Zorin replaces Windows - is it a joke or a scam?

The closest thing to "caged windows" for you would be Windows 11 IoT Enterprise LTSC. Difficult, but perhaps not impossible for individuals to obtain.

Windows 11 IoT (Internet of Things) Enterprise LTSC (long term service channel), allows for total telemetry blackout through group policy settings. Copilot, Recall, and Microsoft Store have all been stripped in advance.

It is designed for things like medical MRI machines, ATMs, and other uses which cannot allow for forced updates or unpredictable background traffic. You'd get security updates, but no feature updates, which means your registry tweaks and other customizations would be left alone.

Win11 Enterprise LTSC is built on the same kernel as Windows Pro, so your programs and peripherals would feel right at home.

It doesn't throttle hardware just because it is an IoT build, so your CPU, GPU, memory, etc. would be used to the max.

AND, you can set up a local account out of the box. Setup assumes you are a tech setting up a specialized device, so it doesn't demand (I don't think it even requests) that you use a Microsoft account.

1 Like

[quote="wsmather, post:102, topic:61210"]
I'm not familiar with Windows 11 LTSC, but I am familiar with Windows 10 LTSC. It's missing a number of libraries and other things that prevent a number of programs from running on 10 LTSC, including the ones I need. Microsoft are b@st@rds, but they're not stupid.
[/quote]

No they aren't, but neither are they all-seeing and knowing.

The best course of action to mitigate this would be to install Win 11 LTSC and then add in the stuff that's missing. I did some research:

  1. In 2026, it is easier to add back in the missing DirectX End-User Runtimes and the Visual C++ All-in-One redistributables than it used to be.

Apps like 3ds Max and ZBrush primarily need the C++ 2015-2022 Redistributables (both x86 and x64) and DirectX 9/10/11 legacy DLLs. You can download a single "All-in-One" installer from community sources (like TechPowerUp or GitHub) that reinstalls them.

As for proprietary drivers, your Wacom and 3Dconnexion drivers will work fine on LTSC because the underlying architecture is identical to Pro.

Once you install your missing libraries, they will stay there, because LTSC only receives security patches and not feature updates.

  2. Even with LTSC, it would be a very good idea to get a hardware firewall (pfSense/OPNsense are good - $200 to $300), because even a "zero" level of telemetry is not silence. It will activate to verify your hardware/firmware hasn't been tampered with (TPM 2.0, Secure Boot, etc.). Also, it pings MS to check policy status and certificate revocation lists and arcana like that. Your machine has a fingerprint bound to something called your TPM endorsement key, which a hardware firewall can block. If it tries to leave via their high-traffic node (13.107.4.52), the hardware firewall kills it. It can do this because by definition a hardware firewall is completely outside the "circle of trust" of the OS.

The only way Microsoft gets around a hardware firewall is via Encrypted DNS (DoH) and SNI (Server Name Indication). If Windows hides the destination of its traffic inside an encrypted HTTPS tunnel to a generic Microsoft server (like outlook.com), the firewall might struggle to tell "telemetry" apart from "legitimate mail." What to do? Here's what I found: ***

BTW, in seeking a copy of Windows 11 IoT LTSC, avoid the "N" version (the European version). It is missing a great deal (media feature pack, codecs, DirectX runtimes, etc.)


From Google Gemini search:

  1. Block DoH

Windows 11 tries to use DoH to bypass your local DNS filters. If it can't resolve the "bad" domains through your firewall, it will try to ask Google (8.8.8.8) or Cloudflare (1.1.1.1) directly over port 443.

The Fix: On your hardware firewall (pfSense/OPNsense), use a DoH Blocklist (like those from Hagezi). This is an alias of known IP addresses for encrypted DNS providers.

The Rule: Any traffic from your Windows machine trying to reach these specific IPs on Port 443 is blocked. This forces Windows to "fall back" to your local, unencrypted DNS, where you can see exactly what it’s asking for and block it.

  2. Defeat SNI via "Force-Routing"

SNI (Server Name Indication) is part of the TLS handshake that tells the server which website you're visiting. Microsoft uses "Domain Fronting" to make telemetry look like legitimate traffic.

The Fix: Instead of trying to "read" the SNI, you Block by Destination IP Range (ASN).

As we discussed, if you block AS8068 (Microsoft's main block), it doesn't matter what the SNI says. Whether the packet says "I'm an email" or "I'm telemetry," the firewall sees it's headed for a Microsoft data center and drops it.

For your 3D work: You only whitelist the specific, tiny IP ranges or domains required for your licenses (e.g., *.autodesk.com).

  3. The "IoT LTSC" Advantage

This is why the IoT version is so important for you.
In Windows 11 Pro: The OS is constantly fighting to turn DoH back on.

In IoT LTSC: You can use Group Policy (gpedit.msc) to set "Configure DNS over HTTPS (DoH) name resolution" to Disabled. Because it's LTSC, the OS will actually obey this setting. Once disabled, Windows stops trying to "hide" its DNS requests, making your hardware firewall's job 100% easier.

  4. The "Local Account" Registry Kill

Since you mentioned the local account bypass was removed, in LTSC you simply:

Install the OS while disconnected from the internet.

Set up your local account.

Apply your "Disable DoH" and "Disable Telemetry" group policies.

Only then connect to your hardware firewall.

(P.S. I use a hardware firewall. I got one on the advice of a friend, as a way to maintain security since I choose to use an unsupported operating system - Zorin 16.)

3 Likes
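A small egress-policy checker, added here as an example (it is not code from the post above, nor from pfSense/OPNsense), that evaluates the rule order the list describes: the licensing allowlist first, then the DoH-resolver block on port 443, then the vendor address-range block, and finally a check that a blocked DoH attempt was actually followed by plain DNS to the local resolver. Apart from 1.1.1.1 and 8.8.8.8, which the post names, every prefix and flow record is a constructed placeholder.

```python
"""Egress rule-order check for the DoH / address-range blocking described
in the thread. Added example, not from the post or from pfSense/OPNsense;
prefixes other than 1.1.1.1 and 8.8.8.8 are TEST-NET placeholders."""
import ipaddress
from dataclasses import dataclass

DOH_RESOLVERS = [ipaddress.ip_network(p) for p in ("1.1.1.1/32", "8.8.8.8/32")]
VENDOR_RANGES = [ipaddress.ip_network("198.51.100.0/24")]   # placeholder for an ASN prefix list
LICENSE_ALLOW = [ipaddress.ip_network("198.51.100.250/32")] # placeholder licensing host inside that range
LOCAL_DNS = ipaddress.ip_address("192.168.1.1")             # constructed LAN resolver address


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def _in(addr: str, nets) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def decide(flow: Flow) -> str:
    """Return 'allow' or the name of the first matching block rule (order matters)."""
    if _in(flow.dst, LICENSE_ALLOW):
        return "allow"                      # allowlist sits above the range block
    if flow.dport == 443 and _in(flow.dst, DOH_RESOLVERS):
        return "block-doh"                  # force fallback to the local resolver
    if _in(flow.dst, VENDOR_RANGES):
        return "block-vendor"               # whole range, regardless of SNI
    if flow.dport == 53 and ipaddress.ip_address(flow.dst) != LOCAL_DNS:
        return "block-rogue-dns"            # only the local resolver may be asked
    return "allow"


def fallback_verified(flows) -> bool:
    """True once a blocked DoH attempt is followed by plain DNS to LOCAL_DNS,
    i.e. the host really fell back to where its queries are visible."""
    saw_block = False
    for f in flows:
        verdict = decide(f)
        if verdict == "block-doh":
            saw_block = True
        elif saw_block and verdict == "allow" and f.dport == 53 and f.dst == str(LOCAL_DNS):
            return True
    return False


SAMPLE = [  # constructed flow records from one workstation, in time order
    Flow("192.168.1.50", "1.1.1.1", 443, "tcp"),
    Flow("192.168.1.50", "192.168.1.1", 53, "udp"),
    Flow("192.168.1.50", "198.51.100.7", 443, "tcp"),
    Flow("192.168.1.50", "198.51.100.250", 443, "tcp"),
]
```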

I'm so glad we have a smart networking IT tech in here, who knows what they're doing in Windows 11, @wsmather. Thank you Scott for sharing your knowledge, that is how everyone benefits. That OS has a history of turning back on every feature that has been turned off, making it impossible to customize the OS. I didn't know that there was a different version of Win11 that is better to start with. Glad to have you onboard, helping others with your knowledge and experience.

I personally abandoned Microslop after Win7 was EOL. I already didn't like what I was hearing with Win10, so I said, no way, I'm going to try Linux. In truth, I've had both ups and downs with Linux; it's never been a perfect solution. Having said that, I still believe I made the right choice. Microslop shouldn't even legally be allowed to infringe on people's privacy, but they lobbied to be allowed to do it.

I wish that Microslop lost their marketshare, so they would no longer be seen as the global go to, for software and games development. If things went the other way, Linux wouldn't have to worry about needing Proton, or Proton not working, because it would be coded for Linux in the first place.

Far too many people accept what Microslop does to them, 'cause it's easier to do nothing I guess, and let their world get owned by a greedy corporation. There was a time when Windows was just an OS and didn't get in the way. Once people's data became known as dollar signs, that's when things changed.


2 Likes

I have not had that problem with Zorin but I had similar with Windows.

  • Open and edit a file and go Control-S to save it and Windows would often say I did not have permission to save that file - I had to give it a new name then delete the spare file. OR
  • Go to delete a file only to be told I did not have permission to do that. I am still removing some of those files four months after the switch, OR
  • Go to edit a file name ... Etc

1 Like