Microsoft gives third-parties access to Windows 10 Telemetry data

Martin Brinkmann
Nov 23, 2016
Updated • Jul 5, 2017
Windows, Windows 10

According to a report in the Australian news magazine ARN, Microsoft recently struck a deal with security company FireEye that gives FireEye access to all Windows 10 Telemetry data.

Update: Microsoft told Betanews that it is not sharing Windows 10 Telemetry data with the company.

The nature of the deal between Microsoft and FireEye is to license threat intelligence content from FireEye iSIGHT Intelligence. This additional layer of intelligence includes indicators and reports of past attacks collected and edited by FireEye and enhances detection capabilities of Windows Defender Advanced Threat Protection (WDATP). The deal does not include the sharing of Microsoft telemetry.

The report states that FireEye in return will provide Microsoft with the company's iSIGHT Intelligence software for Windows Defender Advanced Threat Protection on Windows 10 devices.

FireEye iSIGHT Intelligence is a proactive, forward-looking means of qualifying threats poised to disrupt business based on the intents, tools and tactics of the attacker.

Windows Defender is built into Windows 10 and enabled by default unless other security software is recognized by the operating system.

Pro and Enterprise customers may upgrade to Windows Defender Advanced Threat Protection featuring endpoint behavioral sensors, cloud security analysis and threat intelligence.

The news article suggests that the partnership benefits Microsoft, and specifically the reputation and credibility of the commercial version of Windows Defender.

A press release by FireEye on November 3, 2016 provides additional details on the deal. The company's iSIGHT Intelligence software is available through Windows Defender Advanced Threat Protection (WDATP) but not the free version of Windows Defender.

WDATP customers gain access to several technical indicators that are provided by the software. These include the main motivation of the attacker, related tools, information about target sectors and geographies, and a description of the actor and operation.

According to the report on ARN, security teams may also get their hands on Windows 10 Telemetry data via subscription billing models.

Third-parties will get access to telemetry data of all Windows 10 devices. An overview of what that may include is provided on this Technet page.

Neither FireEye, Microsoft nor ARN reveals details on the range of Telemetry data that FireEye gains access to.

Windows 10 Telemetry data is loosely sorted into the four groups security, basic, enhanced and full.

Tip: you can check the Telemetry level on any Windows 10 device by using Windows-I to open the Settings app, and checking the "Diagnostics and usage data" value under Privacy > Feedback & Diagnostics.

Security Level

The Security level gathers only the telemetry info that is required to keep Windows devices, Windows Server, and guests protected with the latest security updates.

Data gathered at this level includes Malicious Software Removal Tool reports and the information that Windows Defender and Endpoint Protection require to function.

This includes anti-malware signatures, diagnostic information, User Account Control settings, UEFI settings, and IP address.

No user content, such as user files or communications, is gathered at the Security telemetry level, and we take steps to avoid gathering any information that directly identifies a company or user, such as name, email address, or account ID.

Basic Level

The Basic level gathers a limited set of data that’s critical for understanding the device and its configuration. This level also includes the Security level data.

Basic device data such as attributes, Internet Explorer version, hardware information, operating system information, network attributes and more are collected at this level.

Collected data includes app usage data, Internet Explorer add-ons, driver data, system data, Windows Store activity and more on top of that.

Enhanced Level

The Enhanced level gathers data about how Windows and apps are used and how they perform. This level also includes data from both the Basic and Security levels.

Operating system events, app events, device specific events and "some" crash dump types are included at this level.

Full Level

The Full level gathers data necessary to identify and to help fix problems, following the approval process described below. This level also includes data from the Basic, Enhanced, and Security levels.

Microsoft may pull additional information from a device if the diagnostics request is approved by Microsoft’s privacy governance team, including privacy and other subject matter experts.

Closing Words

The terms of the deal are not known, so we don't know whether FireEye gets access to all Telemetry data or only to a snapshot.

If true, the fact that Telemetry data is offered to third parties is quite problematic. While it seems unlikely that Microsoft would provide third parties with all data, it would be reassuring to Windows 10 users if Microsoft revealed the data that it shares with third parties.

Now You: What's your take on this?



  1. Owl said on November 27, 2016 at 10:36 am

    joeschmoe: (Your comment about Android)…”Then there’s 1000x more under the hood, even then there are persistent areas which you will never access and persist across wipes, factory resets and selling your device on.” Can you elaborate please? (The other things you mentioned can be worked around).

  2. Brandon said on November 26, 2016 at 3:04 am

    This claim has been debunked by Microsoft. Telemetry data is not being shared with FireEye.

