Время на прочтение10 мин
Количество просмотров356K
Микрософт с помощью пасьянса и косынки учила пользователей пользоваться мышью,
теперь с помощью windows 10 учит читать лицензионное соглашение.
После выхода windows 10 сразу появились сообщения о сборе информации о действиях пользователей и много обсуждений, что делать. Достаточно быстро пользователи составили список основных серверов, собирающих информацию и попытались их заблокировать через файл hosts. Но скептики сразу выдвинули здравое предположение, что MS мог предусмотреть этот метод и некоторые адреса прописать в коде. Тем более, что MS всегда может актуализировать адреса серверов через windows update.
В нашей компании начали появляться первые пользователи windows 10, и мы решили опробовать блокировку передачи телеметрии через встроенный windows firewall.
Итак, собран простой тестовый стенд:
Два ноутбука, на один из них ставим Windows 10 и подключим его к интернету через второй ноутбук, используя internet sharing. На втором ноутбуке, который работает как NAT роутер, поставим Wireshark и определим исходящий трафик на сервера MS с первого ноутбука.
Что получилось:
- Да, Windows 10 отправляет данные;
- Список серверов почти полностью совпал с указанным в статье habrahabr.ru/company/pt/blog/264763 и forums.untangle.com/web-filter/35894-blocking-windows-10-spying-telemetry.html
- Встроенный Windows Firewall полностью блокирует передачу данных на эти узлы.
Правила для Firewall
После того как мы получили список IP и убедились в эффективности их блокировки, можно, с помощью Powershell скрипта, внести их в настройки.
Для добавления правила в Firewall необходимо выполнить следующую команду (в качестве примера возьмем сервер «watson.telemetry.microsoft.com»):
netsh advfirewall firewall add rule name="telemetry_watson.telemetry.microsoft.com" dir=out action=block remoteip=65.55.252.43,65.52.108.29 enable=yes
Где:
name – имя правила и по совместимости название сервера Microsoft;
dir = out – параметр указывающий, что правило соответствует только исходящему сетевому трафику;
action=block – сетевые пакеты, указанные в этом правиле, будут отбрасываются firewall;
remoteip – IP-адрес получателя области исходящего сетевого пакета;
enable=yes – указывает на то, что правило в настоящее время включено.
Аналогично этому будут прописаны и другие правила. В итоге, скрипт будет иметь примерно следующий вид:
Firewall rules
Set-NetFirewallProfile -all
netsh advfirewall firewall add rule name=«telemetry_vortex.data.microsoft.com» dir=out action=block remoteip=191.232.139.254 enable=yes
netsh advfirewall firewall add rule name=«telemetry_telecommand.telemetry.microsoft.com» dir=out action=block remoteip=65.55.252.92 enable=yes
netsh advfirewall firewall add rule name=«telemetry_sqm.telemetry.microsoft.com» dir=out action=block remoteip=65.55.252.93 enable=yes
netsh advfirewall firewall add rule name=«telemetry_watson.telemetry.microsoft.com» dir=out action=block remoteip=65.55.252.43,65.52.108.29 enable=yes
netsh advfirewall firewall add rule name=«telemetry_redir.metaservices.microsoft.com» dir=out action=block remoteip=194.44.4.200,194.44.4.208 enable=yes
netsh advfirewall firewall add rule name=«telemetry_choice.microsoft.com» dir=out action=block remoteip=157.56.91.77 enable=yes
netsh advfirewall firewall add rule name=«telemetry_df.telemetry.microsoft.com» dir=out action=block remoteip=65.52.100.7 enable=yes
netsh advfirewall firewall add rule name=«telemetry_reports.wes.df.telemetry.microsoft.com» dir=out action=block remoteip=65.52.100.91 enable=yes
netsh advfirewall firewall add rule name=«telemetry_wes.df.telemetry.microsoft.com» dir=out action=block remoteip=65.52.100.93 enable=yes
netsh advfirewall firewall add rule name=«telemetry_services.wes.df.telemetry.microsoft.com» dir=out action=block remoteip=65.52.100.92 enable=yes
netsh advfirewall firewall add rule name=«telemetry_sqm.df.telemetry.microsoft.com» dir=out action=block remoteip=65.52.100.94 enable=yes
netsh advfirewall firewall add rule name=«telemetry_telemetry.microsoft.com» dir=out action=block remoteip=65.52.100.9 enable=yes
netsh advfirewall firewall add rule name=«telemetry_watson.ppe.telemetry.microsoft.com» dir=out action=block remoteip=65.52.100.11 enable=yes
netsh advfirewall firewall add rule name=«telemetry_telemetry.appex.bing.net» dir=out action=block remoteip=168.63.108.233 enable=yes
netsh advfirewall firewall add rule name=«telemetry_telemetry.urs.microsoft.com» dir=out action=block remoteip=157.56.74.250 enable=yes
netsh advfirewall firewall add rule name=«telemetry_settings-sandbox.data.microsoft.com» dir=out action=block remoteip=111.221.29.177 enable=yes
netsh advfirewall firewall add rule name=«telemetry_vortex-sandbox.data.microsoft.com» dir=out action=block remoteip=64.4.54.32 enable=yes
netsh advfirewall firewall add rule name=«telemetry_survey.watson.microsoft.com» dir=out action=block remoteip=207.68.166.254 enable=yes
