Win10 “Allow Telemetry” required for Update control on Win10 Enterprise, Education

Topic

New Reply

Very interesting note from ch100: This would be funny, but… it is not In Windows 10, there are 2 Group Policies which are supposed to be used for the
[See the full post at: Win10 “Allow Telemetry” required for Update control on Win10 Enterprise, Education]

Reply | Quote

Replies

Woody, somewhat related, but not really. I was just going through my task scheduler and found a few interesting items:

>Task Scheduler Library >Microsoft >Windows > Application Experience

Under this is the task “AitAgent” here is the general description:

Aggregates and uploads Application Telemetry information if opted-in to the Microsoft Customer Experience Improvement Program.

Now I have never been opted in the CEIP. I even rechecked my settings and I am still not in it.

The interesting thing on the task though is that it says status – disabled but then shows a last run time of 10/20/2016 and a next run time of 10/27/2016.

Sound like even when I am opted out and the task is disabled, it is running once a week anyways and sending telemetry to Microsoft.

Can I just delete this task without hurting anything (if that will even be effective??)?

There are a few others that have run that I wonder if I can just delete under the same folders >Task Scheduler Library >Microsoft >Windows

> Autochk – Proxy

This task collects and uploads autochk SQM data if opted-in to the Microsoft Customer Experience Improvement Program.

Shows disabled but last run 9/29/2016 although does not show a next run time

> RAC – Rac Task

Microsoft Reliability Analysis task to process system reliability data.

Shows ready and will be run, not sure if it actually sends data

> Windows Error Reporting – Queue Reporting

Windows Error Reporting task to process queued reports.

Shows ready and will run but again I am not sure if it sends data to Microsoft.

Let me know what you think of each of these.

Thanks!

Reply | Quote

As it appears, the 2 policies are new in 1607, replacing the single policy related to the delay in 1511.
Few details at the URLs below:

http://www.grouppolicy.biz/2016/08/windows-update-business-group-policy-changes-windows-10-1607/
http://www.techproresearch.com/article/windows-update-for-business-a-hands-on-look-at-how-to-take-control/

Reply | Quote

“What does anyone else think about this implementation?”

I think it stinks. You have to choose either spying by Microsoft or being an unpaid beta tester.

Does this also apply to LTSB, or only to CBB?

Reply | Quote

Resistance is futile.

Reply | Quote

Woody:

Maybe it’s just the cynic in me, but I fully expect Malwaresoft to introduce something like this for Windows 7, 8 & 8.1 very soon, probably through one of their so-called “quality updates”.

In fact I’m surprised it hasn’t been done already given the massive push-back they’ve received on their efforts to ramp up “telemetry” and other data collection in all versions of Windows since the release of Window 10.

Reply | Quote

I haven’t bumped into that one. Ouch.

I have no idea if you can delete the task with impunity. Let’s see if we can get comments from folks who are more knowledgeable…

Reply | Quote

Since we have at least three Jims posting on this blog, I’ll be Jim4 (it’s a long story).

Reply | Quote

Several of these tasks (Application Experience, Autock, and CEIP) I believe were altered by KB2952664 (for example) back in the GWX campaign to go around the opt-out of CEIP and report anyway. Disabling seems to have little effect on whether they run or not.

At this point, MS is curtailing a bunch of the efforts to limit telemetry by changing Policies and Reg settings. I suspect it will eventually be taken out of our hands altogether.

Group A or Group W.

Reply | Quote

It has been done already for Win7/8, ramped up by the GWX campaign. That’s why there was such a discussion about hiding updates.

Reply | Quote

Don’t be surprised if Group B members will soon be required to upload information from a government issued ID and and a valid credit card number in order to download security only updates from the catalog.

Linux looks better every day!