    1. nat32support said on November 27, 2016 at 10:30 pm

      Any software running on your PC can access all kinds of data via the Trace Logging API, the Event Tracing API and several other public, documented APIs. Now, if a program like FireEye iSight has access to telemetry data that other programs don’t have access to, then surely Microsoft has shared confidential data with the authors of that program by virtue of the fact that it has given that vendor access to non-public APIs within the Operating System.

    2. Martin Brinkmann said on November 26, 2016 at 8:26 am

      Do you have a source for that?

      1. Martin Brinkmann said on November 26, 2016 at 2:54 pm

        Thank you Brandon, I have updated the article to reflect that.

  3. nat32support said on November 25, 2016 at 11:56 pm

    Many reasons exist why people continue to use Windows. The Windows feature that is important for me is that the Windows unit of scheduling is the thread. Linux, the only real alternative, uses the process as its unit of scheduling. What that means is that multi-threaded programs run more efficiently on Windows than they do on Linux.
    Of course, such issues are not important for many users, but they are important for my networking software.

  4. Dave said on November 25, 2016 at 9:05 pm

    Where are the windows 10 apologists now ? Hidden? LOOOL

  5. max said on November 25, 2016 at 3:57 pm

    “Mobile first. Cloud first.”
    Nobody said anything about “User first”.

  6. Alan Robertson said on November 25, 2016 at 7:58 am

    What an about turn! Remember Scroogled:

    I guess we’ve been bingled (bungled?). If you can’t beat them, then join them?

    Microsoft, “Where can we sell you today?”

  7. CHEF-KOCH said on November 24, 2016 at 4:29 pm

    So before everyone whines:

    1) Do you know if your 3rd-party AV does not sell data too (especially free ones? and how can you ensure that, especially if they are using their own firewalls and certificates?) No Audit != trust?
    2) Do you think that the internal firewall of MS really can block its own hardcoded domains which are in fact in e.g. dnsapi.dll?
    3) Transparency starts with truth, now we get ‘some’ proof/truth and it’s not really shocking. The thing is how they use it and what data they are really collecting? Do you know if Google and others are not collecting the same/more stuff on your daily surfing?!
    4) From the article I see that most if not all data is metadata which does not compromise your security setup at all. Why do you trust other companies more/less?
    5) Do people not understand that more blocking means == more spying and tools to even bypass traditional stuff like firewall blocking?!
    6) A better way would be to stay in contact with MS and ask them to make better switches instead of trying to complain. EFF and others are already fighting for us.

    1. 420 said on November 24, 2016 at 10:11 pm

      It has been proven time and time again that “anonymous meta data” can and is being used to pinpoint who you are.

      1. CHEF-KOCH said on December 14, 2016 at 10:56 pm

        Proof pls.

  8. AAA said on November 24, 2016 at 12:35 pm

    What? This kind of headline still exist? I am actually surprised to learn.

    When I gave you my server to retrieve, send and store your information — what makes you think it’s my generosity or kindness paying the bills? Awww… who knew being silly would come off so naively cute :)
    BTW, all those apps running in the background in Windows 8 and 10 (even when your PC is on standby mode)…. they do more than just sitting idle. :D
    Sssshhhh…. hello darkness my friend,
    Welcome to the internet.

    P.S. Now let’s skip these 5 pages long T&Co so that you could start your account right away. Wonderful! isn’t it?

  9. Jeff said on November 24, 2016 at 12:23 pm

    Why do idiots use Windows 10 in the first place?

  10. aaas said on November 24, 2016 at 11:19 am

    for home users.. there’s no “security” level. only basic and more.

  11. Carlos Eduardo said on November 24, 2016 at 10:17 am

    I don’t care about Windows 10 telemetry, it is very useful to help Microsoft to improve the system which is very good for me. Most other operating systems respected as IOS, Android and Mac already has something like this for a long time before.

    1. Metan said on November 26, 2016 at 7:08 am

      Not true, only Windows 10 collects this type of ‘telemetry’. No other OS does it. You don’t use IOS, Android or Mac because you don’t know this. I use all of them (but mostly use Windows) and any data collection can be turned completely off, and its trivial data collection compared to what Microsoft collects as ‘telemetry’.

      1. joeschmoe said on November 26, 2016 at 4:11 pm

        After using Android a while and tinkering around I’d say spying and tracking there is way more pervasive than anything MS has ever done, it’s been a real eye opener. I was always anti-MS but.. damn… Google..

        Google are sneaky as heck, very adept at hiding thousands of services / data tentacles right in your pocket and providing a ‘surface’ that appears to be all nice and open and customisable.