netsh advfirewall firewall add rule name=«telemetry_watson.live.com» dir=out action=block remoteip=207.46.223.94 enable=yes
netsh advfirewall firewall add rule name=«telemetry_watson.microsoft.com» dir=out action=block remoteip=65.55.252.71 enable=yes
netsh advfirewall firewall add rule name=«telemetry_statsfe2.ws.microsoft.com» dir=out action=block remoteip=64.4.54.22 enable=yes
netsh advfirewall firewall add rule name=«telemetry_corpext.msitadfs.glbdns2.microsoft.com» dir=out action=block remoteip=131.107.113.238 enable=yes
netsh advfirewall firewall add rule name=«telemetry_compatexchange.cloudapp.net» dir=out action=block remoteip=23.99.10.11 enable=yes
netsh advfirewall firewall add rule name=«telemetry_cs1.wpc.v0cdn.net» dir=out action=block remoteip=68.232.34.200 enable=yes
netsh advfirewall firewall add rule name=«telemetry_a-0001.a-msedge.net» dir=out action=block remoteip=204.79.197.200 enable=yes
netsh advfirewall firewall add rule name=«telemetry_statsfe2.update.microsoft.com.akadns.net» dir=out action=block remoteip=64.4.54.22 enable=yes
netsh advfirewall firewall add rule name=«telemetry_sls.update.microsoft.com.akadns.net» dir=out action=block remoteip=157.56.77.139 enable=yes
netsh advfirewall firewall add rule name=«telemetry_fe2.update.microsoft.com.akadns.net» dir=out action=block remoteip=134.170.58.121,134.170.58.123,134.170.53.29,66.119.144.190,134.170.58.189,134.170.58.118,134.170.53.30,134.170.51.190 enable=yes
netsh advfirewall firewall add rule name=«telemetry_diagnostics.support.microsoft.com» dir=out action=block remoteip=157.56.121.89 enable=yes
netsh advfirewall firewall add rule name=«telemetry_corp.sts.microsoft.com» dir=out action=block remoteip=131.107.113.238 enable=yes
netsh advfirewall firewall add rule name=«telemetry_statsfe1.ws.microsoft.com» dir=out action=block remoteip=134.170.115.60 enable=yes
netsh advfirewall firewall add rule name=«telemetry_pre.footprintpredict.com» dir=out action=block remoteip=204.79.197.200 enable=yes
netsh advfirewall firewall add rule name=«telemetry_i1.services.social.microsoft.com» dir=out action=block remoteip=104.82.22.249 enable=yes
netsh advfirewall firewall add rule name=«telemetry_feedback.windows.com» dir=out action=block remoteip=134.170.185.70 enable=yes
netsh advfirewall firewall add rule name=«telemetry_feedback.microsoft-hohm.com» dir=out action=block remoteip=64.4.6.100,65.55.39.10 enable=yes
netsh advfirewall firewall add rule name=«telemetry_feedback.search.microsoft.com» dir=out action=block remoteip=157.55.129.21 enable=yes
netsh advfirewall firewall add rule name=«telemetry_rad.msn.com» dir=out action=block remoteip=207.46.194.25 enable=yes
netsh advfirewall firewall add rule name=«telemetry_preview.msn.com» dir=out action=block remoteip=23.102.21.4 enable=yes
netsh advfirewall firewall add rule name=«telemetry_dart.l.doubleclick.net» dir=out action=block remoteip=173.194.113.220,173.194.113.219,216.58.209.166 enable=yes
netsh advfirewall firewall add rule name=«telemetry_ads.msn.com» dir=out action=block remoteip=157.56.91.82,157.56.23.91,104.82.14.146,207.123.56.252,185.13.160.61,8.254.209.254 enable=yes
netsh advfirewall firewall add rule name=«telemetry_a.ads1.msn.com» dir=out action=block remoteip=198.78.208.254,185.13.160.61 enable=yes
netsh advfirewall firewall add rule name=«telemetry_global.msads.net.c.footprint.net» dir=out action=block remoteip=185.13.160.61,8.254.209.254,207.123.56.252 enable=yes
netsh advfirewall firewall add rule name=«telemetry_az361816.vo.msecnd.net» dir=out action=block remoteip=68.232.34.200 enable=yes
netsh advfirewall firewall add rule name=«telemetry_oca.telemetry.microsoft.com.nsatc.net» dir=out action=block remoteip=65.55.252.63 enable=yes
netsh advfirewall firewall add rule name=«telemetry_reports.wes.df.telemetry.microsoft.com» dir=out action=block remoteip=65.52.100.91 enable=yes
netsh advfirewall firewall add rule name=«telemetry_ssw.live.com» dir=out action=block remoteip=207.46.101.29 enable=yes
netsh advfirewall firewall add rule name=«telemetry_msnbot-65-55-108-23.search.msn.com» dir=out action=block remoteip=65.55.108.23 enable=yes
netsh advfirewall firewall add rule name=«telemetry_a23-218-212-69.deploy.static.akamaitechnologies.com» dir=out action=block remoteip=23.218.212.69 enable=yes
Выполнение созданного скрипта
Чтобы не проходить долгий путь по запуску этого power shell скрипта с правами администратора, проще создать .bat файл и запустить его. UAC сам запросит подтверждение прав.
@echo off
cls
echo Telemetry
echo Rules of Firewall
echo.
echo press any key to continue...
pause > NUL
echo Rules of Firewall
echo.
PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""%~dp0.\ms_new.ps1""' -Verb RunAs}"
echo Rules included in Firewall...
echo.
pause
Где ms_new.ps1 – имя созданного файла с power shell командами.
