="telemetry_watson.telemetry.microsoft.com" dir=out action=block remoteip=65.55.252.43,65.52.108.29 enable=yes
Где:
name – имя правила и по совместимости название сервера Microsoft;
dir = out – параметр указывающий, что правило соответствует только исходящему сетевому трафику;
action=block – сетевые пакеты, указанные в этом правиле, будут отбрасываются firewall;
remoteip – IP-адрес получателя области исходящего сетевого пакета;
enable=yes – указывает на то, что правило в настоящее время включено.
Аналогично этому будут прописаны и другие правила. В итоге, скрипт будет иметь примерно следующий вид:
Firewall rules
Set-NetFirewallProfile -all
netsh advfirewall firewall add rule name=«telemetry_vortex.data.microsoft.com» dir=out action=block remoteip=191.232.139.254 enable=yes
netsh advfirewall firewall add rule name=«telemetry_telecommand.telemetry.microsoft.com» dir=out action=block remoteip=65.55.252.92 enable=yes
netsh advfirewall firewall add rule name=«telemetry_sqm.telemetry.microsoft.com» dir=out action=block remoteip=65.55.252.93 enable=yes
netsh advfirewall firewall add rule name=«telemetry_watson.telemetry.microsoft.com» dir=out action=block remoteip=65.55.252.43,65.52.108.29 enable=yes
netsh advfirewall firewall add rule name=«telemetry_redir.metaservices.microsoft.com» dir=out action=block remoteip=194.44.4.200,194.44.4.208 enable=yes
netsh advfirewall firewall add rule name=«telemetry_choice.microsoft.com» dir=out action=block remoteip=157.56.91.77 enable=yes
netsh advfirewall firewall add rule name=«telemetry_df.telemetry.microsoft.com» dir=out action=block remoteip=65.52.100.7 enable=yes
netsh advfirewall firewall add rule name=«telemetry_reports.wes.df.telemetry.microsoft.com» dir=out action=block remoteip=65.52.100.91 enable=yes
netsh advfirewall firewall add rule name=«telemetry_wes.df.telemetry.microsoft.com» dir=out action=block remoteip=65.52.100.93 enable=yes
netsh advfirewall firewall add rule name=«telemetry_services.wes.df.telemetry.microsoft.com» dir=out action=block remoteip=65.52.100.92 enable=yes
netsh advfirewall firewall add rule name=«telemetry_sqm.df.telemetry.microsoft.com» dir=out action=block remoteip=65.52.100.94 enable=yes
netsh advfirewall firewall add rule name=«telemetry_telemetry.microsoft.com» dir=out action=block remoteip=65.52.100.9 enable=yes
netsh advfirewall firewall add rule name=«telemetry_watson.ppe.telemetry.microsoft.com» dir=out action=block remoteip=65.52.100.11 enable=yes
netsh advfirewall firewall add rule name=«telemetry_telemetry.appex.bing.net» dir=out action=block remoteip=168.63.108.233 enable=yes
netsh advfirewall firewall add rule name=«telemetry_telemetry.urs.microsoft.com» dir=out action=block remoteip=157.56.74.250 enable=yes
netsh advfirewall firewall add rule name=«telemetry_settings-sandbox.data.microsoft.com» dir=out action=block remoteip=111.221.29.177 enable=yes
netsh advfirewall firewall add rule name=«telemetry_vortex-sandbox.data.microsoft.com» dir=out action=block remoteip=64.4.54.32 enable=yes
netsh advfirewall firewall add rule name=«telemetry_survey.watson.microsoft.com» dir=out action=block remoteip=207.68.166.254 enable=yes
netsh advfirewall firewall add rule name=«telemetry_watson.live.com» dir=out action=block remoteip=207.46.223.94 enable=yes
netsh advfirewall firewall add rule name=«telemetry_watson.microsoft.com» dir=out action=block remoteip=65.55.252.71 enable=yes
netsh advfirewall firewall add rule name=«telemetry_statsfe2.ws.microsoft.com» dir=out action=block remoteip=64.4.54.22 enable=yes
netsh advfirewall firewall add rule name=«telemetry_corpext.msitadfs.glbdns2.microsoft.com» dir=out action=block remoteip=131.107.113.238 enable=yes
netsh advfirewall firewall add rule name=«telemetry_compatexchange.cloudapp.net» dir=out action=block remoteip=23.99.10.11 enable=yes
netsh advfirewall firewall add rule name=«telemetry_cs1.wpc.v0cdn.net» dir=out action=block remoteip=68.232.34.200 enable=yes
