A firewall must interface at a very low level to totally prevent Microsoft code from connecting to the internet during boot or other times. Here is an example of a firewall where the developer honestly admits this goal is not achieved: https://wiki.safing.io/en/FAQ/PMOnStartup https://wiki.safing.io/en/Portmaster/Architecture/OSIntegration Many firewalls use the Windows Filtering Platform (WFP). Do these firewalls interface at too high of a level to achieve this goal? See https://en.wikipedia.org/wiki/Windows_Filtering_Platform Does this goal require a firewall with (an expensive) signed driver? I run Win 8.1 now, but I plan to buy a new PC with 13th generation Intel hardware, so I need a recent Win 10 ISO. I am interested in feedback from anyone who has a firewall that can block Win 10 from phoning home, especially if they have used logs on a hardware firewall (PCAP) to confirm that their Win 10 PC doesn't phone home.
This is not possible. This is like asking how to hide from Facebook which posts you liked. You are on their platform, you are on their terms. But really, since hundreds of millions of Windows machines are online at any given time, what is your concern about Microsoft phoning home? Windows may sent whatever encrypted data they need/want when you check for Windows Updates. I guess you want Windows Updates. No phoning home means an offline computer. Whatever telemetry data is sent, it will not be used to identify you personally anyway.
I agree that when accessing Windows Updates online the user has no knowledge of what information is being sent to MS. So anybody anybody who doesn't want that, like me, would disable online Windows Updates. But that is easy to turn off. This thread is about a firewall that can block connections to MS, without going to the extreme of an offline PC.
Closest software firewall to what you want to achieve, would be Windows10 Firewall Control. The setting is when installing "No windows updates" . It can be changed when you need to update. Great firewall for blocking "Phoning home" with all apps. https://www.sphinx-soft.com/Vista/index.html
No, WFP provides "boot-time filters" mechanism: "A boot-time filter is a filter that is enforced at boot-time as soon as the TCP/IP stack driver (tcpip.sys) starts." Portmaster uses the WFP, so it can easily use the boot-time filters too. Maybe Portmaster's developers did not know about this option.
it never has been proven that windows sends very personal data. the very best developers and hackers have tried this and failed. in fact the amount of send data is either very good compressed, or not existant. and windows need some minimal telemetry to obtain micropatches, some slight corrections based on your used hardware and software. if a program crashes for no reason dont you want a solution even if the developer has done anything to avoid? some things people dont know - some vital services are routed to the web without any filtering. why? because malware is able to re-route eg. by HOSTS file. furthermore the defender (and a lot of other secuity software) is obeying this file for changes, defender in special discards any changes towards microsoft servers. https://petri.com/windows-10-ignoring-hosts-file-specific-name-resolution/ what you can disable with easy and no pain are some tasks which are not vital. eg customer experience, application experience. and you should avoid an ms account. but in that case you cannot use the ms store. the less you tweak windows the better it will perform. concerning sphinx, only the paid versions block telemetry and some more (eg ad domains), i dont use it, its disabled. this one https://www.sphinx-soft.com/Vista/pict/domains.jpg very easy to handle, lots of predefined rules combined in zones. but, i only use this additional firewall (the windows firewall is also active) only on this machine, any other are on windows 11 and dont have it installed, there exist no reason to do so. i need to trust my used software, sphinx software helps me to investigate in the past. a firewall is no set and forget - its a learning process.
For the record, when you use "mandatory" MS account and the internet is blocked you can not reset PIN nor login with a password, restoring a backup will not help, you would need to reinstall. In other words, MS knows, what it is doing. Also people, who like to block everything, forget about certificates used by Windows and browsers, they need to be updated daily and if you allow that, you are already "leaking", so this whole block everything nonsense is just an overkill. You want the latest hardware, yet you want to limit it with an unsupported OS (soon)? MS is no longer even selling Windows 10 and Intel's Thread Director technology got a significant overhaul in the Windows 11 22H2 update.