После этого, добавленные правила будут отображаться в Windows Firewall, как на скриншоте ниже:
И, дополнительно, информация, не относящиеся к firewall, но относящаяся к сбору телеметрии
Windows 7/8/8.1
Также стоит отметить, что пользователи ОС Windows 7/8/8.1 получили обновления, которые расширяют возможности системы по сбору и отправке телеметрических данных. Соответственно, к этим пользователям также можно применить рекомендации, представленные в этой статье, или удалить обновления habrahabr.ru/post/265283.
Key logger
Надо отключить «DiagTrack» (сбор данных в компонентах Windows) и «dmwappushservice» (cлужба маршрутизации push-сообщений WAP). Для этого запускаем командную строку от имени администратора и отключаем службы:
sc stop DiagTrack
sc stop dmwappushserviceИли же вообще их удаляем:
sc delete DiagTrack
sc delete dmwappushservice
Планировщик отправки телеметрии
В консоли Taskschd.msc надо запретить задания:
Заголовок спойлера
REM *** Task that collects data for SmartScreen in Windows ***
schtasks /Change /TN "Microsoft\Windows\AppID\SmartScreenSpecific" /Disable
REM *** Collects program telemetry information if opted-in to the Microsoft Customer Experience Improvement Program ***
schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Disable
REM *** Collects program telemetry information if opted-in to the Microsoft Customer Experience Improvement Program ***
schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable
REM *** Aggregates and uploads Application Telemetry information if opted-in to the Microsoft Customer Experience Improvement Program ***
schtasks /Change /TN "Microsoft\Windows\Application Experience\AitAgent" /Disable
REM *** This task collects and uploads autochk SQM data if opted-in to the Microsoft Customer Experience Improvement Program ***
schtasks /Change /TN "Microsoft\Windows\Autochk\Proxy" /Disable
REM *** If the user has consented to participate in the Windows Customer Experience Improvement Program, this job collects and sends usage data to Microsoft ***
schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Disable
REM *** The Kernel CEIP (Customer Experience Improvement Program) task collects additional information about the system and sends this data to Microsoft. ***
REM *** If the user has not consented to participate in Windows CEIP, this task does nothing ***
schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /Disable
REM *** The Bluetooth CEIP (Customer Experience Improvement Program) task collects Bluetooth related statistics and information about your machine and sends it to Microsoft ***
REM *** The information received is used to help improve the reliability, stability, and overall functionality of Bluetooth in Windows ***
REM *** If the user has not consented to participate in Windows CEIP, this task does not do anything.***
schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\BthSQM" /Disable
REM *** Create Object Task ***
schtasks /Change /TN "Microsoft\Windows\CloudExperienceHost\CreateObjectTask" /Disable
REM *** The Windows Disk Diagnostic reports general disk and system information to Microsoft for users participating in the Customer Experience Program ***
schtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable
REM *** Measures a system's performance and capabilities ***
schtasks /Change /TN "Microsoft\Windows\Maintenance\WinSAT" /Disable
REM *** Network information collector ***
schtasks /Change /TN "Microsoft\Windows\NetTrace\GatherNetworkInfo" /Disable
REM *** Initializes Family Safety monitoring and enforcement ***
schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyMonitor" /Disable
REM *** Synchronizes the latest settings with the Family Safety website ***
schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyRefresh" /Disable
REM *** SQM (Software Quality Management) ***
schtasks /Change /TN "Microsoft\Windows\IME\SQM data sender" /Disable
REM *** This task initiates the background task for Office Telemetry Agent, which scans and uploads usage and error information for Office solutions ***
schtasks /Change /TN "Microsoft\Office\OfficeTelemetryAgentFallBack" /Disable
REM *** This task initiates Office Telemetry Agent, which scans and uploads usage and error information for Office solutions when a user logs on to the computer ***
schtasks /Change /TN "Microsoft\Office\OfficeTelemetryAgentLogOn" /Disable
также подозриетльные задачи в планировщике, рекомендую отключить:
Заголовок спойлера
REM *** Scans startup entries and raises notification to the user if there are too many startup entries ***
schtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /Disable
REM *** Protects user files from accidental loss by copying them to a backup location when the system is unattended ***
schtasks /Change /TN "Microsoft\Windows\FileHistory\File History (maintenance mode)" /Disable
REM *** This task gathers information about the Trusted Platform Module (TPM), Secure Boot, and Measured Boot ***
schtasks /Change /TN "Microsoft\Windows\PI\Sqm-Tasks" /Disable
REM *** This task analyzes the system looking for conditions that may cause high energy use ***
schtasks /Change /TN "Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /Disable
Все вышесказанное не 100% панацея, но одно из компромиссных решений.
Мы будем обновлять в этой статье список серверов и PS скрипт для них.
update 1: Обновили список планировщика задач.
Как фаерволом защитится от зловредов, можно прочитать в моей статье:
Простой, но надежный способ защитить свой компьютер от вирусов и троянов.
C уважением коллектив компании Servilon.ru Servilon.com
Win10Debloat
Win10Debloat is a simple and lightweight powershell script that removes pre-installed windows 10/11 bloatware apps, disables telemetry and declutters the experience by disabling or removing intrusive interface elements, ads and context menu items. No need to painstakingly go through all the settings yourself, or removing apps one by one. Win10Debloat makes the process quick and simple!
