Andrew ZonenbergAnybody have a comprehensive list of GPOs to disable all of the ai/cloud/telemetry functionality in MS products? Copilot, onedrive, alt text generation in office, the works. Anything that can potentially violate NDAs by sending content of your system to MS.
Graham Sutherland / Polynomial@azonenberg I should really know the answer to this, but I don't, sorry. Would be very interested in the answer.
@gsuberland Yeah it's annoying. All of the cloud integrations make it very easy to accidentally put content somewhere you don't want it.
Not a problem I have to worry about in the Linux space, thankfully.
Alexander Bochmann@gsuberland @azonenberg Microsoft provides a "Windows Restricted Traffic Limited Functionality Baseline package", but I'm not sure how comprehensive it is: https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services
German data protection authorities didn't think it's sufficient last time I looked.
Fritz Adalis@galaxis
@gsuberland @azonenberg
This helps, but does break things like updates and the store. The only real solution I've found is to filter outbound traffic by process (default deny) and use wsus or wsusoffline.
@gsuberland @azonenberg
This helps, but does break things like updates and the store. The only real solution I've found is to filter outbound traffic by process (default deny) and use wsus or wsusoffline.
@FritzAdalis @galaxis @gsuberland Yeah I need updates to work. Store doesn't matter as I don't use it for anything except perhaps WSL, and I can always install that on a new system and then deploy the hardening package after WSL is installed but before any confidential data enters the VM.
@azonenberg
@galaxis @gsuberland
I mean you can run the rtlfb and then re-enable WU. Nothing is permanent or hidden.
I haven't gotten Windows Update to work reliably with default deny, hence my use of wsus or wsusoffline. If you need actual WU to work your options are limited.
@azonenberg wsl.exe, specifically, has a --web-download option that should bypass the store.
I have never tried to use the baseline package myself, but it can probably be adapted depending on needs?
For consumer Windows, I usually point to O&O ShutUp10++ (www.oo-software.com/en/shutup10), which is a point-and-click shortcut to many of the relevant Registry and GPO settings.