Discussion: Component Policies

[Hellbovine]

I noticed while making images that NTLite will perform some registry tweaks silently. For example, if I uninstall the OneDrive component, NTLite will also add in a group policy (GPO) registry tweak that disables OneDrive, in case the component ever returns, such as during a Windows Update. The idea there is to keep the feature disabled in the event its files get reinstalled.

What I want to discuss in this thread is the transparency of NTLite because this concept has actually created some issues for people, since they didn't realize NTLite was setting policies as it uninstalls components or does other tweaking, and later it caused headaches for users and helpers as we tried to figure out what hidden tweak was causing the problem and where it came from.

UPDATE (AUGUST 31ST, 2023)

Spoiler: click here to reveal text

To increase the transparency of NTLite registry tweaks, edit a saved NTLite XML, look at <Tweak name="Path\Example">X</Tweak> and the part where it says "Example" will contain the registry key name, with "X" being the value that NTLite is going to set. You can then use this information to research that tweak further on Google. While this tip is useful, keep in mind that the group policy key in the OneDrive scenario will not appear in the XML, since it's tied to a component removal, and it isn't the only NTLite tweak that installs a hidden policy that the XML doesn't reveal.

 

[garlin]

Thanks to EU privacy laws, it's published but no one knows to read it.
https://docs.microsoft.com/en-us/wi...-windows-diagnostic-data-in-your-organization

	Diagnostic data off (Security)	Required (Basic)	Enhanced	Optional (Full)
Diagnostic data events	No Windows diagnostic data sent.	Minimum data required to keep the device secure, up to date, and performing as expected.	Additional data about the websites you browse, how Windows and apps are used and how they perform, and device activity. The additional data helps Microsoft to fix and improve products and services for all users.	Additional data about the websites you browse, how Windows and apps are used and how they perform. This data also includes data about device activity, and enhanced error reporting that helps Microsoft to fix and improve products and services for all users.
Crash Metadata	N/A	Yes	Yes	Yes
Crash Dumps	N/A	No	Triage dumps only For more information about crash dumps, see Windows Error Reporting.	Full and triage memory dumps For more information about crash dumps, see Windows Error Reporting.
Diagnostic logs	N/A	No	No	Yes
Data collection	N/A	100%	Sampling applies	Sampling applies

---

Allow Telemetry -> Security/Disabled
Let Microsoft provide more tailored experiences with relevant tips and recommendations by using your diagnostic data -> Disabled
Personalize your speech, typing, and inking input by sending your input data to Microsoft -> Disabled

Google search for the tweak name, it's usually the last part of a well-known GPO or registry key.

<Tweak name="DataCollection\AllowTelemetry">4</Tweak>
<Tweak name="Privacy\TailoredExperiencesWithDiagnosticDataEnabled">0</Tweak>
<Tweak name="Settings\AcceptedPrivacyPolicy">0</Tweak>

These settings prevent Windows from sending personal data, but it won't stop local data collection for Windows' own needs. You'd have to learn all the weird reg keys for that, or disable ETL logging.

Obviously you can't use MS Account for any reason (Store, Office, OneDrive), because it has tracking by authentication cookies.

 

[garlin]

Improving the tool tips has been discussed.
https://www.ntlite.com/community/index.php?threads/request-better-inbuilt-tooltips-docs.2684/

 

[Hellbovine]

This diagnostics is another good example to discuss, since it looks like NTLite is trying to use a value that doesn't fit the scenario.

1) "Security" is actually a 0 dword, so "AllowTelemetry" should be set as 0, but according to your reply it tries to set it as 4, which isn't a valid option? <Tweak name="DataCollection\AllowTelemetry">4</Tweak>

2) According to Microsoft the option of "Security" isn't usable by anyone except Enterprise editions. How can I manually check to verify if a version such as W10 Home or Pro, successfully disables the diagnostics feature using a value of 0 versus 1?

 

[Hellbovine]

I do see what you mean about the XML trick though, I'll look into that going forward (making changes in NTLite, then look at the XML preset to figure out what reg keys it may be tweaking, by imagining the tail end of the text as a reg key and Googling).

 

[garlin]

1) "Security" is actually a 0 dword, so "AllowTelemetry" should be set as 0, but according to your reply it tries to set it as 4, which isn't a valid option?
"<Tweak name="DataCollection\AllowTelemetry">4</Tweak>"

My bad, clicked too many times. I believe (Policy) is NTLite's shorthand for applying as GPO vs reg key.

Security/Disable = 0
Basic = 1
Enhanced = 2
Full = 3
Security/Disable (Policy) = 4
Basic (Policy) = 5
Enhanced (Policy) = 6
Full (Policy) = 7

2) According to Microsoft the option of "Security" isn't usable by anyone except Enterprise editions. How can I manually check to verify if a version such as W10 Home or Pro, successfully disables the diagnostics feature using a value of 0 versus 1?

• 0 – Off (Security) This value turns Windows diagnostic data off.
  Note
  This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 IoT Core (IoT Core), HoloLens 2, and Windows Server 2016 (and later versions). Using this setting on other devices editions of Windows is equivalent to setting the value of 1.

You would block the endpoints by Firewall rules.
https://docs.microsoft.com/en-us/wi...iagnostic-data-in-your-organization#endpoints

104.208.16.93
13.89.179.9
20.189.173.20
20.189.173.21
20.190.154.136
20.190.154.137
20.190.154.139
20.190.154.16
20.190.154.19
23.96.225.71
40.126.26.132
40.126.26.134
40.126.26.135
52.137.106.217
52.168.112.66
52.168.117.173