Privacy in Windows 10


Intro

Windows 10 was officially released last week.  In the wake of the release, concerns have surfaced about privacy and control settings which are enabled by default in all popular versions of the new Windows – including Enterprise edition.  We’ll take a look at what reasonable changes you could (or should) make to your install.

First off, it is worth taking note of what edition you are running.  Right clicking on the Start menu and selecting ‘System’ will yield the pertinent info:

[Screenshot: your edition of Windows 10, as shown in the System dialog]

I am running Windows 10 Enterprise N, however most of what follows should apply to Pro and perhaps even Home edition.

Windows 10 Settings

Your first stop should be the Settings dialog.  Note that if you’d prefer to import registry settings, jump to the bottom of this article.

This shouldn’t be confused with the traditional Control Panel.  You can navigate easily here by clicking on the notifications icon in the system tray, or by right clicking on the Start menu and selecting ‘Settings’.

[Screenshots: the Settings shortcut in the system tray; the Windows 10 Settings dialog]

We’ll look at the most important places from this menu.

Privacy

You’ll want to read carefully through each tab in the Privacy dashboard.  I have taken screenshots of each one from the RTM build, showing what I’ve disabled.  I don’t like sharing my personal info as a general rule, so I’ve been quite liberal in disabling mostly everything.

[Screenshots: the General, Location, Camera, Microphone, Cortana, Account, Contacts, Calendar, Messaging, Radios, Other, Feedback and Apps tabs of the Privacy dashboard]

These are suggestions; you may or may not want some of the options enabled, depending on what apps and applications you are running.

Updates & Security

There are some big changes in this new version – the biggie being the automatic download and installation of Windows Update patches.  You might want to change how you receive your updates; you can do this by going into the Advanced settings.

[Screenshots: Update & Security while installing updates; Update settings; Advanced update settings]

I’d recommend disabling some of these settings.  They aren’t necessarily as nefarious as some have made out on the Internet, but there’s some value in taking some control over when and how your system updates.  More on this in the Group Policy section, below.

Windows Defender

Unless you have a really good reason to do so, I DO NOT recommend disabling Windows Defender.  However, there’s no harm in disabling the sharing of Defender information with Microsoft or others:

[Screenshot: Windows Defender settings]

Accounts

If you use (or plan to use) a Microsoft Account, you might want to review what you share with the ‘Cloud’.

[Screenshots: Accounts sync settings; Accounts sign-in settings]

Network & Internet

WiFi Settings – WiFi Sense

If you don’t want to inadvertently share your WiFi details with contacts, you may want to disable WiFi Sense.  You do this through the Network & Internet settings.

[Screenshots: WiFi settings; WiFi Sense settings]

Advanced

The next section requires a bit more work.

Group Policy

Group Policy is usually used by network administrators or power users to take more control over PCs.  You’ll need to run the Group Policy Editor with elevated permissions (i.e. as Administrator).

Here is the Group Policy Editor (gpedit.msc).  Note that you can export all the options to a text file.  This is recommended if you want to search freely for specific values.

[Screenshots: the Export option in the Group Policy Editor; the exported text list]

First off, why not use the policy to disable sending of diagnostic data (Windows Enterprise only):

Disable Telemetry (Sending Diagnostic Information)

Simply locate the “Allow telemetry” policy, enable it, then set it to zero (0).  This applies to Enterprise edition only.

For non-Enterprise edition folks, you can try to disable Telemetry by modifying a registry value.

Open up the Registry Editor by launching regedit as an administrator.  Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection, select AllowTelemetry, change its value to 0, then apply.

[Screenshots: the Group Policy Editor; the “Allow telemetry” policy]

Disable auto-install of Windows Updates

[Updated: 06/08/2015]

I couldn’t verify that the group policies below were actually having any effect, so I took a look at previous registry settings instead.  I’ll leave these policy bits in for reference, but you may want to try the registry option instead.

This one may or may not work; you need to ensure you have configured both the “Configure Automatic Updates” and “Allow Automatic Updates immediate installation” policies:

[Screenshots: the Windows Update policies; the automatic installation policy]

Workaround – Registry

I took a look at previous OSes – particularly their registry settings – and then applied them to Windows 10 Pro and Enterprise editions.  Lo and behold, they abided by the settings!

Controlling Windows Updates with WSUS

Therefore, it stands to reason that if you operate a Windows Server Update Services (WSUS) server and you want Windows 10 clients to get updates from your WSUS server, you might want to apply this registry change.  Windows 10 operating systems appear to WSUS as ‘Windows Vista’ (for Windows 10 Pro) or ‘Windows Vista Enterprise (N) Edition’ for Windows 10 Enterprise (N):

[Screenshot: computers running Windows 10 listed in the WSUS Computers list]

When configured successfully to use WSUS, there’s a slight change to the Windows 10 Windows Update settings page:


It stands to reason that you could omit the WSUS values to control how Windows Updates are applied.  Here are the registry settings:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://<your WSUS server>:8530"
"WUStatusServer"="http://<your WSUS server>:8530"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000000
"AUOptions"=dword:00000003
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000003
"UseWUServer"=dword:00000001

I located the possible values and meanings for the above settings via TechNet:

Each entry below gives the entry name, its data type, and its value range and meanings.

AUOptions (Reg_DWORD)
Range = 2|3|4|5
2 = Notify before download.
3 = Automatically download and notify of installation.
4 = Automatic download and scheduled installation. (Only valid if values exist for ScheduledInstallDay and ScheduledInstallTime.)
5 = Automatic Updates is required, but end users can configure it.

NoAutoUpdate (Reg_DWORD)
Range = 0|1
0 = Enable Automatic Updates.
1 = Disable Automatic Updates.

ScheduledInstallDay (Reg_DWORD)
Range = 0|1|2|3|4|5|6|7
0 = Every day.
1 through 7 = The days of the week from Sunday (1) to Saturday (7).
(Only valid if AUOptions equals 4.)

ScheduledInstallTime (Reg_DWORD)
Range = n; where n = the time of day in 24-hour format (0-23).

UseWUServer (Reg_DWORD)
The WUServer value is not respected unless this key is set.

AutoInstallMinorUpdates (Reg_DWORD)
Range = 0|1
0 = Treat minor updates like other updates.
1 = Silently install minor updates.

For more information on these settings and what their values represent, check out TechNet.

Controlling Windows Updates without WSUS

If you do not use WSUS, try just setting these values in the registry:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000000
"AUOptions"=dword:00000003
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000003
"UseWUServer"=dword:00000000

Disable Web Search from Start Menu

Finally, I found disabling the obligatory “desktop and web” search in the Start Menu significantly speeds up the Start Menu.  Policy = “Do not allow web search”:


Cleanup: Remove Services

There are two key Windows Services which appear to participate in the sending of diagnostic data: Diagnostic Tracking Service “DiagTrack” and WAP Push Message Routing Service “dmwappushservice”.


Launch a Command Prompt as Administrator and execute the following:

sc delete DiagTrack

sc delete dmwappushservice

I haven’t noticed any ill-effects from removing these two Windows Services.
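
The telemetry value, the Windows Update policy values and the two services covered above can be checked in one pass after a reboot or an upgrade. The PowerShell below is an added example, not part of the original article: it only reads the registry paths, value names and service names given on this page, applies the consistency rules from the TechNet table, and uses a hypothetical helper named Get-RegValue.

```powershell
# Added example: read-only audit of the settings discussed in this article.
# Run from an elevated PowerShell prompt. Nothing is modified.
$telKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection'
$wuKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey  = "$wuKey\AU"

# AUOptions meanings, copied from the TechNet table quoted in the article
$auMeaning = @{
    2 = 'Notify before download'
    3 = 'Automatically download and notify of installation'
    4 = 'Automatic download and scheduled installation'
    5 = 'Automatic Updates is required, but end users can configure it'
}

# Hypothetical helper: returns $null when the key or the value is missing
function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$r = [ordered]@{ AllowTelemetry = Get-RegValue $telKey 'AllowTelemetry' }
foreach ($n in 'WUServer', 'WUStatusServer') { $r[$n] = Get-RegValue $wuKey $n }
foreach ($n in 'NoAutoUpdate', 'AUOptions', 'ScheduledInstallDay',
               'ScheduledInstallTime', 'UseWUServer') { $r[$n] = Get-RegValue $auKey $n }

# A deleted service is simply absent, so report that instead of failing
foreach ($svc in 'DiagTrack', 'dmwappushservice') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    $r["Service $svc"] = if ($s) { "$($s.Status)" } else { 'not present' }
}

# Consistency rules stated in the table
if ($r.AUOptions -eq 4 -and ($null -eq $r.ScheduledInstallDay -or $null -eq $r.ScheduledInstallTime)) {
    Write-Warning 'AUOptions=4 needs ScheduledInstallDay and ScheduledInstallTime.'
}
if ($r.WUServer -and $r.UseWUServer -ne 1) {
    Write-Warning 'WUServer is set but is not respected unless UseWUServer is set.'
}
if ($null -ne $r.AUOptions -and -not $auMeaning.ContainsKey([int]$r.AUOptions)) {
    Write-Warning "AUOptions=$($r.AUOptions) is outside the documented range 2-5."
}
if ($r.AllowTelemetry -ne 0) { Write-Warning 'AllowTelemetry is not 0 (or not set).' }

$r.GetEnumerator() | ForEach-Object {
    $note = if ($_.Key -eq 'AUOptions' -and $auMeaning.ContainsKey([int]$_.Value)) { $auMeaning[[int]$_.Value] }
    [pscustomobject]@{ Setting = $_.Key; Value = if ($null -eq $_.Value) { '(not set)' } else { $_.Value }; Meaning = $note }
} | Format-Table -AutoSize
```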

Registry Import

If you’d prefer to simply import the changes I made, copy this text, save it into a text file on your system (with a .reg filename extension) and import it into the registry.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Update]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Update\AllowAutoUpdate]
"AllowedEnrollmentTypes"=hex(b):ff,ff,ff,ff,00,00,00,00
"HighRange"=dword:00000005
"LowRange"=dword:00000000
"MergeAlgorithm"=dword:00000001
"PolicyType"=dword:00000004
"value"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Update\AllowNonMicrosoftSignedUpdate]
"AllowedEnrollmentTypes"=hex(b):ff,ff,ff,ff,00,00,00,00
"HighRange"=dword:00000001
"LowRange"=dword:00000000
"MergeAlgorithm"=dword:00000001
"PolicyType"=dword:00000004
"value"=dword:00000001
"WNFStateName1"=dword:a3bd3075
"WNFStateName2"=dword:13920028

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Update\AllowUpdateService]
"AllowedEnrollmentTypes"=hex(b):ff,ff,ff,ff,00,00,00,00
"HighRange"=dword:00000001
"LowRange"=dword:00000000
"MergeAlgorithm"=dword:00000001
"PolicyType"=dword:00000004
"value"=dword:00000001
"WNFStateName1"=dword:a3bd2075
"WNFStateName2"=dword:13920028

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Update\PhoneUpdateRestrictions]
"AllowedEnrollmentTypes"=hex(b):ff,ff,ff,ff,00,00,00,00
"HighRange"=dword:00000004
"LowRange"=dword:00000000
"MergeAlgorithm"=dword:00000001
"PolicyType"=dword:00000004
"PreCheckDLLPath"="%SYSTEMROOT%\\system32\\PolicyManagerPrecheck.dll"
"value"=dword:00000004
"WNFNotificationMask"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Update\RequireDeferUpgrade]
"AllowedEnrollmentTypes"=hex(b):ff,ff,ff,ff,00,00,00,00
"HighRange"=dword:00000001
"LowRange"=dword:00000000
"MergeAlgorithm"=dword:00000003
"PolicyType"=dword:00000004
"value"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Update\RequireUpdateApproval]
"AllowedEnrollmentTypes"=hex(b):ff,ff,ff,ff,00,00,00,00
"HighRange"=dword:00000001
"LowRange"=dword:00000000
"MergeAlgorithm"=dword:00000002
"PolicyType"=dword:00000004
"value"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Update\ScheduledInstallDay]
"AllowedEnrollmentTypes"=hex(b):ff,ff,ff,ff,00,00,00,00
"HighRange"=dword:00000007
"LowRange"=dword:00000000
"MergeAlgorithm"=dword:00000001
"PolicyType"=dword:00000004
"value"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Update\ScheduledInstallTime]
"AllowedEnrollmentTypes"=hex(b):ff,ff,ff,ff,00,00,00,00
"HighRange"=dword:00000017
"LowRange"=dword:00000000
"MergeAlgorithm"=dword:00000001
"PolicyType"=dword:00000004
"value"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Update\UpdateServiceUrl]
"AllowedEnrollmentTypes"=hex(b):ff,ff,ff,ff,00,00,00,00
"MergeAlgorithm"=dword:00000003
"PolicyType"=dword:00000001
"value"="CorpWSUS"
"WNFStateName1"=dword:a3bd2875
"WNFStateName2"=dword:13920028

Inspiration(s)

The following links were helpful in compiling this article

https://www.reddit.com/r/Windows10/comments/3f38ed/guide_how_to_disable_data_logging_in_w10/

http://prntscr.com/7ykzbh


Installing Windows 10 on bare metal

As long-time readers of Sanders Technology are no doubt aware, I rarely install operating systems on bare metal (non-virtual) systems.  Partly this is a practical measure (there are a lot of releases if you take into account pre-release and beta versions), and partly an issue of convenience.  Therefore, it is something special when I install to bare metal: I put on some vinyl and get to work.

For this version of Windows, I had purchased a new laptop the previous month and it had been sitting somewhat idle with the news of the imminent release of Windows 10.  So I waited, and once the RTM build hit MSDN, I began the process of installing onto the Dell XPS 15.  Here’s a pictorial of the installation process and some handy installation tips.

Beginning

I booted the system via USB, and squinted at the tiny, tiny font.  Evidently Microsoft haven’t fixed the screen scaling on 4K monitors.  Luckily for me, I have exceptional vision for tiny fonts, and was able to move on to the main installation.  I blew away the primary disk, and formatted for install.  I opted for a clean install over an upgrade because that’s become my default modus operandi of the past decade or so.

The new boot sequence makes use of the manufacturer logo during the boot process, just in case you forgot you were sitting in front of a Dell.  After the initial boot loading of the setup files, we’re treated to a new progress clock screen which ticks up to 100% complete.  On this brand new laptop, it did not take long.


Once the initial image is ready, we’re into familiar territory, being asked “Express” or “customize”.  No brainer, always go the customize route, which allows you to toggle off some of the more invasive data sharing “features”.  You’ll need to do a lot more later on, once the OS is up and running proper.


Finally, you’ll be prompted to create an initial account.  As I was domain-joining my machine, it asked me to create a local account, which is easy enough.  Once the setup had finalized, I authenticated with the local account and then changed the computer name and joined it to my domain.  Then I rebooted and prepared to authenticate as a Domain Admin to complete my personalized settings.

Logging in

This edition of Windows 10 is exceptionally striking, visually.  The UX design is impressive and looks far superior to its predecessor, Windows 8/8.1.  Once you’re authenticated, Windows will attempt to contact Windows Update to finish off the remainder of the installation – my recommendation: allow this to happen.  For why, see below.

Troubleshooting

Nearly every bare metal install I’ve completed in the past required me to locate OS-specific drivers to complete the installation.  In cases where the manufacturer has not published newer drivers, I’ve been able to get away with using the previous edition’s drivers – provided the CPU architecture matches (e.g. 64 bit drivers for 64 bit OSes). 

The first time I installed Windows 10, I did not join the laptop to my WiFi (mistake #1).  The Dell website did not list any new drivers for Windows 10 despite assurances the laptop had been tested and was compatible with the new OS.  Curious.  So I did what I’ve always done – installed the previous versions (mistake #2).

The drivers installed fine, and all the unidentified devices were installed.  Then I rebooted the system.  That’s when the black screen of death occurred:


Windows 10 boots, and leaves you stuck on a black screen with a mouse cursor constantly in the “spinning circle” mode.  It turns out that the previous Windows 8.1 NVidia driver was the cause of this OS-limbo, and there wasn’t anything I could do about it.  I tried to get into Safe Mode, no dice. 

In the end I had to reinstall the OS, but this time I connected to WiFi.  Windows Update’s Driver Store, as it turns out, had valid and appropriate drivers (must have been supplied by Dell) so everything installed fine.  There were a few odd devices not identified which I was able to install using the old drivers.  It’s been fine since.

Therefore, if you encounter the black screen of death – I’d suggest attempting to get into some kind of protected mode (safe mode) and uninstall any custom drivers.  Worst case scenario, you might be looking at an OS-reinstall.


Windows 10 Launched

The big news today is the launch of Microsoft Windows 10.

About eight hours ago, the RTM builds were made available to MSDN subscribers, although network congestion has made it very difficult to get a clean download.

You can also look at upgrading via the free upgrade route.  Check back soon; we’ll have some new articles on Windows 10.