qvm-create-windows-qube

Explore the possibility of Windows 10 Ameliorated

Open fepitre opened this issue 3 years ago • 7 comments

I've found this amazing project for Windows users: https://ameliorated.info/. All the sources are at https://git.ameliorated.info/malte/scripts. Maybe that could help in having more minimal Windows images?

fepitre avatar Sep 05 '20 21:09 fepitre

Interesting! There are so many projects like this for Windows that intend to slim it down, remove spyware, etc. I think it requires a larger discussion on what the best one(s) are to include and why.

As mentioned in the project README, one of this project's focuses is correctness. One of the ways I wish to make sure this remains a focus is by following official Microsoft documentation wherever possible. (similar to how I made the whonix.bat script just by implementing the official Whonix-Windows-Workstation documentation + recommendations and I think that leads to the best result)

For removing spyware at least, I have found one script which really just goes off the official Microsoft documentation as much as possible. I mentioned it in spyless.bat but I will say it again here:

Script: https://github.com/cryps1s/DARKSURGEON/blob/master/configuration/configuration-scripts/Set-WindowsTelemetrySettings.ps1

Documentation: https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services

See the .NOTES section of the PowerShell code to see the documentation it is based on, I also put it above. That script may need some updating though.

Also, certain tools such as O&O Shutup10 are of course out of the picture because they are closed source. The only closed source component allowed is Windows itself.

As for slimming down scripts, I think more research is definitely required to find the best and most up-to-date one(s). Please drop any suggestions for scripts you have.

ElliotKillick avatar Apr 01 '21 04:04 ElliotKillick

I also made optimize.bat based on (at least what I thought at the time was fairly official) Qubes documentation. However, now the link I based that script on redirects to the Qubes Community repo whereas it existed on the official qubes-os.org website before.

See here: https://www.qubes-os.org/doc/windows-template-customization/

In fact, upon further analysis all the Windows documentation stemming from https://www.qubes-os.org/doc/windows/ now leads to the Qubes Community repo. I guess Windows support in Qubes has been fully delegated as a community effort at this point.

However, I did expand that script past the documentation with my own stuff to disable things I saw popping up in the notifications in Windows 8.1/10 that are not required for a VM (it seems like that documentation was only made for Windows 7). Also, other things like bypassing annoying Tamper Protection (latest piece of MS security theatre) to disable the Windows Defender antivirus which we definitely don't want running in our Windows qubes.

ElliotKillick avatar Apr 01 '21 11:04 ElliotKillick

@elliotkillick sorry for not answering your invitation sooner, I've been considerably busy with multiple subjects recently. Would you mind renewing your invitation?

fepitre avatar Apr 13 '21 14:04 fepitre

Sure thing @fepitre, I've renewed the collaboration invitation!

ElliotKillick avatar Apr 13 '21 20:04 ElliotKillick

> Sure thing @fepitre, I've renewed the collaboration invitation!

Thank you. I'm currently very busy on other tasks but I plan to integrate step by step the whole stuff I've investigated and done during the end of 2020. I'll keep you in touch with that.

fepitre avatar Apr 13 '21 20:04 fepitre

> I've found this amazing project for Windows users: https://ameliorated.info/. All the sources are at https://git.ameliorated.info/malte/scripts. Maybe that could help in having more minimal Windows images?

For this you can use the manual amelioration process, which, if done correctly, is pretty much the same as using the pre-made AME ISO. It could break things with regards to the QVM integration I suppose, but likely not. Worth a try at least; this won't be an option for me if AME doesn't work at all with this project, I'm assuming it should work fine though.

Also, it may even be possible to use the pre-made ISO if you can get said ISO where it belongs, not sure if it would work though.

McNinjaTNT avatar Oct 18 '21 19:10 McNinjaTNT

> Interesting! There are so many projects like this for Windows that intend to slim it down, remove spyware, etc. I think it requires a larger discussion on what the best one(s) are to include and why.

> As mentioned in the project README, one of this project's focuses is correctness. One of the ways I wish to make sure this remains a focus is by following official Microsoft documentation wherever possible. (similar to how I made the whonix.bat script just by implementing the official Whonix-Windows-Workstation documentation + recommendations and I think that leads to the best result)

> For removing spyware at least, I have found one script which really just goes off the official Microsoft documentation as much as possible. I mentioned it in spyless.bat but I will say it again here:

> Script: https://github.com/cryps1s/DARKSURGEON/blob/master/configuration/configuration-scripts/Set-WindowsTelemetrySettings.ps1

> Documentation: https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services

> See the .NOTES section of the PowerShell code to see the documentation it is based on, I also put it above. That script may need some updating though.

> Also, certain tools such as O&O Shutup10 are of course out of the picture because they are closed source. The only closed source component allowed is Windows itself.

> As for slimming down scripts, I think more research is definitely required to find the best and most up-to-date one(s). Please drop any suggestions for scripts you have.

I'm fairly involved with Windows Ameliorated and I would love to see official support for them with this project, you're probably plenty busy but if you have the time I would greatly appreciate you looking into AME.

From what I've seen the AME team have really done an outstanding job with removing spyware and such, I'm confident that in that regard, it is significantly more thorough and better than the spyless.bat script. AtlasOS may be worth looking into as well, but I haven't personally looked at it, and I'm guessing it also is not as good as AME, but I can't say for sure.

Thank you for making this project! It looks awesome.

P.S. AME is open-source (https://git.ameliorated.info/lucid/scripts)

McNinjaTNT avatar Oct 18 '21 19:10 McNinjaTNT

@McNinjaTNT I've been looking into AME recently, however, I noticed that source hasn't been updated in a year and the script batch filename says "21H1" (which isn't the latest Windows release). So, I'm not sure how good it is to use...

Reading through the batch script in its current state, there are things I like and dislike.

The biggest issue really is that each and every line of it isn't going off of some MS documentation so there's no easy way of verifying the script's actions. Also, I'm not a fan of all the services being disabled with no comments as to why: I've learned through my own experience that disabling random services in Windows can and will silently break things (as it has happened before for just the few I previously disabled in optimize.bat, see the git commit messages for that). A lot of code duplication when maybe a for loop would have been more correct. Also, removing any apps isn't something I want to do (except maybe the straight up ads such as Candy Crush or the like). If users want that level of minimization then they can have it officially from MS just by using Windows 10 LTSC (this is the recommended way for this project). Windows 11 LTSC hasn't been released yet (scheduled for second half of 2024 according to MS) but that's on its way. Don't want to uninstall OneDrive as is being done either because some people may want that. Editing the hosts file isn't an effective way of blocking endpoints on its own because some IPs are hardcoded into Windows binaries (see: https://gist.github.com/ElliotKillick/124cc87981a08e8a4e53b2d12ff543ee). And that entails my biggest issues with this script.

Hope that doesn't sound too blunt but that's my honest review just going through line-by-line listing issues as they come along. However, at this point I'm unfortunately not really going for AME. Unless there is some other source I'm not aware of? Then I'd have another look. But, right now I'm more in favor of my originally proposed solution for stopping Windows spying (other than air gapping the VM) then if the user wants their installation to be minimal/lightweight as well they should use Windows 10/11 LTSC. What I would most like to find right now is an up-to-date (with the latest MS documentation) version of Set-WindowsTelemetrySettings.ps1. Please let me know if someone can find or make something like that (I unfortunately wouldn't be able to find the time for such a project).

As always, I'm open to suggestions and if AME is something that works for you then you're more than welcome to add the script yourself in the provided post/run.bat file of this project.

ElliotKillick avatar Jun 13 '23 13:06 ElliotKillick
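
Added example (not part of the thread, and not code from qvm-create-windows-qube or AME): one way to mechanically check the objection above about services being disabled with no comment explaining why. The function name `audit_service_changes` and the sample batch lines are hypothetical; the sample is constructed for illustration.

```python
import re

# Commands that disable a Windows service: `sc config <name> start= disabled`
# or a registry write setting ...\Services\<name>\Start to 4 (disabled).
SC_RE = re.compile(r'^\s*sc(?:\.exe)?\s+config\s+"?([^\s"]+)"?\s+start=\s*disabled', re.I)
REG_RE = re.compile(
    r'^\s*reg(?:\.exe)?\s+add\s+"?HKLM\\SYSTEM\\CurrentControlSet\\Services\\([^\s"\\]+)"?'
    r'.*?/v\s+"?Start"?\b.*?/d\s+"?4"?\b', re.I)
COMMENT_RE = re.compile(r'^\s*(?:rem\b|::)\s*(.*)$', re.I)

# Constructed sample script, not taken from any real project.
SAMPLE = r"""@echo off
:: Telemetry service; rationale:
:: https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services
sc config DiagTrack start= disabled

sc config SysMain start= disabled
rem WAP push routing, used by telemetry
reg add "HKLM\SYSTEM\CurrentControlSet\Services\dmwappushservice" /v Start /t REG_DWORD /d 4 /f
"""


def audit_service_changes(script: str) -> list[dict]:
    """Report each service-disabling command and the comment block directly above it."""
    findings, pending, in_comment = [], [], False
    for lineno, line in enumerate(script.splitlines(), 1):
        comment = COMMENT_RE.match(line)
        if comment:
            if not in_comment:
                pending = []              # a new comment block replaces the old one
            in_comment = True
            if comment.group(1).strip():
                pending.append(comment.group(1).strip())
            continue
        in_comment = False
        match = SC_RE.match(line) or REG_RE.match(line)
        if not match:
            pending = []                  # blank line or other command ends the block
            continue
        rationale = " ".join(pending)
        findings.append({"line": lineno, "service": match.group(1),
                         "rationale": rationale or None,
                         "cites_docs": "microsoft.com/" in rationale})
    return findings


if __name__ == "__main__":
    for f in audit_service_changes(SAMPLE):
        print(f)
```

Entries with `rationale` of `None` are the ones a reviewer cannot verify; entries with `cites_docs` false have a reason but no Microsoft documentation link to check it against.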

I think the source has moved around: https://git.ameliorated.info/Styris/trusted-uninstaller-cli (I just looked at the bottom of the home page).

fepitre avatar Jun 18 '23 08:06 fepitre

It seems like that source is the CLI tool, browsing the AME Gitea instance I found this which seems to house all their (Ansible; not Salt like Qubes OS uses) playbooks: https://git.ameliorated.info/Styris/AME-11

Digging into the source, I find this folder a tad bit concerning: https://git.ameliorated.info/Styris/AME-11/src/branch/master/src/Executables

It looks like multiple EXE files are packaged with AME which is problematic because it makes it difficult for us to verify (with 100% certainty) that one of these programs hasn't been backdoored somewhere in the supply chain.

Looking further, I see this: https://git.ameliorated.info/Styris/AME-11/src/branch/master/src/Configuration/features/base/appx.yml

Deleting app packages which some users may find desirable (to reiterate, if users don't want any apps installed by default they should use LTSC).

Next in components.yml, a lot of deleting is being done where disabling would be more favorable. Ideally, I want to give users the power to easily re-enable features in case they do indeed want them. For example, %windir%\\System32\\smartscreen.exe is deleted (we only disable it in spyless.bat) as well as OneDrive.

I do like the contents of regedits.yml which looks like it may contain some desirable additions for our own spyless.bat.

I'm confident AME is a great tool for users with an existing Windows installation who want to hardcode privacy into their system (even at a cost of breaking the odd MS service), but our VM approach doesn't require that same level of thoroughness. For example, our Windows VMs aren't ever directly connected to WiFi which is great because it means nearby WiFi networks (and thus the user's location) can't be leaked to MS. AME flips a few registry keys to disable this, but given our unique situation (no direct hardware access), those kinds of things aren't necessary.

I want to thank AME developers/contributors as any project that helps improve a user's privacy on Windows is a great one. However, in this case I'm afraid it's just not the right fit for us.

ElliotKillick avatar Jun 19 '23 03:06 ElliotKillick
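
Added example (not part of the thread, and not code from either project): a reviewer's first step for the bundled-executables concern above is to inventory every prebuilt Windows binary in a source checkout by file content rather than by extension, and record a SHA-256 for each so it can be compared against an independently obtained copy. The function names and the sample file names `TOOL.exe` and `helper.dat` are hypothetical; the sample tree is constructed.

```python
import hashlib
import struct
import tempfile
from pathlib import Path


def is_pe(path: Path) -> bool:
    """True if the file has a DOS 'MZ' header whose e_lfanew points at a PE signature."""
    with path.open("rb") as fh:
        head = fh.read(64)
        if len(head) < 64 or head[:2] != b"MZ":
            return False
        (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
        fh.seek(e_lfanew)
        return fh.read(4) == b"PE\0\0"


def inventory_binaries(root: Path) -> list[dict]:
    """List every PE file under root with its SHA-256, detected by content, not extension."""
    found = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if ".git" in path.relative_to(root).parts:
            continue  # skip version-control internals
        if is_pe(path):
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            found.append({"path": path.relative_to(root).as_posix(),
                          "sha256": digest,
                          "size": path.stat().st_size})
    return found


def build_sample_tree(root: Path) -> None:
    """Constructed sample checkout: a minimal PE stub, a renamed PE, and a YAML file."""
    stub = bytearray(0x44)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)    # e_lfanew -> offset 0x40
    stub[0x40:0x44] = b"PE\0\0"
    (root / "src" / "Executables").mkdir(parents=True)
    (root / "src" / "Executables" / "TOOL.exe").write_bytes(stub)
    (root / "src" / "Executables" / "helper.dat").write_bytes(stub)  # PE without .exe
    (root / "src" / "appx.yml").write_text("actions: []\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        for entry in inventory_binaries(Path(tmp)):
            print(f"{entry['sha256']}  {entry['size']:>8}  {entry['path']}")
```

A matching hash only shows the file is the same as the reference copy; it says nothing about whether that reference was built from the published source.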