Re-write of Windows Page #166

Open
dngray opened this issue Oct 5, 2021 · 43 comments
Labels
c:guides full-length guides and content c:os operating systems and related topics status:approved issues that are immediately approved, submit a PR!

Comments

@dngray
Member

dngray commented Oct 5, 2021

Description

https://privacyguides.org/operating-systems/#win10

This page does need to be re-written. It is quite a bit out of date. I think we could benefit from bringing privacytools/privacytools.io#926 forward into this PR.

Additionally, regarding removal of Cortana (something that wasn't possible when that page was written), we should provide instructions: privacytools/privacytools.io#926 (comment).

It's worth noting that O&O ShutUp10 already supports Windows 11.

Closes: #172 (comment)

@dngray dngray added status:approved issues that are immediately approved, submit a PR! c:guides full-length guides and content c:os operating systems and related topics labels Oct 5, 2021
@jnton

jnton commented Oct 15, 2021

I would recommend adding a guide to disable telemetry as indicated here: https://github.com/privacyguides/privacyguides.org/discussions/169#discussioncomment-1474036

  1. The first step is to activate Windows. This can be done the official way or the "unofficial" one (the points in parentheses refer to the "unofficial" way; be aware that, depending on where you live, this operation may not be completely legal, and that the following activation procedure is made for Windows 10 but, with the right changes, can be easily adapted to Windows 11):
    (2.) Go to Settings → Update & security → Activation → Change product key
    (3.) Enter the following generic product key and click Next. Follow the prompts all the way through.
    (4.) XGVPP-NMH47-7TTHJ-W3FW7-8HV2C [source]
    (5.) Now reboot the computer
    (6.) Use massgravel's HWID activation method: https://github.com/massgravel/Microsoft-Activation-Scripts
  2. (7.) Follow the official guidelines to deactivate telemetry: https://docs.microsoft.com/en-us/windows/privacy/configure-windows-diagnostic-data-in-your-organization

It would also be a good idea for those who want more security (and also performance) at the expense of some functionality (in particular, it will only be possible to install apps from Microsoft Store*) to switch to Windows S mode.
At the moment Windows 11 in S mode is available only for the Home edition, while Windows 10 in S mode is available for all its editions: Home, Enterprise, Education and Pro.

*Note: If you switch out of S mode, you can install 32-bit (x86) Windows apps that aren’t available in the Microsoft Store in Windows. If you make this switch, it's permanent, and 64-bit (x64) apps still won't run.

@ghost

ghost commented Nov 14, 2021

S mode has a lot of things to be noted, btw:

  • You can only install apps from the Microsoft Store.

  • You can't change your default browser (Edge will always stay as the default). You can, however, install other web browsers.

  • Also, you cannot change the search engine of Microsoft Edge to anything other than Bing. It forces people to use Bing.

  • You can't use PowerShell, cmd, etc.

  • You don't have access to the Windows registry through Registry Editor either...

Overall I don't think it's a good thing unless it's been set up in a school or something.

@ghost

ghost commented Nov 15, 2021

I would recommend ThisIsWindows11.
It's open source software, visually appealing and user friendly.

@dngray
Member Author

dngray commented Dec 19, 2021

Regarding shutup10, we might want to see if the same thing is possible with the https://docs.microsoft.com/en-us/windows/privacy/windows-10-and-privacy-compliance

@dngray
Member Author

dngray commented Dec 19, 2021

Another thing regarding this: we should mention uninstalling Cortana, which was made possible as of May 2020 (build 2004). It's possible via PowerShell:

Get-appxpackage -allusers *Microsoft.549981C3F5F10* | Remove-AppxPackage

Or if you have Winget:

winget uninstall cortana

@ghost

ghost commented Dec 20, 2021

I really think you guys should look into Windows Enterprise and level 0 telemetry (they renamed to diagnostic data something in W11). As far as I know, most (if not all) of the privacy changes can be made via group policy or the settings so there's really no need for 3rd party tools.

@dngray
Member Author

dngray commented Dec 20, 2021

Windows Enterprise and level 0 telemetry (they renamed to diagnostic data something in W11

Pretty sure that is the Windows Restricted Traffic Limited Functionality Baseline.

@blacklight447
Member

Another thing we have to look into is recommending that, if people will be using Windows, they should try and choose computers which support the necessary features for hardware-based security. Things like Intel VT-d for IOMMU and UEFI/TPM for Secure Boot.

The best is that people choose devices which are certified by the Windows secure core program.

@ghost

ghost commented Jan 18, 2022

Windows Enterprise and level 0 telemetry (they renamed to diagnostic data something in W11

Pretty sure that is the Windows Restricted Traffic Limited Functionality Baseline.

Not exactly. I got to play around and level 0 telemetry is only a part of the group policies that the restricted functionality baseline deploys (https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#1816-feedback--diagnostics).

A lot of the policies also seem to be privacy/security regressive (e.g. no Windows Update, no Microsoft Store, i.e. no UWP apps, etc.). Perhaps we should try to pick out what policies aren't regressive (e.g. Cortana-related policies) and go on from there.

I think I've been saying things that you already know so I'll leave it at that.
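
A read-only check of the diagnostic data level discussed in the comments above, added here as an example and not part of any participant's comment. It assumes the policy is stored as `AllowTelemetry` under the `DataCollection` policy key and that, per Microsoft's documentation, level 0 is only honoured on Enterprise, Education, IoT Enterprise and Server editions; `Get-DiagnosticDataPolicy` is a hypothetical helper name.

```powershell
# Added example (not from the thread): report the configured diagnostic data
# policy level and whether this edition will actually honour level 0.
function Get-DiagnosticDataPolicy {
    $levelNames = @{
        0 = 'Security / Diagnostic data off'
        1 = 'Basic / Required'
        2 = 'Enhanced'
        3 = 'Full / Optional'
    }

    # EditionID is e.g. Core (Home), Professional, Enterprise, Education.
    $edition = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID

    # Assumption: the Group Policy setting is stored here as AllowTelemetry.
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection' `
        -Name AllowTelemetry -ErrorAction SilentlyContinue

    if (-not $policy) {
        $configured = $null
        $effective  = $null
        $note = 'No policy set; the level chosen in Settings applies.'
    } else {
        $configured = [int]$policy.AllowTelemetry
        # Assumption (Microsoft documentation): other editions treat 0 as 1.
        $honoursZero = $edition -match '^(Enterprise|Education|IoTEnterprise|Server)'
        $effective = if ($configured -eq 0 -and -not $honoursZero) { 1 } else { $configured }
        $note = if ($effective -ne $configured) {
            "Level 0 is not honoured on edition '$edition'; treated as level 1."
        } else {
            'Policy applies as configured.'
        }
    }

    [pscustomobject]@{
        Edition         = $edition
        ConfiguredLevel = $configured
        EffectiveLevel  = $effective
        EffectiveName   = if ($null -ne $effective) { $levelNames[$effective] } else { $null }
        Note            = $note
    }
}

Get-DiagnosticDataPolicy | Format-List
```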

@ilmaisin

Recommending things, like Windows Enterprise, that are not legally available for consumers, is probably not a good idea for privacy or security. Bootleg software is pretty notorious for malware.

@ghost

ghost commented Feb 13, 2022

You can get Windows Enterprise straight from the media creation tool.

@Guardian-Dusty

The thing with installing anything other than Windows 11 Pro is very minimum.
Like, for example, if you install the Workstation version and above (the Enterprise ones), it doesn't come installed with the extra bloat like Photoshop and stuff.

Another thing is we could recommend simplefirewall (it has a custom config to block some specific Windows thing, IIRC).

And this
Essentially simplefirewall utilises this only anyways.

And then above this all we can utilise winget to uninstall Microsoft Teams or Edge and stuff.

@0rdinant
Contributor

Recommending things, like Windows Enterprise, that are not legally available for consumers, is probably not a good idea for privacy or security. Bootleg software is pretty notorious for malware.

To add to what @xibeifenghenhaohe was saying, many students are able to get Education Edition (almost identical to Enterprise) for free.

@IkelAtomig
Contributor

I would recommend using Bulk Crap Uninstaller for uninstalling things such as Cortana and many UWP apps.

@dngray
Member Author

dngray commented Mar 26, 2022

There is some good material here https://github.com/beerisgood/Windows11_Hardening

We should see if @beerisgood would like to contribute to this page. I know they used to hang around old PTIO back in the day.

@beerisgood

Thanks for the link to my repository 🍺
Also see https://github.com/beerisgood/Windows11_Privacy

However, I have no interest in working on this or other PTIO project(s).

@IkelAtomig
Contributor

https://www.windowslatest.com/2022/03/30/windows-11-to-get-smart-clipboard-and-actions-features/ - Need to cut off Telemetry and Internet Connection of Clipboard.

@IkelAtomig
Contributor

When using with an MS Account, Windows recommends you to use Device Encryption, which is nothing but BitLocker but with encryption keys linked to the MS account. Be careful to note that. Say a proper way to use BitLocker encryption in the guide.

@jonaharagon
Member

We currently don't have any Windows-specific recommendations at the moment. @dngray are we interested in re-introducing this page, or can this issue be closed?

@IkelAtomig
Contributor

@jonaharagon Seriously!? Only Linux fanboys can have privacy, not Windows?

I know you are writing for macOS. But you should consider Windows too.

Privacy Guides is actually to give advice for people on privacy.

The thing is, AFAIK, dngray does not have Windows. So he ain't testing it out.

You can ask for Windows users to contribute.

@elitejake
Contributor

Microsoft Windows still has a significant market share and is the dominant desktop OS (73% of the desktop market) [1]. IMO, creating a Windows page should be high on our list.

Footnotes

  1. https://gs.statcounter.com/os-market-share/desktop/worldwide/#monthly-202112-202112-bar

@elitejake
Contributor

It is also evident from the website statistics that most visitors use Windows OS.

@pm4rcin

pm4rcin commented May 5, 2022

It is also evident from the website statistics that most visitors use Windows OS.

I guess that it uses user agent for OS detection which is not reliable since people here probably spoof it.

@IkelAtomig
Contributor

IkelAtomig commented May 6, 2022

Recommend using TPM + PIN on boot to prevent cold boot attacks.

More Context - https://blog.elcomsoft.com/2021/01/understanding-bitlocker-tpm-protection/

Also here - https://www.kapilarya.com/enable-bitlocker-pin-in-windows-11 (Guide for How to Set it up)

@IkelAtomig
Contributor

I think that this guide should be focused on Windows 11 mainly, not 'only', as Windows 10 will be discontinued in 3 years. Though there are no differences between them, just UI. A suggestion though.

@IkelAtomig
Contributor

Configure TPM + PIN as below in Group Policy.

image

@IkelAtomig IkelAtomig mentioned this issue Jun 2, 2022
3 tasks
@cryptocat8

Very important reference according to me: https://www.makeuseof.com/windows-10-11-disable-telemetry/

@dngray
Member Author

dngray commented Jun 10, 2022

  • You can't change your default browser (Edge will always stay as the default). You can, however, install other web browsers.

So had another look at S-Mode today, and found this article from 2 June 2022.

Another limitation it puts on the user includes the web browser. Windows 11 S mode makes Microsoft Edge the default browser on your system. Now, here’s how it differs from Windows 10 S. In Windows 10 S, you cannot install any browser other than Microsoft Edge. Windows 11 provides some leeway in this area.

You can install other browsers, like Chrome and Firefox as long as they’re available in the Microsoft Store, on your Windows 11 S device. But, and that’s a big but, you cannot make any of them your default browser. Edge safely takes up that mantle; it will always be your default browser, come what may.

If we do mention it, it's worth mentioning that it is not available for Windows 11 Professional.

Windows 11 in S mode is only available in the Windows 11 Home edition. If you have the Pro, Enterprise, or Education editions of Windows 10 in S mode, Windows Update will not offer Windows 11 because S mode is not available in those editions of Windows 11. Therefore, if you have the Pro, Enterprise or Education editions of Windows 10 in S mode, you'll need to switch out of S mode to upgrade to Windows 11.

This will likely change in the future:

The upgrade rollout for Windows 11 begins in October 2021 and will continue into 2022. Specific timing will vary by device. After the upgrade has been tested and validated for your specific PC, Windows Update will indicate that it's ready for installation.

Maybe we'd like to write a guide on a simple SRP policy, or a more advanced guide with WDAC/AppLocker.

@sith-on-mars

What about W10 Privacy that was previously recommended by Privacytools?

@ghost

ghost commented Aug 13, 2022

The r/piracy section regarding windows might be useful.

@ghost

ghost commented Sep 22, 2022

As discussed in the macOS privacy and security guide, thoughts on having a separate admin and standard user account for Windows?

@IkelAtomig
Contributor

It will also be added. I might update the PR this weekend.

@privacyguides-bot
Collaborator

This issue has been mentioned on Privacy Guides. There might be relevant details there:

https://discuss.privacyguides.org/t/remove-bitlocker-as-windows-fde-recommendation/237/7

@dngray
Member Author

dngray commented Oct 22, 2022

Some other things we might want to discuss:

By default BitLocker is 128-bit, so for 256 there is this GUI method: https://www.maketecheasier.com/set-bitlocker-encryption-aes-256/

There is this registry method:

cmd /c reg.exe add HKLM\SOFTWARE\Policies\Microsoft\FVE /v EncryptionMethod /t REG_DWORD /d 7 /f

I'd prefer to specify it with a Group Policy command and not mess with the registry.
https://docs.microsoft.com/en-us/archive/blogs/dubaisec/bitlocker-aes-xts-new-encryption-type

@dngray
Member Author

dngray commented Oct 22, 2022

We should also remind people not to back up their encryption keys to the Microsoft cloud etc., that this can be used for recovery and should be considered very carefully.
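
A read-only audit covering the BitLocker points raised in this thread (cipher strength, TPM + PIN, and the existence of a recovery password), added here as an example and not part of any participant's comment. It uses the built-in `Get-BitLockerVolume` cmdlet from an elevated prompt; `Get-BitLockerAudit` is a hypothetical helper name, and the script cannot tell where a recovery password copy has been stored.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): read-only BitLocker audit of one volume.
function Get-BitLockerAudit {
    param([string]$MountPoint = $env:SystemDrive)

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $types = @($vol.KeyProtector | Where-Object { $_ } |
               ForEach-Object { "$($_.KeyProtectorType)" })

    # Value written by the reg.exe command quoted above, if it has been set.
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' `
        -Name EncryptionMethod -ErrorAction SilentlyContinue

    $findings = @()
    if ("$($vol.VolumeStatus)" -eq 'FullyDecrypted') {
        $findings += 'Volume is not encrypted.'
    } elseif ("$($vol.EncryptionMethod)" -notmatch '256') {
        # A policy change only affects volumes encrypted afterwards.
        $findings += "Volume uses $($vol.EncryptionMethod); it must be re-encrypted to move to a 256-bit method."
    }
    if (($types -contains 'Tpm') -and -not ($types -match '^TpmPin')) {
        $findings += 'TPM-only protector: the volume unlocks at boot without a PIN.'
    }
    if ($types -contains 'RecoveryPassword') {
        $findings += 'Recovery password exists; confirm where its copy is stored.'
    }

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        ProtectionStatus = $vol.ProtectionStatus
        EncryptionMethod = $vol.EncryptionMethod
        KeyProtectors    = $types -join ', '
        PolicyValue      = if ($policy) { $policy.EncryptionMethod } else { $null }
        Findings         = $findings
    }
}

Get-BitLockerAudit | Format-List
```

Comparing `EncryptionMethod` with `PolicyValue` shows whether a volume was encrypted before the policy was set.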

@efb4f5ff-1298-471a-8973-3d47447115dc
Contributor

efb4f5ff-1298-471a-8973-3d47447115dc commented Nov 3, 2022

Corrections for #1659

line 14: criticised > criticized
line 26: having > Having
line 32: systemf > system
line 32: Telemtry > Telemetry
line 40: Bitlocker > BitLocker 2x
line 68: in the website > on the website

@IkelAtomig
Contributor

@efb4f5ff-1298-471a-8973-3d47447115dc Thanks !

@realguyman
Contributor

Using Microsoft's answer files should definitely be under our radar for research to secure Windows. Can easily be dropped into an ISO and burned to a USB stick for installation. Would save a lot of time for users wanting to configure their system.

UnattendedWinstall developed by memstechtips is something we could look into.
