Looking at the right data is the only way to understand what Windows 10 is really doing.
There's been a lot of discussion recently about the telemetry data that Windows sends back to Microsoft. There's also been a lot of bad data out there, data that can make it easy to draw some of the wrong conclusions.
When you need data, it pays to use the right tools. And when it comes to network traffic analysis, one of the best tools around is the free Wireshark. Using the WinPcap network drivers, it lets you see every packet that runs through a network adapter - including IPv6 traffic.
So if we're to get a picture of what data is being sent from a Windows 10 PC to Microsoft's telemetry servers, and how frequently, it was the tool I turned to. In order to capture a basic working set of network traffic data, I installed it on a Surface Pro 3 running the current main branch build of Windows 10 Pro. I could use the standard WinPcap drivers, as I was using a docking station; a separate set of USB WinPcap drivers is available if you're using a USB network card.
My network is relatively simple: a VDSL FTTC broadband router drops into a gigabit switch, with a mix of domain-joined and workgroup PCs, servers, and notebooks using both wired and wireless connections. That meant much of the traffic would be internal network operations, and I'd need to filter it out of my results. I also shut down as many services and applications as possible, so that HTTPS connections from my browser and other Internet and cloud applications wouldn't drown out any telemetry traffic. I left Windows 10's core functions running, including OneDrive and Windows Defender.
In order to get a baseline set of readings, I ran Wireshark initially for around 30 minutes, capturing over 130,000 network transactions. Of those, only 27 were to Microsoft's watson and telecommand servers at telemetry.microsoft.com.nsatc.net. With name resolution enabled, Wireshark resolves the IP addresses seen at your network card to host names via reverse DNS, alongside source and destination information and details of the protocols used.
You're also able to see the contents of any data delivered to a server, though in the case of Microsoft's Windows 10 telemetry this is encrypted using TLS v1.2, and so there's no way of actually seeing the content of a telemetry packet; only handshake metadata such as the server name is visible in the clear. The average packet size, however, is just over 3KB, and TLS adds only a few tens of bytes of overhead per record, so the encryption overhead does not change the picture: very little data is being sent to Microsoft. Two caveats apply when reading a figure like that. First, average packet size is not a total; the volume you care about is the byte count of the whole conversation (Wireshark's Statistics > Conversations window gives it directly), which here is bounded by 27 packets of roughly 3KB over 30 minutes. Second, frames larger than the 1,500-byte Ethernet MTU in a capture taken on the sending host usually mean the adapter's segmentation offload is enabled, so Wireshark is seeing pre-segmentation buffers rather than what went on the wire; the byte totals are still right, but the packet count is lower than the wire count...