Reply | Quote

Of course, you’re correct, but I avoided absolutely everything to do with the GWX campaign so never noticed any attempts to increase telemetry until after the “free giveaway” barrage. Next will come forced telemetry reporting as a condition of updating Windows Defender and/or other major components. Fortunately, I use other antivirus/antimalware products, and I will switch from Group B to Group W the second they start messing with that on my Windows 7 and 8.1 machines.

Reply | Quote

That might explain it as I at one time had KB2952664 installed but later removed it.

Do you know if I can delete these tasks without any ill effects?

Will deleting the task prevent this telemetry?

Reply | Quote

@PKCano I think that only the “Appraiser” task which is installed by KB2952664 is affected by what you described. The other Windows 7 original tasks seem to comply with the global setting for CEIP, although they still run at the scheduled time, probably logging locally.
I think abbodi86 has more information about this behaviour which was discussed when we were analysing the telemetry related patches.

Reply | Quote

@Jim Thank you for replying.
CBB is a concept not a version of the operating system and means exactly what those settings are supposed to do, i.e. deferring updates until such a time when they are considered safe(r). CBB is available in the versions of Windows 10 manageable with Group Policies, which are Pro, Enterprise, Enterprise LTSB, Education. The last 3 versions are flavours of the Enterprise version, customised for a specific purpose, but with their own licensing requirements.
To answer directly to your question, it applies to LTSB.
The only possible configuration to take advantage of those settings is to set the telemetry setting to 1 = Basic which is the minimum level available in the Pro version.
Level 0 = Security is available only in the Enterprise versions (including Education) mentioned above.

Reply | Quote

It is not necessary associated with the GWX campaign and it was not the main purpose. GWX campaign only benefited from a more general approach industry-wide.
MSRT and MSE/Defender have had those features built in for a very long time, 10+ years and MSRT had it enabled since then.

Reply | Quote

KB2952664
KB2976978
KB2977759
KB3021917
KB3022345
KB3068708
KB3075249
KB3080149
KB3081954

All telemetry & CEIP updates that have already been released over the last 1 1/2 years (or so).

Obviously up until this point, you could choose to not install them, and you were fine. Going forward, yes, I absolutely agree that we’ll probably see these updates integrated into one of the “Security & Quality rollup” updates.

Reply | Quote

Wonder if M$ will throw in a few more name changes too ala Diag Track is gone….meet the new Connected User Experiences and Telemetry Service.

Swamps and Alligators.

Reply | Quote

It seems to be the accurate list to date.
I am wondering though, how many people, not necessary readers of askwoody.com , but users in general, actually install all those updates and have a better computing experience overall than those who don’t and are over-analysing this issue?

Reply | Quote

There is little doubt in my mind that MS salivates at the idea of WaaS for individuals, where they get a monthly revenue stream from every user and can use/market the big data that flows from that.

Whether they realize it won’t work I DK — like all monopolists before them, it takes a long time to realize the loss of dominance and they operate for quite a long time under the illusion of dominance and do lots of stupid things that only accelerate the decline. Short term profits help obscure the problem.

Reply | Quote

How many non-networked but internet-accessible Windows 10 PCs are there in Enterprise/Education?

Must be a miniscule percentage of the overall Windows platform.

Makes for yet another “sky-is-falling” headline though.

Reply | Quote

It’s my understanding that all Win10 Pro machines have this restriction.

Perhaps ch100 can enlighten me.

Reply | Quote

Mobile laptops belonging to an organisation. Lots of them.

Reply | Quote

Pro machines unfortunately don’t have that setting of Security being “natively” restricted, so they are able to use the deferring policies regardless.

Reply | Quote

MS faces a shift in the consumer market towards devices that best for content consumption and portability. This hurts the PC OEMs some and MS more directly because Windows PCs are not as important to consumers. They have a choice to either concede the consumer market to others and concentrate on businesses or try to keep the consumer market. They seem to be following the later strategy and may risk losing everything.

Most consumers do not need a specific program to do their tasks. They just need a program that can do their tasks. They do not need a specific OS but an OS that allows them to do what they need.

