Microsoft responds to claims that Windows 10 Enterprise is ignoring group policy privacy settings

Microsoft's response to Windows 10 Enterprise group policy privacy setting claims? Don't mess with the settings!

Microsoft has responded to claims that its Windows 10 Enterprise operating system is leaking information in direct contradiction of group policy settings - and potentially undermining the operating system for use in secure environments.

In a statement (see below), it claimed that organisations shouldn't "turn off settings", even though this is required of many applications in order to achieve, for example, PCI-DSS compliance.

Security researcher Mark Burnett (@m8urnett) posted the results of tests on Windows 10 Enterprise he conducted on a virtual machine in a series of tweets over the weekend.

In the tweets, he uses a packet sniffer to show that with Teredo IPv6 disabled, the system still checks for IPv6 connectivity. SmartScreen is also disabled, but it still connects. Telemetry is disabled, but still connects. Error reporting disabled. Still connects. Sync-related services all disabled at a group level. Still connects.

And so on.

With online KMS validation disabled, it still connects. Even with all connections except Updates to Microsoft blocked, it nevertheless connects to a range of ad servers. Burnett confirms that all these calls are made by Windows 10, not by any apps.

"So it seems," he goes on, "like Microsoft doesn't even honour its own Group Policy settings," before warning: "But the big problem here is that people will use third-party apps to block all this and inadvertently block security-related stuff."

For an encore, Burnett deleted the new Paint 3D system app, which he is entitled to do, and found that the system restored it and even surreptitiously added a firewall rule allowing it network access.

Other users have also corroborated Burnett's experience, with users of ycombinator sharing their Windows 10 research.

One user, 'Donkeychan', said: "MS Support consistently and repeatedly told me that Enterprise allowed me to disable this stuff. If I can't control the egress then I can't verify PCI compliance.

"I've already had to revert a client to Win 7 because they failed a PCI compliance audit using Win 10 Enterprise [our emphasis]. Which, by the way, is very expensive for small businesses.

"Win 10 Enterprise isn't viable for business. I have a bunch of small business clients and I've had to use a whitelist firewall to pass PCI compliance. Someone said here that a whitelist firewall is borderline unusable. I've sunk so much time into that solution and I can attest, it's not viable."

'Sathackr' added: "I went through the same thing last year. I spent two months trying to plug all the holes in the enterprise version, for a medium sized healthcare client, and eventually gave up.

"The LTSB edition looks promising but I haven't put it under the microscope yet."

Author's opinion:
Windows 10 has been subject to repeated warnings that it can undermine privacy, but this research indicates that it may be actively undermining users' settings.

The fact that this is happening on Windows 10 Enterprise should be a particular concern.

Microsoft is relying on businesses to switch en masse from Windows 7 to Windows 10, which currently has less than half the market share of its combined predecessors, and is running well short of the targeted two billion machines in the first two years.

To adopt Windows 10, organisations will need to have faith in the operating system, and revelations like this will not help.

We've asked Microsoft for their response, but haven't yet received an explanation.

UPDATE: Microsoft has responded to the claims with the following statement: "Enterprise users are able to configure the necessary settings to achieve zero emissions and we provide guidance and actual script to configure their systems. We don't recommend turning off the settings as it disrupts user experiences and security.

"We give our customers a number of choices to help manage telemetry settings for an enterprise environment and how to confirm these settings."