Saturday, 7 May 2016

Windows 10 Telemetry Documentation Latest

All information here is from Microsoft's Technet Documentation about Windows 10 telemetry, under this section

This document lists the main changes I've noticed in the latest version of Microsoft's telemetry documentation, which is dated 6th May 2016. 

Disclaimer: I'm only human and also dyslexic. I try my best to read and write accurately but I make mistakes and my enthusiasm can sometimes cloud fact. This is also a hobby, not a job. Please do check documentation yourself to be sure I've got things right.

My Summary

There's new insight into how the telemetry client works in latest update. We know not only is HTTPS involved, but SSL and certificate pinning when data is transferred from us to Microsoft. More interestingly to me, it's stated that the client uses Event Tracing which will mean it's likely writing a log file somewhere. This is the same technology that they introduced for Windows Update in Windows 10 which requires a blooming powershell command to convert the log files into readable text!

There's a fair few nuggets for enterprise customers to chew over; unlike with Windows 10, Windows Server metered connections will continue to send telemetry as normal unless you've set telemetry level to lowest, which is the security level. It's stated that non-internet servers should be set to that level so they don't amass data that's going nowhere. At the same time they say that if you rely on Windows Update Services (and who doesn't?) you shouldn't use the security level as that level doesn't send telemetry on update success etc, meaning Microsoft can't improve quality of updates as they learn nothing. Regarding System Center telemetry, it says that at basic and security level, no system center telemetry is sent but makes it clear that the control for System Center telemetry is from within the product itself. Also worth noting is that the text suggests that the default telemetry level for Server OS is Enhanced. I'm not sure if that's new or if that's what consumer Windows is set to as well. I thought it was basic?

Consumer wise, the Retention section now suggests that a fair amount of data is retained longer than 30 days. Which makes sense in some respects as they do say they supply anonymised data to third parties and vendors. Would be hard to do that without keeping data longer than a month, right? Of course, they don't say what they do keep specifically.

Equally interesting to me, and somewhat expected I guess, is that if you run any virtual machines, they too will be sending telemetry back, including all the apps they have installed. They also make it clear about something I already suspected, which is that pretty much every aspect to the use of an app is recorded too. i.e. how long it's used, does it have focus and when was it started. You can bet they'll be more than those 3 aspects that they described here that they record.

Not a biggie, and somewhat also unsurprising, the text now says that they can take crash dump files too from your computer via telemetry client. This is done at Enhanced Telemetry Level.

The ability at enhanced telemetry level to take content that might include user sensitive information is now not in the documentation at all, but I'd be surprised if that means they don't do that anymore. Remember, this is only if the user files were involved in the issue they are investigating and they won't do anything with what they find. i.e. your info in a document are safe.

There's also mention that telemetry data is taken at a "fractional sampling rate" which can be as low as 1%. I don't really know what that means. Suggests that telemetry likely targets only specific devices perhaps? Also, doesn't say what the average sampling rate is, only what the minimum could be.

Actual list of changes:

Configure windows telemetry in your organisation

Overview Section

  • Makes it clear that the article doesn’t apply to System Center products as they use different telemetry service than Windows and Windows Server.
  • Overview section explains the forms of telemetry Microsoft used to take in previous versions of windows and windows server; Defender Signature, Windows Update, Reliability Analysis Service and using CEIP.
  • Overview section says Microsoft partnering with enterprises to provide added value from the telemetry information shared from their devices; i.e. app capability and driver reliability issues.

Data Collection section:
  • Completely reworded section, now with additional information.
  • NEW = Connected User Experience & Telemetry component in Windows 10 and Windows Server 2016 uses Event Tracing for Windows trace logging to gather and store telemetry events and data.
  • NEW = The Connected User Experience and Telemetry Components transmits over HTTPS and uses certificate pinning.
  • NEW = Enhanced & Full levels of telemetry is gathered at a fractional sampling rate, which can be as low as 1% of such devices reporting data.