netsh advfirewall firewall add rule name=«telemetry_a-0001.a-msedge.net» dir=out action=block remoteip=204.79.197.200 enable=yes
netsh advfirewall firewall add rule name=«telemetry_statsfe2.update.microsoft.com.akadns.net» dir=out action=block remoteip=64.4.54.22 enable=yes
netsh advfirewall firewall add rule name=«telemetry_sls.update.microsoft.com.akadns.net» dir=out action=block remoteip=157.56.77.139 enable=yes
netsh advfirewall firewall add rule name=«telemetry_fe2.update.microsoft.com.akadns.net» dir=out action=block remoteip=134.170.58.121,134.170.58.123,134.170.53.29,66.119.144.190,134.170.58.189,134.170.58.118,134.170.53.30,134.170.51.190 enable=yes
netsh advfirewall firewall add rule name=«telemetry_diagnostics.support.microsoft.com» dir=out action=block remoteip=157.56.121.89 enable=yes
netsh advfirewall firewall add rule name=«telemetry_corp.sts.microsoft.com» dir=out action=block remoteip=131.107.113.238 enable=yes
netsh advfirewall firewall add rule name=«telemetry_statsfe1.ws.microsoft.com» dir=out action=block remoteip=134.170.115.60 enable=yes
netsh advfirewall firewall add rule name=«telemetry_pre.footprintpredict.com» dir=out action=block remoteip=204.79.197.200 enable=yes
netsh advfirewall firewall add rule name=«telemetry_i1.services.social.microsoft.com» dir=out action=block remoteip=104.82.22.249 enable=yes
netsh advfirewall firewall add rule name=«telemetry_feedback.windows.com» dir=out action=block remoteip=134.170.185.70 enable=yes
netsh advfirewall firewall add rule name=«telemetry_feedback.microsoft-hohm.com» dir=out action=block remoteip=64.4.6.100,65.55.39.10 enable=yes
netsh advfirewall firewall add rule name=«telemetry_feedback.search.microsoft.com» dir=out action=block remoteip=157.55.129.21 enable=yes
netsh advfirewall firewall add rule name=«telemetry_rad.msn.com» dir=out action=block remoteip=207.46.194.25 enable=yes
netsh advfirewall firewall add rule name=«telemetry_preview.msn.com» dir=out action=block remoteip=23.102.21.4 enable=yes
netsh advfirewall firewall add rule name=«telemetry_dart.l.doubleclick.net» dir=out action=block remoteip=173.194.113.220,173.194.113.219,216.58.209.166 enable=yes
netsh advfirewall firewall add rule name=«telemetry_ads.msn.com» dir=out action=block remoteip=157.56.91.82,157.56.23.91,104.82.14.146,207.123.56.252,185.13.160.61,8.254.209.254 enable=yes
netsh advfirewall firewall add rule name=«telemetry_a.ads1.msn.com» dir=out action=block remoteip=198.78.208.254,185.13.160.61 enable=yes
netsh advfirewall firewall add rule name=«telemetry_global.msads.net.c.footprint.net» dir=out action=block remoteip=185.13.160.61,8.254.209.254,207.123.56.252 enable=yes
netsh advfirewall firewall add rule name=«telemetry_az361816.vo.msecnd.net» dir=out action=block remoteip=68.232.34.200 enable=yes
netsh advfirewall firewall add rule name=«telemetry_oca.telemetry.microsoft.com.nsatc.net» dir=out action=block remoteip=65.55.252.63 enable=yes
netsh advfirewall firewall add rule name=«telemetry_reports.wes.df.telemetry.microsoft.com» dir=out action=block remoteip=65.52.100.91 enable=yes
netsh advfirewall firewall add rule name=«telemetry_ssw.live.com» dir=out action=block remoteip=207.46.101.29 enable=yes
netsh advfirewall firewall add rule name=«telemetry_msnbot-65-55-108-23.search.msn.com» dir=out action=block remoteip=65.55.108.23 enable=yes
netsh advfirewall firewall add rule name=«telemetry_a23-218-212-69.deploy.static.akamaitechnologies.com» dir=out action=block remoteip=23.218.212.69 enable=yes
Выполнение созданного скрипта
Чтобы не проходить долгий путь по запуску этого power shell скрипта с правами администратора, проще создать .bat файл и запустить его. UAC сам запросит подтверждение прав.
@echo off
cls
echo Telemetry
echo Rules of Firewall
echo.
echo press any key to continue...
pause > NUL
echo Rules of Firewall
echo.
PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""%~dp0.\ms_new.ps1""' -Verb RunAs}"
echo Rules included in Firewall...
echo.
pause
Где ms_new.ps1 – имя созданного файла с power shell командами.
