Windows 10 Enterprise: Does setting telemetry to zero disable cumulative updates?

Topic

New Reply

A very interesting post this morning from Günter Born. In a nutshell: If you’re running Win10 Enterprise And you aren’t connected to an update server
[See the full post at: Windows 10 Enterprise: Does setting telemetry to zero disable cumulative updates?]

1 user thanked author for this post.

Norio

Reply | Quote

Replies

Yep, this statement is correct. Unfortunately.

If you change setting of this Win10 registry key from its default 3 to 0 then a regular updates’ check returns nothing.

It has been tested by me personally on Win10 Enterprise x86 install a long ago when I’ve tried to arrange its settings aimed to minimize snooping.

Rgds,

P.S. I guess it’s correct for any edition of win10. Although I hardly understand what does it mean – you aren’t connected to an update server ?

Reply | Quote

Not just forced Telemetry collection in Win 10 Ent, according to https://answers.microsoft.com/en-us/windows/forum/windows_10-update/windows-10-fall-creators-update-crashed-my-pc/b8e2bdb4-9125-448b-a768-d597db79bf2c and
https://answers.microsoft.com/en-us/windows/forum/windows_10-update/update-1709/3d9ff6e0-f7c0-4002-a29c-6170e7195e40 , it seems, some 4 to 5 years old computers could not be upgraded to Win 10 1709 likely because their hardware devices are no longer supported by the OEMs.

If so, affected users will have to buy new OEM Win 10 computers = Planned Obsolescence by M$ and the OEMs.

Reply | Quote

Hello Anonymous, This does appear to be true. If I recall, Woody ? pressed Microsoft into admitting what the end of life for a device is and was told 2 to 4 years. After that EOL, Microsoft does not have to supply updates to that device.

Also, it was said, “If your organization relies on Windows Update for updates, you shouldn’t use the Security level. Because no Windows Update information is gathered at this level, important information about update failures is not sent.”

With millions of Windows 10 users out there I really can not see having 10 or even 20 percent not participating as a problem With the MILLIONS of average users sending telemetry Microsoft surely know what patches are giving troubles. This does not include the people that are technical that post and inform Microsoft of issues.

 

Reply | Quote

Since posting the first edition of my blog article, I added some text (we have a discussion on German Facebook). Microsoft’s article Configure Windows diagnostic data in your organization from October 2017 contains contradictionary statements. What I read, was:

The Security level gathers only the diagnostic data info that is required to keep Windows devices, Windows Server, and guests protected with the latest security updates. This level is only available on Windows Server 2016, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and Windows IoT Core editions.

 

Ex Microsoft Windows (Insider) MVP, Microsoft Answers Community Moderator, Blogger, Book author

https://www.borncity.com/win/

2 users thanked author for this post.

Norio, Elly

Reply | Quote

Maybe this is another instance of Microsoft not honoring the settings that their customers have chosen.

Keep Running Windows 7 Safely for Years to Come  
Make Windows 10 look and work like Windows 7

Reply | Quote

http://www.zdnet.com/article/how-to-take-control-of-windows-10-updates-and-upgrades-even-if-you-dont-own-a-business/
“Ironically, one Group Policy option available only in Enterprise and Education editions causes these settings to be completely ignored. If Allow Telemetry is set to 0 (that is, set to the lowest possible level), then Windows Update for Business settings have no effect.”

Susan Bradley Patch Lady/Prudent patcher

1 user thanked author for this post.

abbodi86

Reply | Quote

There’s got to be a moral in there somewhere.

Reply | Quote

Susan, is this true with 1809 Enterprise edition too?  I noticed that if i didn’t set Telemetry = 0, i no longer had the “Check for Updates” button in 1809 and Windows Updates.

We have Windows Update for Business configured to use our local WSUS servers but still allow our users to use Microsoft Store and apps and in turn needed ability for those to work.

From my testing w/the re-released 1809 Feature upgrade (went from 1607 to 1809 Enterprise), it seems WSUS is still set as my default AUService in when i run the powershell script to check default WU providers.  Can anyone else confirm if they fixed this in the re-release?

So far my MS Premiere support rep has no idea (like always) on these settings.

Reply | Quote

An update to my prev post: I apparently didn’t RTFA and am noticing exactly this problem and we do use WSUS.

Change Telemtry to 0 so i can get the “Check for Updates” button back but when i check for updates it says i’m up to date but when i check on my WSUS side of things, i see that the Nov 2018 CU is showing as needed but not showing on the client so… yes. this appears to be true even with WSUS unless i’m missing a setting in my GPO (we set wsus server address in gpo, the group in wsus it goes to).

INSERT FACE PALM.. why do Windows Updates have to be this complex on Windows 10? each feature build changes the behavior.. great… just great….  now how does one get the “Check for Updates” button and also be able to get CU updates for 1809? TIA!

Reply | Quote

You don’t get the check for updates button… it doesn’t “check” it installs.  You have to use powershell to scan for updates but not install them.

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

Why would anyone accept that “setting telemetry to zero” equates to “security only”?

Did someone try to redefine “zero”?

