Restricted Traffic Limited Functionality (Windows/Office/Telemetry/Privacy)

Velocet

New Member
Since everyone is freaking out about privacy, data collection, disabling services and other stuff, it's time to finally get a solution that works with the least amount of work and no third-party apps like WPD, O&O ShutUp, etc. What most users forget and the apps won't tell you: most of these settings only work on Enterprise editions.

Microsoft provides an overview of all settings and endpoints that you need to change/block:
Manage connections from Windows 10 operating system components to Microsoft services - This site is the main entry point for Windows.
Overview of privacy controls for Microsoft 365 Apps for enterprise - This site is the main entry point for Office 365 (also applies to Office 2016/2019)

For all you crazy people out there with zero knowledge about what you are doing (like using the hosts file to block IPs...), Microsoft is providing a list of which endpoint is responsible for which functionality:
Manage connection endpoints for Windows 10 Enterprise, version 2004 - Just click on Learn how to turn off traffic to the following endpoint(s) and you will know which setting it is.

nuhi
To make it as easy as possible for you to implement, Microsoft provides a set of files which hold the corresponding GPOs/registry keys. You can always find the latest version of this file (which includes settings for all Windows 10 and Server versions) here:
Windows Restricted Traffic Limited Functionality Baseline
With the provided ADMX and ADML files you also don't have to write any text or explanation. Just parse these XML files. I hope that this will make it less painful for you to implement.
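
The ADMX/ADML parsing suggested in the post above, as an added example that is not part of the original thread or of Microsoft's package: it maps each policy to its registry key, value name and enabled data, and resolves the display and help text from the ADML string table. The sample XML and the policy name `ExampleDisableFeature` are constructed for illustration; only the common `enabledValue`/`decimal` form is handled.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample input, not copied from the Microsoft baseline package.
ADMX = r'''<policyDefinitions xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions" revision="1.0" schemaVersion="1.0">
  <policies>
    <policy name="ExampleDisableFeature" class="Machine"
            displayName="$(string.ExampleDisableFeature)"
            explainText="$(string.ExampleDisableFeature_Help)"
            key="Software\Policies\Example\Feature" valueName="DisableFeature">
      <enabledValue><decimal value="1" /></enabledValue>
      <disabledValue><decimal value="0" /></disabledValue>
    </policy>
  </policies>
</policyDefinitions>'''
ADML = r'''<policyDefinitionResources xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions" revision="1.0" schemaVersion="1.0">
  <resources><stringTable>
    <string id="ExampleDisableFeature">Turn off example feature</string>
    <string id="ExampleDisableFeature_Help">Stops the example feature from contacting its endpoint.</string>
  </stringTable></resources>
</policyDefinitionResources>'''

HIVES = {"Machine": "HKLM", "User": "HKCU", "Both": "HKLM+HKCU"}

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def load_strings(adml_text):
    """Build the id -> text lookup from the ADML string table."""
    root = ET.fromstring(adml_text)
    return {e.get("id"): (e.text or "").strip()
            for e in root.iter() if local(e.tag) == "string"}

def resolve(ref, strings):
    """Turn '$(string.Id)' into its ADML text; pass anything else through."""
    m = re.fullmatch(r"\$\(string\.(.+)\)", ref or "")
    return strings.get(m.group(1), ref) if m else ref

def parse_policies(admx_text, adml_text):
    """Return one dict per <policy>: registry target plus resolved text."""
    strings, rows = load_strings(adml_text), []
    for p in ET.fromstring(admx_text).iter():
        if local(p.tag) != "policy":
            continue
        enabled = next((c[0].get("value") for c in p
                        if local(c.tag) == "enabledValue" and len(c)), None)
        rows.append({"name": p.get("name"), "hive": HIVES.get(p.get("class")),
                     "key": p.get("key"), "value_name": p.get("valueName"),
                     "enabled_data": enabled,
                     "display": resolve(p.get("displayName"), strings),
                     "help": resolve(p.get("explainText"), strings)})
    return rows
```
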
 
For all you crazy (more like wise) people out there
1. Play around with NTLite and remove components as much as you can by trial and error.
(OPTIONAL STEP) Install a paid and trustworthy VPN with killswitch. Use bitcoin for purchase.
2. Install Sphinx Windows 10 Firewall Control
3. Make hostprocess (svchost.exe) zone: "svchost+noupdates" (this won't let services connect to the internet, but your programs, i.e. browser, games, etc., will work fine. You'll have to MANUALLY update your PC after that, preferably month to month)
4. Make System zone: Localsystem (this will also block MS Windows shenanigans)
5. Make that stupid operating system your bitc*. When you tell him to shut up it will SHUT THE f**k UP.

0 bytes per second on idle. 0 spying.
 
It's not a bad idea, but 1 and 3 don't work together: if you remove as many components as you can, forget about updating after that, it just won't work anymore. But I guess you can do your setup and then block everything else and allow program-by-program access; then you don't need to remove any components, especially if you can use an already cleaner Windows, like Enterprise.

But this is for sure an interesting idea, because it takes away the need for knowledge about what things do what in the full Windows package; you can just ignore all that, except for when it can bypass the firewall somehow. That is still valuable information to know, if that would be possible.

> More ideas are welcome here, but this should also be part of the privacy thread that exists elsewhere <
 