        Actually, all the things people feared with MS are normalized on the surface of Android. Backdoored (cloud connected) keyboard, face detection in photos, automatic upload and analytics of entire location history, personal photos, messaging, accounts, passwords, calendar.. all-seeing AI assistant that rifles through everything ready to notify you when you’ll be home, when your appointment is, the traffic on the road ahead, it’s all there, accepted and even desired.

        Then there’s 1000x more under the hood, even then there are persistent areas which you will never access and persist across wipes, factory resets and selling your device on.

        Google are crafty little b*stards make no mistake.

    2. Jeff said on November 24, 2016 at 12:24 pm

      Really? iOS and Android do this? Maybe you mean Google does this with their search engine? Android specifically and iOS collects large amounts of private user data without any way to opt out and sells to third parties for their profit? Can you show any evidence for this?

  12. Sweaty Steve Ballmer is Back! said on November 24, 2016 at 6:37 am

    Question for those who know, are Windows 10 Enterprise LTSB Edition the same as all the other editions (Home, Pro, Education, Enterprise etc) regarding Telemetry and all the other nasty stuff, or this is indeed the only “Clean” Windows 10 that’s available?

    Thanks in advance!

    1. A different Martin said on November 24, 2016 at 8:10 am

      I’m guessing that whatever custom version of Windows 10 Enterprise Microsoft is supplying to the US Department of Defense* — which has around a million “seats” (users), serious computer-forensics talent at its disposal, and a number of black-ops units to deal with people who try to screw them — is probably pretty secure. If you’re getting garden-variety Windows 10 Enterprise, I wouldn’t be as sanguine. In the US, the only personal privacy laws with serious financial sanctions (so far as I’m aware) are for medical/healthcare data. Based on what I’ve read from HIPAA and HITECH consultants, who say that it is “unclear” whether Windows 10 is compliant, if I were covered by those acts I wouldn’t touch Windows 10 with a ten-foot pole.

      *By way of assurance, in the US military I believe Windows is just for administrative work and that mission-critical command-and-control stuff is mostly Linux (e.g., Red Hat in the US Navy). The same can’t be said of the UK’s Royal Navy, which uses Windows in their nuclear-missile-equipped submarines. Forget God Save the Queen; God save us all….

  13. Jack Alexander said on November 24, 2016 at 5:27 am

    So happy I stayed with 8.1. Turned off Windows Defender (can be done in Win 10 too). And am sorry for friends and family who allowed this malicious update. There is no excuse for the telemetry that M$ has foisted on those with Win 10. It’s downright criminal.
    With 8.1 I can stop all of the telemetry, as I could if I decided to use Win 7 as it is there also. But it can be circumvented.

    1. max said on November 24, 2016 at 4:53 pm

      windows 7 and 8.1 has the same amount of telemetry as windows 10, except you can’t disable it.

      1. Metan said on November 26, 2016 at 7:05 am

        Not true. The ‘telemetry’ for Windows 7 and 8.1 is there only if you allowed it to be installed in the first place and can easily be removed by removing the ‘telemetry’ updates with very little difficulty.

        The same can’t be done with Windows 10 – you’ve got the spyware/telemetry/third party data collection tools that Microsoft has bundled with your OS. Microsoft has treated its users like sheep.

  14. Chris Penworth said on November 24, 2016 at 4:19 am

    @420 I’ll bite: Most critical business programs are Windows-only, most interesting games are Windows-only, it’s the dominant platform, thanks to MS’ OEM bundling, user-ignorance of alternatives, lazy developers, we’ve no other choice, MS is abusing that monopoly, yes I want to use Linux and do, but where’s the vertical-industry programs and other industry standard apps in Linux? Until all the PC’s in shops and online are sold with Linux, and all the critical business apps are available for Linux, we’re stuck in this MS nightmare. And it is a nightmare. This is the worst time in my 20 year career of using and supporting computers. I haven’t updated my Windows 7 PCs in over a year, and won’t ever again. I can’t trust Microsoft any more. I won’t run Windows 10 ever, or Windows 8.

  15. 420 said on November 24, 2016 at 3:11 am

    What I find amusing is every other day it seems, M$ is doing this shitty thing, M$ is doing that shitty thing. Yet most of you continue to put up with it. What does M$ have to do, to make you quit being f’d in the a?

    1. kalmly said on November 24, 2016 at 4:02 pm

      To simplify Chris Penworth’s answer: Because all the great software is written for Windows.

  16. Chryss said on November 24, 2016 at 2:22 am

    @Count Soxington – whether stabbed in the back or stabbed in the front, you’re still left bleeding (data in this case).

