
Blog Archives

  • Microsoft surreptitiously adds telemetry functionality to July 2019 Win7 Security-only patch

    Posted on July 10th, 2019 at 05:33 by PKCano. Comment on the AskWoody Lounge.

    Unannounced, Microsoft has added telemetry functionality to the July 2019 Security-only Update for Windows 7, KB4507456. We were alerted on Patch Tuesday by an anonymous poster:

    Warning for group B Windows 7 users!

    The “July 9, 2019—KB4507456 (Security-only update)” is NOT a “security-only” update.

    It replaces the infamous KB2952664 and contains telemetry. Some details can be found in the file information for update 4507456 (keywords: “telemetry”, “diagtrack” and “appraiser”) and under “Package details” -> “This update replaces the following updates”, where KB2952664 is listed.

    It doesn’t apply to IA-64-based systems, but applies to both x64- and x86-based systems.

    Microsoft included the KB2952664 functionality (known as the “Compatibility Appraiser”) in the Security Quality Monthly Rollups for Windows 7 back in September 2018. The move was announced by Microsoft ahead of time.

    With the 2019-07 Security Only Quality Update KB4507456, Microsoft has slipped this functionality into a security-only patch without any warning, adding the “Compatibility Appraiser” and its scheduled tasks (telemetry) to the update. The package details for KB4507456 say it replaces KB2952664 (among other updates).

    Come on Microsoft. This is not a security-only update. How do you justify this sneaky behavior? Where is the transparency now?

    Susan, we need your Pinocchio with a loooooong nose.

    UPDATE: Details on ComputerWorld (Woody on Windows).

  • The complexity of controlling Windows telemetry

    Posted on May 18th, 2017 at 10:13 by woody. Comment on the AskWoody Lounge.

    Noel Carboni has a great post that I wanted to bring up here onto the main page. It’s in response to the question of what to recommend for Win7 and 8.1 users, in this age of Malware as a Service, but it’s generally applicable to all Windows customers:


    I’ll wager I know what communications a desktop system does online as well as anyone, as understanding and controlling such communications is a passion of mine. A career in data communications and software engineering tends to do that to you.

    Thing is, there’s not just one “telemetry” communications stream. What Windows does online is much, much more complex than that! Insanely more complicated.

    Presuming you want to do at least SOME things online with your system, you actually DON’T want to block all the comms – there are some very necessary sites that MUST be contacted by a typical system regularly, e.g., for the purposes of certificate verification, time sync, license management…

    That’s not to say Windows can’t be made very private. I myself maintain Windows 7, 8.1, and 10 systems that don’t spill the beans online. But it’s no small, simple, turnkey task. Windows is a complex beast, and it takes some geek chops to do it along with ongoing effort.

    As an example, here’s a list of all the sites my Windows 10 test system at LAN address, allowed to sit idle all day, contacted. I ran the command (on my Win 8.1 workstation) to search my DNS log at near midnight last night. You can see that the only communication initiated in the 24 hour period was to get the time from the National Institute of Standards and Technology via a task I have scheduled (I have disabled the out-of-box Windows time service).


    Most folks, however, wouldn’t find my Windows 10 system, above, acceptable. Why? Because I have shunned all the Apps and cloud-integration entirely. But it DOES illustrate that the beast can be controlled, and my techniques are applicable to purely desktop-oriented Windows 7 and 8.1 systems also.

    What have I found that it takes to accomplish this reduction/elimination of Microsoft-initiated online communications?

    • Reconfiguration of all provided settings to their most private choices.
    • Being willing to do without (or reduced function from) some services Windows seeks to provide.
    • Configuration of a number of settings through the local Group Policy editor.
    • Configuration through the registry of a number of settings that have no UI.
    • Disabling of scheduled tasks involved with telemetry and online comms.
    • Disabling of services involved with telemetry and online comms.
    • Adding entries to the hosts file to blacklist some sites.
    • Watching vigilantly for any of these things to be reverted by updates.
    • Outfitting with extra software to monitor and police communication attempts.

    The list above may seem daunting, but we haven’t even gotten to the part where the devil is in the details. The lists of how to accomplish the above things are long and complex.

    Ideally I imagine people want a fully private system that still allows them to do everything they want. That’s not gonna happen. You have to be willing to compromise.

    What does one have to consider doing without?

    • Apps. The very nature of Apps is that they’re web-integrated and they require an infrastructure to keep them functional. If you want to run Apps, stop reading now.
    • Cortana. A personal digital assistant COULD work entirely from local data, but Cortana doesn’t. If you want a personal digital assistant that talks to you, stop here.
    • Cloud-integration, such as OneDrive, except for user-initiated operations e.g., in a browser. The good news is that you can use a OneDrive server to store/retrieve files through a browser without ANY of the system-level integration.
    • Automatic updates. You have to be willing to install them yourself from the catalog if you want a truly subservient system.
    • Some security features such as the “Smartscreen Filter”. But you can’t rely on luck; you need a GOOD alternate plan to stay safe online.
    • Suggestions that pop up while you type. Your keystrokes are sent to Bing or Google or whatever search engine to make that happen.
    • Generally speaking, subscription and high-end commercial software communicates regularly online to do things like verify its licensing. Either you need to allow this or choose software that doesn’t do that.
    • Some software seeks to be cloud-integrated (late versions of Office, for example). You have to avoid this software or specific features within it, and be able to differentiate wanted comms from unwanted comms. That’s no small feat!
    • Online backups. Uh, no, get one or more external USB drives and make your own local backups, where you maintain full control of your data.

    This has gotten long already, yet I’m sure there are things I’ve missed and I haven’t even begun to get into the list of actual technical things to do to get to a secure, private system that doesn’t try overmuch to send your data abroad. It’s a challenging task even for a career software engineer. It’s not going to be feasible at all to provide a “have your cake and eat it too, set it and forget it” solution for an average user.
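    The two posts above name the same moving parts from different angles: the Compatibility Appraiser and its scheduled tasks that KB2952664 (and now KB4507456) install, and Noel’s checklist of services, registry-only policy values, hosts-file entries and the need to re-check everything after each update. The script below is an added example for this page, not code from AskWoody, PKCano, Noel Carboni or Microsoft. It audits those items on Windows 7/8.1 (and reports which of the two KBs is installed), and with -Enforce disables the tasks and services, writes the policy values and adds hosts-file blackholes. The task, service and registry names are the standard ones; the list of domains to blackhole is an assumption (commonly cited telemetry endpoints, not taken from the page) and should be trimmed to what your own DNS log shows. Nothing here touches the certificate-revocation, time-sync or licensing traffic Noel says a usable system must keep.

```powershell
<#
  Added example, not code from the AskWoody posts or from Microsoft.
  Audit (default) or disable (-Enforce) the Windows 7/8.1 telemetry components the posts discuss:
  Appraiser/CEIP scheduled tasks, the DiagTrack service, Group Policy registry values with no
  Control Panel UI, and hosts-file blackholes. Run from an elevated PowerShell prompt and re-run
  in audit mode after each Patch Tuesday to catch anything an update has reverted.
  ASSUMPTION: $HostsEntries is a list of commonly cited telemetry endpoints, not taken from the page.
#>
[CmdletBinding()]
param([switch]$Enforce)   # without -Enforce nothing is changed, only reported

$Tasks = @(   # tasks that run the Compatibility Appraiser, Application Telemetry and CEIP collectors
    '\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser',
    '\Microsoft\Windows\Application Experience\ProgramDataUpdater',
    '\Microsoft\Windows\Application Experience\AitAgent',
    '\Microsoft\Windows\Customer Experience Improvement Program\Consolidator',
    '\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask',
    '\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip')
$Services = @('DiagTrack', 'dmwappushservice')   # Diagnostics Tracking (telemetry upload) and WAP Push
$Policies = @(   # Group Policy-backed values; the matching GP setting is named in each comment
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'; Name = 'AllowTelemetry';   Value = 0 }, # "Allow Telemetry": 0 = Security (fully honoured only on Enterprise/Server; other editions fall back to Basic)
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat';      Name = 'DisableInventory'; Value = 1 }, # "Turn off Inventory Collector" (the Appraiser)
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat';      Name = 'AITEnable';        Value = 0 }, # "Turn off Application Telemetry"
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\SQMClient\Windows';      Name = 'CEIPEnable';       Value = 0 }) # CEIP opt-out
$HostsEntries = @('vortex-win.data.microsoft.com', 'settings-win.data.microsoft.com',   # ASSUMED list, see header
                  'watson.telemetry.microsoft.com', 'oca.telemetry.microsoft.com')
$HostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"

function Report([string]$Item, [string]$State, [bool]$Ok) {
    $flag = if ($Ok) { 'OK  ' } else { 'WARN' }
    Write-Output ('[{0}] {1,-78} {2}' -f $flag, $Item, $State)
}

# 1. Which of the Appraiser-carrying updates named in the post are installed.
foreach ($kb in 'KB2952664', 'KB4507456') {
    $hf = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
    Report $kb $(if ($hf) { 'installed' } else { 'not installed' }) (-not $hf)
}

# 2. Scheduled tasks. schtasks.exe is used because Get-ScheduledTask does not exist on Windows 7.
#    schtasks output is localised; the 'Scheduled Task State' match below assumes an English system.
foreach ($t in $Tasks) {
    $out = & schtasks.exe /Query /TN $t /V /FO LIST 2>$null
    if ($LASTEXITCODE -ne 0) { Report $t 'absent' $true; continue }
    $disabled = [bool]($out | Select-String -Pattern 'Scheduled Task State:\s+Disabled' -Quiet)
    if ($Enforce -and -not $disabled) {
        & schtasks.exe /Change /TN $t /DISABLE | Out-Null
        $disabled = ($LASTEXITCODE -eq 0)
    }
    Report $t $(if ($disabled) { 'disabled' } else { 'ENABLED' }) $disabled
}

# 3. Services. Win32_Service supplies the start mode because Get-Service has no StartType before PowerShell 5.
foreach ($s in $Services) {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$s'"
    if (-not $svc) { Report $s 'absent' $true; continue }
    if ($Enforce -and $svc.StartMode -ne 'Disabled') {
        Stop-Service -Name $s -Force -ErrorAction SilentlyContinue
        Set-Service -Name $s -StartupType Disabled
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$s'"
    }
    Report $s ('startup={0} state={1}' -f $svc.StartMode, $svc.State) ($svc.StartMode -eq 'Disabled')
}

# 4. Policy registry values (no UI on Windows 7 outside gpedit.msc, which Home editions lack).
foreach ($p in $Policies) {
    $cur = (Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
    if ($Enforce -and $cur -ne $p.Value) {
        if (-not (Test-Path $p.Path)) { New-Item -Path $p.Path -Force | Out-Null }
        Set-ItemProperty -Path $p.Path -Name $p.Name -Value $p.Value -Type DWord
        $cur = $p.Value
    }
    Report ('{0}\{1}' -f $p.Path, $p.Name) $(if ($null -eq $cur) { 'not set' } else { "= $cur" }) ($cur -eq $p.Value)
}

# 5. hosts-file blackholes. 0.0.0.0 is used rather than 127.0.0.1 so nothing is routed to a local listener.
$hosts = Get-Content -Path $HostsFile
foreach ($h in $HostsEntries) {
    $present = [bool]($hosts | Select-String -Pattern ('^\s*0\.0\.0\.0\s+{0}\s*(#.*)?$' -f [regex]::Escape($h)) -Quiet)
    if ($Enforce -and -not $present) {
        Add-Content -Path $HostsFile -Value ('0.0.0.0 {0}' -f $h)
        $present = $true
    }
    Report $h $(if ($present) { 'blackholed' } else { 'resolvable' }) $present
}
```

    Save it as, say, Audit-Telemetry.ps1, run it without switches after every update cycle and look for WARN lines: a task or service that has come back, a policy value that has been cleared, or a hosts entry that has gone. Two caveats a practitioner should keep in mind: disabling DiagTrack also stops Windows Error Reporting uploads, and some antivirus products treat hosts-file entries for Microsoft domains as a hijack and remove them, which is exactly the kind of silent reversion the audit mode exists to catch.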