You can pick and choose exactly which modifications you want the script to make, but the default settings should be fine for most people. All of the changes can be easily reverted using the registry files that are included in the ‘Regfiles’ folder, and all of the apps that are removed by default can be reinstalled from the microsoft store.
The windows 10 default settings will:
- Remove all bloatware apps from this list.
- Disable telemetry, diagnostic data & targeted ads.
- Disable bing & cortana in windows search.
- Disable tips & tricks on the lockscreen. (This may change your lockscreen wallpaper to the windows default)
- Disable tips, tricks and suggestions in the startmenu and settings, and sync provider ads in windows explorer.
- Hide the Chat (meet now) & Widget (news and interests) icons from the taskbar.
- Hide the 3D objects folder under ‘This pc’ in windows explorer.
- Disable the ‘Include in library’ from context menu.
- Disable the ‘Give access to’ from context menu.
- Disable the ‘Share’ from context menu. (Does not remove the onedrive share option)
The windows 11 default settings will:
- Remove all bloatware apps from this list.
- Disable telemetry, diagnostic data & targeted ads.
- Disable bing & cortana in windows search.
- Disable tips & tricks on the lockscreen. (This may change your lockscreen wallpaper to the windows default)
- Disable tips, tricks and suggestions in the startmenu and settings, and sync provider ads in windows explorer.
- Hide the Chat & Widget icons from the taskbar.
Or select the ‘Custom’ option in the menu to customize the script to your needs.
Donate a cup of coffee to support my work
Usage
Disclaimer: I believe this script to be completely safe to run, but use this script at your own risk!
Easy method:
- Download the latest version of the script, and extract the .ZIP file to your desired location.
- Navigate to the Win10Debloat folder
- Double click the ‘Run.bat’ file to start the script.
- Accept the windows UAC prompt to run the script as administrator, this is required for the script to function.
- Select either default, or custom setup depending on what changes you want to make. Custom setup will allow you to choose exactly which changes you want to make, and which changes you want to skip.
Advanced method:
This method gives you the option to run the script with certain arguments to tailor the behaviour of the script to your needs without requiring any user input during runtime, making it quicker and easier to deploy on a large number of systems.
- Download the latest version of the script, and extract the .ZIP file to your desired location.
- Open powershell as an administrator.
- Enable powershell execution by entering the following command:
Set-ExecutionPolicy Unrestricted -Force - In powershell, navigate to the directory where the files were extracted. Example:
cd c:\Win10Debloat - Enter this into powershell to run the script:
.\Win10Debloat.ps1To run the script without any user input you can add arguments at the end, for example:.\Win10Debloat.ps1 -RemoveApps -DisableBing
| Argument | Description |
|---|---|
| -RunDefaults | Run the script with windows 10 default settings. |
| -RunWin11Defaults | Run the script with windows 11 default settings. |
| -RemoveApps | Remove all bloatware apps from this list. |
| -DisableTelemetry | Disable telemetry, diagnostic data & targeted ads. |
| -DisableBing | Disable bing & cortana in windows search. |
| -DisableLockscreenTips | Disable tips & tricks on the lockscreen. |
| -DisableWindowsSuggestions | Disable tips, tricks and suggestions in the startmenu and settings, and sync provider ads in windows explorer. |
| -DisableChat | Hide the chat (meet now) icon on the taskbar. |
| -DisableWidgets | Hide the widget (news and interests) icon on the taskbar. |
| -DisableOnedrive | Hide the onedrive folder in the windows explorer sidepanel. |
| -Disable3dObjects | Hide the 3D objects folder under ‘This pc’ in windows explorer. |
| -DisableMusic | Hide the music folder under ‘This pc’ in windows explorer. |
| -DisableIncludeInLibrary | Disable the ‘Include in library’ option in the context menu. |
| -DisableGiveAccessTo | Disable the ‘Give access to’ option in the context menu. |
| -DisableShare | Disable the ‘Share’ option in the context menu. |
Debloat Windows 10/11
By default, this script only removes apps that most people are unlikely to ever need or use. You can of course customize which apps are removed by this script by editing the apps list found in the ‘Win10Debloat.ps1’ file.
These apps will be deleted by default:
- AdobeSystemsIncorporated.AdobePhotoshopExpress
- Clipchamp.Clipchamp
- Dolby
- Duolingo-LearnLanguagesforFree
- HULULLC.HULUPLUS
- Microsoft.3DBuilder
- Microsoft.549981C3F5F10 (Cortana)
- Microsoft.Asphalt8Airborne
- Microsoft.BingFinance
- Microsoft.BingNews
- Microsoft.BingSports
- Microsoft.BingTranslator
- Microsoft.BingWeather
- Microsoft.GetHelp
- Microsoft.Getstarted
- Microsoft.Messaging
- Microsoft.Microsoft3DViewer
- Microsoft.MicrosoftOfficeHub
- Microsoft.MicrosoftSolitaireCollection
- Microsoft.MicrosoftStickyNotes
- Microsoft.MixedReality.Portal
- Microsoft.NetworkSpeedTest
- Microsoft.News
- Microsoft.Office.OneNote
- Microsoft.Office.Sway
- Microsoft.OneConnect
- Microsoft.Print3D
- Microsoft.RemoteDesktop
- Microsoft.SkypeApp
- Microsoft.Todos
- Microsoft.WindowsAlarms
- Microsoft.WindowsFeedbackHub
- Microsoft.WindowsMaps
- Microsoft.WindowsSoundRecorder
- Microsoft.ZuneMusic
- Microsoft.ZuneVideo
- PandoraMediaInc
- Picsart-Photostudio
- Royal Revolt
- Speed test
- Spotify
- Wunderlist
- king.com.BubbleWitch3Saga
- king.com.CandyCrushSaga
- king.com.CandyCrushSodaSaga
These apps will NOT be deleted by default:
- Microsoft.GamingApp
- Microsoft.MSPaint (Paint 3D)
- Microsoft.People
- Microsoft.PowerAutomateDesktop
- Microsoft.ScreenSketch
- Microsoft.Windows.Photos
- Microsoft.WindowsCalculator
- Microsoft.WindowsCamera
- microsoft.windowscommunicationsapps (Mail & Calendar)
- Microsoft.WindowsStore (NOTE: This app cannot be reinstalled!)