Data Transfer section
  • Section has been renamed to ‘Data Transmission’.
  • CHANGE = Now implicitly says telemetry data is encrypted using SSL and uses certificate pinning during transfer. Before it just said data was encrypted.
  • CHANGE = The example it gives for real-time events that are sent immediately is altered from ‘gaming achievements’ to ‘Windows Defender Advanced Threat Protection’.
  • CHANGE = After saying that normal events are not uploaded on metered networks it now says that doesn’t apply if you are on a metered server connection.

Microsoft Data Management Service Section
  • Section title renamed to ‘Endpoints’
  • CHANGE = Opening two sentences changed substantially:
    • Used to say = The Microsoft Data Management Service routes information to internal cloud storage, where it's compiled into business reports for analysis and research. Sensitive info is stored in a separate data store that's locked down to a small subset of Microsoft employees in the Windows Devices Group. The privacy governance team permits access only to people with a valid business justification.”
    • Now says = “The Microsoft Data Management Service routes data back to our secure cloud storage. Only Microsoft personnel with a valid business justification are permitted access.
  • NEW = Two new endpoints now mentioned:
    • Windows Error Reporting connects to
    • Online Crash Analysis connects to

Usage section
  • Renamed to ‘Data use and access’.
  • Minor wording changes to all sentences but essentially saying exactly the same thing as before.

  • Mostly minor wording changes except last two sentences.
  • CHANGE = “Other info may be retained longer, particularly if there is a regulatory requirement to do so.” Changed to Much of the info about how Windows and apps are functioning is deleted within 30 days. Other info may be retained longer, such as error reporting data or Store purchase history.”
  • NOT NEW (as I've subsequently realised but I'll keep it here anyway) = Added sentence here which was previously elsewhere “Info is typically gathered at a fractional sampling rate, which for some client services, can be as low as 1%.”

Telemetry Levels


·         CHANGE = Windows Server 2016 and System Center added to list of Oss that this section applies to.
·         CHANGE = Windows Server 2016 added to list OS that have additional Security telemetry level.

Security Level 
·         CHANGE = In first ‘Note’ where it says organisation that rely on Windows Update shouldn’t use the Security level, it now says that because Windows Update Information isn’t being sent at this level, Microsoft can’t use that information to fix causes of any failures and improve quality of updates.
·         NEW = Says that servers with default telemetry settings and no 
·         NEW = Says telemetry data about Windows Server features or System Center are not gathered at this level.internet connectivity should be set the telemetry level to Security to stop data gathering for events that will  never be uploaded due to no internet connectivity.

Basic Level 
·         NEW = Says “The Connected User Experience and Telemetry component does not gather telemetry data about System Center, but it can transmit telemetry for other non-Windows applications if they have user consent.”
·         NEW = Added following to list of data that basic level gathers “Virtualization attribute, such as Second Level Address Translation (SLAT) support and guest operating system.”
·         CHANGE = App compatibility section now says that apps that are installed on a device or virtual machine will be gathered at this telemetry level.
·         NEW = Added following to list of data that basic level gathers “App usage Data. Includes how an app is used, including how long it is used for, when the app has focus and when the app is started.”

Enhanced Level
·         NEW = “Says this is the default level and the minimum level needed to quickly identify and address quality issues with Windows, Windows Server and System Center”.
·         NEW = Added following to list of data that enhanced level gathers “Some crash dump types. All crash dumps, except for heap dumps and full dumps.”
·         REMOVED = Sentence that says what happens if more details are required no longer says anything about how long it will gather info for that issue (was 2 weeks).

Full Level
·         Where section says what capabilities Microsoft Engineers have to use the telemetry client to gather more information ...
·         REMOVED = “Ability to gather user content, such as documents, if they might have been the trigger for the issue.”
·         ADDED = “All crash dump types, including heap dumps and full dumps.”

Manage your telemetry settings section
·         NEW = “Says you can turn on and off system center telemetry gathering. The default is on. Says setting telemetry level to Basic will turn off system center telemetry even if system center telemetry switch is on”.
·         NEW – Section on how to configure system center 2016 telemetry settings.

Examples of how Microsoft uses the telemetry data section
·         This is a new section.
·         Has three paragraphs explaining how telemetry data is used, which have the headings “Driver higher application and driver quality in the ecosystem”, “Reduce your TCO and downtime”, “Build features that address our customers’ needs”

No comments:

Post a Comment