
DiagTrack: Connected User Experience and Telemetry Service

Ben Balkin
Published on: June 3, 2024

What is User Experience and Telemetry Services

In the age of software subscriptions, over-the-air updates and bug fixes are expected to happen instantaneously. To fix bugs and improve the user experience, the software must be able to contact its creator and report what needs optimization.

The Connected User Experience and Telemetry service, also known as DiagTrack or Customer Experience Improvement Program (CEIP), is a built-in Windows service that collects and transmits anonymized data about user experience and device health to Microsoft. This data can include things such as device specs, installed programs, basic error info, and Windows update details.

What is Authenticated Proxy usage?

An authenticated proxy is a proxy server that requires user authentication. There are two options for sending Connected User Experience and Telemetry service data to Microsoft servers. When authenticated proxy usage is enabled, the data is sent through an authenticated proxy server (requiring a username and password) configured within your network environment. If it is disabled, a direct connection with Microsoft endpoints is established, bypassing any proxy servers.


The difference between using an authenticated proxy and direct

While the Connected User Experience and Telemetry service data is anonymized, the system is not perfect, and the data can still pose a security threat in the wrong hands. Sending it through an existing third-party authenticated proxy can therefore be perceived as an additional, unnecessary risk.

Allowing the service to use authenticated proxies can help ensure that telemetry data is successfully transmitted, which is useful for keeping systems updated and secure. However, organizations must balance this with privacy considerations, ensuring that only necessary data is shared and that it complies with privacy policies and regulations.

Audit

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection:DisableEnterpriseAuthProxy
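The registry check described above can be scripted. The following PowerShell is an added example, not code from the original article or from CIS; the function name is hypothetical, and it assumes that a REG_DWORD value of 1 corresponds to the recommended state (the page names the value but not its data). It also reports the case where the key or value is missing, in which case the default described under "Default value" applies.

```powershell
# Added example: read-only audit of the policy value named in the Audit section.
# Assumption (not stated on the page): REG_DWORD 1 = "Enabled: Disable Authenticated Proxy usage".
function Test-DiagTrackAuthProxyPolicy {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [string]$Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection',
        [string]$Name = 'DisableEnterpriseAuthProxy',
        [int]$ExpectedValue = 1
    )

    $result = [ordered]@{
        ComputerName = $env:COMPUTERNAME
        Name         = $Name
        Actual       = $null
        Kind         = $null
        Compliant    = $false
        Detail       = ''
    }

    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $key) {
        # No policy key at all: the setting was never configured on this machine.
        $result.Detail = 'Policy key missing; default applies (authenticated proxy is used).'
    }
    elseif ($key.GetValueNames() -notcontains $Name) {
        # Key exists (other Data Collection policies are set) but this value is absent.
        $result.Detail = 'Value missing; default applies (authenticated proxy is used).'
    }
    else {
        $result.Actual = $key.GetValue($Name)
        $result.Kind   = $key.GetValueKind($Name)
        if ($result.Kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
            $result.Detail = 'Value exists but is not a REG_DWORD; review manually.'
        }
        elseif ($result.Actual -eq $ExpectedValue) {
            $result.Compliant = $true
            $result.Detail    = 'Authenticated proxy usage is disabled by policy.'
        }
        else {
            $result.Detail = "Unexpected value $($result.Actual); expected $ExpectedValue."
        }
    }
    [pscustomobject]$result
}

# Run the audit on the local machine and show the full result.
Test-DiagTrackAuthProxyPolicy | Format-List
```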


Disable connected user experiences and telemetry service

To establish the recommended configuration via Group Policy, set the following UI path to Enabled: Disable Authenticated Proxy usage:

Computer Configuration\Policies\Administrative Templates\Windows Components\Data Collection and Preview Builds\Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DataCollection.admx/adml that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).

Default value

Disabled. (The Connected User Experience and Telemetry service will automatically use an authenticated proxy to send data back to Microsoft.)

Recommended setting for Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service

The recommended state for this setting is: Enabled: Disable Authenticated Proxy usage.


Best practices

It is always best to evaluate the necessity of each setting on an individual basis for the needs of the company and ensure they align with your organization’s privacy policies and regulatory requirements.

By using server hardening it is possible to configure security settings specifically in line with the needs of the company, balancing security and privacy considerations.