- Microsoft.Xbox.TCUI
- Microsoft.XboxApp
- Microsoft.XboxGameOverlay
- Microsoft.XboxGamingOverlay
- Microsoft.XboxIdentityProvider
- Microsoft.XboxSpeechToTextOverlay (NOTE: This app cannot be reinstalled from the microsoft store!)
- Microsoft.YourPhone
Declutter Windows 10/11
This script can also make various changes to declutter windows 10/11, such as:
- Disable telemetry, diagnostic data & targeted ads.
- Disable bing & cortana in windows search.
- Disable tips & tricks on the lockscreen. (This changes your lockscreen wallpaper to the windows default)
- Disable tips, tricks and suggestions in the startmenu and settings, and sync provider ads in windows explorer.
- Hide the chat (meet now) icon on the taskbar.
- Hide the widget (news and interests) icon on the taskbar.
- Hide the onedrive folder in the windows explorer sidepanel.
- Hide the 3D objects folder under ‘This pc’ in windows explorer.
- Hide the music folder under ‘This pc’ in windows explorer.
- Disable the ‘Include in library’ option in the context menu.
- Disable the ‘Give access to’ option in the context menu.
- Disable the ‘Share’ from context menu. (Does not remove the onedrive share option)
All of these changes can be reverted with the registry files that are included in the ‘Regfiles’ folder.
Most users are not comfortable sharing their activity or data on the computers with anyone, Microsoft included. However, Microsoft gathers the user’s data through a feature called Telemetry, where your computer collects and sends your data to Microsoft, which is then presumably used to make your Windows experience better.
The Telemetry and Data Collection feature in Windows is enabled by default. This feature collects data of user’s activity and sends it to Microsoft as feedback. It is used to:
- Keep Windows up to date.
- Keep Windows secure and reliable.
- Improve Windows through analyzing.
The data which is recorded includes the type of hardware, applications being used, application and network usage, and much more.
Let us now discuss how to manage and disable Telemetry in Windows.
Table of Contents
How to Manage Telemetry in Windows
Sometimes other data is also shared with Microsoft, such as the user’s current location, searches performed online, wallpapers or screen savers being used, etc. Some users might be uncomfortable with this and want to disable the feature entirely.
Unfortunately, you cannot disable it using the conventional method. However, you can choose to send only the required data, or the required data plus the optional data to Microsoft.
Follow the steps below to manage your Telemetry preferences via Windows Settings.
In Windows 11
- Navigate to the following:
Settings app >> Privacy and Security >> Disgnostics and feedback - Expand Diagnostic Data.
- Now toggle the slider under “Send optional diagnostic data” into the Off position to disable sending optional data.
In Windows 10
- Navigate to the following:
Settings app >> Privacy >> Disgnostics and feedback - Here, select “Required diagnostics data” to disable the optional data from sending to Microsoft.
If you are using an older version of Windows 10, you may see the following 3 options on the Feedback and Diagnostics page:
- Basic: This will give basic data of your device to Microsoft.
- Enhanced: This includes the basic data plus data about how you use Windows, which apps you use frequently, etc.
- Full (Recommended): This includes Enhanced data plus the advanced diagnostics information.
As you may find, the actions performed above will only disable Windows from sending the optional data. However, the required data will still be available to Microsoft. Which is why, if you wish to disable Telemetry and Data Collection entirely, you must perform any of the given solutions below in this post.
How to Disable Telemetry and Data Collection in Windows
Using Group Policy
This method is only valid for Windows 11. If you are using Windows 10, continue to the next section of this post.
Perform the following steps to disable Telemetry entirely on your Windows 11 PC using the Group Policy Editor:
- Launch the Group Policy Editor by typing in gpedit.msc in Run.
- Navigate to the following using the left pane:
Computer Configuration >> Administrative Templates >> Windows Components >> Data collection and Preview Builds - Now double-click the following Group Policy “Allow Diagnostic Data” in the right pane.
- From the popup window, select Enabled, then select Diagnostic data off under Options, and then click Apply and Ok.
- Now run the following command in Command Prompt with administrative rights for the changes to take effect:
gpupdate /force
You will now find that Telemetry has been disabled for your PC. This can be confirmed when you see “Your organization prevents sending diagnostic data to Microsoft” written on the Diagnostics and Feedback Settings page.
From Windows Registry
Misconfiguration of critical values in the system’s registry could be fatal for your operating system. Therefore, we insist that you create a system restore point before proceeding forward with the process.
Perform the following steps to disable Telemetry on your PC using the Registry Editor:
- Open the Registry Editor by typing in regedit in Run.