Reply | Quote

I had noticed this thing in 1511 a long time ago, but since I don’t use Windows 10 on any of my machines (only in VMs) I just ignore it:

If the “Allow Telemetry” policy is enabled and the Options value is set to 0, then the “Defer upgrades by”, “Defer updates by” and “Pause Updates and Upgrades” settings have no effect.

This is stated in the “Defer upgrades and updates” policy in Windows 10 1511. So Microsoft when it introduced the Defer Upgrades policy in 1511 had intended that the policy only works if you do not set the Allow Telemetry setting to the Security (0) setting.

For me, tying telemetry and useful update settings together is just another justification for avoiding Windows 10 as long as possible.

Hope for the best. Prepare for the worst.

Reply | Quote

You mean the ones that got hijacked by Win10 because they installed all of them???
I’m sure they are having a better computing experience!!!

Reply | Quote

That was my understanding too. Only Enterprise/Education could use the “0” setting.

Reply | Quote

I mean, I’m more tech savvy (obviously) so I can troubleshoot issues that come up, but I haven’t had anything but a good computing experience with Win7 over the years. The few issues I’ve had were either my doing (unstable OC) or just faulty hardware. OS has always run like a top though.

Reply | Quote

So “b” is right?

Reply | Quote

I don’t have any of those updates and my computing experience has been wonderful because every time I see anything about telemetry and CEIP I say “Bleep you, Microsoft, and thank you, Woody.”

P.S. Since I’m in Group W, that’s what I’ll continue to say.

P.P.S. And since I make disk images regularly I don’t have any FUD about being in Group W.

Reply | Quote

“b” is not right. “b” is always opposing something without having any constructive input and without having enough experience to understand the issues entirely.

I replied already that there are mobile machines which belong to organisations and which can update from anywhere, including Windows Update. In addition, there is no requirement for organisations to have managed update servers, so any Enterprise, Education or LTSB machine can update from Internet at one time or another. Think small businesses for which is much easier to update from Internet than to manage a server for that purpose. Small businesses can qualify for using Enterprise version.

LTSB is a special edition, not supported by Microsoft for general use, which may mean something as simple as having installed Office on that machine. This is the general advice, although in specific situations, under Microsoft guidance, LTSB can be installed and fully supported if it is proved to be the best tool for the purpose.
For general purpose computers, organisations should use Enterprise or if academic should use Education (which is Enterprise customised for the purpose) or Pro.

Reply | Quote

@PKCano See my other reply, your statement is correct in relation to Pro.
In fact Pro has the setting 0 in Group Policies, which according to the published documentation defaults automatically to equivalent of 1 (Basic) for Pro machines. I did not test, but it is highly probable that those Pro machines which are configures with Telemetry setting to 0 in policy to be affected in the same way like the Enterprise machines.

What “b” actually says is that there are no unmanaged Enterprise machines for the purpose of Windows Update which is inaccurate.

Reply | Quote

Thanks @James Bond 007
I wouldn’t go as far as avoiding Windows 10 for that reason, but it is not OK to tie those two things which should be completely independent, unless:
– It is done on purpose (which is highly likely)
– Microsoft has poor developers (which is highly unlikely)

Reply | Quote

>How many non-networked but internet-accessible Windows 10 PCs are there in Enterprise/Education?

For W10, I only install and recommend Ent/Edu nowadays, because at least they give you some control over your PC (getting legal versions of those is not easy, but that’s a different topic…).

Also if you go around schools you’ll find many legal Edu versions that aren’t “centrally managed”.

Reply | Quote

Understood.

I know there are plenty of PCs running Win10 Enterprise and Win10 Education that are not attached to update servers. I didn’t understand that this “Allow Telemetry” limitation is only for those machines. For that I apologize.

(To me, LTSB = version 10240, and that’s about it. Am I missing something?)

