"}}]}
Privacy Stacks
Threat-Model StacksIntermediate

Harden Windows Privacy: Kill Telemetry and Lock It Down

A named-tool stack for Windows users who won't leave the OS but want it to stop phoning home — encrypted DNS, tracker blocking, a network firewall, a hardened browser, and trace cleanup.

July 7, 202645 minutesIntermediate

Harden Windows Privacy: Kill Telemetry and Lock It Down

You don't have to leave Windows to make it stop phoning home. This stack cuts the connection at the network — where it can't be quietly re-enabled by an update.

Who this is for and what it defends against

You run Windows because you have to, or because you want to — and you're tired of it reporting your activity back to Microsoft and its advertising partners. The exposure here is telemetry and diagnostics, an advertising ID tied to your usage, forced sync that pushes your data to the cloud, and background tracking you never opted into.

Here's the honest core of this stack: in-OS toggles get reset by updates. Microsoft reverts privacy settings on major upgrades, and a settings-only guide leaves you re-doing the same work every patch cycle. So this stack does the durable thing — it intercepts telemetry at the network and browser layers, where a Windows update can't reach in and flip it back on.

What it does not do: it won't turn Windows into a privacy OS, and it won't stop data you actively type into Microsoft accounts. For that, the answer is a different OS — out of scope here.

Layers, in order: encrypt your DNS → filter telemetry domains → firewall the connections → harden the browser → wipe the traces.

Layer 1 — Encrypt and control DNS

Every time Windows or an app phones home, it first looks up a domain. Control that lookup and you control a huge share of the leak — visibly and reversibly, without touching a single Windows setting.

Control D

Customizable DNS filtering. Why it's here: you can block known Microsoft telemetry and advertising domains at the resolver, so the requests fail before they leave your machine. Custom rules mean you decide what's allowed, not the OS.

AdGuard

DNS-level ad and tracker filtering. Why it's here: a maintained blocklist that neutralizes trackers system-wide, covering apps and browsers alike — not just one browser's traffic.

DNScrypt-proxy 2

GitHub

Encrypted, authenticated DNS. Why it's here: it stops your DNS queries from being read or tampered with in transit, and lets you route lookups through a resolver you trust instead of your ISP's. Pair it with the filtering above for the full effect.

Layer 2 — Firewall the connections

DNS filtering blocks lookups; a firewall blocks the connections that use a hardcoded IP and skip DNS entirely. This is the backstop.

OPNsense

open-source

An open-source firewall and router platform. Why it's here: run at the network edge, it gives you outbound control over every device — so a Windows machine can't reach telemetry endpoints even when it ignores your DNS. This is the strongest, most durable option because it sits outside Windows entirely.

IPFire

GitHub

A hardened Linux firewall. Why it's here: the same network-edge control as OPNsense, with a lighter footprint — a good pick if you're repurposing older hardware as a firewall box.

Reality check: a network firewall means running a separate box or a capable router. If that's more than you want, the DNS layer above still handles most telemetry on its own. Don't skip Layer 1 waiting to build Layer 2.

Layer 3 — Harden the browser

The browser is where most day-to-day tracking actually happens. Swap the leaky default.

LibreWolf

open-source

A hardened fork of Firefox. Why it's here: it ships with tracking protection and anti-fingerprinting turned on, so you're private out of the box instead of after an hour of about:config edits.

Brave Browser

GitHub

Blocks trackers and ads by default. Why it's here: the low-friction option if you want a Chromium-based browser that blocks trackers without add-ons.

Privacy Badger

open-source (GitHub)

Automatically learns and blocks trackers. Why it's here: it catches trackers that slip past static lists by watching their behavior. Add it to whichever browser you keep.

ClearURLs

open-source (GitHub)

Strips tracking parameters from links. Why it's here: it removes the ?utm_ and click-ID junk that follows you between sites, cleaning up every link you open or share.

Layer 4 — Wipe the traces

BleachBit

A secure disk and data cleaner. Why it's here: Windows and its apps leave caches, logs, and histories all over the disk. BleachBit clears them on a schedule so old activity doesn't linger for anyone who later gets the machine.

Tradeoffs — pick your effort level

This stack scales from a ten-minute win to a weekend project. Don't let the deep end stop you from the shallow one.

Layer           Effort   Do this if...
--------------  -------  ---------------------------
Encrypted DNS   Low      You want the fastest win
Tracker filter  Low      You want system-wide cover
Browser swap    Low      You browse more than you
                         run desktop apps
Network firewall High    You want update-proof,
                         device-wide control
Trace cleanup   Low      You share or resell hardware

The call: start with encrypted, filtered DNS and a hardened browser — that's 80% of the benefit in under twenty minutes, and nothing about a Windows update can undo it. Add the network firewall later if you want the connection locked shut regardless of what any app tries.

Frequently asked questions

How do I stop Windows 11 telemetry for good?

Block it at the network, not just in Settings — Windows updates tend to reset in-OS privacy toggles. Filter telemetry domains with Control D or AdGuard over encrypted DNS via DNScrypt-proxy 2, and for full lockdown add a network firewall like OPNsense that Windows can't override.

Do I need to leave Windows to get real privacy?

No — but be clear on the ceiling. This stack stops most background telemetry and tracking at the network and browser layers, which survives updates. It won't make Windows a privacy OS or protect data you actively give to Microsoft accounts. For that level, a different OS is the answer.

What's the single most effective Windows privacy step?

Encrypted, filtered DNS. Routing lookups through Control D or AdGuard with DNScrypt-proxy 2 blocks telemetry system-wide — across every app, not just your browser — and takes minutes to set up.

Will a firewall break my apps?

It can if you block too aggressively. A network firewall like OPNsense or IPFire lets you allow legitimate connections while denying telemetry endpoints. Start by blocking known Microsoft telemetry domains and add exceptions if something you rely on stops working.

Which browser is most private on Windows?

LibreWolf if you want hardened privacy on by default, or Brave Browser for a Chromium base that blocks trackers without setup. Add Privacy Badger and ClearURLs to either for behavior-based tracker blocking and clean links.

Tags

windowstelemetrydnsfirewallthreat-modeltracker-blocking

Build your stack

Browse the vetted directory to compare every tool, or run a free check on your own exposure.