Microsoft has responded to claims that its Windows 10 Enterprise operating system ignores user preferences in Group Policy with the advice that, basically, it does and you shouldn't meddle with it.
On Monday, we revealed that a security researcher had used a packet sniffer to show that many settings designed to prevent access to the internet were being ignored with connections to a range of third-party servers including advertising hubs.
The security researcher, Mark Burnett (@m8urnett), went on to show that with teredo IPv6 disabled, the system still checks for IPv6 connectivity. SmartScreen is disabled but it still connects. Telemetry is disabled. Still connects. Error reporting disabled. Still connects. Sync-related services all disabled at a group level. Still connects. I mean we could go on. Yes? OK then. Online KMS validation disabled, still connects. All connections except Updates to Microsoft blocked. Still connects to a range of ad servers. Yes advertising servers. Burnett confirms that all these calls are made by Windows 10, not by any apps.
"So it seems" he goes on "like Microsoft doesn't even honour it's own Group Policy settings" warning "but the big problem here is that people will use third-party apps to block all this and inadvertently block security-related stuff." As if for an encore, Burnett deleted the new Paint 3D, a system app, which he is entirely entitled to do. He found the system restored it and added a firewall rule allowing it network access. Yes. Not even Paint is safe.
Microsoft responded late Monday night with a statement explaining: "Enterprise users are able to configure the necessary settings to achieve zero emissions and we provide guidance and actual script to configure their systems. We don't recommend turning off the settings as it disrupts user experiences and security.
"We give our customers a number of choices to help manage telemetry settings for an enterprise environment and how to confirm these settings." As ever, because we have no direct conversation with Microsoft (they always respond when we've gone home) we haven't been able to pick them up on the point that this is the bit that isn't working and causing security concerns.
The fact that this is happening on Windows 10 Enterprise is of particular concern. Microsoft is relying on an upsurge of businesses to switch from Windows 7 to Windows 10, which currently has less than half the market share of its combined predecessors, and is running well short of the projected 2 billion machines in the first two years, which was promised. That two-year mark is fast approaching and even Microsoft's own statistics are showing a quarter of that.
Organisations need to have faith in their operating system and revelations like this will not help. The conversation continued on ycombinator with others sharing their horror stories of Windows 10.
One user, ‘Donkeychan' said: "MS Support consistently and repeatedly told me that enterprise allowed me to disable this stuff. If I can't control the egress then I can't verify PCI compliance. I've already had to revert a client to Win 7 because they failed a PCI compliance audit using Win 10 Enterprise. Which, by the way, is very expensive for small businesses. Win 10 Enterprise isn't viable for business. I have a bunch of small business clients and I've had to use a whitelist firewall to pass PCI compliance, someone said here that a whitelist firewall is borderline unusable. I've sunk so much time into that solution and I can attest, it's not viable."
‘Sathackr' added: "I went through the same thing last year. I spent two months trying to plug all the holes in the enterprise version, for a medium sized healthcare client, and eventually gave up. "The LTSB edition looks promising but I haven't put it under the microscope yet." While ‘weeks' summed it all up "Playing whack-a-mole with memory corruption vulnerabilities isn't how you create a secure operating systems."
Download SafeUM — communicate privately, without advertising and spam.
Axarhöfði 14,
110 Reykjavik, Iceland