Just found this guide and decided to post it here, maybe someone can find it useful: https://fdossena.com/?p=w10debotnet/index_1709.frag It makes use of a small open source tweak tool called install_wim_tweak.exe; I don't know if someone knows it.
Some of them seem dangerous. Deleting services instead of disabling them? Personally I wouldn't do it.
Yeah, I agree... also deleting Windows Defender looks a bit too much... I may give it a try about: removing features (pre-installed apps), removing OneDrive and removing scheduled tasks.
A nice guide, it covers the basics. Obviously a full system backup is recommended prior to any changes. I have grabbed a few tweaks from there. Windows keeps re-enabling some services at will, removing them should prevent it. It is the user's choice, not surprising considering how badly WD affects the OS, and most guides only show how to disable the icon, not the services. But I prefer to fully disable it rather than to remove it.
Except that is just not true. WD has matured into an excellent solution. And it keeps maturing and getting better and better. Forums are full of cases where users got rid of performance issues just by uninstalling their 3rd party security (or at least their real-time components) and going back to WD. I am not saying WD is the best solution out there. Just that it is not bad - as many portray it to be. And for the record, Microsoft and many 3rd party providers have gone to extremes to ensure running Windows Defender alongside the 3rd party app will NOT cause conflicts or significantly impact performance. Some systems with limited resources may see some performance hit - but that is to be expected when running any additional program that uses RAM and CPU resources.
I don't like that either, they should just respect users' decisions. Even though I still wouldn't "feel good" deleting them.
Fully agree with that statement and every other statement in this Thread that disagrees with the Link in the Original Poster's Post. That Link: "Windows 10 Privacy Guide - Fall Creators Update" is very effective and will do exactly what it claims, however, remember, any reduction in security, especially with built-in security, escalates the threat potential and widens the threat landscape.

The safest way to overrule Microsoft's persistence to re-enable some Services and/or Settings is to use the built-in tools provided for the End User by Microsoft in order to do so. Those built-in tools are the 'Predefined Rules' within the Windows Defender Firewall. Those Predefined Rules are/include:

The default outbound and inbound rules
The default Predefined rules listed when creating new outbound or inbound rules
The default list of Application Packages
The default List of Services
And.....here goes.....The default Allow All Outbound and Block All Inbound

For example, if one does not want "Connected User Experiences and Telemetry" connecting Outbound or Inbound, simply BLOCK the outbound connection by modifying the rule for outbound connections, and BLOCK the inbound connection by modifying/or deleting the rule for inbound connections. The name of the predefined rule is 'DiagTrack' and can be found in the list of predefined rules when creating New Rules. If 'DiagTrack' does not exist in the outbound and/or inbound rules simply RE-CREATE it by choosing 'New Rule'/'Predefined'/'DiagTrack' and choose BLOCK for outbound and BLOCK for inbound, or do not create the inbound rule.

The End User should ONLY RE-CREATE rules using the Default Predefined Rules List, or the Default Applications List, or the Default Services List. The End User has NO REASON to CREATE NEW RULES from SCRATCH other than for rules regarding personal installed programs, such as the CCleaner emergency updater for example.
Outbound Rule to Block CCleaner emergency updater

NEW RULE = Outbound
NAME = CCleaner emergency updater (CCUpdate.exe - Out)
PROGRAM = C:\Program Files\CCleaner\CCUpdate.exe
ACTION = Block the connection

With this rule the CCleaner emergency updater Task will fail to connect outbound regardless of whether the Task is Enabled, Disabled, or Deleted, as AVAST will always re-create the TASK every time new updates install. This is a cleaning tool for Windows, and not perimeter security software, even though it provides security by cleaning sensitive files. AVAST'S CCUpdater.exe violates my perimeter security if allowed to forcibly install updates being it is NOT security software and NOT actively protecting the perimeter or networks edge.

In regards to Microsoft Windows Defender Virus & Threat Protection. I strongly recommend leaving and using Windows Defender at the DEFAULT SETTINGS! However, for diamond heads, instead of disabling Windows Defender, SUSPEND Windows Defender. WHEN Windows Defender Virus & Threat Protection is suspended, Windows Defender Real-time protection is disabled, but Windows Defender Cloud-delivered protection and Automatic sample submission is still enabled and can be toggled on/off within the Windows Defender Security Center. Furthermore, Windows Defender can still be used as a Stand Alone Scanner utilizing all of its scans, including Offline scans. Note that during Windows Manual or Automatic Updates the Virus Definitions will not be updated when Windows Defender is suspended. But who knows in the background. Suspending Windows Defender is equivalent to installing third party antivirus and the end user will be prompted accordingly to accept periodic scans and setup Cloud-delivered protection. This can be toggled on/off at any time in Windows Defender Security Center.

You MUST reboot after performing the following Registry entry and it may or may not take some time to start receiving notifications in regards to the change.
SUSPEND WINDOWS DEFENDER IN CREATORS UPDATE:
Go to: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
Create New DWORD (32-bit) Value in right pane and name it DisableAntiSpyware (this is what third party antivirus does)
Change its value data to 1 to suspend Windows Defender (0 = No 1 = Yes)
To revert the suspension delete the DWORD DisableAntiSpyware & reboot (again, may take some time after reboot to stabilize)

SUSPEND CORTANA AND RESTORE WINDOWS SEARCH IN CREATORS UPDATE:
Go to: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows
Create new Key: Windows Search
Create new DWORD (32-bit) Value: AllowCortana
Set value to: (0) as-is
Reboot Computer
To restore: Delete Key Windows Search

Modify the outbound rule for Cortana to BLOCK
If the outbound rule for Cortana does not exist RE-CREATE it by using predefined rule.
First start a new outbound rule and Choose 'Custom'
Just step through the wizard accepting all of the defaults and choose the default to BLOCK
Name the Rule = Cortana [Package] (Out)
Now right-click the new rule for Cortana [Package] (Out) and choose 'Properties'
Left-click the 'Programs and Services' Tab
Under the heading 'Application Packages' left-click the 'Settings' button
Left-click 'Apply to this application package' radio button (the third one down)
Choose: Microsoft.Windows.Cortana_cw5n1h2txyewy (your device name/and account name will appear to the right)
Left-click Apply then Left-click OK
Reboot and notice that the icon for Cortana in the Taskbar turns into a magnifying glass allowing one to search WINDOWS ONLY without Cortana accessing the Internet.
In Settings/Search turn off 'Windows Cloud Search' and 'My Device History' - Click the button 'Clear my device history'

Now remember, this rule is orphaned because we have suspended Cortana and there is nothing to block out. This rule exists as a "safety net" in case Cortana becomes unsuspended for whatever reason/s.

This was a long Post and I am now tired.....later.
-HKEY1952
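A read-only check of the settings the post above describes, as an added PowerShell example that is not part of the original post: it reports the two policy values, the per-profile firewall defaults, and any enabled outbound block rule that targets the CCUpdate.exe path given in the post. The function names are hypothetical, and an elevated PowerShell session with the built-in NetSecurity module is assumed.

```powershell
# Added example (not from the post). It only reads state; it changes nothing.
$defenderKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$searchKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
$ccUpdate    = 'C:\Program Files\CCleaner\CCUpdate.exe'   # path as given in the post

function Get-PolicyDword {
    # Hypothetical helper: returns the DWORD, or $null when the key or value
    # is absent (the state the post calls "reverted").
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-OutboundBlockRuleForProgram {
    # Hypothetical helper: enabled outbound Block rules whose program filter
    # resolves to $ProgramPath. Rules made in the GUI may store the path with
    # environment variables (%ProgramFiles%\...), so expand before comparing.
    param([string]$ProgramPath)
    Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        Where-Object {
            $filter = $_ | Get-NetFirewallApplicationFilter
            [Environment]::ExpandEnvironmentVariables([string]$filter.Program) -ieq $ProgramPath
        }
}

$blockRules = @(Get-OutboundBlockRuleForProgram -ProgramPath $ccUpdate)

[pscustomobject]@{
    # 1 = Defender "suspended" by policy as described in the post; $null = value not set
    DisableAntiSpyware = Get-PolicyDword -Path $defenderKey -Name 'DisableAntiSpyware'
    # 0 = Cortana turned off by policy; $null = value not set
    AllowCortana       = Get-PolicyDword -Path $searchKey -Name 'AllowCortana'
    CCUpdateBlockRules = ($blockRules | ForEach-Object { $_.DisplayName }) -join '; '
}

# Per-profile defaults; the post refers to Allow outbound / Block inbound.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
```

An unexpected `DisableAntiSpyware = 1` on a machine where nobody set it deliberately is worth investigating, since it means real-time protection has been turned off by policy.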
This is a "cleaning for good" guide, so if users are worried about deleting stuff, they should move away from it. Anyway, those willing to do it should obviously make a backup before. About the "opt-out" for Wi-Fi, just setting MAC address filtering on the router is more efficient.
By default I block all inbound/outbound and I also remove all rules every day (then add mine), just to make sure that all rules created, by whatever, are gone.
So, you mean, WD can be used as a cloud-only AV, without the need to download database signatures? If you set WD this way, can you use attack surface reduction and network protection (which require WD to be working)? EDIT Just tried and it's not true. Maybe if you only have WD as security SW you can do that, but if you have another AV installed and WD suspended, then WD options can't be set (only the offline scan can). Check also this article https://docs.microsoft.com/en-us/wi...irus/windows-defender-antivirus-compatibility
It's a privacy guide. It is not a hardening/security guide. Antivirus products are bad for privacy, but for some users it can increase security at the same time. I have similar goals as I stated in my thread. IMHO some changes, such as changing privacy settings, should be made before connecting Windows 10 to the Internet and downloading updates. It means offline installation and being offline during first boot.
New guide for the upcoming Spring Creators Update https://fdossena.com/?p=w10debotnet/index_1803.frag
Is there a way to upgrade to newer Windows 10 release from previous release offline? I mean i.e. upgrade Redstone 3 to Redstone 4 done completely offline.
That guide is meant for users who have already upgraded to Spring Creators Update. In my signature you can see the link to the guide made for Fall Creators Update
You can use the Windows 10 Update Assistant https://support.microsoft.com/en-us/help/3159635/windows-10-update-assistant Anyway, you'll need an internet connection to download the files, but you can choose to install them later and perhaps you can do it offline (not sure though). Otherwise you have to wait for a while after the official release and check for dedicated packages, for example these http://www.softpedia.com/publisher/Phoenix-Notebookreview-com-102028.html
What if I just put DVD/pendrive with newer Windows 10 installer? Would Win 10 installer recognize I am using Windows 10 and offer upgrade instead of clean install? I don't use Win 10. This knowledge may be useful for me in the future.