После этого, добавленные правила будут отображаться в Windows Firewall, как на скриншоте ниже:
И, дополнительно, информация, не относящиеся к firewall, но относящаяся к сбору телеметрии
Windows 7/8/8.1
Также стоит отметить, что пользователи ОС Windows 7/8/8.1 получили обновления, которые расширяют возможности системы по сбору и отправке телеметрических данных. Соответственно, к этим пользователям также можно применить рекомендации, представленные в этой статье, или удалить обновления habrahabr.ru/post/265283.
Key logger
Надо отключить «DiagTrack» (сбор данных в компонентах Windows) и «dmwappushservice» (cлужба маршрутизации push-сообщений WAP). Для этого запускаем командную строку от имени администратора и отключаем службы:
sc stop DiagTrack
sc stop dmwappushserviceИли же вообще их удаляем:
sc delete DiagTrack
sc delete dmwappushservice
Планировщик отправки телеметрии
В консоли Taskschd.msc надо запретить задания:
Заголовок спойлера
REM *** Task that collects data for SmartScreen in Windows ***
schtasks /Change /TN "Microsoft\Windows\AppID\SmartScreenSpecific" /Disable
REM *** Collects program telemetry information if opted-in to the Microsoft Customer Experience Improvement Program ***
schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Disable
REM *** Collects program telemetry information if opted-in to the Microsoft Customer Experience Improvement Program ***
schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable
REM *** Aggregates and uploads Application Telemetry information if opted-in to the Microsoft Customer Experience Improvement Program ***
schtasks /Change /TN "Microsoft\Windows\Application Experience\AitAgent" /Disable
REM *** This task collects and uploads autochk SQM data if opted-in to the Microsoft Customer Experience Improvement Program ***
schtasks /Change /TN "Microsoft\Windows\Autochk\Proxy" /Disable
REM *** If the user has consented to participate in the Windows Customer Experience Improvement Program, this job collects and sends usage data to Microsoft ***
schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Disable
REM *** The Kernel CEIP (Customer Experience Improvement Program) task collects additional information about the system and sends this data to Microsoft. ***
REM *** If the user has not consented to participate in Windows CEIP, this task does nothing ***
schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /Disable
REM *** The Bluetooth CEIP (Customer Experience Improvement Program) task collects Bluetooth related statistics and information about your machine and sends it to Microsoft ***
REM *** The information received is used to help improve the reliability, stability, and overall functionality of Bluetooth in Windows ***
REM *** If the user has not consented to participate in Windows CEIP, this task does not do anything.***
schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\BthSQM" /Disable
REM *** Create Object Task ***
schtasks /Change /TN "Microsoft\Windows\CloudExperienceHost\CreateObjectTask" /Disable
REM *** The Windows Disk Diagnostic reports general disk and system information to Microsoft for users participating in the Customer Experience Program ***
schtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable
REM *** Measures a system's performance and capabilities ***
schtasks /Change /TN "Microsoft\Windows\Maintenance\WinSAT" /Disable
REM *** Network information collector ***
schtasks /Change /TN "Microsoft\Windows\NetTrace\GatherNetworkInfo" /Disable
REM *** Initializes Family Safety monitoring and enforcement ***
schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyMonitor" /Disable
REM *** Synchronizes the latest settings with the Family Safety website ***
schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyRefresh" /Disable
REM *** SQM (Software Quality Management) ***
schtasks /Change /TN "Microsoft\Windows\IME\SQM data sender" /Disable
REM *** This task initiates the background task for Office Telemetry Agent, which scans and uploads usage and error information for Office solutions ***
schtasks /Change /TN "Microsoft\Office\OfficeTelemetryAgentFallBack" /Disable
REM *** This task initiates Office Telemetry Agent, which scans and uploads usage and error information for Office solutions when a user logs on to the computer ***
schtasks /Change /TN "Microsoft\Office\OfficeTelemetryAgentLogOn" /Disable
также подозриетльные задачи в планировщике, рекомендую отключить:
Заголовок спойлера
REM *** Scans startup entries and raises notification to the user if there are too many startup entries ***
schtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /Disable
REM *** Protects user files from accidental loss by copying them to a backup location when the system is unattended ***
schtasks /Change /TN "Microsoft\Windows\FileHistory\File History (maintenance mode)" /Disable
REM *** This task gathers information about the Trusted Platform Module (TPM), Secure Boot, and Measured Boot ***
schtasks /Change /TN "Microsoft\Windows\PI\Sqm-Tasks" /Disable
REM *** This task analyzes the system looking for conditions that may cause high energy use ***
schtasks /Change /TN "Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /Disable
Все вышесказанное не 100% панацея, но одно из компромиссных решений.
