Windows 10 Enterprise: Updates and the Telemetry trap

A strange observation has been reported to me by a blog reader. If you disable telemetry data transmission on Windows 10 Enterprise, you may not get updates any more.


Telemetry in Windows 10 Enterprise

In Windows 10 Enterprise, the scope of telemetry data collection can be specified using group policies. The following categories can be selected for collecting diagnostic data:

  • Security: Information that's required to help keep Windows, Windows Server, and System Center secure, including data about the Connected User Experiences and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender.
  • Basic: Basic device info, including: quality-related data, app compatibility, app usage data, and data from the Security level.
  • Enhanced: Additional insights, including: how Windows, Windows Server, System Center, and apps are used, how they perform, advanced reliability data, and data from both the Basic and the Security levels.
  • Full: All data necessary to identify and help to fix problems, plus data from the Security, Basic, and Enhanced levels.

(Telemetry levels Windows 10 Enterprise, Source: Microsoft)

In October 2017, Microsoft released the article Configure Windows diagnostic data in your organization, which deals with the details. This article also documents the group policy settings that control the level of telemetry data acquisition. The following table shows the levels of telemetry data acquisition and their values.

| Level | Data | Value |
|---|---|---|
| Security | Security data only | 0 |
| Basic | Security data, and basic system and quality data | 1 |
| Enhanced | Security data, basic system and quality data, and enhanced insights and advanced reliability data | 2 |
| Full | Security data, basic system and quality data, enhanced insights and advanced reliability data, and full diagnostics data. | 3 |

These values may be found within the registry key HKEY_LOCAL_MACHINE in sub key:



within a 32-bit DWORD value AllowTelemetry. In enterprise environments, the level Security = 0 is recommended to minimize the amount of data.

An observation made by a blog reader

Blog reader Marcus B. contacted me a few days ago, telling me about his observation.

I just noticed that if you set Windows 10 Enterprise telemetry to 0 (security), my [Windows 10] does not receive a cumulative Windows update. I got only the Flash update and Defender updates.

Clients running over WSUS have received the update. Clients running Windows Update did not run.

I can't imagine that's right. Also applies to a newly installed PC with Windows 10 Ent.

I currently have no time to test that on my Windows 10 Enterprise in a VM. That's why I just post it here in the blog. Can anyone confirm this and/or is there an explanation?
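
One way to check the reader's report against your own machines, as an added example that is not part of the original article. It reads a constructed inventory export (host names, column names, edition labels and dates are all assumptions) and lists hosts that sit at telemetry level 0, pull updates directly from Windows Update and lack the latest cumulative update.

```python
import csv
import io
from datetime import date

# AllowTelemetry values from the table above.
LEVELS = {0: "Security", 1: "Basic", 2: "Enhanced", 3: "Full"}
# Hypothetical short labels for the editions that the Microsoft text quoted
# on this page names as offering the Security level.
SECURITY_EDITIONS = {"Enterprise", "Education", "Mobile Enterprise",
                     "IoT Core", "Server 2016"}

# Constructed inventory export: hosts, column names and dates are made up.
SAMPLE = """\
host,edition,allow_telemetry,update_source,last_cumulative_update
PC-001,Enterprise,0,WindowsUpdate,2018-01-03
PC-002,Enterprise,0,WSUS,2018-02-13
PC-003,Enterprise,1,WindowsUpdate,2018-02-13
PC-004,Pro,0,WindowsUpdate,2018-02-13
PC-005,Enterprise,0,WindowsUpdate,
PC-006,Enterprise,7,WSUS,2018-02-13
"""


def audit(inventory_csv, latest_cu):
    """Return (host, finding) pairs for hosts that need a manual check."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        host = row["host"]
        raw_level = row["allow_telemetry"].strip()
        level = int(raw_level) if raw_level.isdecimal() else None
        if level not in LEVELS:
            findings.append((host, "invalid AllowTelemetry value"))
            continue
        if level != 0:
            continue  # the report concerns level 0 (Security) only
        if row["edition"] not in SECURITY_EDITIONS:
            findings.append((host, "level 0 not offered on this edition"))
            continue
        if row["update_source"] != "WindowsUpdate":
            continue  # the reader saw WSUS clients still receive the update
        raw_date = row["last_cumulative_update"].strip()
        last = date.fromisoformat(raw_date) if raw_date else None
        if last is None or last < latest_cu:
            findings.append((host, "level 0 via Windows Update, "
                                   "cumulative update missing"))
    return findings
```

Hosts returned by `audit(SAMPLE, date(2018, 2, 13))` are candidates for a manual check, not proof that telemetry level 0 caused the gap.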

Addendum to my initial post

Since I posted this article, we have had some discussion on Facebook and on my German blog article. One comment on Facebook, 'Works as designed', came from Andreas Erber, a consultant for Microsoft's products.


The German conversation with Andreas may be summed up as follows: in discussions with Microsoft employees about telemetry, the hint comes up by the second sentence that Basic telemetry mode would block updates. That brought me to the point where I re-read Microsoft's article Configure Windows diagnostic data in your organization from October 2017. They wrote:

In previous versions of Windows and Windows Server, Microsoft used diagnostic data to check for updated or new Windows Defender signatures, check whether Windows Update installations were successful, gather reliability information through the Reliability Analysis Component (RAC), and gather reliability information through the Windows Customer Experience Improvement Program (CEIP) on Windows. In Windows 10 and Windows Server 2016, you can control diagnostic data streams by using the Privacy option in Settings, Group Policy, or MDM.

Windows as a Service is a fundamental change in how Microsoft plans, builds, and delivers the operating system. … We rely on diagnostic data at each stage of the process to inform our decisions and prioritize our efforts.

Windows diagnostic data is vital technical data from Windows devices about the device and how Windows and related software are performing. It's used in the following ways:

  • Keep Windows up to date

So I would say as a conclusion: Windows Update depends on Telemetry. But then I stumbled upon the following paragraph.

The Security level gathers only the diagnostic data info that is required to keep Windows devices, Windows Server, and guests protected with the latest security updates. This level is only available on Windows Server 2016, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and Windows IoT Core editions.

It clearly says that security updates should be delivered. So now I'm puzzled. Andreas Erber told me on Facebook 'what Microsoft writes, and what they say, are two things'. If you know a source stating that updates are blocked in Security mode, please drop a comment.


4 Responses to Windows 10 Enterprise: Updates and the Telemetry trap

  1. krzemien says:

    Not that surprising. Whilst using SpyBot Anti-Beacon with all rules applied I did manage to defer (unwillingly) upgrade to 1709 from 1603 last year:

  2. Pingback: Windows 10 Enterprise: Does setting telemetry to zero disable cumulative updates? @ AskWoody

  3. Susan Bradley says:
    "Ironically, one Group Policy option available only in Enterprise and Education editions causes these settings to be completely ignored. If Allow Telemetry is set to 0 (that is, set to the lowest possible level), then Windows Update for Business settings have no effect."

  4. Mateo Amatria says:

    First of all, sorry for my English. You have to configure the update policies for Windows Update in the group policies before setting the telemetry to 0. I leave two links where it is better explained:
