Using Firewall Rules or other network tools to block MS telemetry.

I have been researching how to block Windows 11 telemetry and I think a better way to do it is to block the network traffic using your firewall/security appliance instead of dealing with each Windows device. Much less management and fewer PC hacks. Just like the client methods, the network blocking rules will have to be updated if MS changes the destination addresses or methods used to transmit the data. Luckily there are projects out there doing that. Has anyone successfully done this? Below is an example from Claude AI:

For blocking Windows telemetry on a Ubiquiti firewall:

How to Block Windows Telemetry on Ubiquiti
The Ubiquiti device offers multiple methods to block telemetry at the network perimeter:

Method 1: Content/Domain Filtering (Easiest)
UniFi gateways have built-in DNS-level content filtering:
Content filtering works by redirecting DNS traffic to the UniFi Gateway for inspection, comparing requests against internal blocklists, and denying access before the browser can connect to the site (source: Ubiquiti).
Setup Path:

Settings → CyberSecure → Content Filter
Create custom domain blocking rules
Apply to specific networks or devices

Best Telemetry Blocklists for Ubiquiti:

HaGeZi’s Windows/Office Tracker List (Highly Recommended)

URL: https://gitlab.com/hagezi/mirror/-/raw/main/dns-blocklists/domains/native.winoffice.txt
Blocks Windows/Office native broadband trackers that track your activity (source: Eleven Forum)
Contains ~258 domains (updated regularly)

HaGeZi’s Multi PRO++ (More comprehensive)

Blocks Ads, Affiliate, Tracking, Metrics, Telemetry, Phishing, Malware, Scam, Fake, Cryptojacking and other “Crap” (source: GitHub)
More aggressive, may require whitelisting some services

Community Lists:

Microsoft Telemetry: https://raw.githubusercontent.com/Qubi-B/microsoft-telemetry-domain-list/main/mslist.txt
W4RH4WK’s Debloat list (on GitHub)

Method 2: Zone-Based Firewall Rules
For more granular control:
UniFi’s Zone-Based Firewalling allows you to group network interfaces and efficiently define and enforce policies that control how traffic flows between zones (source: Ubiquiti).
Create custom firewall policies:

Settings → Policy Engine → Zones → Create Policy
Source: Internal zone (your network)
Destination: Internet zone
Match criteria: Domain groups (telemetry domains)
Action: Block

Method 3: Advanced Firewall Rules + Custom Scripts
For maximum control (requires SSH access):
UDM GUI firewall rules do not apply to communication between the router’s internal interface and WAN, so custom iptables rules may be needed for complete blocking (source: [H]ard|Forum).
You can create custom firewall rules that survive reboots using tools like UDM-Utilities if you have a UDM/UDM Pro.

Key Telemetry Domains to Block
Here are the most critical Microsoft telemetry domains:

Core Telemetry:

vortex.data.microsoft.com
vortex-win.data.microsoft.com
watson.telemetry.microsoft.com
oca.telemetry.microsoft.com
telecommand.telemetry.microsoft.com

Diagnostics:

*.trafficmanager.net
*.diagnostics.office.com
*.telemetry.microsoft.com

Important: With each update may come new IPs and domains (source: Windows 10 Forums), so using a maintained blocklist like HaGeZi’s is strongly recommended over manual lists.

Critical Considerations
⚠️ What WILL Break:

Microsoft Store may not work properly
Windows Update - you’ll need to selectively allow update domains
Office activation/updates
Xbox services
OneDrive sync

✅ What Will Still Work:

Windows Update (if you whitelist specific domains)
Core Windows functionality
Most third-party applications
Internet browsing

Windows Update Domains to ALLOW:
*.windowsupdate.com
*.update.microsoft.com
*.delivery.mp.microsoft.com
*.dl.delivery.mp.microsoft.com

Recommended Implementation Strategy
Step 1: Start with HaGeZi’s Windows/Office Tracker list in Content Filter
Step 2: Monitor your network for 1-2 weeks
Step 3: Whitelist any legitimate domains causing issues
Step 4: Optionally add more aggressive blocking
Pro Tip: Set up a separate VLAN for testing first, so you can troubleshoot without affecting your whole network.

Monitoring & Validation
After implementing:

Check UniFi’s traffic analytics to see blocked requests
On Windows, verify telemetry is blocked.

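The post above boils down to one policy: a maintained block list (HaGeZi's Windows/Office list or the hand-picked domains), an allow list for Windows Update that must win over the block list, and a check afterwards of what the gateway would actually do with the names a client queries. The following is an added example for this thread, not code from Ubiquiti, HaGeZi or the original poster. It assumes the matching semantic of a DNS content filter is a suffix match (an entry covers that domain and every subdomain of it) and that an allow hit beats a block hit; the block-list excerpt, the allow list and the "observed" query names are constructed inline from the domains in the post so it runs offline. Besides deciding allow/block/pass, it collapses entries already covered by a parent entry (the three `*.telemetry.microsoft.com` hosts versus `telemetry.microsoft.com`, `*.dl.delivery.mp.microsoft.com` versus `*.delivery.mp.microsoft.com`) and reports any allow entry that sits underneath a block entry, which is the case that silently breaks updates if the filter evaluates block rules first.

```python
"""Compile a DNS-level telemetry blocklist plus an allowlist that wins,
then decide what the filter would do for each observed hostname.

Added example for this thread; not code from Ubiquiti, HaGeZi or the
original poster. Assumptions: a list entry matches that domain and every
subdomain of it (suffix match), and an allowlist hit beats a blocklist hit.
"""
from __future__ import annotations

# Constructed excerpt in the HaGeZi "domains" format (one hostname per line,
# '#' starts a comment). It is NOT the real native.winoffice.txt.
SAMPLE_BLOCKLIST = """\
# Title: Windows/Office tracker list (constructed excerpt for this example)
vortex.data.microsoft.com
vortex-win.data.microsoft.com
watson.telemetry.microsoft.com
oca.telemetry.microsoft.com
telecommand.telemetry.microsoft.com
telemetry.microsoft.com          # already covers the three hosts above
diagnostics.office.com
trafficmanager.net
"""

# Windows Update domains the post says to allow, in "*.domain" wildcard style.
SAMPLE_ALLOWLIST = """\
*.windowsupdate.com
*.update.microsoft.com
*.delivery.mp.microsoft.com
*.dl.delivery.mp.microsoft.com   # redundant: already under delivery.mp.*
"""

# Constructed sample of query names, as a DNS log from a Windows 11 client
# might show them. Not captured from a real machine.
OBSERVED_QUERIES = [
    "vortex-win.data.microsoft.com",
    "watson.telemetry.microsoft.com",
    "download.windowsupdate.com",
    "fe3cr.delivery.mp.microsoft.com",
    "something.trafficmanager.net",
    "www.example.com",
]


def parse_domains(text: str) -> set[str]:
    """Accept 'domain', '*.domain' and hosts-file '0.0.0.0 domain' lines."""
    entries: set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if not line:
            continue
        fields = line.split()
        if len(fields) == 2 and fields[0] in ("0.0.0.0", "127.0.0.1"):
            line = fields[1]
        elif len(fields) != 1:
            continue  # unrecognised line shape: skip rather than guess
        if line.startswith("*."):
            line = line[2:]
        line = line.rstrip(".")
        if line:
            entries.add(line)
    return entries


def covered_by(host: str, entries: set[str]) -> str | None:
    """Return the entry matching host itself or one of its parent domains."""
    name = host.lower().rstrip(".")
    while name:
        if name in entries:
            return name
        _, _, name = name.partition(".")  # drop the leftmost label
    return None


def minimize(entries: set[str]) -> set[str]:
    """Drop entries whose parent domain is already listed (fewer rules, same effect)."""
    kept = set()
    for entry in entries:
        parent = entry.partition(".")[2]
        if not (parent and covered_by(parent, entries)):
            kept.add(entry)
    return kept


def shadowed_allows(allow: set[str], block: set[str]) -> set[str]:
    """Allow entries that sit under a block entry: they only take effect if the
    filter evaluates allow rules first, so re-check them on every list update."""
    return {a for a in allow if covered_by(a, block)}


def decide(host: str, block: set[str], allow: set[str]) -> str:
    """'allow' beats 'block'; anything not listed passes through untouched."""
    if covered_by(host, allow):
        return "allow"
    if covered_by(host, block):
        return "block"
    return "pass"


BLOCK = parse_domains(SAMPLE_BLOCKLIST)
ALLOW = parse_domains(SAMPLE_ALLOWLIST)


def review(queries=OBSERVED_QUERIES) -> dict[str, str]:
    """Map each observed query name to the filter's decision."""
    return {q: decide(q, BLOCK, ALLOW) for q in queries}


if __name__ == "__main__":
    print("block rules after minimising:", sorted(minimize(BLOCK)))
    print("allow rules after minimising:", sorted(minimize(ALLOW)))
    print("allow entries shadowed by a block entry:", shadowed_allows(ALLOW, BLOCK))
    for host, verdict in review().items():
        print(f"{verdict:5}  {host}")
```

To use it against the real lists, replace the two constructed strings with the downloaded HaGeZi file and your own allow list, then feed the names from the gateway's DNS log into `review()`; anything reported as `block` that you rely on (Store, OneDrive, activation) goes into the allow list, and a non-empty `shadowed_allows()` result means the allow entry must be placed where the filter evaluates it before the block rule.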

Windows is such a cat-and-mouse game. What’s true one day is not going to be true the next. And not everyone/most people are going to know what’s best to harden Windows every day, as things change too fast for one to reliably keep track of it all.

There’s a reason why there is no conclusive answer for such questions on this forum that will always keep working as it once did. There are many tools and ways to go about doing what one needs to, including what you’re asking about on Windows. But it’s hard to be certain of anything long term. Windows is terrible.

Lastly, (overly) complicated ways to harden Windows are never reliable nor sustainable. I highly suggest finding an alternative OS to use if you’re amenable.


The best way to use Windows these days is on a machine that is not, and never will be, connected to the internet, after installing your office apps.

You pass data via USB, and that USB is encrypted with something like VeraCrypt.
