5

I am running Windows 10 Pro. I deleted all the telemetric services and all the scheduled tasks (except defragment). With some digging I made a list of telemetric executable files and blocked them in the firewall.

Is Windows Firewall sufficient to block Windows telemetry fully and forever?

Gabriel Fair
  • 4,093
Biswapriyo
  • 11,584

2 Answers

4

The actual answer to your question is "Yes". See this widely mentioned article:
Stop Windows 10 spying on you using just Windows Firewall.

But I would like to throw some light of sanity on this question. The big hype of "Windows is spying on you" is sensational enough to make good headlines, but the truth is much less interesting.

First, telemetry data is not used for commercial purposes. Most of it is even deleted within 30 days of its transmission.

Second, Microsoft has become quite transparent about telemetry, and its latest versions have exposed most of the functions through PC Settings so they have become optional and controllable by the user.

Third, some parts of this telemetry data are even essential to the correct functioning of Windows. Without these parts, for example Windows Update may install incorrect patches with very bad results for the health of your computer. It is impossible to tell which "telemetric executable files" are essential for the correct functioning of your computer.

My best advice for you is to turn off telemetry via PC Settings. Do not give in to the hype.

As a remark: Microsoft is not the only one that is "spying" on you. For example see Disable NVIDIA Telemetry. I really think that stopping it all is Cutting off the nose to spite the face.

See also :

harrymc
  • 498,455
1

Things to do beforehand: Activate Windows before applying this tweak. Gather the full path of every executable file that needs to be connected. Make sure to have a backup; otherwise, try it in a virtual machine. Below I describe my process with batch file commands. Also read the pros and cons.

Procedure (with explanation):

  1. Delete predefined firewall rules: This command deletes all predefined firewall rules. Back up the registry path HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess first. Another way is to delete those rules in Windows Firewall (WF.msc).

    rem Remove the predefined rule sets and the interface/service restrictions.
    for %%X in (
        "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Defaults\FirewallPolicy\FirewallRules"
        "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules"
        "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedInterfaces"
        "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices"
    ) do (
        reg delete %%X /F
    )

  2. Block all outbound and inbound connections: This batch file command adds registry values that block all outbound (DefaultOutboundAction) and inbound (DefaultInboundAction) connections in the firewall settings.

    rem Enable the firewall and set both default actions to block for every profile.
    for %%X in (
        Defaults
        Parameters
    ) do (
        for %%Y in (
            DomainProfile
            PublicProfile
            StandardProfile
        ) do (
            reg add HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\%%X\FirewallPolicy\%%Y /V "EnableFirewall" /T REG_DWORD /D "1" /F
            reg add HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\%%X\FirewallPolicy\%%Y /V "DisableNotifications" /T REG_DWORD /D "0" /F
            reg add HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\%%X\FirewallPolicy\%%Y /V "DefaultInboundAction" /T REG_DWORD /D "1" /F
            reg add HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\%%X\FirewallPolicy\%%Y /V "DefaultOutboundAction" /T REG_DWORD /D "1" /F
        )
    )

  3. Restart the PC to apply the previous registry settings. Shutting down or signing out does not work.

  4. Allow apps in outbound rules: First add an outbound rule allowing System. Then add other apps, including antivirus software.

    Powershell New-NetFirewallRule -DisplayName "~System" -Name "~System" -Direction Outbound -Program "System" -Action Allow

  5. Delete DNS cache service: This command first stops and then deletes the DNS caching service. As Windows Firewall will block svchost.exe, delete this service. Otherwise it would not be possible to enable DNS for other apps.

    sc stop "Dnscache" & sc delete "Dnscache"

  • Pros: This procedure does not require editing the hosts file. One has not configured all the telemetry IPs and URLs in the hosts file. Blocks telemetry apps entirely. Try this with full telemetry enabled and Cortana allowed. Does not require deleting any other services. No telemetry network activity was shown in Wireshark, GlassWire, TCPView, CurrPorts and SmartSniff (i.e. no Microsoft web address or IP is shown).

  • Cons: Blocks Metro apps including Cortana, Edge, Store, Mail, Maps etc. Blocks any apps that want to update silently.

Biswapriyo
  • 11,584
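
A way to audit the state the procedure above is meant to produce, as an added example that is not part of the original answer. It assumes an elevated PowerShell session on Windows 10 with the built-in NetSecurity cmdlets; the variable names are illustrative.

```powershell
# Added example (not from the answer): check the default-block posture after the reboot.
$base     = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
$expected = @{ EnableFirewall = 1; DefaultInboundAction = 1; DefaultOutboundAction = 1 }

# 1. Registry values the batch file writes for each profile (1 = the value the answer sets).
$registryReport = foreach ($fwProfile in 'DomainProfile', 'PublicProfile', 'StandardProfile') {
    $values = Get-ItemProperty -Path (Join-Path $base $fwProfile) -ErrorAction SilentlyContinue
    foreach ($name in $expected.Keys) {
        [pscustomobject]@{
            Profile  = $fwProfile
            Value    = $name
            Actual   = $values.$name
            Expected = $expected[$name]
            Ok       = ($values.$name -eq $expected[$name])
        }
    }
}
$registryReport | Sort-Object Profile, Value | Format-Table -AutoSize

# 2. Effective settings as the firewall service sees them (ActiveStore includes Group Policy,
#    which can override the local registry values checked above).
Get-NetFirewallProfile -PolicyStore ActiveStore |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction |
    Format-Table -AutoSize

# 3. Every enabled outbound allow rule in the local store is an exception to the default block.
#    A rule whose program is 'Any' is not tied to one executable, so it also lets
#    svchost.exe-hosted services out; flag those for review.
$allowRules = Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    ForEach-Object {
        $app = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            DisplayName = $_.DisplayName
            Program     = $app.Program
            Unscoped    = ($app.Program -eq 'Any')
        }
    }
$allowRules | Sort-Object Unscoped -Descending | Format-Table -AutoSize

# 4. The last step deletes the Dnscache service; report whether it is still registered.
$dns = Get-Service -Name Dnscache -ErrorAction SilentlyContinue
if ($dns) { "Dnscache is still present (status: $($dns.Status))" }
else      { 'Dnscache service not found' }
```

Rerunning this after feature updates shows whether predefined rules or the default actions have been restored.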