- Now paste the following in the address bar at the top for quick navigation:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection
- Right-click DataCollection key, expand New from the context menu, and then click DWORD (32-bit) Value.
- Name this DWORD “AllowTelemetry.”
- Double-click AllowTelemetry and set its Value Data to 0. Then click Ok.
- Now restart your computer for the changes to take effect.
You will now find that Telemetry has been disabled and the respective options in the Settings app have been greyed out.
By Disabling Services
You can also disable the Telemetry and Data Collection feature in Windows by disabling the respective service. Here is how:
- Open the Windows services page by typing in services.msc in Run.
- Here, double-click the service “Connected User Experience and Telemetry.” (If you are using an older version of Windows 10, the service’s name might be “Dignostics Tracking Service.”)
- From the popup properties window, select Startup Type as Disabled, then click Apply and Ok.
- Now restart the computer for the changes to take effect.
Once the computer restarts, the changes will be applied to your Registry settings and now your data won’t be accessible to Microsoft.
From Command Prompt
You can also disable Telemetry by performing the following task using Command Prompt. This is easier for the people who are familiar with the Command Line Interface (CLI) of Windows.
Launch the Command Prompt with administrative rights and then enter the following commands one after the other:
sc delete DiagTrack sc delete dmwappushservice echo “” > C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\AutoLogger-Diagtrack-Listener.etl reg add “HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection” /v AllowTelemetry /t REG_DWORD /d 0 /f
Now restart your computer for the changes to take effect. When it does, you will find that the Diagnostics and Feedback Settings page has been greyed out as Telemetry has been disabled.
Disable Microsoft Compatibility Appraiser
Using Task Scheduler
As with every automated process in Windows, the Task Scheduler run a task that manages Telemetry on your Windows PC. Once this task is disabled, as will telemetry. Follow the steps below to disable the scheduled task:
- Open Task Scheduler by typing in taskschd.msc in Run.
- Now navigate to the following from the left pane:
Task Scheduler Library >> Microsoft >> Windows >> Application Experience - Here, in the middle pane, right-click “Microsoft Compatibility Appraiser” and then click Disable from the context menu.
Windows Telemetry will now be disabled. You can also perform the same task via Windows PowerShell.
Using PowerShell
To disable Microsoft Compatibility Appraiser using PowerShell, launch Windows PowerShell with administrative privileges and then run the following command:
Disable-ScheduledTask -TaskName "Microsoft Compatibility Appraiser" -TaskPath "\Microsoft\Windows\Application Experience"
Closing Words
These methods are necessary for users for whom privacy and security are more important than any update or improvement by the manufacturer. That’s why they can easily disable the Telemetry feature from their system.
Although Microsoft has been pushing telemetry data collection since Windows 7, nothing was as comprehensive a the one on Windows 10. By default, Windows 10 comes with the telemetry feature enabled by default which collects all sorts of user activity and sends it directly to Microsoft. As Microsoft provides no way of disabling it completely from the GUI menu (unless you own an Enterprise edition), some users have been searching for alternatives on preventing their Windows OS installation from gathering telemetry data.
How to Disable Telemetry Data collection on Windows 10
When it comes to stopping Windows 10 from gathering telemetry data, there are only one GUI setting that regular users have access to – By setting the Diagnostic and usage data to feature to Basic, you will limit the amount of telemetry data that gets collected based on you. You can also inhibit telemetry data collection via Registry Editor, but this is only a little more effective than the GUI equivalent.
However, if you want to limit this feature even more, you should also consider disabling the Microsoft Compatibility telemetry service via an elevated CMD and disabling the Microsoft Compatibility Appraiser (either via the Task Scheduler or via Powershell).
But if you have Windows 10 PRO or Windows 10 Enterprise, the best way to do this is via Group Policy Editor.
Method 1: Changing Privacy Options
Although many telemetry settings are “on” by default, it is comforting for Windows 10 users that they can turn them off. Follow these steps to tweak telemetry options in Windows 10 privacy settings.
Go to Windows 10 settings and select Privacy. You will find a number of tabs on the left-hand side. Explore the tabs and you will find many options that you can tweak according to your preferences.
However, not all the options can be accessed through the Windows 10 settings. To disable telemetry in Windows 10, you need to use some hacks for these additional options.
If you’re looking for a different way of disabling the telemetry service, move down to the next potential fix below.
Method 2: Disabling Diagnostic and usage data
If you are contempt with limiting the amount of data you send to Microsoft, you might consider setting the Diagnostic and usage data to Basic from the Feedback & Diagnostics menu (in Windows Settings).
Although this operation doesn’t stop the telemetry data from being collected, it will force your Windows 10 installation to only collect the basic information that is vital to the operating system. Data collected includes hardware capabilities, average running parameters and critical errors that bring your system to a halt.
Keep in mind that going this route will still allow the installation of new Windows updates, but some UWP apps might not function correctly after some time.
If you decide to go this route, here are the step by step instructions that will allow you to modify the Diagnostic and usage data settings in order to limit the amount of telemetry data that is collected from your Windows 10 computer:
- Press Windows key + R to open up a Run dialog box. Next, type ‘ms-settings:privacy-feedback‘ and press Enter to open up the Feedback & diagnostics tab of the Settings app.
- Once you arrive to the correct location, move over to the right-hand section and scroll down to the Diagnostic data section.
- After you identify the Diagnostic data tab, set it’s associated toggle to Basic.
- Restart your computer to save the modification.
