• Transporter@lemmy.worldOP
    link
    fedilink
    English
    arrow-up
    2
    ·
    edit-2
    1 year ago

    If you’re already on a Linux-based operating system, and you gotta run a real instance of Windows for some reason, your safest bet from both a security and privacy standpoint is to run it in a virtual machine (I like VirtualBox, personally, but VMWare, or whatever else will do the job fine also) and firewall the hell out of it. In a virtual machine, you can totally lock it down as much or as little as you need for the task at hand, and ain’t a damned thing Windows itself can really do about it, and as an added bonus, it saves you from the required reboots of dual-booting. It’s confined to a “safe space” (until you start opening enabling network stuff and opening ports to it). You’re in control.

    edit: or QEMU/KVM (with virt-manager)

  • starchturrets@feddit.de
    link
    fedilink
    English
    arrow-up
    2
    ·
    edit-2
    1 year ago

    If I remember correctly, Pro should give you access to group policies (making configuration a tad less painful compared to fiddling in the registry), stuff such as Windows Sandbox/MDAG (basically, throwaway VMs you can run executables/Edge in), as well as Bitlocker encryption.

    You cannot turn off required diagnostics on Windows 11 Home or Pro. You can see it yourself by firing up a Windows Pro or Home VM, editing the relevant setting in the registry or group policy, then taking a look at wireshark traffic - you should still see traffic to telemetry endpoints that Microsoft has listed in their documentation. This confirms what their documentation already says about this setting:

    This is only available on Windows Server, Windows Enterprise, and Windows Education editions.

    This also applies to many third party tools which claim to stop windows telemetry. Since I’m reasonably sure they work by editing the registry, they would be no more effective than simply turning off optional diagnostics in the GUI. So you end up giving yet another random app admin access for no real gain.

    That being said, imo the required OS diagnostics Windows collects tends to be pretty basic in comparison to all the FUD that’s spread about it being a literal backdoor. You can see for yourself by opening the diagnostic data viewer app and seeing what info is there.

    The other main problems (at least from my fiddling around in a VM with mitmproxy and wireshark as well as reading various articles) are:

    • Windows Spotlight sending back similar data compared to required diagnostics - but if you’re on Home/Pro where you can’t turn it off anyways, this is irrelevant.

    • Forced Microsoft Login with a lot of cloud syncing stuff opted in by default - bypassable, but is somewhat troublesome. You can also just select the domain join option when installing Windows Pro to get around this.

    • Bing start menu search (needs a group policy or regedit to disable).

    • Edge’s optional features and Windows Security’s Smartscreen constantly leaking stuff such as browsing history (these can be disabled easily enough, fwiw).

    Edit: I just realized you were talking about 10 and not 11, still, a lot of what I wrote about diagnostic data is applicable to both of them.

  • dominikoso@lemmy.dominikoso.me
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Talking from experience when it comes to privacy on Windows I recommend looking into:

    https://privacy.sexy

    I know domain looks kind fishy but you can Inspect generated script yourself before running. Also you can Customize it to only include things you want.

  • ADL@lemmy.ml
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    I really wish people would stop making perfection the enemy of good when Windows comes up in any capacity on here. We all know Windows sucks for privacy but for certain users and industries it’s still quite mandatory so answer the damn question and provide resources to make it as least intrusive as possible.

  • Transporter@lemmy.worldOP
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Pro is a little bit better because of features like Bitlocker. A lot better would be Education/Enterprise variant. You’d need special licenses for running enterprise I think. There are also registry hacks that would give you some protection against telemetry (I personally haven’t done this).

    Privacy-wise though, any “windows” is going to fare lower than linux is what I’d say. Wait for others in the sub for more insights.

  • unfazedbeaver@lemmy.one
    link
    fedilink
    English
    arrow-up
    1
    ·
    edit-2
    1 year ago

    Just wanna take a moment to let people know about a very, very good and reputable tool for privacy and windows. Honestly, it should be on the privacy guides website imho.

    Linux is better, but if you have to use Windows, there is the Chris Titus Tech tool available. You can set power-user privacy options easily, massively debloat your windows installation, install programs, and easily set your update settings to security only, if that is what you want.

    It’s also freaky easy to use, and comes from one of the foremost minds in the tech world today.

    https://christitus.com/windows-tool/