Re-write of Windows Page #166
Comments
dngray
added
status:approved
|
I would recommend adding a guide to disable telemetry as indicated here: https://github.com/privacyguides/privacyguides.org/discussions/169#discussioncomment-1474036
It would also be a good idea for those who want more security (and also performance) at the expense of some functionality (in particular, it will only be possible to install apps from Microsoft Store*) to switch to Windows S mode.
|
|
The S mode has a lot of things to be noted btw :
Overall I don't think it's a good thing unless it's been set up in a school or something |
|
I would recommend ThisIsWindows11 |
|
Regarding shutup10, we might want to see if the same thing is possible with the https://docs.microsoft.com/en-us/windows/privacy/windows-10-and-privacy-compliance |
|
Another thing regarding this we should mention uninstalling Cortana, which was made possible as of May 2020 (build 2004). It's possible via PowerShell: Get-appxpackage -allusers *Microsoft.549981C3F5F10* | Remove-AppxPackageOr if you have Winget: |
|
I really think you guys should look into Windows Enterprise and level 0 telemetry (they renamed to diagnostic data something in W11). As far as I know, most (if not all) of the privacy changes can be made via group policy or the settings so there's really no need for 3rd party tools. |
Pretty sure that is the Windows Restricted Traffic Limited Functionality Baseline. |
|
Another thing we have to look into is recommending that if people eill be using Windows, is that they shoild try and choose computers which support the neccesary features for hardware based security. Things like intel vt-d for iommu and uefi/tpm for secureboot. The best is that peoppe choose devuces which are certified by the windows secure core program. |
Not exactly. I got to play around and level 0 telemetry is only a part of the group policies that the restricted functionality baseline deploys (https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#1816-feedback--diagnostics). A lot of the policies also seem to be privacy/security regressive (e.g no windows update, no Microsoft store - i.e. no UWP apps, etc.). Perhaps we should try to pick out what policies aren't regressive (e.g. cortana related policies) and go on from there. I think I've been saying things that you already know so I'll leave it at that. |
|
Recommeding things, like Windows Enterprise, that are not legally available for consumers, is probably not a good idea for privacy or security. Bootleg software is pretty notorious for malware. |
|
You can get Windows Enterprise straight from the media creation tool. |
|
The thing with installing anything other than windows 11 pro is very minimum . Another thing is we could recommend simplefirewall ( it has a custom config to block some specific windows thing iirc ) And This And then above this all we can utilise winget to uninstall Microsoft teams or edge and stuff |
To add to what @xibeifenghenhaohe was saying, many students are able to get Education Edition (almost identical to enterprise) for free. |
|
I would recommend using BulkCrap Uninstaller for uninstalling things such as Cortana and Many UWP apps. |
|
There is some good material here https://github.com/beerisgood/Windows11_Hardening We should see if @beerisgood would like to contribute to this page. I know they used to hang around old PTIO back in the day. |
|
Thanks for the link to my repository 🍺 However, I have no interest in working on this or other PTIO project(s). |
|
https://www.windowslatest.com/2022/03/30/windows-11-to-get-smart-clipboard-and-actions-features/ - Need to cut off Telemetry and Internet Connection of Clipboard. |
|
When using with MS Account, windows recommends you to use Device Encryption which is nothing but Bitlocker but Encryption keys linked to MS account. Be carefult to note that. Say a proper way to use Bitlocker Encryption in the guide. |
|
Consider using this tool : https://www.ghacks.net/2022/04/09/bloatware-removal-tool-remove-pre-installed-windows-applications-and-more/ for removing Bloatware |
|
We currently don't have any Windows-specific recommendations at the moment. @dngray are we interested in re-introducing this page, or can this issue be closed? |
|
@jonaharagon Seriously!? Only Linux Fanboys can have Privacy not Windows ? I know you are writing for MacOS. But you should consider Windows too. Privacy Guides is actually to give advice for People on Privacy. The Thing is AFAIK, dngray do not have Windows. So, He aint' testing it out. You can ask for Windows users to contribute. |
|
Microsoft Windows still has a significant market share and is the dominant desktop OS (73% of the desktop market)1. IMO, creating a Windows page should be high on our list. Footnotes |
|
It is also evident from the website statistics that most visitors use Windows OS. |
I guess that it uses user agent for OS detection which is not reliable since people here probably spoof it. |
|
Recommend using TPM + Pin on Boot to prevent Cold boot attacks. More Context - https://blog.elcomsoft.com/2021/01/understanding-bitlocker-tpm-protection/ Also here - https://www.kapilarya.com/enable-bitlocker-pin-in-windows-11 (Guide for How to Set it up) |
|
I think that this Guide should be focused on Windows 11 mainly not 'Only' as Windows 10 will be discontinued in 3yrs. Though there are no differences between them just UI. A suggestion though. |
|
Configure TPM + PIN as below in Group Policy.
|
|
Very important reference according to me: https://www.makeuseof.com/windows-10-11-disable-telemetry/ |
So had another look at S-Mode today, and found this article from 2 June 2022.
If we do mention it, it's worth mentioning that it is not available for Windows 11 Professional.
This will likely change in the future:
Maybe we'd like to write a guide a simple SRP policy or, a more advanced guide with WDAC/AppLocker. |
|
What about W10 Privacy that was previously recommended by Privacytools? |
|
The r/piracy section regarding windows might be useful. |
|
As discussed in the macOS privacy and security guide, thoughts on having a separate admin and standard user account for windows? |
|
It will also be added. I might update the PR this weekend. |
|
This issue has been mentioned on Privacy Guides. There might be relevant details there: https://discuss.privacyguides.org/t/remove-bitlocker-as-windows-fde-recommendation/237/7 |
|
Some other associated links that might be worth including in the text where we explain things:
|
|
Some other things we might want to discuss:
By default BitLocker is 128bit, so for 256 there is this GUI method https://www.maketecheasier.com/set-bitlocker-encryption-aes-256/ There is this registry method: I'd prefer to specify it with Group Policy command and not mess with registry. |
|
We should also remind people not to backup their encryption keys to the Microsoft cloud etc, that this can be used for recovery and should be considered very carefully. |
|
Corrections for #1659 line 14: criticised > criticized |
|
Using Microsoft's answer files should definitely be under our radar for research to secure Windows. Can easily be dropped into an ISO and burned to a USB stick for installation. Would save a lot time for users wanting to configure their system. UnattendedWinstall developed by memstechtips is something we could look into. |
Description
https://privacyguides.org/operating-systems/#win10
This page does need to be re-written. It is quite a bit out of date. I think we could benefit from bringing privacytools/privacytools.io#926 forward into this PR.
Additionally regarding removal of Cortana, (something that wasn't possible when that page was written), we should provide instruction privacytools/privacytools.io#926 (comment).
It's worth noting O&O ShutUp10, already supports Windows 11.
Closes: #172 (comment)
The text was updated successfully, but these errors were encountered: