Taming Windows 10

 

by Bob Reite, CBT


Although I have converted most of my machines over to Linux Mint 19, I have found a few programs that I still want to use that just don’t play well on WINE under Linux. If the machines in question were never going to be connected to the Internet again, I would just continue to run Windows 7; however, that is not an option. So I did some research and found ways to disable the bloatware, spying and the forced updates of Windows 10. Once I completed these modifications, I found that Windows 10 actually boots faster than 7 did. So let’s get started! These steps apply if you got a brand new machine with Windows 10 Pro (version 1903, the May 2019 Update) installed or are upgrading from Windows 7 Pro or 8.x Pro.

 

Create a Local User

 

While Microsoft touts the convenience of logging in via a Microsoft account to sync all of your data across several devices, this is a security risk. To force Windows 10 to offer a local account instead, make sure that the machine is not connected to the Internet during setup. If it insists on trying to connect to the Internet, choose “I don’t have Internet”. On the next screen, choose “continue with a limited setup” to go to the local account setup screen.

 

Disable Most of the Spyware

 

Go to the Privacy settings.  You can get there quickly by typing “Privacy” in the search bar at the lower left.  This will bring up Privacy > General.  By default, everything is ON.    Turn everything off here.

Go to Speech. Turn this off so Cortana can’t listen (we will disable Cortana even more later). Next, at Inking & typing personalization, turn this off. At Diagnostic data, turn off everything that you can. However, for Diagnostic data you only have a choice of “Basic” or “Full”. Choose Basic for now. Later, we will do some registry hacking to disable this entirely. Under Activity history, make sure that “Send my activity history to Microsoft” is unchecked. It is up to you if you want to also uncheck “Store my activity history on this device”; I left it checked because I do find this convenient and it’s not really dangerous. Finally, there is a long list to go through, “App permissions”. Go through the whole list and turn everything off. The only categories that you might want to grant some permissions to are Pictures and Videos, as you might want to use some of the listed applications to view these files. One setting that will go a long way towards speeding up your machine is to turn off “Let apps run in the background”. If some apps you use won’t work correctly unless they are allowed to run all of the time, you can enable just those.

 

 

Get Rid of Bloatware

 

Much of the bloatware can be uninstalled by right-clicking it and choosing “Uninstall”. This works for Get Office, Get Skype, Get Started, Microsoft Solitaire Collection, Money, News, Phone Companion, and the Sports apps. However, some apps do not have the “Uninstall” option. For those, you can use either a paid third-party program such as CleanMyPC, or PowerShell. While not as dangerous as registry editing, it would still be a good idea to back up the computer before going further.

Open PowerShell as administrator: hit Windows+X, then choose the Windows PowerShell (Admin) option from the menu. Then type in these commands for the respective programs:

 

Uninstall 3D Builder:

Get-AppxPackage *3dbuilder* | Remove-AppxPackage

Uninstall Alarms and Clock:

Get-AppxPackage *windowsalarms* | Remove-AppxPackage

Uninstall Calculator:

Get-AppxPackage *windowscalculator* | Remove-AppxPackage

Uninstall Calendar and Mail:

Get-AppxPackage *windowscommunicationsapps* | Remove-AppxPackage

Uninstall Camera:

Get-AppxPackage *windowscamera* | Remove-AppxPackage

Uninstall Contact Support:  Cannot be removed

Uninstall Cortana:  Cannot be removed, we’ll deal with Cortana with some registry tweaks.

Uninstall Get Office:

Get-AppxPackage *officehub* | Remove-AppxPackage

Uninstall Get Skype:

Get-AppxPackage *skypeapp* | Remove-AppxPackage

Uninstall Get Started:

Get-AppxPackage *getstarted* | Remove-AppxPackage

Uninstall Groove Music:

Get-AppxPackage *zunemusic* | Remove-AppxPackage

Uninstall Maps:

Get-AppxPackage *windowsmaps* | Remove-AppxPackage

Uninstall Microsoft Edge: Can’t be removed, but if you don’t want people using it, just delete the shortcut.

Uninstall Microsoft Solitaire Collection:

Get-AppxPackage *solitairecollection* | Remove-AppxPackage

Uninstall Money:

Get-AppxPackage *bingfinance* | Remove-AppxPackage

Uninstall Movies & TV:

Get-AppxPackage *zunevideo* | Remove-AppxPackage

Uninstall News:

Get-AppxPackage *bingnews* | Remove-AppxPackage

Uninstall OneNote:

Get-AppxPackage *onenote* | Remove-AppxPackage

Uninstall People:

Get-AppxPackage *people* | Remove-AppxPackage

Uninstall Phone Companion:

Get-AppxPackage *windowsphone* | Remove-AppxPackage

Uninstall Photos:

Get-AppxPackage *photos* | Remove-AppxPackage

Uninstall Store:

Get-AppxPackage *windowsstore* | Remove-AppxPackage

Uninstall Sports:

Get-AppxPackage *bingsports* | Remove-AppxPackage

Uninstall Voice Recorder: I personally would keep this, but the uninstall instructions are included for completeness.

Get-AppxPackage *soundrecorder* | Remove-AppxPackage

Uninstall Weather:

Get-AppxPackage *bingweather* | Remove-AppxPackage

Uninstall Windows Feedback:  Cannot be removed.

Uninstall Xbox:

Get-AppxPackage *xboxapp* | Remove-AppxPackage

 

Note that some of this bloatware or even a new annoyance may come back to haunt you after a major update, so you may have to do it again.
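Because the removals may need repeating after a major update, and because a wildcard such as *people* or *photos* can match more than the one app you meant, it helps to see exactly what each pattern matches before removing anything. The following is an added example, not part of the original article: the function name Find-ArticleBloatware is hypothetical, and the patterns are the ones listed above. Run it in the same elevated PowerShell window.

```powershell
# Added example (not the author's): audit the app patterns from this article.
# By default it only reports; -Remove uninstalls, and -Remove -WhatIf previews.
function Find-ArticleBloatware {    # hypothetical name
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([switch]$Remove)

    # Patterns copied from the commands in the article
    $patterns = '3dbuilder', 'windowsalarms', 'windowscalculator',
        'windowscommunicationsapps', 'windowscamera', 'officehub', 'skypeapp',
        'getstarted', 'zunemusic', 'windowsmaps', 'solitairecollection',
        'bingfinance', 'zunevideo', 'bingnews', 'onenote', 'people',
        'windowsphone', 'photos', 'windowsstore', 'bingsports',
        'soundrecorder', 'bingweather', 'xboxapp'

    foreach ($p in $patterns) {
        $found = @(Get-AppxPackage -Name "*$p*")
        if ($found.Count -eq 0) {
            [pscustomobject]@{ Pattern = $p; Package = $null; Status = 'not installed' }
            continue
        }
        foreach ($pkg in $found) {
            $status = 'installed'
            if ($Remove -and $PSCmdlet.ShouldProcess($pkg.PackageFullName, 'Remove-AppxPackage')) {
                try {
                    Remove-AppxPackage -Package $pkg.PackageFullName -ErrorAction Stop
                    $status = 'removed'
                } catch {
                    # Some matches are system components that refuse removal
                    $status = "failed: $($_.Exception.Message)"
                }
            }
            [pscustomobject]@{ Pattern = $p; Package = $pkg.Name; Status = $status }
        }
    }
}

# Report only; nothing is changed by this call
Find-ArticleBloatware | Format-Table -AutoSize
```

Run Find-ArticleBloatware -Remove -WhatIf to preview the removals, and drop soundrecorder (or any other pattern) from the list if you want to keep that app.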

 

Delving Deeper

 

At this point, we have gone about as far as we can without some registry hacking. Before touching the registry, take a full backup of the machine! As a bare minimum, create a new restore point. In the search box, type “Recovery”. That will bring up a page that has a “Configure System Restore” link. Go there. Hopefully you already have your main disk (usually C:) set up; if not, do it now. Click “Create” to take a snapshot of your system as it stands now. Note that this does not back up data files or user-installed programs, just the operating system and registry settings, which we are going to modify next. While you are in this window, go ahead and create a recovery drive, just in case the machine becomes unbootable due to a typing mistake. You’ll need a flash drive with at least 16 GB capacity. Needless to say, the BIOS must be capable of being set to boot from USB, but modern computers have the capability.

 

Silence Cortana

 

 

Unfortunately, you cannot just kill and delete the Cortana process entirely, as it is also used for the text bar search, which is really nice to have. So here is how to get rid of the annoyance without losing the functionality that is needed.

 

Step 1:  Paste the following text into Notepad, making sure that there are two line breaks at the end.

 

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search]

"AllowCortana"=dword:00000000

"AllowCortanaAboveLock"=dword:00000000

"AllowSearchToUseLocation"=dword:00000000

"DisableWebSearch"=dword:00000001

"ConnectedSearchUseWeb"=dword:00000000

"ConnectedSearchUseWebOverMeteredConnections"=dword:00000000

 

Save as "disable cortana machine.reg" (including the quotes)

 

Right-click this file and “Run as Administrator”. This will modify the registry automatically as shown.

 

Step 2:  Into a new Notepad document paste this:

 

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search]

"CortanaConsent"=dword:00000000

"AllowSearchToUseLocation"=dword:00000000

"BingSearchEnabled"=dword:00000000

Save as "disable cortana user.reg"

Right-click this file and “Run as Administrator”. If you have more than one user on the machine, do this while logged in as each user in turn.

 

Block Forced Updates

 

Although version 1903 of Windows 10 does allow you to ‘postpone’ updates for up to a week, you have to remember to keep doing it. It would be much better to have it set up like you could in Windows 7, with the option of “Let me know when updates are ready, but I’ll choose when to download and install them.” That way, you can wait a week or so to see if the most recent update is faulty, as happened a year or so ago with an update that turned half the computers that ran it into a brick. Oddly enough, the Enterprise edition gives the choice as an administrator menu option, but the Professional edition does not, much less the Home edition. So it is time for more registry tweaks:

 

1. Use the Windows key + R keyboard shortcut to open the Run command.

2. Type regedit, and click OK to open the Registry.
Browse the following path:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows

3. Right-click the Windows (folder) key, select "New" and then click "Key".

4. Name the new key "WindowsUpdate" and press "Enter".

5. Right-click the newly created key, select "new", and click "Key".

6. Name the new key AU and press Enter.
Inside the newly created key, right-click on the right side, select "New", and click on "DWORD (32-bit) Value".

7. Name the new value AUOptions and press Enter.
Double-click the newly created value and change its data to 2. It's for "Notify for download and notify for install". Click "OK".

8. Close the Registry to complete the task.

 

To make sure that it “took”, reboot the machine.  Once back at the desktop, type “updates” in the search box, then click Check for Updates to see the Windows Update window.   You should see in red the following: “*Some settings are managed by your organization”.  Clicking on “View Configured Update Policies” will show “Notify to download updates”.

 

Totally Disable Data Collection

 

Remember that you only had a choice of “Basic” or “Full” data collection?   We are going to fix that now.

 

Run Regedit

 

1. Go to the following Registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection

If you do not have such a Registry key, then just create it.

2. There you need to create a new 32-bit DWORD value named AllowTelemetry and set it to 0.

 

Next you will have to disable some services.  In the search box, type “Services” then run the Services app as administrator.

 

Look for:

 

Diagnostics Tracking Service
dmwappushsvc

 

On some machines you might find it as:

 

Connected User Experiences and Telemetry
dmwappushsvc

 

Don’t worry if you can’t find dmwappushsvc; it is not present on all machines. In any case, change the startup type on the ones that you do find to “Disabled”.
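Since major updates can undo these changes, a quick read-only check of every registry value and service setting from the Cortana, Windows Update and data collection sections saves walking through regedit again. This is an added example, not part of the original article: the function name Test-ArticlePolicy is hypothetical, and the keys, values and service names are the ones given above.

```powershell
# Added example (not the author's): report whether the article's settings are in place.
# Read-only. HKCU values are checked for the currently logged-in user only.
function Test-ArticlePolicy {    # hypothetical name
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows'
    $expected = [ordered]@{
        "$pol\Windows Search" = @{
            AllowCortana = 0; AllowCortanaAboveLock = 0; AllowSearchToUseLocation = 0
            DisableWebSearch = 1; ConnectedSearchUseWeb = 0
            ConnectedSearchUseWebOverMeteredConnections = 0
        }
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Search' = @{
            CortanaConsent = 0; AllowSearchToUseLocation = 0; BingSearchEnabled = 0
        }
        "$pol\WindowsUpdate\AU" = @{ AUOptions = 2 }
        "$pol\DataCollection"   = @{ AllowTelemetry = 0 }
    }
    foreach ($path in $expected.Keys) {
        foreach ($name in $expected[$path].Keys) {
            $want = $expected[$path][$name]
            $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
            $have = if ($item) { $item.$name } else { $null }
            $state = if ($null -eq $have) { 'missing' } elseif ($have -eq $want) { 'ok' } else { 'differs' }
            [pscustomobject]@{ Item = "$path\$name"; Expected = $want; Actual = $have; State = $state }
        }
    }

    # Services: one is looked up by service name, the others by the display
    # names the article gives; services that do not exist are skipped.
    $services = @(Get-Service -Name 'dmwappushsvc' -ErrorAction SilentlyContinue) +
        @(Get-Service -DisplayName 'Diagnostics Tracking Service',
            'Connected User Experiences and Telemetry' -ErrorAction SilentlyContinue)
    foreach ($svc in $services) {
        $state = if ($svc.StartType -eq 'Disabled') { 'ok' } else { 'differs' }
        [pscustomobject]@{
            Item     = "service $($svc.Name) ($($svc.DisplayName))"
            Expected = 'Disabled'
            Actual   = "$($svc.StartType)"
            State    = $state
        }
    }
}

Test-ArticlePolicy | Format-Table -AutoSize -Wrap
```

Run it once per user account to cover the per-user Cortana values. Note that Microsoft documents the AllowTelemetry value 0 as honored only on Enterprise, Education and Server editions; other editions treat it as 1 (Basic), so an "ok" on that row for a Pro machine confirms the registry value, not that collection is fully off.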

 

Final Analysis

 

It took about three hours to figure this out the first try; subsequent machines took under an hour each once I knew what to do. One unsolved mystery is why the computer kept trying to make encrypted connections to an IP address owned by Microsoft listed as “Azure”. Perhaps it was trying to connect to OneDrive, even though I said “no” to that option, or perhaps it was checking for updates.

 

On one computer I set up a firewall rule to block all traffic in and out from known Microsoft IP addresses. Once I did that, the mystery packets stopped. However, after doing that I could not get files that people wanted to share with me using OneDrive, nor connect to any site hosted by Microsoft.

 

Bob Reite operates his contract engineering firm, Telecentral Electronics, Inc. servicing radio stations in Pennsylvania and New York state and may be contacted at br@telcen.com