Microsurf — Windows 10 Privacy Hardening & Debloat

The Problem With Windows 10

Windows 10 is not a product you own. It's a service running on your hardware. Out of the box it logs keystrokes for "handwriting improvement", uploads your browsing history, sends your location, transmits crash dumps with full memory snapshots, and runs background services that phone home on a continuous schedule. Microsoft calls this "Connected User Experiences". Everyone else calls it what it is.

The Settings panel offers toggles. They are cosmetic. The telemetry services don't stop when you flip the switch. DiagTrack keeps running. CompatTelRunner.exe keeps firing its scheduled tasks. The hosts file is untouched. The firewall has no rules blocking the data collection binaries. The registry keys that control the real pipeline are buried three levels deep in policy paths the GUI never touches.

If you want it actually gone, you have to go beneath the UI — registry, service manager, firewall, hosts file, and task scheduler, all at once, with no gaps. That's what Microsurf does.

OS Guard — Windows 10 Only

The first thing 10surf.ps1 does after printing the banner is read your OS build number from WMI. Windows 10 occupies builds 10240–19045. Windows 11 starts at 22000. If the script detects the wrong OS it exits cleanly — nothing gets changed.

OS guard — wrong OS detectedPowerShell

[!] UNSUPPORTED OS DETECTED Detected : Windows 11 Home (Build 22631) Required : Windows 10 (any release) This script will now exit to prevent unintended changes.

Sections 1–14 — Automated Privacy Hardening

A System Restore Point is created before any changes. Then the script works through 14 hardening sections with no prompts.

30+

Telemetry hosts blocked

Scheduled tasks killed

Services disabled

Firewall outbound blocks

Hardening categories

Telemetry registry — AllowTelemetry = 0 via both policy path and direct path. Diagnostic log collection and OneSettings downloads blocked.
Services — DiagTrack, dmwappushservice, WerSvc, DoSvc stopped and set to Disabled
Hosts file — 30+ telemetry endpoints redirected to 0.0.0.0 including vortex.data.microsoft.com, watson.telemetry.microsoft.com, all Bing and feedback domains
Firewall — Outbound block rules for CompatTelRunner.exe, DeviceCensus.exe, wsqmcons.exe, MusNotification.exe
Scheduled tasks — All CEIP, feedback, appraiser, and disk diagnostics tasks disabled via Task Scheduler API
Cortana — Killed via policy keys. Bing web search removed from Start search bar.
Advertising ID — Global identifier and all personalization data pipelines disabled
Activity History / Timeline — Activity feed, cross-device clipboard sync, and cloud upload all off
App permissions — Force-denies access to camera, mic, location, contacts, calendar, call history, email, and messaging via AppPrivacy policy (value 2 = Force Deny)
Windows Error Reporting — Disabled at policy and service level. Additional data upload blocked.
LLMNR — Multicast name resolution disabled. Closes the primary attack vector for Responder-style credential capture on local networks.
WiFi Sense — Auto-connect credential sharing disabled
Content Delivery Manager — Silent app install pipeline and Start menu sponsored suggestions fully off
Font streaming / online tips — Cloud font provider and online help streaming disabled

How to Run It

Elevated PowerShell — Run as AdministratorPowerShell

# One-liner PS> irm https://raw.githubusercontent.com/0xb0rn3/Microsurf/main/10surf.ps1 | iex # Clone and run locally PS> git clone https://github.com/0xb0rn3/Microsurf PS> cd Microsurf PS> Set-ExecutionPolicy Bypass -Scope Process -Force PS> .\10surf.ps1

Before You Run

Right-click PowerShell → Run as Administrator
A System Restore Point is created automatically as step one
Roll back at any time: rstrui.exe → "Before Privacy Hardening"
Tested on Windows 10 21H2, 22H2, and 23H2

Section 15 — Update & Upgrade Windows

After the automated hardening pass, the script presents a numbered menu for Windows Update. Each option is completely independent — pick one, several, all, or skip. Nothing is applied without an explicit choice.

Option [1] — KB fetch outputPowerShell

[*] Fetching latest stable Cumulative Update... [+] Querying Windows Update service (no credentials required)... [+] Found : 2026-05 Cumulative Update for Windows 10 Version 22H2 (KB5058481) [+] KB : KB5058481 [+] Size : 847.3 MB [+] Released: 05/13/2026 00:00:00 [+] Downloading KB5058481 — this may take several minutes... [+] KB5058481 downloaded and staged. Install KB5058481 now and reboot? [Y/N]:

Section 16 — Debloat

The final section walks through nine debloat categories. Each gets its own [Y/N] prompt. Nothing runs without your confirmation. Explorer is restarted at the end to apply visual changes immediately.

A — Bloatware Apps

65+ pre-installed UWP apps removed via Remove-AppxPackage -AllUsers plus provisioned package cleanup. Candy Crush, Clipchamp, Teams, TikTok, all Bing apps, Cortana UWP, social media, streaming apps.

A — OEM Bloatware

HP Support Assistant, Lenovo Vantage, Dell SupportAssist, Digital Delivery, Mobile Connect, and related factory software removed silently.

A — Xbox / Game Bar

Gaming overlay apps removed. Game DVR disabled via GameConfigStore and AllowGameDVR policy keys.

A — OneDrive

Silent uninstall via OneDriveSetup.exe /uninstall. Removed from File Explorer navigation pane via CLSID key. Provisioned package cleaned.

B — System Tweaks

Fast startup off, BitLocker auto-encryption blocked, mouse acceleration off, Sticky Keys shortcut off, Storage Sense off, Modern Standby networking off, Snap Assist off.

C — Appearance

Dark mode for system and apps. Transparency and animations disabled via best-performance preset and UserPreferencesMask.

D — Start & Search

App suggestions, Search Highlights, local search history, Store suggestions in search, and People bar all disabled.

E — Taskbar

Task View hidden, search box removed, Chat/Meet Now hidden, News & Interests hidden, End Task enabled in right-click.

F — File Explorer

File extensions shown, hidden files visible, 3D Objects removed from This PC, Explorer opens to This PC, cluttered context menu items removed.

G — Lock Screen

Lock screen tips and fun facts off. Windows Spotlight killed on lock screen, action center, Settings, and desktop via CloudContent policy.

H — Browser Bloat

Edge news feed, shopping assistant, startup boost, background mode, personalisation reporting, and web widgets killed via Policies\Microsoft\Edge.

I — Find My Device

Location tracking disabled. Stored location history cleared from CapabilityAccessManager\ConsentStore\location.

Reversibility

Almost all registry changes can be reverted via Windows Settings or Group Policy
Removed UWP apps can be reinstalled from the Microsoft Store
OneDrive reinstall: aka.ms/OneDriveSetup
Full rollback: rstrui.exe → select "Before Privacy Hardening"

The Bigger Point

The privacy settings panel in Windows 10 is theatre. The actual telemetry pipeline runs deeper than any toggle the GUI exposes — in services, in scheduled tasks, in firewall rules that were never created, in registry keys that Settings doesn't touch. The debloat layer removes the surface junk. The hardening layer cuts the cables underneath.

You don't have to trust them with your data. But you do have to go below the UI to make sure they can't take it anyway.

Quick startPowerShell

PS> irm https://raw.githubusercontent.com/0xb0rn3/Microsurf/main/10surf.ps1 | iex