In case you’re looking for a way to completely stop the telemetry data collection of Windows 10, move down to the next method below.
Method 3: Disable Microsoft Compatibility telemetry via CMD
If you are willing to get a little technical, you can also disable the telemetry data collection on Windows 10 by disabling the main service that is being used for this task.
This method will only work on Windows 10, will affect any other applications that are designed to call upon the Microsoft Compatibility Telemetry services.
Several affected users have confirmed that this operation finally allowed them to stop telemetry data collection from their system. Here’s a quick guide on disabling telemetry data collection on Windows 10 from an elevated CMD prompt:
- Press Windows key + R to open up a Run dialog box. Next, type ‘cmd’ and press Ctrl + Shift + Enter to open up an elevated CMD prompt. When you’re prompted by the UAC (User Account Control), click Yes to grant administrative privileges.
Running the Command Prompt - Once you’re inside the elevated CMD prompt, type the following commands successfully and press Enter after each line to effectively disable the Microsoft Compatibility Telemetry:
sc delete DiagTrack sc delete dmwappushservice echo “” > C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\AutoLogger-Diagtrack-Listener.etl reg add “HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection” /v AllowTelemetry /t REG_DWORD /d 0 /f
- Once every command has been successfully processed, restart your computer.
If you’re looking for a different way of disabling Telemetry data collection on Windows 10, move down to the next method below.
Method 4: Disable Microsoft Compatibility Appraiser
If you’re experiencing an unusually high CPU usage whenever your Windows 10 installation is collecting telemetry data, you’ll probably need to disable the task associated with CompatTelRunner.exe (Microsoft Compatibility Appraiser.
When it comes to doing this, you have two ways forward – you can either do it directly from the Task Scheduler windows or you can do it from an elevated Powershell prompt.
Disable Microsoft Compatibility Appraiser via Task Scheduler
The least intrusive operation that will allow you to do this is to use Task Scheduler to disable the Microsoft Compatibility Appraiser located under \Microsoft\Windows\Application Experience.
Here’s a quick guide on using Task Scheduler to disable the Microsoft Compatibility Appraiser scheduled task:
- Press Windows key + R to open up a Run dialog box. Next, type’ taskschd.msc” and press Enter to open up Task Scheduler. When you’re prompted by the UAC (User Account Control), click Yes to grant admin access.
Running the Task Scheduler utility from the Run dialog box - Once you’re inside Task Scheduler, use the left-hand section to navigate to Microsoft > Windows > Application Experience.
- After you get to the correct location, move over to the right-hand section, right-click on the task named Microsoft Compatibility Appraiser and choose Disable from the newly appeared context menu.
Disabling the Microsoft Compatibility Appraiser task
Disable Microsoft Compatibility Appraiser via Powershell
If you aren’t afraid to get technical, you can also disable this task from a Powershell terminal. But unless you open it with elevated privileges, the command will trigger an error.
Here’s a quick guide on disabling the Microsoft Compatibility Appraiser from an elevated Powershell prompt:
- Press Windows key + R to open up a Run dialog box. Inside the text box, type ‘powershell’ and press Ctrl + Shift + Enter to open up an elevated Powershell terminal window.
Typing in “Powershell” and pressing “Shift” + “Alt” + “Enter” Note: When you’re prompted by the UAC (User Account Control), click Yes to grant administrative privileges.
- Once you’re inside the elevated Powershell window, type or paste the following commands and press Enter to disable the Microsoft Compatibility Appraiser task:
Disable-ScheduledTask -TaskName "Microsoft Compatibility Appraiser" -TaskPath "\Microsoft\Windows\Application Experience"
- After the command is successfully processed, restart your computer and see if the issue is resolved.
In case, you’re looking for a different way of disabling telemetry data collection on Windows 10, move down to the next method below.
Method 5: Disabling Telemetry collection via Registry Editor
If you’re not afraid of going through the registry and disabling telemetry collection this way, you can force the data collection to stop using Registry Editor. But the operation will only be complete after you open up the Services screen and disable the Diagnostics Tracking Service.
This method will only work on Windows 10, but a lot of affected users have reported that this operation was the only one that allowed them to completely stop telemetry collection on their computer.
Note: Going this route may inhibit your machine’s ability to fetch and install OS updates.
If you decide to go this route, here’s a quick guide on disabling telemetry collection via Registry Editor and Services utility:
- Press Windows key + R to open up a Run dialog box. Next, type ‘regedit’ inside the text box and press Enter. Once you are prompted by the UAC (User Account Control) prompt, click Yes to grant administrative privileges.
Open Regedit - Once you’re inside the Registry Editor, use the left-hand section to navigate to the following location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection
Note: You can either browse to this location manually or you can paste it directly into the nav box and press Enter to get there instantly.
- With the DataCollection key selected, move down to the right panel, right-click on an empty space and choose New > Dword value (32-bit). Next, name the newly created Dword value AllowTelemetry and press Enter to save the changes.
Creating the AllowTelemetry Dword value - After the new Dword value is created, double-click on AllowTelemetry and set the Base to Hexadecimal and the Value Data to 0.
Creating the AllowTelemetry value Note: This modification will set the telemetry settings to security only, meaning that no other type of data will be sent to Microsoft.
- Save the change by clicking on Ok, then close the Registry Editor utility.
- Press Windows key + R to open up another Run dialog box. Inside the text box, type ‘services.msc’ and press Enter to open up the Services utility.