  17. Count Soxington said on November 24, 2016 at 2:17 am

    See, the difference is Microsoft isn’t really hiding the fact they collect this data, unlike many other companies like Google (sorry, Alphabet) and Apple who are doing this and are very quiet about it!

    1. Lurking About said on November 24, 2016 at 6:35 pm

      Neither Google nor Apple are hiding their practices. To some extent Apple’s can be avoided by what services you use/do not use. Google can be avoided completely. The major difference is this is a desktop OS that has never been used for this and now is leaking user data to third or fourth parties.

      1. John Smith said on November 24, 2016 at 7:32 pm

        Alexa spyware (another word for telemetry) in Windows XP:

    2. Velocity.Wave said on November 24, 2016 at 4:29 am

      If that’s true about Google and Apple… it still doesn’t do anything to change the fact what Microsoft is doing with this whole Windows 10 fiasco, and now selling telemetry data, is utterly HORRIFIC to many people.

  18. Nebulus said on November 24, 2016 at 12:35 am

    It is funny how Microsoft gets money BOTH from selling licenses for Win10 and at the same time from selling data about the users to third parties.

  19. Steve Hare said on November 24, 2016 at 12:29 am

    There is a site…
    These are firewall rules for Windows that block a lot of MS telemetry IPs.
    I’ve monitored the effectiveness of the list with Wireshark and find it very reliable.

    1. Ray said on November 25, 2016 at 2:58 am

      Thanks for mentioning Windows Spy Blocker.

      I’m using what they recommended with DNSCrypt. Works good so far.

  20. Chryss said on November 24, 2016 at 12:23 am

    Doesn’t the law require an opt-out? Just when I think they can’t get worse – stupid me. So glad I didn’t drink the Win 10 kool-aid.

    1. Dave said on November 24, 2016 at 1:52 am

      The law requires your consent. Did you give it?

      1. Metan said on November 26, 2016 at 6:58 am

        The ‘telemetry’ is encrypted, so what are you going to give consent to?

    2. berttie said on November 24, 2016 at 12:41 am

      >So glad I didn’t drink the Win 10 kool-aid.

      Win 7, 8, 8.1 are also increasingly phoning home with telemetry and given Defender is also on these systems M$ may soon be supplying data to FireEye from them too, if it isn’t already.

      1. Metan said on November 24, 2016 at 11:51 am

        Only if you let the spyware/telemetry be installed on your system which a lot of users blocked Microsoft from doing.

        Seems now it was a really good move.

  21. troet said on November 24, 2016 at 12:19 am

    “Your privacy is very important to us.” Yes, and we all know, why.

  22. David said on November 23, 2016 at 11:30 pm

    Could’ve gone worse had M$ made deals with advertising companies.

    1. Matt said on November 23, 2016 at 11:42 pm

      Fair enough. Problem is, the chain doesn’t end with Microsoft. FireEye could also sell the data. Maybe not for advertising but statistics.

      1. god damn spies said on November 24, 2016 at 3:05 am

        That FireEye data is going to your friendly three-letter agencies. Now Microsoft has deniability. Waiting for the gullible public to realize what US tech companies are doing… (other countries are doing it too, but not on this scale, yet).

  23. nat32support said on November 23, 2016 at 11:25 pm

    You wrote:

    “The fact that Telemetry data is offered to third-parties is quite problematic however.”

    That has to be the understatement of the year!
    If only a Windows-compatible OS (like ReactOS) were ready, I would use it right away.
    Until then, I will keep redirecting all unwanted Microsoft traffic to my honeypot.

  24. Matt said on November 23, 2016 at 11:23 pm

    Horrorshow. Hopefully developers like O&O (ShutUp10) will add further functionalities to their programs.

  25. Anonymous said on November 23, 2016 at 10:34 pm

    So how do we switch all telemetry off, why did Microsoft force drive this onto our machines so you couldn’t get out of it, and when are they going to replace my beloved Windows 7 which I bought?
    Arseholes. Time for Linux to prosper.
    Games companies start supporting Linux so we can all move on to a more secure and private life again please. Thanks.

    1. Jim said on November 24, 2016 at 9:47 am

      “So how do we switch all telemetry off…”

      Realistically, you don’t. If you limit yourself to the controls within Windows 10, you can only disable what Microsoft allows you to disable. You can use third-party programs that dig a little deeper and disable more. You can block known telemetry IPs in your router (not your hosts file or Windows firewall). But you will never get it all. With forced updates, Microsoft holds all the cards and can add new telemetry items and hardcoded IPs anytime it wants.

      Note: Even this site uses trackers. I had to unblock GoogleUserContent plus several other trackers just to post this.
