Anybody have a comprehensive list of GPOs to disable all of the ai/cloud/telemetry functionality in MS products? Copilot, onedrive, alt text generation in office, the works. Anything that can potentially violate NDAs by sending content of your system to MS.
@azonenberg I should really know the answer to this, but I don't, sorry. Would be very interested in the answer.

@gsuberland Yeah it's annoying. All of the cloud integrations make it very easy to accidentally put content somewhere you don't want it.

Not a problem I have to worry about in the Linux space, thankfully.

@gsuberland @azonenberg Microsoft provides a "Windows Restricted Traffic Limited Functionality Baseline package", but I'm not sure how comprehensive it is: https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services

German data protection authorities didn't think it was sufficient last time I looked.

@galaxis
@gsuberland @azonenberg
This helps, but does break things like updates and the store. The only real solution I've found is to filter outbound traffic by process (default deny) and use wsus or wsusoffline.
@FritzAdalis @galaxis @gsuberland Yeah I need updates to work. Store doesn't matter as I don't use it for anything except perhaps WSL, and I can always install that on a new system and then deploy the hardening package after WSL is installed but before any confidential data enters the VM.

@azonenberg
@galaxis @gsuberland
I mean you can run the rtlfb and then re-enable WU. Nothing is permanent or hidden.

I haven't gotten Windows Update to work reliably with default deny, hence my use of wsus or wsusoffline. If you need actual WU to work your options are limited.

@azonenberg wsl.exe, specifically, has a --web-download option that should bypass the store.
I have never tried to use the baseline package myself, but it can probably be adapted depending on needs?

For consumer Windows, I usually point to O&O ShutUp10++ (www.oo-software.com/en/shutup10), which is a point-and-click shortcut to many of the relevant Registry and GPO settings.

@FritzAdalis @gsuberland

@azonenberg I've put a lot of hours into a similar question... I'd love to be proven wrong, but every time I think I have an answer, it's something that only works fully with enterprise or educational SKUs and somehow not on any version you can license as an individual

@0x56 My immediate interest is making sure $dayjob is up to speed when e.g. ms copilot launches and I think we're on enterprise.

But having it work on professional for home based VMs would be a big plus as well.
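As an added example (not posted by anyone in this thread), here is a PowerShell audit of the registry values behind the GPOs most relevant to the original question: Windows diagnostic data, Windows Copilot, OneDrive, and the Office connected experiences (the "analyze content" group is what drives alt-text generation). It assumes the policy paths documented in the current Windows and Office ADMX templates, which you should confirm against your own templates, and must run elevated to read or write the HKLM entries.

```powershell
# Added example: audit (and optionally apply with -Apply) the policy registry
# values behind the GPOs that cut Copilot, OneDrive, Office connected experiences
# and diagnostic data. Assumption: these are the documented policy locations.
param([switch]$Apply)

$Policies = @(
    # Windows diagnostic data: 0 = Security, honoured only on Enterprise/Education
    # SKUs; Pro silently floors it at 1, which is the SKU problem raised above.
    @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection';
       Name='AllowTelemetry'; Value=0; Gpo='Allow Diagnostic Data' },
    # Windows Copilot (User Configuration policy)
    @{ Path='HKCU:\Software\Policies\Microsoft\Windows\WindowsCopilot';
       Name='TurnOffWindowsCopilot'; Value=1; Gpo='Turn off Windows Copilot' },
    # OneDrive sync client
    @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive';
       Name='DisableFileSyncNGSC'; Value=1; Gpo='Prevent the usage of OneDrive for file storage' },
    # Office connected experiences: 2 = disabled. UserContentDisabled is the one
    # that covers experiences which upload document content (alt text, Editor...).
    @{ Path='HKCU:\Software\Policies\Microsoft\Office\16.0\Common\Privacy';
       Name='DisconnectedState'; Value=2; Gpo='Allow the use of connected experiences in Office' },
    @{ Path='HKCU:\Software\Policies\Microsoft\Office\16.0\Common\Privacy';
       Name='UserContentDisabled'; Value=2; Gpo='Allow the use of connected experiences in Office that analyze content' },
    @{ Path='HKCU:\Software\Policies\Microsoft\Office\16.0\Common\Privacy';
       Name='DownloadContentDisabled'; Value=2; Gpo='Allow the use of connected experiences in Office that download online content' },
    @{ Path='HKCU:\Software\Policies\Microsoft\Office\16.0\Common\Privacy';
       Name='ControllerConnectedServicesEnabled'; Value=2; Gpo='Allow the use of additional optional connected experiences in Office' },
    # Office diagnostic data: 3 = Neither
    @{ Path='HKCU:\Software\Policies\Microsoft\Office\Common\ClientTelemetry';
       Name='SendTelemetry'; Value=3; Gpo='Configure the level of client software diagnostic data sent by Office to Microsoft' }
)

foreach ($p in $Policies) {
    # Read the current value; a missing key or value name yields $null
    $current = (Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
    $ok = ($null -ne $current) -and ($current -eq $p.Value)
    if (-not $ok -and $Apply) {
        New-Item -Path $p.Path -Force | Out-Null
        Set-ItemProperty -Path $p.Path -Name $p.Name -Value $p.Value -Type DWord
        $current = $p.Value; $ok = $true
    }
    $shown = if ($null -eq $current) { '<not set>' } else { $current }
    [pscustomobject]@{
        Policy  = $p.Gpo
        Key     = "$($p.Path)\$($p.Name)"
        Want    = $p.Value
        Current = $shown
        Status  = if ($ok) { 'OK' } else { 'MISSING' }
    }
}
```

Writing these values directly only holds until a domain GPO, Intune profile or feature update rewrites them, so on managed machines set them through the ADMX-backed policy instead and use this script as the check that they are still in force after each update.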

@azonenberg this might be a start https://github.com/bitlog2/DisableWinTracking but probably not complete, since it only targets the OS itself
@azonenberg I've had great luck with fdisk.

@azonenberg no and I'd rather forcibly migrate all #Windows machines on sight to @ubuntu than trying to hack something into a shitty #Govware that'll automatically revert my settings to illegal defaults (potentially) EVERY SINGLE UPDATE...

Stop trying to fix #Microsoft's trash and take fucking #Consequences instead!!!