Windows 10’s aggressive data-collection capabilities may concern users about corporate spying, but enterprises have control that consumer-edition Windows users do not: Administrators can decide how much information gets sent back to Microsoft.
But enterprises need to think twice before turning off Windows telemetry to increase corporate privacy. That’s because doing so can decrease the effectiveness of Windows 10’s security features.
Microsoft isn’t merely vacuuming up large amounts of data because it can. The company has repeatedly reiterated its stance that Windows 10 does not collect the user’s personal data, but rather anonymized file data that is then used to improve overall user experience and Windows functionality.
With the current shift to Windows-as-a-service, Microsoft plans to release more updates to the operating system more frequently, and it will use telemetry data to understand how people are actually using Windows and applications. Microsoft can use the information to figure out what new features are needed or to prioritize changes to existing components.
For Microsoft, more data means more security
But the telemetry data is used for more than how to improve or evolve Windows. There is an actual security impact, too.
Knowledge is power, and in the case of Windows 10, that usage data lets Microsoft beef up threat protection, says Rob Lefferts, Microsoft’s director of program management for Windows Enterprise and Security.
The information collected is used to improve various components in Windows Defender, such as Application Guard and Advanced Threat Detection (these two features are available only to customers with Windows 10 Enterprise with Anniversary Update and Enterprise E5 subscriptions). As Windows 10’s built-in security tool, Windows Defender uses real-time protection to scan everything downloaded or run on the PC. The information from these scans is sent back to Microsoft and used to improve protection for everyone else.
For example, Windows Defender Application Guard for Microsoft Edge will put the Edge browser into a lightweight virtual machine to make it harder to break out of the browser and attack the operating system. With telemetry, Microsoft can see when infections get past Application Guard defenses and improve the security controls to reduce recurrences.
Microsoft also pulls signals from other areas of the Windows ecosystem, such as Active Directory, with information from the Windows 10 device to look for patterns that can indicate a problem like ransomware infections and other attacks. To detect those patterns, Microsoft needs access to technical data, such as what processes are consuming system resources, hardware diagnostics, and file-level information like which applications had which files open, Lefferts says.
Taken together, the hardware information, application details, and device driver data can be used to identify parts of the operating system are exposed and should be isolated into virtual containers.
How Windows 10 telemetry levels affect security and administration
IT admins can control what telemetry is sent back to Microsoft using group policy objects—if they are using an enterprise version of Windows 10 and a Microsoft administration tool, of course. (Consumer versions of Windows don’t provide this capability, which is why there are now third-party telemetry blockers on the market, though not all telemetry can be blocked.)
The Privacy option in Settings lets administrators choose one of three telemetry levels: Basic, Enhanced, and Full. Windows 10 Home and Pro are set by default to Full. Windows 10 Enterprise and Education are set by default to Enhanced. But there’s a fourth level called Security available only in Windows 10 Enterprise and Education editions, and only through group policies (not via Settings).
Available to admins only, Security level sends the least data. The Security level sends less telemetry to Microsoft than the Basic level does. And it collects enough technical data about Windows’s Connected User Experience and Telemetry component settings, the MSRT (Malicious Software Removal Tool), and Windows Defender to keep Windows, Windows Server, and System Center secure.
At the Security level, only OS information, device ID, and device class (server, desktop, mobile device) are sent to Microsoft, along with the MSRT report that contains information about the infection and IP address. Windows Defender and System Center Endpoint Protection provide diagnostic information, user account control settings, UEFI (Unifieid Extensible Firmware Interface) settings, and IP addresses. (If this latter information shouldn’t be sent, then turn off Windows Defender and use a third-party tool instead.)
If the goal is to not have any data go to Microsoft, using the Security level is the best option. But it has one big drawback: Windows Update won’t work, because Windows Update information—such as whether the update installation succeeded or failed—does not get collected at the Security level. MSRT also won’t run if Windows Update is not working.
Thus, it requires a lot of IT involvement to keep the systems updated and secure if the telemetry level is set to Security.
Basic level is the least a user can choose within Windows. For most users focused on privacy, the Basic level is probably the best option for limiting what gets sent to Microsoft. The Basic level sends device information like application compatibility and usage information in addition to the information sent from the Security level. This can include the number of crashes and the amount of processor time and memory an application used at a time. System data can help Microsoft know whether a device meets the minimum requirements to upgrade to the next version.
Data from the Basic level helps identify problems that can occur on a particular hardware or software configuration. The types of data collected include device attributes, such as camera resolution, display type, and battery capacity; application and operating system versions; networking devices, such as the number of network adapters; IMEI number (for mobile devices) and mobile operator network; architecture details, such as processor, memory type, and firmware versions; storage data, such as number of drives, type, and size; and virtualization support.
The Basic level also collects and transmits compatibility details, such as how add-ons work with the browser, how applications work with the operating system, and whether peripherals like printers and storage devices would work with the next version of the operating system.
Enhanced level aids user-experience improvements. The Enhanced level, the default setting for Windows 10 Enterprise and Education, also sends data on how Windows, Windows Server, System Center, and applications are used; how they perform; and their reliability. This includes operating system events, such as those from networking, Hyper-V, Cortana, storage, and file system; operating system application events, such as those from Server Manager, Mail, and Microsoft Edge; device-specific events such as data from Microsoft HoloLens; and all crash dumps.
Data collected from the Enhanced level helps Microsoft improve user experience because the company can use the detailed information to find patterns and trends in how the applications are being used.
Enhanced is the minimum level needed for Microsoft to identify and address Windows 10, Windows Server, and System Center quality issues.
The Full level makes your PC an open book. The Full level—the default for consumer versions of Windows—is the free-for-all level that has privacy folks worried, because it includes significant technical data, which Microsoft claims is “necessary to identify and help to fix problems.”
At the Full level, devices send information related to reliability, application responsiveness, and usage along with all crash dumps.
Data collection has changed in Windows
Telemetry data is not new to Windows 10. Microsoft used telemetry in previous versions of Windows and Windows Server to check for updated or new Windows Defender signatures, verify Windows Update installations, and gather reliability information through the RAC (Reliability Analysis Component) and Windows CEIP (Customer Experience Improvement Program).
What’s changed is that Windows 10 has expanded the scope to better understand the type of hardware being used, basic system diagnostics, logs of how frequently features are being used, what applications have been installed, how users are using those applications, and the reliability data from device drivers.
Microsoft says it tries to avoid collecting personal information, but it can happen. For example, crash dumps can contain the contents of a document that was in memory at the time of the crash.
The news that Microsoft would include threat intelligence content such as indicators and reports of past attacks from FireEye’s iSight Intelligence product into Windows Defender Advanced Threat Protection, there were concerns that FireEye would gain access to some of the telemetry data. But Microsoft says that is not part of the FireEye deal.
Microsoft’s plan to put advertising on users’ lock screens and Start screens—and block IT admins from disabling them—has also fanned the flames of security fear. After all, similar advertising from the likes of Google ad Facebook relies heavily on the intense collection of personal data to target the ads.
It’s worth noting that Windows is not intentionally collecting functional data, such as the user’s location when the user is looking at local weather or news. The application may collect such data, but not the Windows 10 operating system—and thus not the Windows 10 telemetry.
Of course, Microsoft collects personal information from its own applications. Cortana is such an example, but users can turn off Cortana completely.
Overall, IT organizations should be able to find a telemetry level they’re comfortable with in terms of privacy, while not sacrificing the core security of Windows. They may have to pay the price of higher admin costs if they use the lowest telemetry level (Security), but only if they choose to do so.