Мы будем обновлять в этой статье список серверов и PS скрипт для них.
update 1: Обновили список планировщика задач.
Как фаерволом защитится от зловредов, можно прочитать в моей статье:
Простой, но надежный способ защитить свой компьютер от вирусов и троянов.
C уважением коллектив компании Servilon.ru Servilon.com
1. Отправляйтесь в раздел «Параметры» > «Конфиденциальность» и отключите все. В разделе отзывов и диагностики выставите: Никогда/Базовые сведения.
2. В разделе «Параметры» найдите «Обновление и безопасность» — отключите автоматическое обновление Windows 10.
3. Отключите Кортану и поиск в интернете.
4. Переименуйте ваш ПК. Поиск > Наберите «О компьютере» > Переименовать.
5. Самое время отключить телеметрию, но для этого нам понадобится «Командная строка» Windows 10. Нажимаем сочетание клавиш Win + X или правой кнопкой мыши по «Пуску» > «Командная строка (администратор)» — прописываем:
sc delete DiagTrack
sc delete dmwappushservice
C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl
Примечание: после ввода каждой из команд необходимо нажимать клавишу Enter.
6. Разбираемся с «Конфигурацией компьютера», нажимаем «Выполнить» (win+R) > gpedit.msc (нужны права администратора) и:
Групповые политики: Идем по адресу Конфигурация компьютера > Административные шаблоны > Компоненты Windows > Сборки для сбора данных и предварительные сборки > Разрешить телеметрию — Отключена.
Использование OneDrive: Конфигурация компьютера > Административные шаблоны > Компоненты Windows > OneDrive > Запретить использование OneDrive для хранения файлов — Включена
Отключаем Windows Defender: Конфигурация компьютера > Административные шаблоны > Компоненты Windows > Windows Defender > Вырубить его — Включена.
7. В файле Hosts (путь: C:\Windows\System32\drivers\etc\hosts) необходимо прописать следующие значения:
/* Прописываем запреты в файл Hosts */
127.0.0.1 localhost
127.0.0.1 localhost.localdomain
255.255.255.255 broadcasthost
::1 localhost
127.0.0.1 local
127.0.0.1 vortex.data.microsoft.com
127.0.0.1 vortex-win.data.microsoft.com
127.0.0.1 telecommand.telemetry.microsoft.com
127.0.0.1 telecommand.telemetry.microsoft.com.nsatc.net
127.0.0.1 oca.telemetry.microsoft.com
127.0.0.1 oca.telemetry.microsoft.com.nsatc.net
127.0.0.1 sqm.telemetry.microsoft.com
127.0.0.1 sqm.telemetry.microsoft.com.nsatc.net
127.0.0.1 watson.telemetry.microsoft.com
127.0.0.1 watson.telemetry.microsoft.com.nsatc.net
127.0.0.1 redir.metaservices.microsoft.com
127.0.0.1 choice.microsoft.com
127.0.0.1 choice.microsoft.com.nsatc.net
127.0.0.1 df.telemetry.microsoft.com
127.0.0.1 reports.wes.df.telemetry.microsoft.com
127.0.0.1 wes.df.telemetry.microsoft.com
127.0.0.1 services.wes.df.telemetry.microsoft.com
127.0.0.1 sqm.df.telemetry.microsoft.com
127.0.0.1 telemetry.microsoft.com
127.0.0.1 watson.ppe.telemetry.microsoft.com
127.0.0.1 telemetry.appex.bing.net
127.0.0.1 telemetry.urs.microsoft.com
127.0.0.1 telemetry.appex.bing.net:443
127.0.0.1 settings-sandbox.data.microsoft.com
127.0.0.1 vortex-sandbox.data.microsoft.com
127.0.0.1 survey.watson.microsoft.com
127.0.0.1 watson.live.com
127.0.0.1 watson.microsoft.com
127.0.0.1 statsfe2.ws.microsoft.com
127.0.0.1 corpext.msitadfs.glbdns2.microsoft.com
127.0.0.1 compatexchange.cloudapp.net
127.0.0.1 cs1.wpc.v0cdn.net
127.0.0.1 a-0001.a-msedge.net
127.0.0.1 statsfe2.update.microsoft.com.akadns.net
127.0.0.1 sls.update.microsoft.com.akadns.net
127.0.0.1 fe2.update.microsoft.com.akadns.net
127.0.0.1 65.55.108.23
127.0.0.1 65.39.117.230
127.0.0.1 23.218.212.69
127.0.0.1 134.170.30.202
127.0.0.1 137.116.81.24
127.0.0.1 diagnostics.support.microsoft.com
127.0.0.1 corp.sts.microsoft.com
127.0.0.1 statsfe1.ws.microsoft.com
127.0.0.1 pre.footprintpredict.com
127.0.0.1 204.79.197.200
127.0.0.1 23.218.212.69
127.0.0.1 i1.services.social.microsoft.com
127.0.0.1 i1.services.social.microsoft.com.nsatc.net
127.0.0.1 feedback.windows.com
127.0.0.1 feedback.microsoft-hohm.com
127.0.0.1 feedback.search.microsoft.com
Примечание: по возможности не используйте браузер EDGE, Windows Media Player, Groove Music и штатное средство просмотра изображений.
