A 'private as can be' Windows Install

So I am not the strictest privacy zealot out there, but I'm making strides. Most every privacy enthusiasts choice in machine would be something running Linux, then maybe a Mac, and at the bottom of the barrel is a Windows machine. So my dilema is that my favorite machine I have is a Surface Laptop 3. I really love the thing and it doesn't run Linux, well at least without some heavy kernel tweaking. So I'm going to reload the thing and be as privacy conscious as I can be while still maintaining as many of the bells and whistles of normal userdom I can.

First thing to tackle is the fact that a Windows machine loses quite a bit of functionality if you don't have a Microsoft account. Biggest thing is the use of their store. The next biggest loss is if you wanted to use any of the insider stuff. So I'm tackling this doing the following.

  • I created a fresh Microsoft account with it's own non-Microsoft email. (You could create a completely anonymous one with a sock-puppet if you want to really go down the rabbit hole.)
  • A lot of time you need some sort of payment option set up. So I made a Privacy.com card specifically for this account.

I still have my other account which I use for Family Safety controls for my kids. I also occasionally need Office. So my plan is to put a Windows VM in place specifically for these tasks. I guess that setup would be a post of it's own. Either way, this will put me at a level of dealing with Microsoft that I can be comfortable with.

So now that that is done I will use the freshly created Microsoft account to setup my laptop. I know Microsoft will still get some telemetry from me, but it will be minimal and tied to a separate account that isn't used for anything other than logging into that one device and using the Windows store.

Next I uninstall all the programs that come with Windows by default that I can, like games, Office365 trials, etc..

Once this is done we need to open Edge so we can download a different browser. I suggest Firefox so we can use container tabs. If you don't want to go that far we can do Brave also. I may have a future post on how I setup my browsers.

Now we need to open our browser of choice and install O&O ShutUp10. This is going to turn off as much Windows telemetry and spywarish settings as it can. It will also disable Onedrive if you choose (I do recommend this). I choose the 'Recommended and somewhat recommended settings'. Again, besides that you have to find the turn off Onedrive setting and manually check it if you want to kill Onedrive.

At this time I would install my VPN also to give me some more protection before I continue. My personal recomendation is Mullvad. I like them because it makes it easy for me to have Wireguard setup on all my devices and they are as anonymous as it gets. They don't have your name, email, phone.. nothing.

Next we need to install Virtualbox. With this installed you can install Windows or Linux machines for whatever usecase you need. Again, detailed use would be another post. But the main thing at this time we will use it for is another Windows VM to do all those Microsofty things we need without having to dirty up our main machine. You can get a free Windows VM to use from Microsoft themselves by following this LINK

If you read the fine print below you get 90 days. So set it up how you want then take a snapshot. When it expires just load the snapshot again and your back in business. This isn't meant to be persistent. It's just so you can use office or anything else from other Microsoft accounts.

All that is really left is to install any other VMs I may use. I have a few I keep.

  • The Trace Labs OSINT VM
  • A Kali Linux VM
  • A vanilla Linux VM (Distro just depends on how i'm feeling, they come and go)
  • The above mentioned WIndows VM

Then I install whatever othe software I want on the host, which for me is:

I hope this all made sense for you. I will go into more details on some of the finer things in other posts. This will get you pretty far though.


You'll only receive email when Personal Opsec publishes a new post

More fromĀ Personal Opsec