Type “services.msc” into the Run dialog and press Enter Note: When you’re prompted by the UAC (User Account Control), click Yes to grant administrative privileges.
- Once you’re inside the Services screen, scroll down through the list of local Services and locate the entry associated with Connected User Experiences and Telemetry. Once you manage to locate it, right-click on the entry and choose Properties from the context menu.
Accessing the Properties screen of the Diagnostics Tracking Service - Once you’re inside the Properties screen of Connected User Experiences and Telemetry, select the General tab from the horizontal menu at the top and change the Startup type to Disabled and click on Apply to save the configuration.
Disabling the Connected User Experiences and Telemetry service - Next, repeat steps 7 and 8 with the Diagnostics Tracking Service and restart your computer to enforce the changes that you just made.
In case you’re looking for a different way of disabling telemetry collection on Windows 10, move down to the next method below.
Method 6: Disabling Telemetry data collection via Group Policy Editor
If you want to disable telemetry data collection on a Windows 10 Pro or Windows 10 Enterprise, you can do it in a convenable way by using the Local Group Policy Editor to stop the policy associated with Data Collection and Preview Builds.
But keep in mind that if you’re using Windows 10 Home, the Local Group Policy Editor will not be available by default. In this case, you will need to enable the Local Group Policy Editor on Windows 10 Home first.
If you have access to your GPEDIT utility and you want to disable data collection using this tool, here’s what you need to do:
- Press Windows key + R to open up a Run dialog box. Next, type ‘gpedit.msc’ and press Enter to open up the Local Group Policy Editor. When you see the User Account Control (UAC) prompt, click Yes to grant administrative privileges.
Typing gpedit.msc in RUN - Once you’re inside the Local Group Policy Editor, use the left-hand section to navigate to the following location:
Computer Configuration -> Administrative Templates -> Windows Components -> Data Collection and Preview Builds
- Once you’re inside the Data Collection and Preview Builds key, move over to the right-hand side and double-click on Allow Telemetry.
Navigating to the Allow Telemetry policy - Once you get to the correct location, double-click on Allow Telemetry and set it’s status to Disabled before clicking Apply to save the changes.
Disabling the Allow Telemetry policy - Close the Local Group Policy Editor and restart your computer to enforce the changes.
This article also applies to Microsoft Windows 10 and Windows Server 2019.
Microsoft collects data from their users through a program called telemetry system. They collect data on Windows Operating System, Microsoft programs and third-party programs. It also collects data on some user behaviour. They use this information to improve products and help diagnose issues as well as to recommend apps and features to the end user. Microsoft is not hiding anything from their end users but it requires the users to take action on their part to change limit or block telemetry system once the initial setup process is done.
Disabling or limiting telemetry on your system should not have any adverse impact on your user experience. There are multiple ways to update your preferences on the telemetry system after the initial setup. If you would like to see a detailed demonstration of the following items, please watch my YouTube video.
System Settings
Go to Start > Privacy & security > Diagnostic & feedback
Change the settings for Diagnostic data, Improve inking and typing, and Tailored experiences to off.
You can also delete the data that is locally stored on your drive if you have the View diagnostic data turned on. It basically create a copy of all the data that has been sent to the Microsoft on your local hard drive. One you have disabled the options above; you should also disable and delete the stored data.
Group Policy Editor
Go to Start and search “run” to open Run application. You can also open the Run application by pressing Windows key + R. On the Open entry, type: gpedit.msc. It should open the Local Group Policy Editor.
Under Local Computer Policy, under Computer Configuration, navigate to Data Collection and Preview Builds.
Administrative Template > Windows Components > Data Collection and Preview Builds
You should change the item listed as: Allow Diagnostic Data to Disabled.
Registry Editor
Go to Start and search “run” to open Run application. You can also open the Run application by pressing Windows key + R. On the Open entry, type: regedit. It should result in a User Account Control (UAC) warning for Administrative privileges. You must either have been logged in as the System or Domain Administrator in order to edit Registry entries. Click yes to open the Registry Editor.
Navigate to the following location by expanding items from the left-hand menu.
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection
The add a key by right clicking on the right hand panel and selecting DWORD (32-bit) value. The key should be named Allow Telemetry.
Set the Allow Telemetry key to the value of 0 (zero).
Reboot your computer.
Services
Go to Start and search “run” to open Run application. You can also open the Run application by pressing Windows key + R. On the Open entry, type: services.msc. It should open the Services window. Find a open Connected User Experiences and Telemetry.
Change the Startup type to Disabled and click “Stop” under Service status. Apply and close.
You can also stop and disable services from Command Prompt (CMD). The Command Prompt must be open with administrative privileges (Run as administrator). Open Start menu and type “cmd”, then click “Run as administrator” from the right hand menu.
Then enter the following commands on your Command Prompt. Each entry should return with a success message.
sc config DiagTrack start= disabled sc config dmwappushservice start= disabled
Task Scheduler
Go to Start menu and type Task Scheduler and open the application. Inside the Task Scheduler program, under the Task Scheduler (Local), navigate to the following location.
Task Scheduler Library > Microsoft > Windows > Customer Experience Improvement Program
Right click on the item named, Consolidator inside the Customer Experience Improvement Program and select Disable.
Again, you cannot break any processes or software on your Windows computer by disabling telemetry services. With user personal data related issues at all-time high, disabling telemetry may help protect you and your family from data breaches.
If you are confused on any of the above items, please refer to the demonstration on my YouTube channel. It may help you further clarify items described above.