Most of the Windows 10 telemetry settings rely on registry settings, services, and scheduled tasks. The PowerShell script introduced in this post allows you disable Windows 10 telemetry.
- Author
- Recent Posts
Alex Chaika is a Microsoft Certified Solution Expert (MCSE) with more than 15 years of experience in IT systems engineering. He currently focuses on PowerShell and VMware PowerCLI.
It is important to note that that this script does not remove all Windows 10 telemetry. However, you can use the script to add more registry keys and disable services or scheduled tasks related to telemetry.
Privacy Options in Windows 10
Function ChangeReg {
param ([string] $RegKey,
[string] $Value,
[string] $SvcName,
[Int] $CheckValue,
[Int] $SetData)
Write-Host "Checking if $SvcName is enabled" -ForegroundColor Green
if (!(Test-Path $RegKey)){
Write-Host "Registry Key for service $SvcName does not exist, creating it now" -ForegroundColor Yellow
New-Item -Path (Split-Path $RegKey) -Name (Split-Path $RegKey -Leaf)
}
$ErrorActionPreference = 'Stop'
try{
Get-ItemProperty -Path $RegKey -Name $Value
if((Get-ItemProperty -Path $RegKey -Name $Value).$Value -eq $CheckValue) {
Write-Host "$SvcName is enabled, disabling it now" -ForegroundColor Green
Set-ItemProperty -Path $RegKey -Name $Value -Value $SetData -Force
}
if((Get-ItemProperty -Path $RegKey -Name $Value).$Value -eq $SetData){
Write-Host "$SvcName is disabled" -ForegroundColor Green
}
} catch [System.Management.Automation.PSArgumentException] {
Write-Host "Registry entry for service $SvcName doesn't exist, creating and setting to disable now" -ForegroundColor Yellow
New-ItemProperty -Path $RegKey -Name $Value -Value $SetData -Force
}
}
# Disabling Advertising ID
$RegKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo"
$Value = "Enabled"
$SvcName = "Advertising ID"
$CheckValue = 1
$SetData = 0
ChangeReg -RegKey $RegKey -Value $Value -SvcName $SvcName -CheckValue $CheckValue -SetData $SetData
#Telemetry Disable
$RegKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection"
$Value = "AllowTelemetry"
$SvcName = "Telemetry"
$CheckValue = 1
$SetData = 0
ChangeReg -RegKey $RegKey -Value $Value -SvcName $SvcName -CheckValue $CheckValue -SetData $SetData
#SmartScreen Disable
$RegKey = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost\EnableWebContentEvaluation"
$Value = "Enabled"
$SvcName = "Smart Screen"
$CheckValue = 1
$SetData = 0
ChangeReg -RegKey $RegKey -Value $Value -SvcName $SvcName -CheckValue $CheckValue -SetData $SetData
Write-Host "Disabling DiagTrack Services" -ForegroundColor Green
Get-Service -Name DiagTrack | Set-Service -StartupType Disabled | Stop-Service
Get-Service -Name dmwappushservice | Set-Service -StartupType Disabled | Stop-Service
Write-Host "DiagTrack Services are disabled" -ForegroundColor Green
Write-Host "Disabling telemetry scheduled tasks" -ForegroundColor Green
$tasks ="SmartScreenSpecific","ProgramDataUpdater","Microsoft Compatibility Appraiser","AitAgent","Proxy","Consolidator",
"KernelCeipTask","BthSQM","CreateObjectTask","Microsoft-Windows-DiskDiagnosticDataCollector","WinSAT",
"GatherNetworkInfo","FamilySafetyMonitor","FamilySafetyRefresh","SQM data sender","OfficeTelemetryAgentFallBack",
"OfficeTelemetryAgentLogOn"
$ErrorActionPreference = 'Stop'
$tasks | %{
try{
Get-ScheduledTask -TaskName $_ | Disable-ScheduledTask
} catch [Microsoft.PowerShell.Cmdletization.Cim.CimJobException] {
"task $($_.TargetObject) is not found"
}
}
Now I’ll go line by line through this script.
Function ChangeReg {
param ([string] $RegKey, [string] $Value, [string] $SvcName, [Int] $CheckValue, [Int] $SetData)
Because more than one registry key needs modification, I decided to write this part as a function. The function accepts the following parameters:
$RegKey – represents the registry
$Value –name of the registry entry
$SvcName – name of the service
$CheckValue – initial value of the registry entry
$SetData – desired value of the registry entry
Write-Host "Checking if $SvcName is enabled" -ForegroundColor Green
if (!(Test-Path $RegKey)){
Write-Host "Registry Key for service $SvcName does not exist, creating it now" -ForegroundColor Yellow
New-Item -Path (Split-Path $RegKey) -Name (Split-Path $RegKey -Leaf)
}
This section informs the user what the script is currently doing using the Write-Host cmdlet. Then it checks if the registry key that we have to change exists using Test-Path. If not, I create this key, spitting the original $RegKey value into the parent and leaf with the help of the Split-Path cmdlet. I’m doing this while bearing in mind that a lot of Windows services are enabled by default but don’t have registry keys or values for disabling them. This seems to be true for some telemetry services as well.
$ErrorActionPreference = 'Stop'
try{
Get-ItemProperty -Path $RegKey -Name $Value
if((Get-ItemProperty -Path $RegKey -Name $Value).$Value -eq $CheckValue) {
Write-Host "$SvcName is enabled, disabling it now" -ForegroundColor Green
Set-ItemProperty -Path $RegKey -Name $Value -Value $SetData -Force
}
if((Get-ItemProperty -Path $RegKey -Name $Value).$Value -eq $SetData){
Write-Host "$SvcName is disabled" -ForegroundColor Green
}
} catch [System.Management.Automation.PSArgumentException] {
Write-Host "Registry entry for service $SvcName doesn't exist, creating and setting to disable now" -ForegroundColor Yellow
New-ItemProperty -Path $RegKey -Name $Value -Value $SetData -Force
}
}
}
Now I need to check whether the registry entry that is responsible for disabling a particular telemetry option already exists. I did this using a try-catch block to avoid errors that the Get-ItemProperty cmdlet would generate if the item I’m trying to read does not exist. To accomplish this, I have to set $ErrorActionPreference to ‘Stop’ before the try clause because try-catch only reacts to fatal errors. [System.Management.Automation.PSArgumentException] is not one of them. Thus, I ensure that any error is considered fatal using the $ErrorActionPreference variable.
If the registry entry exists, I use an if-statement to check whether the value of this entry equals one, which means that the corresponding telemetry service is enabled. In this case, I let the user know that this particular telemetry option is enabled and that it is going to be disabled. Then I set the registry entry value to $SetData, which disables the telemetry option.
The second if-statement verifies whether the value was changed successfully and then informs the user that it was. The catch statement comes into play if there was an exception, which means that the registry entry does not exist. If this happens, I create a new entry using the New-ItemProperty cmdlet and assign the value that disables the telemetry option.
# Disabling Advertising ID $RegKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" $Value = "Enabled" $SvcName = "Advertising ID" $CheckValue = 1 $SetData = 0 ChangeReg -RegKey $RegKey -Value $Value -SvcName $SvcName -CheckValue $CheckValue -SetData $SetData #Telemetry Disable $RegKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection" $Value = "AllowTelemetry" $SvcName = "Telemetry" $CheckValue = 1 $SetData = 0 ChangeReg -RegKey $RegKey -Value $Value -SvcName $SvcName -CheckValue $CheckValue -SetData $SetData #SmartScreen Disable $RegKey = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost\EnableWebContentEvaluation" $Value = "Enabled" $SvcName = "Smart Screen" $CheckValue = 1 $SetData = 0 ChangeReg -RegKey $RegKey -Value $Value -SvcName $SvcName -CheckValue $CheckValue -SetData $SetData
As you can see, all this bunch of code does is set the variables to the values that correspond to the most obvious telemetry components and then uses the ChangeReg function to disable them.
