Pro is a little bit better because of features like Bitlocker. A lot better would be Education/Enterprise variant. You’d need special licenses for running enterprise I think. There are also registry hacks that would give you some protection against telemetry (I personally haven’t done this).
Privacy-wise though, any “windows” is going to fare lower than linux is what I’d say. Wait for others in the sub for more insights.
If using bitlocker be sure to note down the key for it, one bad crash and your drive is a good as dead.
If you’re already on a Linux-based operating system, and you gotta run a real instance of Windows for some reason, your safest bet from both a security and privacy standpoint is to run it in a virtual machine (I like VirtualBox, personally, but VMWare, or whatever else will do the job fine also) and firewall the hell out of it. In a virtual machine, you can totally lock it down as much or as little as you need for the task at hand, and ain’t a damned thing Windows itself can really do about it, and as an added bonus, it saves you from the required reboots of dual-booting. It’s confined to a “safe space” (until you start opening enabling network stuff and opening ports to it). You’re in control.
edit: or QEMU/KVM (with virt-manager)
And if you spend a bit of time with it, you can even pass a graphics card to the VM if you’re limited by the VM’s specs.
As well as having a dual boot partition or drive but opening it in a VM when you can split resources or dual boot when you need the full system
Gnu boxes makes it pretty easy. Use the VM behind a VPN and don’t allow access to your host. You can just mount the virtual volume to share any data you need to back and forth.
If I remember correctly, Pro should give you access to group policies (making configuration a tad less painful compared to fiddling in the registry), stuff such as Windows Sandbox/MDAG (basically, throwaway VMs you can run executables/Edge in), as well as Bitlocker encryption.
You cannot turn off required diagnostics on Windows 11 Home or Pro. You can see it yourself by firing up a Windows Pro or Home VM, editing the relevant setting in the registry or group policy, then taking a look at wireshark traffic - you should still see traffic to telemetry endpoints that Microsoft has listed in their documentation. This confirms what their documentation already says about this setting:
This is only available on Windows Server, Windows Enterprise, and Windows Education editions.
This also applies to many third party tools which claim to stop windows telemetry. Since I’m reasonably sure they work by editing the registry, they would be no more effective than simply turning off optional diagnostics in the GUI. So you end up giving yet another random app admin access for no real gain.
That being said, imo the required OS diagnostics Windows collects tends to be pretty basic in comparison to all the FUD that’s spread about it being a literal backdoor. You can see for yourself by opening the diagnostic data viewer app and seeing what info is there.
The other main problems (at least from my fiddling around in a VM with
mitmproxy
and wireshark as well as reading various articles) are:-
Windows Spotlight sending back similar data compared to required diagnostics - but if you’re on Home/Pro where you can’t turn it off anyways, this is irrelevant.
-
Forced Microsoft Login with a lot of cloud syncing stuff opted in by default - bypassable, but is somewhat troublesome. You can also just select the domain join option when installing Windows Pro to get around this.
-
Bing start menu search (needs a group policy or regedit to disable).
-
Edge’s optional features and Windows Security’s Smartscreen constantly leaking stuff such as browsing history (these can be disabled easily enough, fwiw).
Edit: I just realized you were talking about 10 and not 11, still, a lot of what I wrote about diagnostic data is applicable to both of them.
-
deleted by creator
Really you’d have to fire up Wireshark and see what telemetry Windows was blabbing away behind your back. Analysing those logs can be a tedious business, especially as you’d need a large dataset.
Thing with just about any tech related question posted is likely some geek will have done the heavy lifting for you already. Here is a nice start:
https://www.zdnet.com/article/windows-10-and-telemetry-time-for-a-simple-network-analysis/
Here is another one:
https://www.comparitech.com/blog/information-security/windows-10-data/
That’s logs required to be collected, doesn’t say whether or not the data is sent back to Windows. Best assume yes.
Course, all that proprietary software will have a voluminous licence agreement that nobody reads. They’ll collect as much data as they can to “maximise user experience” or whatever rubbish.
Could one mirror the traffic from the VM into Suricata/Snort to analyse it? Although if it were to be HTTPS traffic I doubt these or Wireshark would be able to do anything about them. The only alternative remains is to run a MiTM proxy in your network, which is a bit more advanced
Talking from experience when it comes to privacy on Windows I recommend looking into:
I know domain looks kind fishy but you can Inspect generated script yourself before running. Also you can Customize it to only include things you want.
Just wanna take a moment to let people know about a very, very good and reputable tool for privacy and windows. Honestly, it should be on the privacy guides website imho.
Linux is better, but if you have to use Windows, there is the Chris Titus Tech tool available. You can set power-user privacy options easily, massively debloat your windows installation, install programs, and easily set your update settings to security only, if that is what you want.
It’s also freaky easy to use, and comes from one of the foremost minds in the tech world today.
Afaik there’s some telemetry stuff you cannot turn off with the Home edition but you can with Pro. Not sure though if W10Privacy can disable that telemetry anyway.
Pro offers more control if you don’t mind following some guides or enjoy tinkering. Whichever option you choose consider running https://github.com/crazy-max/WindowsSpyBlocker.
I really wish people would stop making perfection the enemy of good when Windows comes up in any capacity on here. We all know Windows sucks for privacy but for certain users and industries it’s still quite mandatory so answer the damn question and provide resources to make it as least intrusive as possible.