Windows 11 and Windows 10 send diagnostic data to Microsoft servers by default. This telemetry includes system health checks, error reports, and usage statistics. While some data helps with security updates, many business users want to limit what leaves their network. Blocking outbound traffic to specific endpoints using Windows Firewall gives you control without disabling all system updates.
Windows Firewall is a built-in tool that filters network traffic based on rules you create. You can block specific IP addresses, domain names, or entire port ranges. This article explains how to identify telemetry endpoints and create outbound block rules that stop data from reaching those servers. You will learn the exact steps to configure these rules using the Windows Firewall with Advanced Security console.
Key Takeaways: Blocking Telemetry with Windows Firewall
- Windows Firewall with Advanced Security > Outbound Rules > New Rule: Creates a custom rule that blocks traffic to a specific IP address or domain name.
- Block rule for vortex.data.microsoft.com and settings-win.data.microsoft.com: Stops the most common telemetry endpoints used by Windows 11.
- Group Policy or PowerShell for multiple machines: Deploy the same block rules across all domain-joined computers without manual setup.
Why Windows Sends Telemetry and How Firewall Rules Work
Windows telemetry helps Microsoft improve reliability and detect security threats. The diagnostic data service runs as a background process called Connected User Experiences and Telemetry. It sends data to Microsoft-owned domains such as vortex.data.microsoft.com, settings-win.data.microsoft.com, and telemetry.microsoft.com. These endpoints are documented in the Microsoft privacy statement and can change over time.
Windows Firewall operates at the network layer. It inspects each outgoing packet and compares it against a list of rules. A block rule with a higher priority than an allow rule stops the traffic. You create outbound rules that target either a specific IP address or a domain name. When you use a domain name, Windows Firewall resolves it to an IP address at the time the rule is created. If the IP changes later, the rule may stop working. To avoid this, you can create rules for both the domain and its current IP addresses.
The firewall rules apply to all users and services on the computer. This means telemetry processes that run under the SYSTEM account are also blocked. You do not need to disable any services or modify registry keys. Blocking telemetry at the firewall level is reversible and does not affect system stability. However, some Microsoft services like Windows Update and Defender may stop working if you block the wrong endpoints. Always test rules on a single machine before deploying them broadly.
Steps to Create Outbound Block Rules in Windows Firewall
These steps assume you are using Windows 11 Pro or Enterprise. Windows 11 Home has the same firewall console but lacks Group Policy management. You must be logged in as an administrator to create firewall rules.
- Open Windows Firewall with Advanced Security. Press Win + R, type wf.msc, and press Enter. The console opens with three sections: Inbound Rules, Outbound Rules, and Connection Security Rules.
- Create a new outbound rule. In the left pane, click Outbound Rules. In the right pane under Actions, click New Rule. The New Outbound Rule Wizard starts.
- Select rule type: Custom. On the first page, select Custom and click Next. Custom rules let you specify both the program and the remote IP address.
- Set the program scope. On the Program page, select All programs and click Next. This blocks telemetry from any process, including system services.
- Configure protocol and ports. On the Protocol and Ports page, leave Any for protocol type. Click Next. Telemetry uses HTTPS on port 443, but blocking all ports for the target IP is simpler and equally effective.
- Specify the remote IP address. On the Scope page, under Which remote IP addresses does this rule apply to?, select These IP addresses. Click Add. Enter the IP address of the telemetry endpoint. For example, 40.126.30.30 is one IP used by vortex.data.microsoft.com. Click OK and then Next. You can add multiple IP addresses in the same rule.
- Set the action to Block. On the Action page, select Block the connection. Click Next.
- Choose when the rule applies. On the Profile page, check all three profiles: Domain, Private, and Public. Click Next.
- Name the rule. On the Name page, type a descriptive name such as Block Telemetry vortex.data.microsoft.com. Optionally add a description. Click Finish.
Repeat these steps for each telemetry endpoint you want to block. Create separate rules for each domain or IP address. This makes it easier to disable or remove a single rule later.
Using Domain Names Instead of IP Addresses
If you prefer to block by domain name, use the same wizard but specify the remote IP address as the domain name. In the Add IP Address dialog, enter the domain name such as vortex.data.microsoft.com. Windows Firewall resolves it to an IP address at that moment. The rule will not update if the IP changes. For this reason, consider using IP addresses that you verify regularly.
Common Issues When Blocking Telemetry with Windows Firewall
Creating the rule is straightforward, but several issues can prevent it from working as expected. Understanding these will save you time during testing.
Windows Firewall Rule Does Not Block the Traffic
If telemetry still reaches Microsoft after you create the rule, check the rule order. Windows Firewall evaluates rules from top to bottom. An allow rule that appears above your block rule will override it. In the Outbound Rules list, select your block rule and use the Move Up button in the right pane to place it near the top. Also verify that the rule is enabled. A gray icon next to the rule means it is disabled. Right-click the rule and select Enable.
Blocking Telemetry Also Blocks Windows Update
Some telemetry endpoints overlap with Windows Update servers. If you block ctldl.windowsupdate.com or update.microsoft.com, your device may not receive security patches. To avoid this, only block the specific endpoints listed in the Microsoft documentation for diagnostic data. Do not block the entire microsoft.com domain. Use a tool like Process Monitor from Sysinternals to watch which IP addresses the Telemetry service contacts.
Rule Stops Working After a Network Change
If your computer moves between networks, the firewall profile changes. A rule that only applies to the Private profile will not work on a Public network. Always select all three profiles when creating the rule. This ensures the block applies regardless of the network type.
Firewall Rule Types: IP Address Block vs Domain Name Block
| Item | IP Address Block | Domain Name Block |
|---|---|---|
| Description | Blocks traffic to a specific IP address | Blocks traffic to a domain name resolved at rule creation |
| Resolution timing | Fixed at rule creation | Fixed at rule creation |
| Handles IP changes | No, must update rule manually | No, must update rule manually |
| Ease of creation | Requires knowing the current IP | Easier because you type the domain |
| Best use case | Static IP endpoints that rarely change | Endpoints with stable domain names |
For telemetry endpoints that change IP addresses frequently, use a combination of both methods. Create one rule for the domain name and a second rule for the current IP. Check Microsoft’s published endpoint lists monthly and update your rules.
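The wizard steps from the section above and this periodic refresh, combined into one script. This is an added example, not code from the original article; it assumes the NetSecurity cmdlets (New-NetFirewallRule, Set-NetFirewallRule, Get-NetFirewallAddressFilter) and Resolve-DnsName available on Windows 8 and later, an elevated prompt, and uses only the three endpoint names the article lists.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. Creates one outbound block rule per
# telemetry endpoint with the same settings as the wizard (Custom, All programs,
# Any protocol, remote IPs only, Block, all three profiles), or refreshes the
# address list of a rule that already exists. Re-run it on your review schedule.

# Endpoints named in the article; extend from Microsoft's published endpoint lists.
$Endpoints = @(
    'vortex.data.microsoft.com',
    'settings-win.data.microsoft.com',
    'telemetry.microsoft.com'
)

foreach ($Endpoint in $Endpoints) {
    $RuleName = "Block Telemetry $Endpoint"

    # The firewall stores addresses, not names, so resolution happens here and
    # must be repeated when the endpoint's IPs change. Compare the result against
    # Windows Update addresses before applying, as the article warns.
    $Addresses = Resolve-DnsName -Name $Endpoint -Type A -ErrorAction SilentlyContinue |
        Where-Object { $_.QueryType -eq 'A' } |
        Select-Object -ExpandProperty IPAddress -Unique

    if (-not $Addresses) {
        Write-Warning "Could not resolve $Endpoint; leaving its rule unchanged."
        continue
    }

    $Existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    if ($Existing) {
        # Existing rule: replace its remote address list with the current IPs.
        $Existing | Set-NetFirewallRule -RemoteAddress $Addresses
        Write-Host "Updated $RuleName -> $($Addresses -join ', ')"
    }
    else {
        New-NetFirewallRule -DisplayName $RuleName `
            -Description "Blocks outbound diagnostic data to $Endpoint" `
            -Direction Outbound -Action Block `
            -Program Any -Protocol Any `
            -RemoteAddress $Addresses `
            -Profile Domain, Private, Public `
            -Enabled True | Out-Null
        Write-Host "Created $RuleName -> $($Addresses -join ', ')"
    }
}

# Verification: show each rule's enabled state and the addresses it currently blocks.
Get-NetFirewallRule -DisplayName 'Block Telemetry *' | ForEach-Object {
    $Remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
    '{0,-50} Enabled={1} Remote={2}' -f $_.DisplayName, $_.Enabled, $Remote
}
```

The final listing is the same check the troubleshooting section describes by hand: a rule that shows Enabled=False or an empty Remote list is the one to fix.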
Conclusion
You can now create outbound block rules in Windows Firewall to stop telemetry from reaching specific Microsoft endpoints. The key is to target only the diagnostic data domains and leave Windows Update servers untouched. Use the Custom rule type in the New Outbound Rule Wizard and apply the block to all three network profiles. For ongoing accuracy, monitor the IP addresses used by telemetry services and update your rules when they change. As an advanced step, export your firewall rules to a .wfw file and import them on other machines using the same console. This keeps your entire fleet configured consistently without manual repetition.