Reply | Quote

There was no hijacking by using the right tools. It is not about the GWX Control Panel which I never installed, it is about the documented Group Policy/Registry procedure. Just speculating here, because I am convinced that most end-users have no idea about Group Policies or Registry editing. 🙂

My post was related to telemetry and questioning if it is worth spending the time to avoid something that may be benign vs just installing whatever comes on Windows Update, assuming that the push for the Windows 10 upgrade is past us.

Reply | Quote

There is a newer LTSB 2016 version 1607 which is documented by Microsoft to be the true client equivalent of the Server 2016 with Desktop Experience.
You have to read between the lines here
https://blogs.technet.microsoft.com/windowsserver/2016/07/12/windows-server-2016-new-current-branch-for-business-servicing-option/
The 10240 version is called LTSB 2015.
Otherwise the same principles for both versions apply.
Note: There was no LTSB version 1511 which is a sign that 1607 is considered a more important version that 1511 which was only an intermediate step between 2 major version.

Reply | Quote

Interesting. So you install Server 2016 version 1607 as a desktop, and you come up with the new LTSB version. I hadn’t noticed that.

But regular Enterprise machines on LTSB remain at 1507, yes?

Weird. That contradicts what I thought I knew about LTSB.

Reply | Quote

Maybe I’m off base (though I don’t think so), but, since we don’t know exactly what these updates do or don’t do because we cannot spy on the spying, and can only go off of what Microsoft says they’re for, I think of them just like curtains for my home.

I have windows, but I don’t generally leave my windows open and my curtains out of the way unless it’s daytime and I can see if someone’s outside peeking in. When it’s nighttime, and it’s dark out, even if I have my windows open (for fresh air), the curtains are closed. I want the air in, but I don’t want any possible prying eyes.

I think of these updates as windows, and installing them is leaving the curtains open. There may not be anything out there, but I’d rather not risk it. Though I may come off as one, I’m not a tinfoil hat guy – my issue is that MS has done almost everything they can to destroy trust, so I’m only giving them as much rope as they need to hang themselves.

Reply | Quote

Windows Server 2016 with Desktop Experience (which is the regular GUI) is not Windows 10 LTSB, just behaves like LTSB in terms of updating.

LTSB is a concept not necessary a specific Windows 10 version. It is related to the servicing model. The Windows 10 versions named LTSB are named as such just to make the distinction, otherwise they are Windows 10 Enterprise with features removed not to cause interruptions of service.

LTSB = Long Term Servicing Branch (like Windows 7, Windows XP)
CBB = Current Branch for Business with the Feature Updates (=Service Packs in old language) delayed
CB = Current Branch with the Feature Updates installed immediately

LTSB versions are missing all Store applications, including Edge. This is true for Server 2016 and Windows 10 (Enterprise) LTSB.
LTSB gets updates, but not Feature Updates, only the regular Cumulative updates and occasionally a hotfix

Firefox names the LTSB concept ESR = Extended Support Release

Citrix names the same thing Long Term Service Release

All those “new” concepts, LTSB, ESR, LTSR are the same model with which we were used for the last 20+ years.

Because the big software manufacturers decided that it is in their interest to change this model to one based on “service”, now they are trying to convince us all that the new model is normal, while the old model is just a concession that they still make to us, maybe for a limited time, while we get used to the new thing. It is that simple, although it appears complicated at first sight.
One can think about all this push like a conspiracy to make updating unmanageable for the end-user or not practical for enterprises, so those users, private and corporate would be convinced that using a cloud model where Microsoft or other providers manage the updates is the only way to go forward.

Reply | Quote

“But regular Enterprise machines on LTSB remain at 1507, yes?”

Yes if they don’t upgrade and can stay on LTSB 2015 for 10 years, no if they decide to upgrade to LTSB 2016 which is 1607.
LTSB 2016 actually has different license keys, it is not a free upgrade from LTSB 2015, unless the agreement (Software Assurance?) is current.