Write-Host "Disabling DiagTrack Services" -ForegroundColor Green Get-Service -Name DiagTrack | Set-Service -StartupType Disabled | Stop-Service Get-Service -Name dmwappushservice | Set-Service -StartupType Disabled | Stop-Service Write-Host "DiagTrack Services are disabled" -ForegroundColor Green Now I disabling two system services which send telemetry data to Microsoft.. $tasks ="SmartScreenSpecific","ProgramDataUpdater","Microsoft Compatibility Appraiser","AitAgent","Proxy","Consolidator", "KernelCeipTask","BthSQM","CreateObjectTask","Microsoft-Windows-DiskDiagnosticDataCollector","WinSAT", "GatherNetworkInfo","FamilySafetyMonitor","FamilySafetyRefresh","SQM data sender","OfficeTelemetryAgentFallBack", "OfficeTelemetryAgentLogOn"
Finally, I’m coming to the scheduled tasks that are used for telemetry processes. I store them into a string array. Below is a short description of each task:
SmartScreenSpecific – collects data for Microsoft SmartScreen
ProgramDataUpdater – collects program telemetry information if opted-in to the Microsoft Customer Experience Improvement Program (CEIP)
Microsoft Compatibility Appraiser – ollects program telemetry information if opted-in to the CEIP
AitAgent – aggregates and uploads application telemetry information if opted-in to the CEIP
Proxy – collects and uploads Software Quality Management (SQM) data if opted-in to the CEIP
Consolidator – collects and sends usage data to Microsoft (if the user has consented to participate in the CEIP)
KernelCeipTask (Kernel Customer Experience Improvement Program) – collects additional information related to customer experience and sends it to Microsoft (if the user consented to participate in the Windows CEIP)
BthSQM (Bluetooth Customer Experience Improvement Program) – collects Bluetooth-related statistics and information about your machine and sends it to Microsoft (if you have consented to participate in the Windows CEIP). The information received is used to help improve the reliability, stability, and overall functionality of Bluetooth in Windows.
DiskDiagnosticDataCollector (Windows Disk Diagnostic reports) – collects general disk and system information and sends it to Microsoft (if the user users participates in the CEIP)
WinSAT – measures system performance and capabilities
GatherNetworkInfo – collects network information
FamilySafetyMonitor – initializes family safety monitoring and enforcement
FamilySafetyRefresh – synchronizes the latest settings with the family safety website
SQM data sender — sends SQM data to Microsoft
OfficeTelemetryAgentFallBack – initiates the background task for the Office Telemetry Agent that scans and uploads usage and error information for Office solutions
OfficeTelemetryAgentLogOn – initiates the Office Telemetry Agent that scans and uploads usage and error information for Office solutions when a user logs on to the computer
$ErrorActionPreference = 'Stop'
$tasks | %{
try{
Get-ScheduledTask -TaskName $_ | Disable-ScheduledTask
}
catch [Microsoft.PowerShell.Cmdletization.Cim.CimJobException] {
"task $($_.TargetObject) is not found"
}
}
Some tasks might be absent on different Windows 10 installations, so I added a try-catch block to avoid error messages’ being displayed on the console. «$ErrorActionPreference = ‘Stop'» serves the same purpose as it did in the previous case; that is, it ensures that any error calls the Stop instruction.
Subscribe to 4sysops newsletter!
At the end of the script, I’m trying to disable the task from the $tasks array using the Get-ScheduledTask cmdlet. First, I get the task object, and then, if this operation is successful, I pipe this object to Disable-ScheduledTask. If there is no task with such a name, the catch section generates and catches a Microsoft.PowerShell.Cmdletization.Cim.CimJobException exception . In this case, the message that the task was not found will be produced.
В этой статье мы будем разбираться, что компания Microsoft узнаёт от нас, когда мы работаем или не работаем за своим компьютером. И как личную жизнь оставить личной.
После первого запуска операционной системы в июле 2015 года, посыпался шквал критики в отношении Microsoft, которые были связаны с обработкой персональных данных пользователей. Например, Microsoft edge (встроенный браузер) собирает информацию с поисков в интернете, Ваше местоположение обрабатывается встроенными сервисами телеметрии, вводимая информация с клавиатуры/рукописным вводом или голосовыми командами считывается и запоминается, постоянное «подслушивание» по микрофону, обработка контактов, текстовых сообщений, чтение жестких дисков и передача ключей шифрования на сервера Microsoft. Все негативно сказалось на первые впечатления об операционной системе
Ни в коем случае не хочу Вас запугать, что все так страшно и невозможно исправить. Раз добровольно согласились на обработку данных при первом запуске операционной системы, также добровольно возможно и отказаться без потерь гарантий компьютера или обслуживания со стороны компаний.
Если вы только планируете ставить операционную систему
Выбирайте ручные настройки, и самостоятельно убирайте все галочки, которые будут встречать нас по пути. Необходимо обязательно создать локальную учетную запись (без наличия интернета), пропустив шаг подключения к Вашему Wi-Fi, либо не вставлять интернет провод в компьютер.
