Newsletter Archives

  • The bugs in this month’s Win10 version 1903 and 1909 Cumulative Update have prompted MS to issue a call for help – but where’s the telemetry?

    It’s good that Microsoft has acknowledged the bugs in this month’s Cumulative Update. I’ve looked and looked, and haven’t found any patterns. So I feel their pain.

    But… why isn’t Windows telemetry picking this stuff up? We’re sending copious quantities of data to Microsoft every time we use Windows. MS says they aren’t using it to sell things to us. Okay. But if the telemetry isn’t there to pinpoint and fix these kinds of problems, why do we bother?

    Details in Computerworld Woody on Windows.

  • This month’s Win7 and 8.1 “security only” patches install and activate telemetry systems

    Back in July, we discovered that the Win7 security-only patch was installing and activating telemetry (read: snooping) subsystems.

    The August security-only patches didn’t include telemetry, and many of us breathed a sigh of relief.

    Now it looks like the September security-only patches have telemetry once again — and not just for Win7.

    Details in Computerworld Woody on Windows.

  • Windows Blog: “Data, insights and listening to improve the customer experience”

    Yesterday, Rob Mauceri and Jane Liles published a white paper on the Windows Blog that talks about using telemetry to figure out if a patch is ready for deployment:

    We approach each release with a straightforward question, “Is this Windows update ready for customers?” This is a question we ask for every build and every update of Windows, and it’s intended to confirm that automated and manual testing has occurred before we evaluate quality via diagnostic data and feedback-based metrics. After a build passes the initial quality gates and is ready for the next stages of evaluation, we measure quality based on the diagnostic data and feedback from our own engineers who aggressively self-host Windows to discover potential problems. We look for stability and improved quality in the data generated from internal testing, and only then do we consider releasing the build to Windows Insiders, after which we review the data again, looking specifically for failures.

    In other words, MS looks at the telemetry from dog food runs and, if all looks copacetic, the Insiders get it.

    I’m not going to snark about it (you folks can do that better than I). It’s obvious that the people involved have advanced tools at their disposal, they’re good at what they do, and they know the statistical analysis cold.

    But you have to ask yourself… If the model’s so great, why did Destiny 2 and CoD get hit so badly last week?

    Why do we continue to get solid, acknowledged bugs with almost every Windows patch on Patch Tuesday?

    And… how on earth did Win10 version 1809 get let out of its cage?

  • Windows 10 Enterprise: Does setting telemetry to zero disable cumulative updates?

    A very interesting post this morning from Günter Born. In a nutshell:

    • If you’re running Win10 Enterprise
    • And you aren’t connected to an update server
    • And you set the level of telemetry to “Security data only” (HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection\AllowTelemetry set to 0)

    You don’t get any cumulative updates.

    Sounds like a bug to me. Can anyone out there confirm?

    UPDATE: @teroalhonen pointed me to the Microsoft documentation for the AllowTelemetry setting:

    Security level

    The Security level gathers only the diagnostic data info that is required to keep Windows devices, Windows Server, and guests protected with the latest security updates. This level is only available on Windows Server 2016, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and Windows IoT Core editions.


    If your organization relies on Windows Update for updates, you shouldn’t use the Security level. Because no Windows Update information is gathered at this level, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates.

    Windows Server Update Services (WSUS) and System Center Configuration Manager functionality is not affected at this level, nor is diagnostic data about Windows Server features or System Center gathered.

    Sure enough — it’s not a bug, it’s a feature!
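
    A read-only check for the combination described above, added here as an example and not taken from the original post or from Microsoft. The Group Policy location of AllowTelemetry, the WSUS policy values (WUServer, UseWUServer) and the approximate EditionID match are not from the post and are labelled as assumptions in the code.

```powershell
# Added example: reads the registry only and changes nothing.
function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Test-TelemetryUpdateRisk {
    $edition = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' 'EditionID'

    # Group Policy location first (assumption), then the location quoted in the post.
    $paths = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection'
    )
    $level = $null
    foreach ($p in $paths) {
        $v = Get-RegValue $p 'AllowTelemetry'
        if ($null -ne $v) { $level = [int]$v; break }
    }

    # Assumption: an update server counts as configured only when both values are set.
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wuServer = Get-RegValue $wu 'WUServer'
    $useWuServer = Get-RegValue "$wu\AU" 'UseWUServer'
    $hasUpdateServer = [bool]$wuServer -and ($useWuServer -eq 1)

    # Approximate match for the editions the quoted documentation lists
    # as supporting the Security level (heuristic, an assumption).
    $honoursZero = $edition -match 'Enterprise|Education|Server|IoT'

    New-Object PSObject -Property @{
        Edition        = $edition
        AllowTelemetry = $level
        UpdateServer   = $wuServer
        AtRisk         = ($level -eq 0) -and $honoursZero -and (-not $hasUpdateServer)
    }
}

Test-TelemetryUpdateRisk | Format-List
```

    AtRisk is True only when the Security level is set on an edition that honours it and no update server is configured, which is the case the quoted documentation warns about.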

  • MS re-re-..release (again) of KB 2952664 and KB 2976978

    We’re seeing a recurrence of the two snooping patches KB2952664 for Win7 and KB2976978 for Win8.1. The last time they showed up was on March 7th, but now they’re back…

    Microsoft describes them as a “Compatibility update for keeping Windows up-to-date.”

    This update performs diagnostics on the Windows systems that participate in the Windows Customer Experience Improvement Program. The diagnostics evaluate the compatibility status of the Windows ecosystem, and help Microsoft to ensure application and device compatibility for all updates to Windows. There is no GWX or upgrade functionality contained in this update.

    They are appearing as unchecked Optional now, which means they won’t be installed unless you check the corresponding box in Windows Update.
    Their status may change next week to Recommended and, for some, they may show up as checked Important on Patch Tuesday.

  • Win10 telemetry tweaking

    Interesting letter from UKBrianC:

    Reading the discussion re. killing Cortana and the suggested tweaks from the WinAero site got me thinking what is the general opinion on the reducing telemetry suggestions on the same site?

    The reduction in CPU activity I have seen has been significant in the “first half hour” after startup but I don’t know if something important is being missed that will cause problems down the line. It has worked well for me so far (updates have been successfully installed/no errors or crashes) but defining what that even means is difficult because how do we really know what is still being collected/sent?

    (I can answer the last question – we don’t have any idea what is being collected or sent.)

  • Care to join a Win7 snooping test?

    This from MrBrian:

    I am conducting Windows telemetry technical tests similar to Ed Bott’s tests, but instead I am testing Windows 7 x64, and I am using Microsoft’s Process Monitor instead of Resource Monitor.

    Background information from Microsoft: “Windows 7, Windows 8 and Windows 10 Telemetry Updates (Diagnostic Tracking)” –

    The October 2016 monthly rollup previews and November 2016 monthly rollups contain the Diagnostics Tracking Service, as did some previous Windows updates. See for more information.

    The first question that I’d like to address is: does participation in the operating system’s Customer Experience Improvement Program change what the Diagnostics Tracking Service does? Background information about the Customer Experience Improvement Program is at

    How to test:

    1. Set the operating system’s Customer Experience Improvement Program participation setting to the desired setting by following the instructions at

    2. We need to know the PID (Process ID) of the instance of process svchost.exe that runs the Diagnostics Tracking Service. We’ll do so by using Resource Monitor. Start Resource Monitor by following the instructions at In the CPU section of the Overview tab, find the row with “svchost.exe (utcsvc)” in the Image column and note its corresponding PID in the PID column. This value changes every time you start the operating system.

    3. If you don’t have Process Monitor, download it from

    4. To reduce memory consumption in Process Monitor, make sure Filter->Drop Filtered Events is ticked. Then exit Process Monitor and start it again to ensure this setting has taken effect.

    5. Add a filter by using Filter->Filter to add filter “PID is <number from step 2> Include”. As an example, my filter is “PID is 472 Include”. Make sure there isn’t more than one filter of type “Include”.

    6. Press the Clear button to clear the output.

    7. Run Process Monitor for at least 70 minutes (and preferably longer) to see patterns that may emerge in the output.

    8. You can toggle capturing of events on or off by pressing the Capture button.

    When Process Monitor has run for a few days on my computer, I’ll report the results here. Feel free to run your own tests and report your findings; be sure to include which operating system you are testing.
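
    A scripted companion to the procedure above, added here as an example and not part of MrBrian's post: it looks up the PID needed in step 2 and summarises a Process Monitor CSV export per hour and operation. The service short name DiagTrack, the default export column names, the function names and the sample rows are assumptions or constructed for illustration.

```powershell
# Added example. Assumptions: the service short name is 'DiagTrack', and the
# CSV uses Process Monitor's default export columns.
function Get-ServiceHostPid([string]$ServiceName = 'DiagTrack') {
    # Step 2 without Resource Monitor: PID of the svchost.exe hosting the service.
    $svc = Get-WmiObject Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' is not installed." }
    if ($svc.ProcessId -eq 0) { throw "Service '$ServiceName' is not running." }
    [int]$svc.ProcessId
}

function Get-HourBucket([string]$TimeOfDay) {
    # Accepts both "2:05:11.1234567 PM" and "14:05:11.1234567".
    if ($TimeOfDay -match '^(\d{1,2}):\d{2}:\d{2}\S*\s*([AP]M)?') {
        ("{0}h {1}" -f $Matches[1], $Matches[2]).Trim()
    } else { 'unknown' }
}

function Get-ProcmonSummary([string]$CsvPath, [int]$ProcessId) {
    # Events per hour and operation for one PID, busiest first.
    Import-Csv $CsvPath |
        Where-Object { [int]$_.PID -eq $ProcessId } |
        Group-Object { Get-HourBucket $_.'Time of Day' }, Operation |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Constructed sample export (PID 472 matches the example filter in step 5).
$sample = Join-Path $env:TEMP 'procmon-sample.csv'
@'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:00:01.0000000 AM","svchost.exe","472","RegQueryValue","HKLM\SOFTWARE\Example","SUCCESS",""
"9:00:02.0000000 AM","svchost.exe","472","TCP Send","host.example:443","SUCCESS","Length: 512"
"9:30:02.0000000 AM","svchost.exe","472","TCP Send","host.example:443","SUCCESS","Length: 512"
"10:00:03.0000000 AM","svchost.exe","472","TCP Send","host.example:443","SUCCESS","Length: 512"
"10:00:04.0000000 AM","explorer.exe","900","ReadFile","C:\example.txt","SUCCESS",""
'@ | Set-Content $sample
Get-ProcmonSummary -CsvPath $sample -ProcessId 472 | Format-Table -AutoSize
```

    On a live system, pass the value returned by Get-ServiceHostPid as -ProcessId, and re-run the lookup after each reboot because the PID changes.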

  • Is it possible Microsoft will install telemetry in a Security-only update?

    Interesting question from MA:

    This is a question about the “Group B” approach to safely updating Windows 7.

    If I understand correctly, the Group B approach is to install the security-only patches from the Microsoft Update Catalog rather than from the (formerly) beloved Windows Update. Things like .net patches would still be installed via Windows Update.

    Is it possible for a security-only patch installed in this way (from the Microsoft Update Catalog) to be a patch for, say, a telemetry function that has so far been evaded by using the Group B approach?  If this can occur, then what happens to the attempted installation of such a security-only patch?  In particular, is it possible that finding no target, this patch can then cause the unwanted telemetry function to be installed?

    My answer:

    Is it possible? Sure. In the post-Get-Windows-10 era, anything’s possible.

    But I think it’s highly unlikely. Microsoft has promised thousands of corporate customers that it won’t play games with the Security-only updates. It’s hard to imagine shenanigans that would cause Microsoft’s credibility with the industry to fall even lower. This would be one of them.

    Far more likely at this point is that Microsoft will introduce bugs in Security-only updates, which are subsequently fixed exclusively in the Monthly rollups, the Group A patches, which contain both security and non-security elements (and, potentially, added telemetry).

    I’m looking at one reported case now. If anything solidifies (and I can wrap my head around it), I’ll be sure to yell real loud.

  • Windows Server and System Center 2016 telemetry whitepaper

    Microsoft pub on TechNet:

    This document provides our server and enterprise customers with the necessary information to make informed decisions about how to configure telemetry in their environments. It discusses telemetry as system data that is uploaded by the Connected User Experience and Telemetry component.  In this document we will focus on the telemetry data from Windows Server 2016 and System Center 2016.  We discuss how we use it to troubleshoot problems and improve our products and services.  There are also some references to Windows 10 because the underlying infrastructure in Windows Server is the same.

    Tip o’ the Baker Street Irregulars hat to ch100.

  • The inside scoop on Windows snooping

    Microsoft won’t give us any decent documentation about its telemetry/snooping efforts. Ed Bott, on the other hand, has lots of contacts on the Windows team and has turned out an important piece on Windows security.

    Yes, I know that Ed writes books for Microsoft. Yes, I know he generally comes down on the side of the Redmondians. Nonetheless, if you read his article carefully, you’ll learn a lot.

    I know I did.

    I’d love to see a companion piece on Windows 7 and 8.1 snooping.

  • Microsoft walks a thin line between Windows 10 telemetry and snooping

    And the situation’s becoming more dire as MS uses Win10 techniques in Win7 and 8.1.

    InfoWorld Woody on Windows

  • Backporting Win10 telemetry tools to Win7 and 8.1

    Susan Bradley has an excellent report on the privacy questions that have been dogging all of us — have the “recommended” updates Microsoft’s been pushing on Windows 7 and 8.1 led to increased snooping, without our knowledge or consent?

    Susan doesn’t come to a single, definitive conclusion — the communications are encrypted, so she can’t tell exactly what’s been sent — but she has plenty of observations of Win 7 and 8.1’s weird propensity to phone home.

    Well worth a read, in Windows Secrets Newsletter. (Free post, no subscription required.)

    I intend to adopt her recommendation, to turn off the Diagnostic Tracking System in Windows 7 and 8.1, in the forthcoming change to the MS-DEFCON status.