Reply | Quote

Well I deleted the Application Experience – AitAgent and Autochk – Proxy tasks and nothing bad happened so far.

I am a little hesitant about the RAC – RAC task and Windows Error Reporting – Queue Reporting Tasks as I am not sure what they are really for.

Does anyone know what they really do? Can I safely delete these? Do the send anything to Microsoft?

Reply | Quote

Man, they slipped another upgrade right past me. 🙂

Reply | Quote

It is not here
https://technet.microsoft.com/en-us/windows/release-info.aspx
but is here 🙂
https://blogs.technet.microsoft.com/windowsitpro/2016/08/02/whats-new-for-it-pros-in-the-windows-10-anniversary-update/

Windows 10 Enterprise Long-Term Servicing Branch (LTSB) 2016 media will be available beginning October 1st.

For trialling
https://www.microsoft.com/en-us/evalcenter/evaluate-windows-10-enterprise

Editions

Windows 10 Enterprise, Version 1607 | 64-bit ISO
Windows 10 Enterprise, Version 1607 | 32-bit ISO
Windows 10 Enterprise LTSB 2016 | 64-bit ISO
Windows 10 Enterprise LTSB 2016 | 32-bit ISO

Reply | Quote

For MS that’s almost Full Disclosure.

The name would more likely be something akin to “Enhanced User Experience Improvement Service”.

Ugh.

Reply | Quote

Thx!

Reply | Quote

I didn’t say none. I asked how many. But hinted that it may be a very small minority based on your “normally not the case for most Enterprise or Education installations” in the first post.

Reply | Quote

Great discussion with great posts. Thanks to all.

I would like to get hold of Win10 Ed or Pro-Ed version but I’m not prepared to attend a school to do so. I wonder if this path is still open

http://www.infoworld.com/article/2613773/office-software/how-to-buy-a-microsoft-volume-license-on-the-cheap.html

Reply | Quote

Too much drama 🙂

Reply | Quote

@Erik;

Diag Track is now Connected User Experiences and Telemetry Service.

http://www.ghacks.net/2015/11/19/microsoft-rena-and-telemetry/

I was suggesting we will probably see more clever name changing un-announced.

Reply | Quote

I have a hard time controlling myself about all this spam… but it is not my blog 😀

Reply | Quote

https://www.microsoft.com/en-us/evalcenter/evaluate-windows-10-enterprise

Check this site too and read carefully 🙂
http://www.howtogeek.com/250503/how-to-upgrade-to-windows-10-enterprise-without-reinstalling-windows/

Reply | Quote

Not for this reason alone of course. The main reason I avoid using Windows 10 is the forced automatic updates (plus the inability to selectively install and refuse updates like Windows 7 and 8.1), and of course the “telemetry”. This just serves as additional justification for me.

As you said, it is not right to tie this important function with telemetry collection.

Hope for the best. Prepare for the worst.

Reply | Quote

I didnt know that about Ent. ver. i always thought they were a ver. all on theyre own.I always used the “/set-edition” cmd as a way of updating multiple “wim” indices rather than offline update each seperatly.

If you want clean M$ versions win7,8.1,10all google heidoc.net it has a download app that gives you access to all the versions from the M$ tech bench web site theyre all clean and from M$ and a fast download too. As for activation cant help you there but at least you get to try them out before you buy and i am sure M$ will sell you a key if you ask them nicely 🙂

Reply | Quote

@ch100;

Thanks, will do.

JF

Reply | Quote

Try a product named Windows Update MiniTool. It is another GUI for windows Update which allows you selective installation on Windows 10.

Reply | Quote

https://github.com/Nummer/Destroy-Windows-10-Spying

You can always try this or other spy removals apps out there for W10. Be sure to make a backup first or not to use professional mode unless you know what you’re doing. Not sure if it helps with the new updates on telemetry or whatnot.

Reply | Quote