I don't have an MS account on Win 8.1. All my apps are not MS. Why would it be mandatory to create MS account for my new Win 10 PC? I block Windows certificate updates in Win 8.1. I understand they are used in MS web browsers and apps, which I don't use. I keep Pale Moon up-to-date, and it has its own copy of certificates. With Win 10 near the end of life, what do I miss by not updating certificates in Win 10? I am buying a fanless PC that can dissipate 65W. There are few hardware choices that meet this requirement. The best one I found supports Win 10 and Win 11. I wish it supported Win 8.1 drivers, but I have to adapt. I choose Win 10 because it is stable and supported by most apps. I understand Win 10 doesn't support the the eCores like Win 11 does, but I don't want to be a MS beta tester for Win 11 and experience lots of crashes and app incompatibilities. Remember when Windows Update forced Win 7/8/8.1 PCs to update to the early/buggy Win 10? I had dozens of work colleagues wimper when they lost all their data and had to reload Windows. I appreciate the help from Wilders folks about making a transition to Win 10 while maintaining the security and privacy I have in Win 8.1.
Revoked certificates for one, digital signatures of executables, etc. It is like using AV with several years old signatures. 10 was bad, then good, now it is bad again. I do not know, if MS did it on purpose or it is caused by all the bloatware, but it is not what it used to be. MS is really pushing it and it does improve security significantly. It is inevitable, just like Google account on android, so better to get used to it. You can not have both, you can block everything at the cost of security or you can compromise and get something from both. I love silence, I have a silent mouse, keyboard and low speed fans, they are noiseless, I have all locked to 700rpm and I can not tell, if the PC is running or not. Never underestimate the power of dust and zero airflow.
nonsense. any installed program is using the windows cert store. indeed, this will push your unsecure working. no updates, ancient and vulnerable browser. but in fact you do not listen. then why do you ask? you cant make windows 10 like windows 8, its not possible.
Firefox is using its own cert repository. Maintaining own cert repository is expensive so most 3rd party apps use OS certs store though.
to repeat: the cert store is for any installed program! this is independent of own cert databases like firefox uses for the web. the difference is windows <> web. in special drivers need a current cert store in windows, otherwise there were rejected if the cert is not valid due an outdated database. and windows need a lot of drivers. another point he missed that some programs need a browser behind, newer programs need edge webview - to say he does not need it will result in failure or issues if he uninstall both. there also exist programs which have its own QTbrowser or chromium/Chromium Embedded Framework (CEF) and use the windows cert store.
Now I get it: before program is executed Windows checks its signature. It is true but impact on compatibility is overblown: I used outdated Windows cert store and didn't have any issues with running my software. There are also offline methods for certificate updates though the easiest requires 1 online Windows system with Windows Update connectivity left intact. Can be a VM.
Pale Moon was updated yesterday. See https://www.palemoon.org/releasenotes.shtml Pale Moon is a fork of Firefox, so it too uses its own cert repository.
I got one answer to my question in the title of this thread: Which firewalls can block Win10 phoning home? It is Fort Firewall. See https://www.wilderssecurity.com/threads/fort-firewall.414325/page-11#post-3161629 Anybody tested another software firewall and achieved success (no boot-time internet/WAN accesses in your router or hardware firewall logs)?
to be exactly: palemoon is a fork of firefox 52 ESR, so its original code is 5 years old, has no improvements, it has single core, it has an outdated javascript engine which is very slow, it has the old and vulnerable XUL, it cannot use extensions from firefox. it does not matter which "update" you drive of palemoon, it remains old and vulnerable, and lack of performance. Moonchild is reversing updates from current firefox and its deprecating XUL components, and XUL is phased out, there will be a moment were XUL is complete removed and Monchild cannot reverse anything. and honestly, you were asking in a security forum, what do you expect? there are pros and cons, but threads like this has more cons. and yes, i have tested and used a lot of software firewalls, sophisticated firewalls, far ahead of fort firewall or similar. and in short, again: forget to tune win10 like win8, you wont have success, and win10 will threaten you with issues.