Если Вы уже создали учетную запись Microsoft, то лучше удалить её и пересоздать без привязки к почтовому адресу. Так вы будете оставаться анонимным.
Конфиденциальность и обновления
После того, как мы увидели рабочий стол нашего компьютера, надо изменить политику конфиденциальности. Проходим дальше: Пуск – Параметры – Конфиденциальность. Здесь в разделе: «Общие» запрещаем все манипуляции.
Ниже слева заходим в «диагностики и отзывы» Выбираем Базовый. Отключить весь сбор информации, к сожалению, нельзя, так как большинство вещей являются обычной диагностикой самого устройства.
Пролистав ниже, убираем все галочки. Раз мы не можем отключить диагностику полностью, можем запретить отправлять эти данные самой Майкрософт. В самому низу есть пункт «Частота формирования отзывов», там в выпадающем окне выбираем «Никогда».
Дальше мы отключим обновления. Так как обновления выходят часто, то наши манипуляции будут терять актуальность, в связи с тем, что параметры будут принудительно включаться. Переходим к:
Пуск – Параметры – Обновление и безопасность Windows – Дополнительные параметры. Там убрать галочки с первых 4 пунктов, дальше можно оставить как есть.
Дальше переименуем ПК. Для этого рядом с кнопкой «Пуск» есть значок лупы (поиск).
Нажимаем и вписываем в поле запроса «О компьютере». Заходим в раздел «о компьютере», который находится в строке «Лучшее соответствие».
Пролистав, чуть ниже увидим кнопку «Переименовать этот ПК». Пишем на латыни удобное для нас имя. Это необходимо сделать, так как Windows автоматически раздает имена ПК, и, если ваш компьютер окажется в публичной сети, его будет сложнее идентифицировать.
Это оказалось просто? Тогда давайте повысим сложность.
Изменяем настройки рекламы
Правой кнопкой мыши по меню Пуск – Windows PowerShell Администратор.
начинаем вводить скрипт:
sc delete DiagTrack
sc delete dmwappushservice
C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl
notepad C:\Windows\System32\drivers\etc\hosts
Каждый скрипт подтверждаем нажатием «Enter», после чего наш PowerShell должен выглядеть как на приведённом скриншоте ниже.
После ввода скрипта. Появится окно нашего блокнота.
В конце текстовика вписываем следующее:
127.0.0.1 localhost
127.0.0.1 localhost.localdomain
255.255.255.255 broadcasthost
Будет все выглядеть, как на картинке ниже. Сохраняем этот файл. Этим мы отключаем работу с внешними ресурсами и отключением рекламы во многих встроенных или выпущенных программах самой Microsoft.
Встроенная защита и телеметрия
Теперь будем изменять локальные групповые политики, чтобы отключить OneDrive, встроенный антивирус и часть телеметрии.
Нажимаем сочетание клавиш: Win+R, открывается окно «Выполнить»:
в нем непосредственно уже пишем в строке «открыть» следующий запрос:
gpedit.msc
У нас откроется Конфигурация компьютера. В этом разделе выбираем Административные шаблоны, практически в самом низу выбираем «Компоненты Windows», далее папку «Сборки для сбора данных и предварительные сборки» и отключаем телеметрию.
В меню Компоненты сборки выбираем OneDrive и отключаем его.
Следом тут же отключаем Защитника Windows. Советую воспользоваться посторонним антивирусом, а не в первоначальный встроенный.
Дальше находим в компонентах Windows – Антивирус программа. Выключаем параметр, выделенный на приведённом скриншоте ниже.
Один из последних моментов – в реестре нужно отключить телеметрию полностью, чтобы ваш ПК меньше собирал технической информации. Нажимаем уже привычные нам Win+R. Пишем regedit. Откроется окно, где нам нужно будет перейти:
нажимая каждый раз на значок стрелочки, и под конец кликаем уже на саму папку «DataCollection»:
Где меняем значение 1 на 0. После нажимаем ОК.
Самое последнее, что мы сделаем, так это проверим нет ли нашего голоса, записанного нашим же ПК. Для этого проследуем по пути:
C:\Windows\Temp
Там можно обнаружить записанный голос в формате WAV. Если есть – можете смело удалять. Как показала практика, слежкой занималась не сама Windows, а фильтры, установленные в микрофон. Самый действующий вариант – отключение микрофона через панель задач.
Вывод
Итак, мы научились контролировать свои действия, как в интернете, так и за его пределами. Необходимо понимание того, что компании действуют в целях больше рекламных, нежели наблюдательных.
Для лучшего эффекта, советуем также не использовать встроенные программы наподобие GrooveMusic, просмотр фотографий, а использовать посторонний софт.