Harden Windows Privacy: Kill Telemetry and Lock It Down
A named-tool stack for Windows users who won't leave the OS but want it to stop phoning home — encrypted DNS, tracker blocking, a network firewall, a hardened browser, and trace cleanup.
Tools in this stack
Harden Windows Privacy: Kill Telemetry and Lock It Down
You don't have to leave Windows to make it stop phoning home. This stack cuts the connection at the network — where it can't be quietly re-enabled by an update.
Who this is for and what it defends against
You run Windows because you have to, or because you want to — and you're tired of it reporting your activity back to Microsoft and its advertising partners. The exposure here is telemetry and diagnostics, an advertising ID tied to your usage, forced sync that pushes your data to the cloud, and background tracking you never opted into.
Here's the honest core of this stack: in-OS toggles get reset by updates. Microsoft reverts privacy settings on major upgrades, and a settings-only guide leaves you re-doing the same work every patch cycle. So this stack does the durable thing — it intercepts telemetry at the network and browser layers, where a Windows update can't reach in and flip it back on.
What it does not do: it won't turn Windows into a privacy OS, and it won't stop data you actively type into Microsoft accounts. For that, the answer is a different OS — out of scope here.
Layers, in order: encrypt your DNS → filter telemetry domains → firewall the connections → harden the browser → wipe the traces.
Layer 1 — Encrypt and control DNS
Every time Windows or an app phones home, it first looks up a domain. Control that lookup and you control a huge share of the leak — visibly and reversibly, without touching a single Windows setting.
Control D
Customizable DNS filtering. Why it's here: you can block known Microsoft telemetry and advertising domains at the resolver, so the requests fail before they leave your machine. Custom rules mean you decide what's allowed, not the OS.
AdGuard
DNS-level ad and tracker filtering. Why it's here: a maintained blocklist that neutralizes trackers system-wide, covering apps and browsers alike — not just one browser's traffic.
DNScrypt-proxy 2
GitHub
Encrypted, authenticated DNS. Why it's here: it stops your DNS queries from being read or tampered with in transit, and lets you route lookups through a resolver you trust instead of your ISP's. Pair it with the filtering above for the full effect.
Layer 2 — Firewall the connections
DNS filtering blocks lookups; a firewall blocks the connections that use a hardcoded IP and skip DNS entirely. This is the backstop.
OPNsense
open-source
An open-source firewall and router platform. Why it's here: run at the network edge, it gives you outbound control over every device — so a Windows machine can't reach telemetry endpoints even when it ignores your DNS. This is the strongest, most durable option because it sits outside Windows entirely.
IPFire
GitHub
A hardened Linux firewall. Why it's here: the same network-edge control as OPNsense, with a lighter footprint — a good pick if you're repurposing older hardware as a firewall box.
Reality check: a network firewall means running a separate box or a capable router. If that's more than you want, the DNS layer above still handles most telemetry on its own. Don't skip Layer 1 waiting to build Layer 2.
Layer 3 — Harden the browser
The browser is where most day-to-day tracking actually happens. Swap the leaky default.
LibreWolf
open-source
A hardened fork of Firefox. Why it's here: it ships with tracking protection and anti-fingerprinting turned on, so you're private out of the box instead of after an hour of about:config edits.
Brave Browser
GitHub
Blocks trackers and ads by default. Why it's here: the low-friction option if you want a Chromium-based browser that blocks trackers without add-ons.
Privacy Badger
open-source (GitHub)
Automatically learns and blocks trackers. Why it's here: it catches trackers that slip past static lists by watching their behavior. Add it to whichever browser you keep.
ClearURLs
open-source (GitHub)
Strips tracking parameters from links. Why it's here: it removes the ?utm_ and click-ID junk that follows you between sites, cleaning up every link you open or share.
Layer 4 — Wipe the traces
BleachBit
A secure disk and data cleaner. Why it's here: Windows and its apps leave caches, logs, and histories all over the disk. BleachBit clears them on a schedule so old activity doesn't linger for anyone who later gets the machine.
Tradeoffs — pick your effort level
This stack scales from a ten-minute win to a weekend project. Don't let the deep end stop you from the shallow one.
Layer Effort Do this if...
-------------- ------- ---------------------------
Encrypted DNS Low You want the fastest win
Tracker filter Low You want system-wide cover
Browser swap Low You browse more than you
run desktop apps
Network firewall High You want update-proof,
device-wide control
Trace cleanup Low You share or resell hardware
The call: start with encrypted, filtered DNS and a hardened browser — that's 80% of the benefit in under twenty minutes, and nothing about a Windows update can undo it. Add the network firewall later if you want the connection locked shut regardless of what any app tries.
Frequently asked questions
How do I stop Windows 11 telemetry for good?
Block it at the network, not just in Settings — Windows updates tend to reset in-OS privacy toggles. Filter telemetry domains with Control D or AdGuard over encrypted DNS via DNScrypt-proxy 2, and for full lockdown add a network firewall like OPNsense that Windows can't override.
Do I need to leave Windows to get real privacy?
No — but be clear on the ceiling. This stack stops most background telemetry and tracking at the network and browser layers, which survives updates. It won't make Windows a privacy OS or protect data you actively give to Microsoft accounts. For that level, a different OS is the answer.
What's the single most effective Windows privacy step?
Encrypted, filtered DNS. Routing lookups through Control D or AdGuard with DNScrypt-proxy 2 blocks telemetry system-wide — across every app, not just your browser — and takes minutes to set up.
Will a firewall break my apps?
It can if you block too aggressively. A network firewall like OPNsense or IPFire lets you allow legitimate connections while denying telemetry endpoints. Start by blocking known Microsoft telemetry domains and add exceptions if something you rely on stops working.
Which browser is most private on Windows?
LibreWolf if you want hardened privacy on by default, or Brave Browser for a Chromium base that blocks trackers without setup. Add Privacy Badger and ClearURLs to either for behavior-based tracker blocking and clean links.
Tags
Build your stack
Browse the vetted directory to compare every tool, or run a free check on your own exposure.