I’ve been trying to find a specific answer to this question the last couple of days; take what I say as a personal anecdote. Try this yourself if you’re curious. I don’t have a lot of experience with packet analysis.
- Run mitmproxy on the host with the SSLKEYLOGFILE env variable set. Load the key log file in Wireshark. Start listening on the virtual machine’s network interface once Windows is booted to the desktop.
- Install Windows in a virtual machine with no network device. Once booted to the main desktop, install mitmproxy’s cert into Windows’ Trusted Root CAs (I loaded the .cer onto an ISO using genisoimage on Linux to load it into the VM, but you can use a shared filesystem feature).
- Set the proxy inside Windows to the gateway at mitmproxy’s port; on libvirt this was 192.168.122.1:8080 (might be different on other virtual machine software). mitmproxy also has a transparent mode, but I don’t know how to use it best atm.
- Enable the virtual machine network device.
Even on required or optional settings I didn’t see a lot. I can say for certain that Edge collects a lot of data. I was only scanning for like 30 minutes; maybe telemetry gets transferred at odd times. I didn’t see any DNS requests for the telemetry domains Microsoft lists, or any string match for telemetry or ‘performance’ stuff like that (except for Edge).
What’s important is that my mitmproxy method isn’t foolproof, and apps can choose to only use verified and trusted certs. So there was a lot of traffic I couldn’t decrypt. So that’s probably worrying. Some of the domains it connected to had encrypted traffic; I list some of them here (and the process I could find):
- client.wns.windows.com - svchost.exe, push notifications
- api.iris.microsoft.com - Windows Spotlight
- settings-win.data.microsoft.com* - used for Windows apps to dynamically update their configuration
- go.microsoft.com - Windows Defender
- login.live.com - device authentication
JG shared an article the other day here, “Microsoft Defender Vulnerabilities Allow Attackers to Bypass Authentication”, that shows how researchers modified some Microsoft binaries to disable this cert verification, making it possible to decrypt their traffic, but the article is unrelated to telemetry.
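One way to tell the two cases apart after a capture like the one above (streams Wireshark could decrypt with the key log versus streams where the Windows client refused mitmproxy’s certificate) is to export the TLS handshake fields from the pcap and classify each TCP stream by what happened after the server’s Certificate message. The script below is an added example, not code from the post above; the tshark invocation in the comment is an assumption about how the export would be produced (the field names are standard Wireshark ones), and the sample export is constructed, so the outcomes it shows for the hostnames from the post are made up to exercise each branch, not observations.

```python
"""Classify TLS streams from a tshark field export as decrypted vs. refused.

Assumed export command (the pcap name is a placeholder):
  tshark -r vm-capture.pcapng -Y tls -T fields -E separator='|' \
      -e tcp.stream -e tls.handshake.extensions_server_name \
      -e tls.handshake.type -e tls.alert_message.desc
With mitmproxy's SSLKEYLOGFILE loaded in Wireshark, encrypted handshake
records (TLS 1.3 Certificate/Finished) become visible in this export.
"""
from collections import defaultdict

# TLS handshake message types we care about.
CLIENT_HELLO, CERTIFICATE, FINISHED = 1, 11, 20

# TLS alert descriptions that mean "the peer rejected the certificate",
# i.e. the app is validating against its own trust store or pins.
CERT_ALERTS = {
    42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired",
    46: "certificate_unknown", 48: "unknown_ca",
    116: "certificate_required",
}

# Constructed sample in the export format above: one line per TLS packet,
# fields tcp.stream | SNI | handshake types (comma-joined) | alert desc.
SAMPLE_EXPORT = """\
3|client.wns.windows.com|1|
3|||
3||11|
3|||48
5|api.iris.microsoft.com|1|
5||11|
5|||
5||20|
7|login.live.com|1|
7||11|
7|||42
9|settings-win.data.microsoft.com|1|
"""


def parse_export(text):
    """Turn the pipe-separated export into a list of per-packet records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stream, sni, htypes, alert = line.split("|")
        records.append({
            "stream": int(stream),
            "sni": sni or None,
            "handshake_types": {int(t) for t in htypes.split(",") if t},
            "alert": int(alert) if alert else None,
        })
    return records


def classify_streams(records):
    """Map tcp.stream -> (sni, status) by replaying each stream's events."""
    state = defaultdict(lambda: {"sni": None, "saw_cert": False,
                                 "finished": False, "alert": None})
    for r in records:
        s = state[r["stream"]]
        if CLIENT_HELLO in r["handshake_types"] and r["sni"]:
            s["sni"] = r["sni"]
        if CERTIFICATE in r["handshake_types"]:
            s["saw_cert"] = True
        if FINISHED in r["handshake_types"]:
            s["finished"] = True
        if r["alert"] is not None and s["alert"] is None:
            s["alert"] = r["alert"]  # keep the first alert in the stream

    result = {}
    for stream, s in state.items():
        if s["alert"] in CERT_ALERTS:
            # The client saw mitmproxy's cert and refused it: not decryptable.
            status = "rejected_cert:" + CERT_ALERTS[s["alert"]]
        elif s["finished"]:
            # A Finished message was readable, so the key log worked here.
            status = "decrypted"
        elif s["saw_cert"]:
            # Cert went out but no alert and no Finished (e.g. a plain RST).
            status = "incomplete_after_cert"
        else:
            status = "no_handshake"
        result[stream] = (s["sni"], status)
    return result


def summarize_hosts(text):
    """Group stream statuses by SNI hostname, in stream order."""
    by_host = defaultdict(list)
    for _stream, (sni, status) in sorted(classify_streams(parse_export(text)).items()):
        by_host[sni or "(no SNI)"].append(status)
    return dict(by_host)


if __name__ == "__main__":
    for host, statuses in summarize_hosts(SAMPLE_EXPORT).items():
        print(f"{host:40s} {', '.join(statuses)}")
```

Hosts that come back as `rejected_cert:*` are the ones the post describes as "traffic I couldn’t decrypt": the client connected, received mitmproxy’s certificate, and aborted with a certificate alert, which is the signature of an app that only trusts its own certificate set. Streams that end in `incomplete_after_cert` are worth a second look in the pcap itself, since a client that silently resets the connection after the Certificate message is often doing the same thing without sending an alert.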