Microsoft has gone to great lengths to foster adoption of its Windows 10 operating system, and for good reason. In addition to it likely being one of the best iterations of the Windows OS in a long time--with better security, support for DX12 and host of other features--it’s clearly also a platform for MSFT to better track its customer base for myriad of reasons. Many, including our team here at HotHardware, have droned on about some of the privacy concerns with Windows 10 and we even showed you how to keep Redmond’s nose out of your private bits here as well. Further, even Microsoft has reacted, offering significantly more advanced privacy controls in the recent Windows 10 Creators Update. However, according to veteran security analyst and Windows expert Mark Burnett, even a very restricted setup of Windows 10 Enterprise Edition, doesn’t go far enough to keep Windows 10 from phoning home to MSFT’s mother ship with your data.
Burnett details a very specific and highly controlled installation of the Microsoft OS where he sets up Windows 10 Enterprise Edition in a virtual machine and adds NIC (Network Interface Card) tracing, then lets the machine sit untouched overnight. The kicker is he also installed the Windows Restricted Traffic Limited Functionality Baseline to the OS before connecting it to the Internet (see here). For reference, this is a Microsoft-built configuration for Windows 10 that shuts down much of the tracking functionality, but according to Burnett, not all. The ramifications here reach far beyond just a single user and in fact HIPPA compliance organizations in the US recommend this Restricted Traffic configuration to avoid personal health privacy violations with Windows 10 in health care. According to Burnett, a 7 time Microsoft MVP, it’s very easy to get confused with how to properly disable basic privacy settings for things like telemetry. It’s further noted that though the Windows Restricted Traffic Limited Functionality Baseline config does cut back on tracking data being pushed back to the Microsoft cloud significantly, it does not block everything.
Even according to Microsoft’s documentation on this specific security level, it does still gather telemetry info on the programs you run, app diagnostics, Windows DRM, Microsoft Office and what the Mail and Calendar apps have access to. On the flip side, this highly restricted setup still allows Microsoft OneDrive nag screens to get through, though Windows Updates are disabled, presumably because in this configuration for the enterprise, your company IT department would likely manage these for you.
To make matters worse, if you don’t have Windows 10 Enterprise Edition, the most you can do is turn the OS down to basic telemetry, which still allows Microsoft gather a certain amount of data on your machine and its use. Not to mention, many less-savvy users probably have telemetry and other Windows tracking features set to maximum default levels, because Microsoft’s OS is quick to point out any reduced functionality concerns with apps, should you turn its tracking features off.
Burnett underscores that "You are opted-in to just about everything by default and have to set hundreds of settings to opt out, even on an Enterprise Windows system. Sometimes multiple settings for the same feature. Most Microsoft documentation discourages opting out and warns of a less optimal experience. It’s almost like they don’t want you to opt-out.”
And of course Redmond doesn’t want you to opt out. In this day and age where operating systems are more than just software to control devices and give users a UI to work with, the big players like Microsoft, Google and Apple all leverage their software to lock the user into their ecosystem in order to sell more product and services to them. It’s by design and on some levels it does improve the user experience and platforms as a whole as well. The problem is, where do you draw the line on privacy at the expense of services and functionality? That’s likely a personal decision for most users and we’ll put away our tinfoil hats for now. However, either way, it’s always best to be fully informed of exactly what you’re sharing for data, and with whom you’re sharing it with.