How private is Windows 11 Enterprise with a local account and telemetry disabled compared to macOS or other Linux distributions?
If you do a dual boot with Windows + Fedora and install them on different hard drives, both encrypted, does Windows have any kind of access to the drive where Fedora is installed?
On what tangible metric would you like the two to be evaluated? There is none if you ask me. It's arbitrary. MSFT still collects way too much telemetry no matter what, so you're much better off with macOS and, even better, desktop Linux.
Absolutely not. This is ideally the best way to go about dual booting the operating systems if you must.
–
But PG staff can answer these questions in more detail if need be.
The problem with Windows telemetry is that, since it’s a closed source operating system, there is no way to validate whether or not they are collecting telemetry on you. You can block all the DNS stuff you want or disable all sorts of things, but if they are bundling telemetry and metadata in with their packets for Windows Update or Windows Security, you are going to get scraped for data either way.
macOS runs into the same issue of being closed source, but has the upside of (generally) being more secure and having fewer stupid things shoved in your face all the time. I'd give it an overall 8/10 on usability/cybersecurity/privacy, whereas Windows sits at a solid 2/10.
Linux ups the privacy game significantly, being open source with many people inspecting it, but you lose out on usability and cybersecurity. Assuming you aren't doing anything ridiculous though, the odds of you getting a virus on Linux are low. You just don't have Windows or Mac backing you up with antivirus software. I would give Linux a 7.5/10.
These are arbitrary ratings in my brain. Please don’t ask me how I measure them lol.
I've been trying to find a specific answer to this question for the last couple of days, so take what I say as personal anecdote. Try this yourself if you're curious. I don't have a lot of experience with packet analysis.
Run mitmproxy on the host with the SSLKEYLOGFILE env variable set. Load the key log file on wireshark. Start listening on the virtual machine’s network interface once windows is booted to desktop.
Install Windows in a virtual machine with no network device. Once booted to the main desktop, install mitmproxy's cert into Windows' Trusted Root CAs (I loaded the .cer onto an ISO using genisoimage on Linux to get it into the VM, but you can use a shared filesystem feature).
Set the proxy inside Windows to the gateway at mitmproxy's port; on libvirt this was 192.168.122.1:8080 (it might be different on other virtual machine software). mitmproxy also has a transparent mode, but I don't know how to use it best at the moment.
Enable the virtual machine network device.
Even on the required or optional settings I didn't see a lot. I can say for certain that Edge collects a lot of data. I was only scanning for about 30 minutes; maybe telemetry gets transferred at odd times. I didn't see any DNS requests for the telemetry domains Microsoft lists, or any string match for 'telemetry', 'performance' or stuff like that (except for Edge).
What's important is that my mitmproxy method isn't foolproof, and apps can choose to only use verified and trusted certs. So there was a lot of traffic I couldn't decrypt, which is probably worrying. Some of the domains it connected to had encrypted traffic; I list some of them here (and the process, where I could find it):
client.wns.windows.com - svchost.exe - push notifications
api.iris.microsoft.com - Windows Spotlight
settings-win.data.microsoft.com* - used by Windows apps to dynamically update their configuration
go.microsoft.com - Windows Defender
login.live.com - device authentication
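The Windows-guest side of the capture setup described in the post above, as an added example (these are not the poster's own commands): it trusts the mitmproxy CA machine-wide, points the per-user WinINET proxy at mitmproxy, and also sets the WinHTTP proxy, which services running as SYSTEM consult instead of the per-user setting. The certificate path D:\mitmproxy-ca-cert.cer (the file mitmproxy writes under ~/.mitmproxy/ on the host, here assumed to be mounted from the ISO) and the proxy address 192.168.122.1:8080 are assumptions taken from the post's libvirt setup.

```powershell
# Added example, not the poster's script. Run in an elevated PowerShell inside
# the VM before the network device is attached.
# Assumptions: the mitmproxy CA is available as D:\mitmproxy-ca-cert.cer and
# mitmproxy listens on the libvirt gateway at 192.168.122.1:8080.

$CertPath  = 'D:\mitmproxy-ca-cert.cer'
$ProxyHost = '192.168.122.1:8080'

# 1. Trust the interception CA machine-wide (Cert:\LocalMachine\Root), so both
#    user-level and service processes that use the Windows store accept it.
$cert = Import-Certificate -FilePath $CertPath -CertStoreLocation 'Cert:\LocalMachine\Root'
Write-Host "Installed CA: $($cert.Subject) (thumbprint $($cert.Thumbprint))"

# 2. Per-user WinINET proxy: this is what Settings > Proxy, Edge and most
#    desktop apps honour. No bypass list, so everything but localhost goes
#    through mitmproxy.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Set-ItemProperty -Path $inet -Name ProxyEnable -Value 1 -Type DWord
Set-ItemProperty -Path $inet -Name ProxyServer -Value $ProxyHost -Type String

# 3. WinHTTP proxy: svchost-hosted services running as SYSTEM (Windows Update,
#    WNS, etc.) use this configuration, not the per-user one. Without it a
#    large share of system traffic never reaches the proxy at all.
netsh winhttp set proxy proxy-server="$ProxyHost"

# 4. Show both settings so the capture can be reasoned about afterwards.
Get-ItemProperty -Path $inet | Select-Object ProxyEnable, ProxyServer
netsh winhttp show proxy
```

To undo it after the capture: `netsh winhttp reset proxy`, set ProxyEnable back to 0, and remove the CA from Cert:\LocalMachine\Root. Two caveats match what the post observed: a process that pins its certificate fails the TLS handshake rather than accepting the injected CA, so that traffic stays opaque, and a proxy setting only catches processes that honour it; the transparent mode the post mentions (or capturing on the host's virtual bridge) is what catches the rest, even if only as undecrypted flows.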
If you apply the tweaks from https://privacy.sexy, uninstall Edge and block svchost.exe and msedgewebview2.exe in your firewall, you're probably good to go. Of course, there are many other processes which try to connect, like explorer.exe (to verify certificates on UAC prompts and when you right-click Properties on a file and go to the Digital Signatures tab), systemsettings.exe, lsass.exe, taskhostw.exe, System, sptextcomobj.exe, rundll32.exe, and some update-related ones like wusvc.exe, windowspackagemanagerserver.exe, sihclient.exe, mousocoreworker.exe.
I have done some tests with simplewall, and I think you can technically block everything above except for System and some svchost.exe connections, and your PC will work just fine. If you fully block both of those you won't have an internet connection though. Also, you technically don't need to ever allow updates. You can have a second PC that mirrors the first that you never use. Use it to check for updates, then manually download the KB updates from Microsoft's Update Catalog website on your main PC. As long as the hardware for both PCs is the same, the updates should be the same too.
From what I've tested, the absolutely mandatory allowances for your internet connection to work on Windows 11 are the following:
System (ntoskrnl.exe)
svchost.exe - [DNS]:443 (so 1.1.1.1:443 for Cloudflare)
svchost.exe - 192.168.0.1 (might be 192.168.1.1 on some routers)
It depends. It’s like comparing Chrome to Firefox, where maximum privacy is just not possible in Chrome because of the engine.
It is not possible to disable all telemetry with a single click. By removing most of the preinstalled applications and configuring group policies, you can make the system private, but this is quite difficult for the average user.
They have documentation about connection management.
All these massive tech companies are so in bed with each other that it seems silly to think you are somehow more private with one than the other, when it's shown time and again that whatever data they don't take from you directly they buy off their competitors.
The reality is if you are not using Linux you are probably giving up the same amount of data. Whether it makes sense for you to use Linux is a personal matter.
These hosts are not of much use. Instead of playing a cat-and-mouse game that you will never win by trying to blacklist all the bad hosts, just block everything in your firewall and only allow hosts that you know for sure are needed (like the ones I mentioned above). This is what's called a zero-trust, default-deny setup.
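The default-deny outbound policy recommended in the post above, built with the Windows Firewall cmdlets and seeded with exactly the three allowances the earlier simplewall post lists as mandatory (System, svchost.exe to the DNS-over-HTTPS resolver on 443, svchost.exe to the router). This is an added example, not configuration from either poster; the resolver 1.1.1.1 and gateway 192.168.0.1 are the values from that post, the Firefox path is a placeholder for whatever applications you choose to allow, and the "DefaultDeny" rule-name prefix is an arbitrary tag so the rules can be found and removed again.

```powershell
# Added example, not from either post. Run in an elevated PowerShell.
# Assumptions: DoH resolver 1.1.1.1, router 192.168.0.1 (as in the post),
# and a browser path used only to show how per-app allowances are added.

$Resolver = '1.1.1.1'
$Gateway  = '192.168.0.1'
$Svchost  = "$env:SystemRoot\System32\svchost.exe"
$Tag      = 'DefaultDeny'   # DisplayName prefix for everything this script creates

# Make the script idempotent: drop rules from any earlier run first.
Get-NetFirewallRule -DisplayName "$Tag*" -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# 1. Every profile blocks outbound connections unless an enabled rule allows them.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultOutboundAction Block -DefaultInboundAction Block

# 2. Kernel networking ("System" in simplewall), confined to the local subnet.
New-NetFirewallRule -DisplayName "$Tag System (local subnet)" -Direction Outbound `
    -Program System -RemoteAddress LocalSubnet -Action Allow | Out-Null

# 3. svchost.exe -> resolver:443, i.e. the Dnscache service doing DNS over HTTPS.
New-NetFirewallRule -DisplayName "$Tag svchost DoH" -Direction Outbound `
    -Program $Svchost -Protocol TCP -RemoteAddress $Resolver -RemotePort 443 -Action Allow | Out-Null

# 4. svchost.exe -> router (plain DNS fallback, gateway chatter), plus DHCP,
#    which is broadcast to 255.255.255.255 and so is not covered by the gateway rule.
New-NetFirewallRule -DisplayName "$Tag svchost gateway" -Direction Outbound `
    -Program $Svchost -RemoteAddress $Gateway -Action Allow | Out-Null
New-NetFirewallRule -DisplayName "$Tag svchost DHCP" -Direction Outbound `
    -Program $Svchost -Protocol UDP -LocalPort 68 -RemotePort 67 -Action Allow | Out-Null

# 5. Per-application allowances: one rule per binary, restricted to the ports it needs.
function Add-OutboundAllowRule {
    param([string]$Name, [string]$Path, [string[]]$Ports = @('80', '443'))
    New-NetFirewallRule -DisplayName "$Tag $Name" -Direction Outbound `
        -Program $Path -Protocol TCP -RemotePort $Ports -Action Allow | Out-Null
}
Add-OutboundAllowRule -Name 'Firefox' -Path 'C:\Program Files\Mozilla Firefox\firefox.exe'  # placeholder path

# 6. Verify what this script created.
Get-NetFirewallRule -DisplayName "$Tag*" | Format-Table DisplayName, Enabled, Direction, Action
```

A default action of Block only applies to traffic no enabled allow rule matches, and Windows ships with many enabled outbound allow rules of its own (Core Networking, Store apps, and so on). Review them with `Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True` and disable the ones you do not want, otherwise the policy is far less default-deny than it looks. Test connectivity after step 4 before adding applications; if DNS resolution or DHCP renewal breaks, those two svchost rules are the place to look.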