The CEIP Service is the Customer Experience Improvement Program that sends telemetry data back to Microsoft.
When you install Microsoft SQL Server, the CEIP Service is installed too. You can’t disable it during installation: it shows up in your services list whether you want it or not.
What data does the CEIP Service collect?
Microsoft goes into a lot of detail here, and the short answer is things like:
- Crash dumps – which may contain your data and the exact contents of your queries, which can contain personally identifiable information
- Login names, email addresses, location information, server names (read the “End-user identifiable information” section, in particular the part about “may be emitted to Microsoft to deliver new hybrid and cloud features”)
- Behavioral/usage data, server configuration, feature configuration, hardware manufacturers
- Database names, table names, and column names
If you’d like to see examples of the exact queries it runs, I captured a trace of the CEIP Service’s queries in this post.
Can you disable the CEIP Service?
If you’re using SQL Server Standard Edition or Enterprise Edition, then on the SQL Server, go into the Start menu, Microsoft SQL Server, SQL Server Error and Usage Reporting. A dialog box will let you un-check the error reporting and feature usage reporting.
After you uncheck those boxes and click OK, the CEIP Service will still be running, but it won’t send any data back to Microsoft. The documentation says so, so it must be true, right? (Tin foil hat goes here.) If you’re managing a lot of servers in an enterprise, you can also use Group Policy to push out these registry keys to control data collection and crash dump collection.
A security-conscious customer of mine goes so far as to disable the service, then change the logon account for the SQLCEIP service to an invalid account & password, and uses PowerShell to check its login on a regular basis, making sure it doesn’t get re-enabled by a Cumulative Update.
However, if you’re using SQL Server Developer Edition or Express Edition, you can’t disable CEIP for SQL Server. Microsoft’s policy is that people who use free versions of SQL Server are paying for that by sending in their private data to Microsoft. The CEIP Service documentation page says:
Even if you follow the above instructions on Developer Edition, they’ll appear to work, but you’ll still be sending telemetry data back to Microsoft.
28 Comments. Leave new
Interesting…
Although if your SQL Server’s can’t access the internet then the CEIP service wouldn’t be able to send the telemetry data back to the mother ship (unless carrier pigeon is involved). Any idea if there is any impact to the instance if it can’t phone home for a long period of time?
Your best bet there would be to ask Microsoft rather than me. 😉
I can answer that – we have seen an instance where SSRS reports were dramatically slowed down (20-30sec wait before rendering) due to aggressive internet traffic blocking which prevented watson.telemetry.microsoft.com from being reachable. Disabling the CEIP options immediately removed that delay.
Thanks for sharing this.
Oooo the powershell script to check it regularly is a good idea!
Another solution is to disable internet access from the database server.
Thanks for reminding me – forgot to disable this on a fresh installation. Added to my install checklist.
However, when I tried to disable on this server, starting up SQL Error and Usage Reporting resulted in a brief command prompt window, followed by nothing. I had to follow the final suggestion in this thread to get it working: https://feedback.azure.com/forums/908035-sql-server/suggestions/39081679-sql-server-error-and-usage-report-does-not-work
Strictly speaking I believe that disabling the CEIP service puts you into an unsupported configuration – it is in the remarks of the doc https://docs.microsoft.com/en-us/sql/sql-server/usage-and-diagnostic-data-in-local-audit?view=sql-server-ver15#remarks
Not sure if it is checked or if it may break a future CU that may expect to be able to start the service but it’s in the docs.
To prevent the CEIP service from ever starting, I make use of the slightly obscure Image File Execution Options registry key to specify an non-existent debugger for “sqlceip.exe”, which prevents any attempt to execute “sqlceip.exe” (in any path) to fail with an ERROR_FILE_NOT_FOUND.
Combining this with usual service disabling techniques add another layer of defence against data leakage through this service.
I’m curious, I’ve personally never worked in a shop where the database servers had access to internet. Isn’t that standard practice? I would be really interested to know the percentage of servers that CEIP can actually do something.
It’s pretty high. I’d say more than half of the shops I see have access to the Internet.
Most of our developers have SQL Server installed on their laptops and they are constantly connected to the internet. ?
Having worked with some major customers, I can pretty much guarantee that there are a ton of them with full internet access. Why use WSUS when you can browse the internet from the database server?
I wrote a PowerShell script to disable it. We run this on all of our new servers as part of our standard build config: http://www.sqlnuggets.com/blog/disable-telemetry-on-multiple-sql-servers-with-powershell/
If it helps anyone out, I use a little app called ExecTI that allows you to run apps in the context of the TrustedInstaller account (lots of utilities around that do similar). You can use this to open snap-ins such as Services and TaskScheduller and can then have full control to disable many services and tasks you might not otherwise be able to, including the CEIP and related services.
The SQL Server Integration Services CEIP service exists as well. Does it do all the bad things that the SQL server CEIP service does so I would need to disable it as well?
CEIP phone home.
Hello,
On a FCI cluster, is it safe to remove the SQL Server CEIP role ?
Otherwise, the whole role stay in failed status when disabling CEIP service.
Thanks,
Ka
For personal production support, contact Microsoft.
Dear Brent,
are we sure about SQL logins ? :
Specifically, Microsoft does not send any of the following types of information through this mechanism:
Any values from inside user tables
Any logon credentials or other authentication information
Personal information
Sources: https://docs.microsoft.com/en-us/sql/sql-server/usage-and-diagnostic-data-configuration-for-sql-server?view=sql-server-ver15
Yes, “we” are sure, because “we” read all of the links in the post.
“Crash Dumps may contain Access Control Data.” – https://docs.microsoft.com/en-us/sql/sql-server/sql-server-privacy?view=sql-server-ver15#access-control
Pal I just ask question, no need to reply like that. Nevertheless it is a crash dump. Not normal or daily base situation which customer might be experiencing. I agree to block/disable this service. But you wrote about it as granted and now only possible way might be, only might be, during a crash dump. And it is for 30 days. Common, customers are uploading production databases to azure for single databaze tier with all the production data / financial data / personal data. Microsoft has it already if you are using their cloud 🙂 B.
OK, cool, sounds like you’ve got all the knowledge you need. Take care!
Sorry, given that “telemetry cannot be disabled in Developer, Enterprise Evaluation, and Express editions”… Ok, but, are these editions sending data back to Microsoft even if the CEIP related services are not running (whatever reason)?
How might one prove that they are or are not?
Nice question…
I think the only way could be a packet sniffer and a great deal of patience. I hope someone already faced the task 😉
In the famous words of Abraham Roosevelt, “Hope is not a strategy.”
… But it can make all the difference. 😉 Thank you Brent. Time permitting…
I just deactivated the CEIP service (services.msc) and SQL Express still is working like before…