Most of his configuration is invalid, due to his misconfiguration of group policy. For example, he disabled the Teredo policy. But here's the help text for that policy: "If you disable or do not configure this policy setting, the local host settings are used."
He made this error countless times, rendering the entire experiment a failure.
Actually I made this error twice, which is far from "countless times". The one Allow Telemetry setting would not have made a difference because I had also configured it manually and the Teredo setting doesn't actually disable Teredo anyway. This does not make the entire experiment a failure.
> Enable the Group Policy: Computer Configuration > Administrative Templates > Network > TCPIP Settings > IPv6 Transition Technologies > Set Teredo State and set it to Disabled State.
Reading that, it seems as though you should disable the policy but in fact you should first Enable the policy, then go into the policy settings and Disable the setting there. And even with that mistake, I had it manually disabled in both HKCU and HKLM so if disabled means it uses the local host settings then it should use that.
Nevertheless, there are some serious concerns here:
1. Why is it even connecting to facebook, msn ad services, google analytics, etc when nothing is running?
2. Why is it doing this by default on an Enterprise operating system?
3. Why is this the default setting that requires dozens of group policy settings (and knowledge of group policy) to disable?
4. And why is there no option to opt out completely?
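The Teredo confusion above comes from trusting the Enabled/Disabled label on the policy item rather than the resulting state. An added check (not code from the thread or from Microsoft) that reads the policy-backed registry value and then the running Teredo configuration; it assumes the policy stores its value as `Teredo_State` under `HKLM:\SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition`, which is absent when the policy is Disabled or Not Configured.

```powershell
# Added example (not code from the thread): check the effective Teredo state
# instead of trusting the Enabled/Disabled wording of the Group Policy item.
# Assumption: the policy writes Teredo_State under the v6Transition key below;
# the value is absent when the policy is Disabled or Not Configured, which is
# the "local host settings are used" case from the policy's help text.
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition'
$policy = Get-ItemProperty -Path $policyPath -Name 'Teredo_State' -ErrorAction SilentlyContinue

if ($null -eq $policy) {
    'Policy: Not Configured or Disabled -> local host settings are used'
} else {
    "Policy: Enabled, Teredo_State = $($policy.Teredo_State)"
}

# What actually governs outbound Teredo traffic is the running configuration,
# so report that too and compare it with what the policy was meant to do.
$cfg = Get-NetTeredoConfiguration
"Running Teredo type: $($cfg.Type)"

if ($cfg.Type -eq 'Disabled') {
    'Teredo is off on this host.'
} else {
    'Teredo is still active; refresh policy (gpupdate /force) and re-check.'
}
```

Run from an elevated PowerShell session on a Windows 8 or later host, where the NetworkTransition module that provides Get-NetTeredoConfiguration is available.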
> Most of his configuration is invalid, due to his misconfiguration of group policy.
Yeah, it's his fault that he didn't properly navigate the Kafkaesque nightmare that Microsoft has created in order to thwart people from disabling all this spyware.
Some of the GPO settings make me feel like I'm reading a contract written by a lawyer out to get me.
I don't have any concrete examples, but I swear I've stumbled across settings like this <not a real setting, just an example, probably exaggerated>:
Setting - Disable Windows Error Reports.
Description: Disable the submission of error reports
Options:
Unconfigured - Use client settings.
Disable - Send only minimal information in error reports.
No - Do not send any error reports.
Yes - automatically send full error reports.
So when you Enable the "disable windows security reports" option, it Enables sending of the security reports, and when you "Disable" the option, it still sends reports.
Many of them are extremely confusingly worded like this. It takes several reads to figure out which option actually disables it.
> pretty shoddy security researcher that doesn't read the documentation
What an unnecessary insult. If you can read the incredibly confusing Microsoft documentation better than him (or any of us), then please post the definitive step-by-step instructions for turning off all telemetry and privacy-invasive connections in Windows 10.
So, I search for "teredo group policy" and here's the second link I find, a TechNet article with detailed screenshots about how to disable IPv6 via Group Policy, which is one of the things he talks about:
That's 1 item[ * ]. I'd still like to see your definitive step-by-step instructions for turning off all telemetry and privacy-invasive connections in Windows 10 -- which is what the OP was attempting to do.
[ * ] How do you know that it even works? Plenty of times I've followed instructions from Microsoft's TechNet that didn't solve the problem it purported to solve.
And by the way, that's a helluva lot of steps to disable IPv6. Multiply that by a hundred other things you need to do, and probably a hundred you don't know about, and changes that get undone by updates, and you have a nightmare trying to create a privacy-respecting Windows 10.
IPv6 isn't even part of telemetry per se, it's an IETF standard that can be used to connect with any server that supports it. Yes, some OS-level services require IPv6. Shutting off IPv6 as a way of disabling those services is like... using leeches for bloodletting but for IT practices. If you want to disable telemetry and you're on a supported Windows SKU for Group Policy, here's Microsoft's directions on what you can configure:
It all started with a pretty casual tweet, can we stop crucifying the guy?
No matter your opinion about the subject at least we are talking about it now and from what I can tell he's going to make a more reproducible test with a script so we can all tear it to pieces.
If not, I hope someone else does it. Even better if it's somebody with the proper credentials some of you all are requiring (from a freaking tweet).
There's a difference between "testing things on a reasonable reproduction of real-world systems" and "claiming Windows doesn't work correctly because you don't read the documentation."
It's a huge bummer that the (wildly implausible) results he got didn't discourage him from spreading them widely. He later said they were 'unexpected' and he was working on verifying them from scratch reproducibly, but that comes only after misinformation about telemetry is spreading around the web. :(
I actually didn't spread them widely, I tweeted them. If you follow me you would know I tweet things like that all the time. I observed these connections and showed the settings I have set that should have prevented them.
I haven't published results anywhere and many people, including in the comments here, have corroborated what I saw.
The results are the results. I am re-verifying before I publish anything on this and to provide a script so that others can reproduce the results. That certainly does not make it wildly implausible.
> He made this error countless times, rendering the entire experiment a failure.
Oops.