There are lots of ways to "skin a cat" so I am looking for opinions and options here. Not everyone will agree with all ideas but I'd like to hear yours.

Scenario: I am booting up a laptop and going to connect to the router on my encrypted private network. I use a VPN tunnel connection on this machine and would like NO exceptions unless I MANUALLY override that configuration. I currently use the machine in question for my surfing and posting activities. However, it has dawned on me that the AV programs, sometimes the Windows OS, etc. will jump on the network's IP directly from my ISP, and some software updates will happen during boot up. Once booted up I click on the VPN client and then I am gone from observation as far as my ISP knows (except they see the server connection - duhhh).

My VPN software client "locks down" the tunnel and removes the default route out of the machine so that a lost connection will NOT allow data up or down except in the tunnel - period. That's all good, but first I have to boot up to gain access to the tunnel. Software updates during bootup are not a huge risk for my threat model, but they are a loose end I'd like to close up if I can do so without huge difficulties. So there is my concern.

I am running Windows and on this machine I am using PrivateFirewall. Recommendations for how to lock down during boot? I know I can turn off auto updates on the software but then I'd have to manually keep triggering the various programs to update. If they were not online until I get in the tunnel it would be much better in my opinion.

How would you recommend locking down the machine during boot up as described above? I will still need internet access to grab the VPN tunnel.