

[–] arrggg 0 points 75 points (+75|-0) ago 

Yes, they are lying. You cannot stop the Enterprise LTSB version from making connections out either. This is easily proven with Wireshark.


[–] lbruiser 0 points 4 points (+4|-0) ago  (edited ago)

making connections out either

Firewall rules. As far as Enterprise goes, WSUS, and you manually check updates first. However, I am not working in a Win10 environment (yet), so I might be wrong. Currently we are blocking telemetry updates, the sites that do call out (from telemetry) just in case, and are going through each update (we always did anyway) that gets pushed from our servers.

E: it seems like I may have been a little unclear. I mean a physical firewall. Not the software one Microsoft bundles their OS with.


[–] SeraCharm 0 points 3 points (+3|-0) ago 

Some IPs cannot be blocked on Windows; this is a 'feature' to get around malware blocking access to Windows Update and other stuff. You have to block these Microsoft domains at the network level.


[–] OhBlindOne 0 points 2 points (+2|-0) ago 

You cannot block any of Microsoft's telemetry-gathering IPs from within the OS. You'd have to block it all outside of the OS, such as through your router.


[–] gottobekind 0 points 2 points (+2|-0) ago 

This can't be blocked via local hosts.conf, IP/port blocking, or various other router- or software-based blocking? I'm sure it has all been tried, but I'm completely out of the loop on this issue. Thanks in advance for any insights!


[–] arrggg 0 points 7 points (+7|-0) ago 

I spent a few hours trying to lock down Windows 10 Enterprise LTSB, just to see if it was possible. Using all the currently available scripts for disabling features, turning off all monitoring and updating via GUI and GPO, disabling Defender\Cortana\updates, disabling the App Store, disabling IPv6, changing to OpenDNS, and blocking all known Microsoft hosts via the hosts file and routing table, it was still making connections out to Microsoft servers.

It got around a 200-IP hosts-file and routing-table block list to make those connections. Spynetus was supposed to be Windows Defender updates, but Defender was disabled by GPO and the process was not active. It is also weird that it was connecting to addresses.

This is acting like malware, trying to deliver info even if multiple routes are blocked.
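The claim above (and the Wireshark remark earlier in the thread) is that hosts-file and routing-table blocks were silently bypassed. Checking that from a capture can be automated: the script below is an added example, not code from anyone in the thread; it reads a hosts-file style block list and a list of null routes, then reports every observed connection (destination IP plus the TLS SNI or DNS name seen for it, as exported from a capture) that should never have left the machine. All hostnames, IPs and ranges are constructed placeholders.

```python
import ipaddress

# Hosts-file style block list (constructed example; names are placeholders)
HOSTS_BLOCKLIST = """
# comments and blank lines are ignored
0.0.0.0 telemetry.example-vendor.test
0.0.0.0 settings.example-vendor.test
"""

# Null routes added to the local routing table, as CIDR (constructed example)
ROUTE_BLOCKLIST = ["198.51.100.0/24"]

# Connections exported from a packet capture: (destination IP, TLS SNI or
# DNS name seen for that IP, or None when no name was observed). Constructed.
CAPTURE = [
    ("198.51.100.7", "telemetry.example-vendor.test"),
    ("203.0.113.10", "settings.example-vendor.test"),
    ("203.0.113.22", None),
    ("192.0.2.5", "docs.example.test"),
]


def parse_hosts(text):
    """Return the set of hostnames a hosts file sinks to 0.0.0.0/127.0.0.1."""
    blocked = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        if addr in ("0.0.0.0", "127.0.0.1"):
            blocked.update(n.lower() for n in names)
    return blocked


def audit(capture, hosts_text, routes):
    """List (ip, name, reason) for connections that a block should have stopped.

    A name on the block list seen in a real connection means the client did not
    use the hosts file to resolve it (hard-coded IP or its own resolver). A
    destination inside a null-routed prefix seen on the wire means the local
    routing table was not consulted for that traffic.
    """
    blocked_names = parse_hosts(hosts_text)
    nets = [ipaddress.ip_network(r) for r in routes]
    findings = []
    for ip, name in capture:
        if name and name.lower() in blocked_names:
            findings.append((ip, name, "hosts-file entry bypassed"))
        if any(ipaddress.ip_address(ip) in n for n in nets):
            findings.append((ip, name, "null route bypassed"))
    return findings
```

Run it against your own export and an empty result means the blocks held; any line it prints is a connection to verify on the network firewall instead, which is the only place the other replies agree it can be enforced.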