I’ve been meaning to post this from the time I built my Windows desktop. But I keep adding to the list of things I need to configure to get Windows 10 into a ”usable” state for me. Unlike with macOS - for which the default installation is well configured, secure, and pretty much good-to-go - the installation and setup of Windows is extremely painful and a terrible experience. I have to spend hours trying different methods to remove junk, disable telemetry, and secure Windows (and still fail)...
Disclaimer: Don’t do anything mentioned below. Read on at your own risk. Everything below is super dangerous! Hence the use of the word “hack” in the title, although we are really just configuring Windows the way Microsoft may not want most users to.
Installation
- Do not enable Ethernet and do not connect to your Wi-Fi when prompted - without an Internet connection, Windows does not ask for a Microsoft account login.
- Post-install, remove unwanted Windows components with Windows 10 Debloater.
- I also disable most live tiles in the Start Menu, and in many cases I Uninstall directly where possible.
Task scheduler
Even after running the debloater above, I noticed Tasks still present which I disabled:
- OneDrive Standalone Update Task and XblGameSaveTask - I don’t use OneDrive nor do I have an XBox.
- All Nvidia scheduled tasks, e.g. NvBatteryBoostCheckOnLogon and NvTmRep_CrashReport# (also see below).
- Firefox Default Browser Agent task - and/or disable the default browser check in Firefox.
- For the tasks in the Microsoft folder, I disabled what I didn’t think I needed:
  - Under Active Directory, AD RMS Rights Policy
  - Autochk > Proxy
  - All the stuff under CloudExperienceHost, Customer Experience Improvement, Feedback, Flighting
  - DiskDiagnostic > DataCollector since it relates to the Customer Experience Program above (I left the Resolver for S.M.A.R.T. enabled)
  - HelloFace which I don’t use
  - Everything to do with Sync under Input and International
  - LanguageComponentsInstaller
  - Location which I totally disabled where possible
  - Under Management > Provisioning > Cellular and Mobile Broadband Accounts
  - Maps - since I uninstalled Maps, I disable that section too
  - Printing > EduPrintProv - sounds weird
  - Under Shell, the two items related to FamilySafety
  - TimeZone synchronization - quite meaningless for a desktop that does not go anywhere
  - Windows Error Reporting
  - And, also maybe under Windows Orchestrator (more on this later)
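The same clean-up scripted, as an added example that is not from the original post. It disables everything under the task folders named above plus the individually named tasks, skipping the S.M.A.R.T. Resolver; the task paths for the named entries are assumed from the Task Scheduler tree.

```powershell
# Added example, not from the original post: disable the Task Scheduler entries listed
# above in bulk and report what changed. Run from an elevated PowerShell prompt.
# Folder names are matched as prefixes, so 'Customer Experience Improvement' also
# matches the real folder name '...Improvement Program'.
$folders = @('CloudExperienceHost', 'Customer Experience Improvement', 'Feedback',
             'Flighting', 'HelloFace', 'Location', 'Windows Error Reporting')
# Tasks called out by name above; their paths are assumed from the Task Scheduler tree.
$named = @(
    @{ Path = '\';                                  Name = 'OneDrive Standalone Update Task*' },
    @{ Path = '\Microsoft\XblGameSave\';            Name = 'XblGameSaveTask' },
    @{ Path = '\Microsoft\Windows\DiskDiagnostic\'; Name = '*DataCollector*' }   # keeps the Resolver
)

$all = Get-ScheduledTask
$targets = @()
foreach ($f in $folders) {
    $targets += $all | Where-Object { $_.TaskPath -like "\Microsoft\Windows\$f*" }
}
foreach ($n in $named) {
    $targets += $all | Where-Object { $_.TaskPath -eq $n.Path -and $_.TaskName -like $n.Name }
}

# Skip tasks that are already disabled; add -WhatIf to Disable-ScheduledTask to preview first.
foreach ($t in ($targets | Where-Object { $_.State -ne 'Disabled' } |
                Sort-Object TaskPath, TaskName -Unique)) {
    $t | Disable-ScheduledTask | Out-Null
    '{0}{1}: {2} -> Disabled' -f $t.TaskPath, $t.TaskName, $t.State
}
```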
Windows Telemetry
Normally, one would head to the Control Panel / Settings:
- Disable as you see fit in the Privacy section - I mostly turn off everything on-line (Advertising ID, Locally relevant content, Suggested content, Online speech recognition, Send my activity history to Microsoft).
- While here, also have a look at Apps > Startup and similarly under Task Manager > Startup, to disable the undesired.
- Diagnostics & feedback has to be Required diagnostic data at the lowest setting (i.e. level 1 - Required).
However, it may be possible to set the lower level 0 - Security [Enterprise Only] if you are using certain editions of Windows. Microsoft’s documentation says:
“When you configure this setting, no Windows diagnostic data is sent from your device. This is only available on Windows Server, Windows 10 Enterprise, and Windows 10 Education.”
- Run Edit Group Policy, and under Computer Configuration, right-click on Administrative Templates > Filter Options....
- Search for telemetry and then review All Settings.
- Of note is Allow Telemetry; here you can Enable a policy to set it to 0 - Security [Enterprise Only] (the impacted registry location is HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection, where the setting is stored as a DWORD).
- You may of course set other policies as you see fit.
Also in Administrative Templates > System > Internet Communication Management > Internet Communication settings is “Turn off Windows Customer Experience Improvement Program” to enable.
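An added example (not from the original post) that checks what the two policies above and the DiagTrack service are currently set to, and can apply the minimum level. The value names used are the ones Group Policy writes for these two settings (AllowTelemetry and CEIPEnable); the paths are assumed from those policies.

```powershell
# Added example, not from the original post: audit the telemetry policy described above
# and, if wanted, set it. Run elevated. The value names are the ones Group Policy writes
# for "Allow Telemetry" (AllowTelemetry) and for "Turn off Windows CEIP" (CEIPEnable).
$dataCollection = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
$ceip           = 'HKLM:\SOFTWARE\Policies\Microsoft\SQMClient\Windows'

function Get-TelemetryState {
    $allow  = (Get-ItemProperty -Path $dataCollection -Name AllowTelemetry -ErrorAction SilentlyContinue).AllowTelemetry
    $ceipOn = (Get-ItemProperty -Path $ceip -Name CEIPEnable -ErrorAction SilentlyContinue).CEIPEnable
    $svc    = Get-Service -Name DiagTrack -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AllowTelemetryPolicy = if ($null -eq $allow)  { 'not set (edition default applies)' } else { $allow }
        CEIPEnablePolicy     = if ($null -eq $ceipOn) { 'not set' } else { $ceipOn }
        DiagTrackService     = if ($svc) { "$($svc.Status) / $($svc.StartType)" } else { 'absent' }
    }
}

function Set-TelemetryMinimum {
    # 0 = Security; only honoured on Enterprise, Education and Server, other editions treat it as 1.
    param([ValidateRange(0, 1)][int]$Level = 1)
    foreach ($key in $dataCollection, $ceip) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    Set-ItemProperty -Path $dataCollection -Name AllowTelemetry -Value $Level -Type DWord
    Set-ItemProperty -Path $ceip -Name CEIPEnable -Value 0 -Type DWord
    Get-TelemetryState
}

Get-TelemetryState   # run Set-TelemetryMinimum -Level 1 (or 0) to apply
```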
Services
One could also try disabling unused services - as long as one is sure they are not needed. For me, I mostly leave them as-is, except for some services I never want activated, especially if it’s to do with remote access. At minimum, I disable:
- Connected User Experiences and Telemetry (aka DiagTrack)
- Downloaded Maps Manager
- Internet Connection Sharing
- IP Helper (if not using IPv6)
- Network Connected Devices Auto-Setup
- Phone Service
A Google search will give you more information! Alas, Black Viper’s Windows 10 Service Configurations is no longer updated.
Start-up and Background Apps
Startup tasks are easy, everyone by now knows to run Task Manager and disable stuff in the Start-up tab. The old msconfig also points to Task Manager nowadays.
But with Windows 10, there are also Background Apps. I can no longer distinguish what are Services, Scheduled Tasks, startup programs, and Background Apps - so I set Let apps run in the background off, as it is mostly a list of MS crap anyway.
Windows Settings
The easy stuff - set Windows Explorer > Options to your preferences, e.g. View > Open File Explorer To This PC:
- Show hidden files,
- Show extensions, and
- Expand to open folder (why isn’t this the default behaviour?)
There is a way to find most of the settings UIs - via what is referred to as God Mode. Windows has a bad habit of hiding settings everywhere (though Macs are similar in this regard, by hiding menu items behind the Option key... although fans would say that is exactly what the “Option” key is for). Anyway:
- Create a folder,
- Name it GodMode.{ED7BA470-8E54-465E-825C-99712043E01C} (feel free to change the filename, just leave the second part, the GUID after the ., exactly as it is).
- Double click to open it...
Finally, other settings are hidden in the Registry. There are tools to help, but I just do these manually:
- Modify HKEY_CURRENT_USER\Control Panel\Desktop\WindowMetrics to shrink the title bar height as desired:
  - Set CaptionHeight to -15 x pixels, e.g. 18 pixels = -270,
  - Set ScrollWidth and ScrollHeight; the default is -255, and -100 will make it thinner.
- Remove the 3D Objects, Pictures, Music and Videos virtual folders from Windows Explorer, by using RegEdit to delete these keys from two locations for Windows 10 64-bit, where:
  - MS = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace and
  - Wow = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\
| Virtual Folder | MS Keys | Wow Keys |
|---|---|---|
| 3D Objects | {0DB7E03F-FC29-4DC6-9020-FF41B59E513A} | {0DB7E03F-FC29-4DC6-9020-FF41B59E513A} |
| Music | {3dfdf296-dbec-4fb4-81d1-6a3438bcf4de} | {3dfdf296-dbec-4fb4-81d1-6a3438bcf4de} |
| Pictures | {24ad3ad4-a569-4530-98e1-ab02f9417aa8} | {24ad3ad4-a569-4530-98e1-ab02f9417aa8} |
| Videos | {f86fa3ab-70d2-4fc7-9c99-fcbf05467f3a} | {f86fa3ab-70d2-4fc7-9c99-fcbf05467f3a} |
```
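Both registry tweaks above done from PowerShell instead of RegEdit, as an added example that is not part of the original post. The GUIDs and key paths are the ones in the table; the pixel sizes are the post’s own examples.

```powershell
# Added example, not from the original post: apply the two registry tweaks above from
# PowerShell. Run elevated. The GUIDs and paths are the ones in the table; the pixel
# sizes are the post's examples.
$guids = [ordered]@{
    '3D Objects' = '{0DB7E03F-FC29-4DC6-9020-FF41B59E513A}'
    'Music'      = '{3dfdf296-dbec-4fb4-81d1-6a3438bcf4de}'
    'Pictures'   = '{24ad3ad4-a569-4530-98e1-ab02f9417aa8}'
    'Videos'     = '{f86fa3ab-70d2-4fc7-9c99-fcbf05467f3a}'
}
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace',             # MS
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace'  # Wow
)
foreach ($name in $guids.Keys) {
    foreach ($root in $roots) {
        $key = Join-Path $root $guids[$name]
        if (Test-Path $key) {
            Remove-Item -Path $key -Recurse     # add -WhatIf to preview
            "removed $name entry from $root"
        }
    }
}

# WindowMetrics values are strings holding -15 x pixels, e.g. an 18 px title bar = -270.
function ConvertTo-WindowMetric([int]$Pixels) { return [string](-15 * $Pixels) }
$metrics = 'HKCU:\Control Panel\Desktop\WindowMetrics'
Set-ItemProperty -Path $metrics -Name CaptionHeight -Value (ConvertTo-WindowMetric 18) -Type String
Set-ItemProperty -Path $metrics -Name ScrollWidth   -Value '-100' -Type String
Set-ItemProperty -Path $metrics -Name ScrollHeight  -Value '-100' -Type String
# Explorer reads these at logon, so sign out and back in to see the change.
```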
Added 2 Jun 2022:
Speaking of the registry, there are many URL schemes / URL protocol handlers that could be potential exploit vectors, similar to the “Follina” exploit. In Microsoft’s own Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability, since there is no solution, the workaround is to delete the offending URL scheme:
Running Command Prompt as Administrator, delete the scheme ms-msdt:
reg delete HKEY_CLASSES_ROOT\ms-msdt /f
Here is another Microsoft CVE involving the ms-appinstaller URL scheme: Windows AppX Installer Spoofing Vulnerability. Good grief, you would have thought we’d know by now not to permit software installation from random, untrusted web sites?
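Before deleting schemes one by one, it helps to know which handlers are registered at all. The following inventory script is an added example, not from the original post or from Microsoft’s guidance; it relies on the convention that a scheme key carries a “URL Protocol” value and keeps its launcher under shell\open\command.

```powershell
# Added example, not from the original post: inventory the URL scheme handlers registered
# under HKEY_CLASSES_ROOT, so you can decide which ones (ms-msdt, ms-appinstaller, ...) to
# remove. A scheme is any key carrying a "URL Protocol" value; its launcher is in shell\open\command.
function Get-UrlSchemeHandler {
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue |
      Where-Object { $_.PSChildName -notmatch '^\.' -and $_.GetValueNames() -contains 'URL Protocol' } |
      ForEach-Object {
        $cmd = Get-ItemProperty -Path "$($_.PSPath)\shell\open\command" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Scheme  = $_.PSChildName
            Command = if ($cmd) { $cmd.'(default)' } else { '(no shell\open\command)' }
        }
      }
}

# Handlers that run something outside %SystemRoot% or Program Files deserve a closer look;
# the ms-* schemes hand the URL to Windows components, which is how CVE-2022-30190 was reached.
Get-UrlSchemeHandler | Sort-Object Scheme | Format-Table -AutoSize

# PowerShell equivalent of the reg delete above (elevated), once you are sure nothing needs it:
# Remove-Item -Path 'Registry::HKEY_CLASSES_ROOT\ms-msdt' -Recurse
```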
Sleep
My computer was waking from sleep periodically - and being a desktop, it sounds like a jet engine when waking (4 case fans, 1 CPU fan, 1 PSU fan at 100% for a brief moment during boot). I am so used to sleeping my Macs but Windows is so stupid that I nowadays power off every time.
Anyway, one can try to properly “fix” sleeping:
- In Task Scheduler, disable Microsoft > Windows > Update Orchestrator > Reboot_AC / Reboot_Battery and change Security to remove “Write” permissions for everyone, or else Windows will re-enable this! Refer to StackExchange for details.
- Using Edit Group Policy (gpedit), navigate down Computer Configuration > Administrative Templates > Windows Components > Windows Update, and disable “Enable Windows Update Power Management to automatically wake up the system to install scheduled updates”.
- Head over to the Control Panel:
  - Under Power & Sleep > Advanced Power Settings > “Allow Timers on Wake” and set to Disable or Important Timers Only.
  - And under Security and Maintenance > Maintenance, hit Change Maintenance Settings and disable “Allow scheduled maintenance to wake up my computer at the scheduled time” (which is 2 am by default).
If this does not work, and your computer still wakes, try to troubleshoot with (source: HelloTech):
- powercfg /requests (must run Command Prompt as administrator) - list processes preventing sleep
- powercfg /lastwake - show the process or input device that last woke the computer
- powercfg /waketimers (admin) - list wake timers set, e.g. backup, updates, start menu widgets, etc.
- powercfg /devicequery wake_armed - list input devices that wake from sleep, e.g. keyboard, mouse, USB:
Whatever the last command lists may need to have its power management setting changed - search for the offending device (e.g. your mouse) under Device Manager, and under its Properties > Power Management, uncheck “Allow this device to wake the computer”.
Bluetooth
On the topic of power management, I get frequent disconnects when using my bluetooth speakers. Often it happens when I hit pause or stop, or after a time of usage, be it YouTube or VLC. There is something seriously buggy about Microsoft’s Bluetooth implementation, as evidenced by many, many complaints on-line.
Some netizens suggest disabling Power Management from the Bluetooth driver. But Microsoft, in their wisdom, is dumb enough to remove the tab to do exactly this in a recent update. Others suggest adding a new DWORD CsEnabled=0 to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power. I totally messed up my system by re-trying to pair, adding and removing drivers, updating to Intel drivers, etc. And now I have devices named #2 and worse, I have given up using my Bluetooth speakers.
In addition, there is also Fast Startup which may or may not affect Bluetooth. Microsoft is being obtuse, such that Shutdown no longer shuts down the computer, and only Restart really starts a fresh (clean) copy of the OS. But that means it is impossible to shutdown (as the workaround is a restart-shutdown sequence).
Microsoft’s own documentation admits that “Updates may not be installed with Fast Startup in Windows 10” (dated July 2020 and as of March 2021 has not been addressed) - they say “full shutdown only occurs when you restart a computer” but do not tell you how. So stupid. Anyway, I turn it off.
Sigh, moving on...
Nvidia
As mentioned, I disable a bunch of scheduled tasks via Task Scheduler - they are named NvProfileUpdater... or NvTm... depending on the device, per ghacks.net and How-To Geek.
For Services, disabling NVIDIA Display Container LS disables the Nvidia Control Panel (and notification tray icon), while disabling NVIDIA Local System Container disables GeForce Experience.
I don’t touch this, but some people do advise Control Panel > Global Settings:
- Image sharpening = On with GPU scaling
- Low latency mode = On
- Texture filtering = Performance
- Power management mode = Optimal Power (default), as Adaptive does not really do much.
Search the internet for other guides to remove telemetry and login, like this one by BaiGfe.
Users
It is now annoyingly difficult to create local users, as the Settings and Control Panel links all lead to creating an on-line Microsoft account. This is ridiculous!
To create secondary users (e.g. for file sharing or for logging in with least privilege), the workarounds are either:
- creating them from Computer Management under Local Users & Groups, or
- using the CLI net user /add
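The CLI route in PowerShell form, as an added example that is not from the original post: it creates the secondary account and makes sure it ends up as a standard user rather than an administrator. The account name is a placeholder.

```powershell
# Added example, not from the original post: the PowerShell equivalent of "net user /add"
# for a least-privilege secondary account. Run elevated. The account name is a placeholder.
$name = 'fileshare'   # hypothetical account name; pick your own
$pw   = Read-Host -AsSecureString -Prompt "Password for $name"

if (-not (Get-LocalUser -Name $name -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $name -Password $pw -Description 'Limited local account' -PasswordNeverExpires | Out-Null
}
# Standard user only: a member of Users, and never of Administrators.
Add-LocalGroupMember -Group 'Users' -Member $name -ErrorAction SilentlyContinue
if (Get-LocalGroupMember -Group 'Administrators' -Member $name -ErrorAction SilentlyContinue) {
    Remove-LocalGroupMember -Group 'Administrators' -Member $name
}
Get-LocalUser -Name $name | Select-Object Name, Enabled, PasswordLastSet, LastLogon
```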
Firewall and Tamper Protection
A majority of apps make Internet connections nowadays, even when not explicitly told to, so:
- Use netstat -a to list connections and look for those ESTABLISHED to Internet addresses.
- And netstat -b to list the programs making those connections.
Some apps prompt to add firewall exceptions, and I am more interested in locking down Outbound Rules than inbound ones, under the Windows Defender Firewall with Advanced Security wf.msc console. I cannot really make recommendations here, but one could look at enabled Outbound Rules, and change Allow the connection to Block the connection for anything that sounds fishy, say Connected User Experiences Telemetry or Unified Telemetry Client Outbound Traffic...
Speaking of which, I do not trust Microsoft to search the Internet for me via the Start Menu. If you did not get rid of Cortana (does not work in my region anyway), you may want to disable Search online or Cloud content search. Yes I know Spotlight does a similar thing!
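The netstat review and the outbound-rule check above, combined into one script as an added example (not from the original post). The rule name in the final comment is the one quoted above; the private-address regex is my own approximation.

```powershell
# Added example, not from the original post: a PowerShell take on "netstat -b" that lists
# established connections to non-private addresses with their owning process, then shows
# what the enabled outbound firewall rules mentioning telemetry currently do.
function Get-ExternalConnection {
    $private = '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|169\.254\.|::1$|fe80:)'
    Get-NetTCPConnection -State Established |
      Where-Object { $_.RemoteAddress -notmatch $private } |
      ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Process = if ($p) { $p.ProcessName } else { "pid $($_.OwningProcess)" }
            Path    = if ($p -and $p.Path) { $p.Path } else { '(not readable; run elevated)' }
            Remote  = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
        }
      }
}

function Get-TelemetryOutboundRule {
    Get-NetFirewallRule -Direction Outbound -Enabled True |
      Where-Object { $_.DisplayName -like '*Telemetry*' } |
      Select-Object DisplayName, Action, Profile
}

Get-ExternalConnection | Sort-Object Process | Format-Table -AutoSize
Get-TelemetryOutboundRule | Format-Table -AutoSize
# To flip one of those rules to Block, as described above (elevated):
# Set-NetFirewallRule -DisplayName 'Unified Telemetry Client Outbound Traffic' -Action Block
```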
I am in two minds about using Tamper Protection because Microsoft’s logic is all screwed up and the opposite of the way I work! I want to define custom folders to protect where I store documents, photos, etc. BUT I want to allow “My Documents” and other known locations - but this can’t be done. The reason is that “My Documents,” etc. is required by nearly all software and games (even for save games), and for this reason I never keep my files in these locations! They get too messy, and by keeping my files on other drives and in known locations (to me anyway, e.g. X:\Docs or X:\Photos), I can easily back them up. Which brings me to my next gripe:
Other Tracking
As a principle, data sharing should always be opt-in, never an opt-out option - I consider this a dark pattern! I do appreciate that developers do need data for debugging, and I do appreciate “free” is often “ad-supported”... however, that does not imply permission to my “data”, consent to be tracked via personally identifiable tokens, and/or selling said data to other companies.
So, some personal preferences are:
My browser of choice is Firefox with the Multi-Account Containers extension installed and Total Cookie Protection (Strict mode) enabled:
- for example, I use Multi-Account Containers to separate work from personal tabs. I use a container for Google Search and YouTube (un-authenticated / no login), and a separate one when I am logged in for Google mail or drive.
- Under Privacy & Security, disable data collection.
- Disable the scheduled task to check the default browser: about:config > default-browser-agent.enabled = false.
I still use Visual Studio Code (and yes I know VSCodium exists), but I configure it as follows:
- search for and disable telemetry and crash reporter
- similarly disable On-line Services Settings like Experiments and Natural Language Search.
Miscellaneous
I do not like that F11 makes apps full screen, it’s too close to the Backspace and I often hit it by accident. Ditto for F12. My programmable keyboard cannot remap the function keys, nor can SharpKeys, i.e. I can change F11 to Volume Down, but I cannot change Fn+F11 back to F11 (this combination is not sent to Windows; it runs Explorer somehow without sending scan code E0_6B).
But certain applications may have configurations that can help:
For the Command Prompt, the only way to disable the new full screen hotkey is to revert to Use legacy console under Properties.
Other related posts:
- If you want a way to turn off your monitor like I did.
- Or to create your own Start Menu medium tiles.
Updated 21 Mar 21: Disable background apps, SharpKeys... Updated 2 Jun 22: Deleting unwanted URL schemes in the registry, in response to the Zero-Day Follina exploit.