-Noel

1 user thanked author for this post.

johnf

Reply | Quote

Sounds like it doesn’t send update telemetry at 0. Doesn’t seem to say anything about not trying to install those updates…

Reply | Quote

Hello, I am running Window 10 Enterprise 1709 for testing on one of our department’s systems (we use Win8.1 and have not yet migrated).  I looked at the telemetry settings in the registry (HKLM \Software \Microsoft \Windows \CurrentVersion \Policies \DataCollection) on the Win10 system and found it was set to “1”.  I modified the value to “0” and rebooted, and ran windows update.  No updates were available.  However, when I ran the Windows MiniTool I received four choices: 1) Intel driver update for Intel(R) Ethernet connection 1217-LM; 2) Update for Windows 10 Version 1709 for x64-based Systems (KB4058043); 3) Windows Malicious Software Removal Tool x64 – February 2018 (KB890830); and 4) Definition Update for Windows Defender Antivirus –  KB2267602.  So, it appears that we can use the MiniTool in this situation to manually download updates without reverting the telemetry setting.

2 users thanked author for this post.

HiFlyer, laidbacktokyo

Reply | Quote

Norio wrote:

… So, it appears that we can use the MiniTool in this situation to manually download updates without reverting the telemetry setting.

I found that even with the MiniTool I wasn’t seeing the updates for Microsoft Office (which I had configured to be “on” in group policty).  I ended up downloading the offline update cab (wsusscn2.cab) from https://msdn.microsoft.com/en-us/library/aa387290.aspx and configuring MiniTool to use offline updates (just copy the cab into the minitool executable directory).  That gave me access to the latest Office updates.

1 user thanked author for this post.

HiFlyer

Reply | Quote

Don’t rely on switches that might be ignored by the software anyway. The only way to block telemetry is to block outgoing traffic to well-known URIs via DNS (either hosts file or (even better) local DNS server). Some of those endpoints are listed at docs.microsoft.com/en-us/windows/configuration/configure-windows-diagnostic-data-in-your-organization.

Of course, having a network monitor in place reveals quite more endpoints.

Below is a list of some URIs related to telemetry (sub-domains have to be blocked as well):

analytics.live.com
c.microsoft.com
settings-win.data.microsoft.com
vortex.data.microsoft.com
vortex-win.data.microsoft.com
telemetry.microsoft.com
telemetry.microsoft.com.nsatc.net
t.urs.microsoft.com
tele.trafficmanager.net
vo.msecnd.net

Reply | Quote

The cited note does not say that Windows will not do the updates. Only that it will not inform Microsoft it it could not do the update. And that Microsoft does not want us to use this option.

But disabling telemetry is indeed documented to cause the deferral settings to be ignored. Does anybody understand the logic behind this?

Reply | Quote

Logic, shmogic.

If we read between the lines, Microsoft’s twisted rationale is that they need the information from telemetry to provide us with the correct match  of services/resources.  If we block the telemetry pipeline, then they will say that “since we can’t see what you need, we can’t give you anything.”

They want to play the part of the avuncular parent who knows what is best for you.  They act surprised when users indicate a lack of trust.  After all, Microsoft only has your welfare in mind.  But the parental mask slips off and we see instead an 8-year-old who wants to punish anyone who has the temerity to go against their wishes.  That’s the “logic” we’re dealing with here–that of a child.

1 user thanked author for this post.

johnf

Reply | Quote

I thought this was already known
i remember discussing this in the past two years with @ch100 🙂

Reply | Quote

abbodi86 wrote:

I thought this was already known
i remember discussing this in the past two years with @ch100 ?

🙂

1 user thanked author for this post.

Elly

Reply | Quote

And I also seem to recall that discussion.

Reply | Quote

M$ were too busy designing an applocker for Enterprise edition.

They forgot to remove Windows To Go: A) Because it probably worked for Pro  B) Because it actually works for Pro  C) They hired that cross eyed gentleman from Spaceballs.

They actually think the Enterprise space needs more apps! Which is not so bad as the Education copies which offer Candy Crush and Solitaire trials!

Which is still better than Pro because we can’t turn off Telemetry but there’s a perk we don’t get Candy Crush!

Reply | Quote

anonymous wrote:

An update to my prev post: I apparently didn’t RTFA and am noticing exactly this problem and we do use WSUS. Change Telemtry to 0 so i can get the “Check for Updates” button back but when i check for updates it says i’m up to date but when i check on my WSUS side of things, i see that the Nov 2018 CU is showing as needed but not showing on the client so… yes. this appears to be true even with WSUS unless i’m missing a setting in my GPO (we set wsus server address in gpo, the group in wsus it goes to). INSERT FACE PALM.. why do Windows Updates have to be this complex on Windows 10? each feature build changes the behavior.. great… just great…. now how does one get the “Check for Updates” button and also be able to get CU updates for 1809? TIA!

hmm.. it appears 2018-11 CU for 1809 isn’t needed if you pushed the re-released feature upgrade.  I approved the 2018-12 CU for 1809 on my wsus and am now seeing it on my clients.

 

TLDR; i’m an idiot.. 😉

Reply | Quote