deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-15 10:23:37 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

chore: Renormalize line endings

Browse Source 
Ran `git add --renormalize .`
This commit is contained in:
Nick Schonning
2019-06-17 12:42:08 -04:00
parent 937026d20c
commit 0185f9b143
27 changed files with 10969 additions and 10969 deletions
Download Patch File Download Diff File Expand all files Collapse all files

64
windows/privacy/TOC.md
View File

@ -1,32 +1,32 @@
# [Privacy](index.yml)
## [Beginning your General Data Protection Regulation (GDPR) journey for Windows 10](gdpr-win10-whitepaper.md)
## [Windows and the GDPR: Information for IT Administrators and Decision Makers](gdpr-it-guidance.md)
## [Windows 10 & Privacy Compliance: A Guide for IT and Compliance Professionals](Windows-10-and-privacy-compliance.md)
## [Windows 10 personal data services configuration](windows-personal-data-services-configuration.md)
## [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md)
## Diagnostic Data Viewer
### [Diagnostic Data Viewer Overview](diagnostic-data-viewer-overview.md)
### [Diagnostic Data Viewer for PowerShell Overview](Microsoft-DiagnosticDataViewer.md)
## Basic level Windows diagnostic data events and fields
### [Windows 10, version 1903 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md)
### [Windows 10, version 1809 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md)
### [Windows 10, version 1803 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md)
### [Windows 10, version 1709 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md)
### [Windows 10, version 1703 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md)
## Enhanced level Windows diagnostic data events and fields
### [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](enhanced-diagnostic-data-windows-analytics-events-and-fields.md)
## Full level categories
### [Windows 10, version 1709 and newer diagnostic data for the Full level](windows-diagnostic-data.md)
### [Windows 10, version 1703 diagnostic data for the Full level](windows-diagnostic-data-1703.md)
## Manage Windows 10 connection endpoints
### [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
### [Manage connections from Windows operating system components to Microsoft services using MDM](manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md)
### [Connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md)
### [Connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md)
### [Connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md)
### [Connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md)
### [Connection endpoints for non-Enterprise editions of Windows 10, version 1903](windows-endpoints-1903-non-enterprise-editions.md)
### [Connection endpoints for non-Enterprise editions of Windows 10, version 1809](windows-endpoints-1809-non-enterprise-editions.md)
### [Connection endpoints for non-Enterprise editions of Windows 10, version 1803](windows-endpoints-1803-non-enterprise-editions.md)
### [Connection endpoints for non-Enterprise editions of Windows 10, version 1709](windows-endpoints-1709-non-enterprise-editions.md)
# [Privacy](index.yml)
## [Beginning your General Data Protection Regulation (GDPR) journey for Windows 10](gdpr-win10-whitepaper.md)
## [Windows and the GDPR: Information for IT Administrators and Decision Makers](gdpr-it-guidance.md)
## [Windows 10 & Privacy Compliance: A Guide for IT and Compliance Professionals](Windows-10-and-privacy-compliance.md)
## [Windows 10 personal data services configuration](windows-personal-data-services-configuration.md)
## [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md)
## Diagnostic Data Viewer
### [Diagnostic Data Viewer Overview](diagnostic-data-viewer-overview.md)
### [Diagnostic Data Viewer for PowerShell Overview](Microsoft-DiagnosticDataViewer.md)
## Basic level Windows diagnostic data events and fields
### [Windows 10, version 1903 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md)
### [Windows 10, version 1809 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md)
### [Windows 10, version 1803 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md)
### [Windows 10, version 1709 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md)
### [Windows 10, version 1703 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md)
## Enhanced level Windows diagnostic data events and fields
### [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](enhanced-diagnostic-data-windows-analytics-events-and-fields.md)
## Full level categories
### [Windows 10, version 1709 and newer diagnostic data for the Full level](windows-diagnostic-data.md)
### [Windows 10, version 1703 diagnostic data for the Full level](windows-diagnostic-data-1703.md)
## Manage Windows 10 connection endpoints
### [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
### [Manage connections from Windows operating system components to Microsoft services using MDM](manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md)
### [Connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md)
### [Connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md)
### [Connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md)
### [Connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md)
### [Connection endpoints for non-Enterprise editions of Windows 10, version 1903](windows-endpoints-1903-non-enterprise-editions.md)
### [Connection endpoints for non-Enterprise editions of Windows 10, version 1809](windows-endpoints-1809-non-enterprise-editions.md)
### [Connection endpoints for non-Enterprise editions of Windows 10, version 1803](windows-endpoints-1803-non-enterprise-editions.md)
### [Connection endpoints for non-Enterprise editions of Windows 10, version 1709](windows-endpoints-1709-non-enterprise-editions.md)

908
windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
View File

@ -1,454 +1,454 @@
---
description: Use this article to make informed decisions about how you can configure diagnostic data in your organization.
title: Configure Windows diagnostic data in your organization (Windows 10)
keywords: privacy
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: high
audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 04/29/2019
---
# Configure Windows diagnostic data in your organization
**Applies to**
- Windows 10 Enterprise
- Windows 10 Mobile
- Windows Server
This article applies to Windows and Windows Server diagnostic data only. It describes the types of diagnostic data we may gather, the ways you might manage it in your organization, and some examples of how diagnostic data can provide you with valuable insights into your enterprise deployments. Microsoft uses the data to quickly identify and address issues affecting its customers.
Use this article to make informed decisions about how you might configure diagnostic data in your organization. Diagnostic data is a term that means different things to different people and organizations. For this article, we discuss diagnostic data as system data that is uploaded by the Connected User Experiences and Telemetry component. Microsoft uses diagnostic data to keep Windows secure and up to date, troubleshoot problems, and make product improvements.
We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com.
## Overview of Windows diagnostic data
At Microsoft, we use Windows diagnostic data to inform our decisions and focus our efforts in providing the most robust, most valuable platform for your business and the people who count on Windows to enable them to be as productive as possible. Diagnostic data gives users a voice in the operating systems development. This guide describes the importance of Windows diagnostic data and how we protect that data. Additionally, it differentiates between diagnostic data and functional data. It also describes the diagnostic data levels that Windows supports. Of course, you can choose how much diagnostic data is shared with Microsoft, and this guide demonstrates how.
To frame a discussion about diagnostic data, it is important to understand Microsofts privacy principles. We earn customer trust every day by focusing on six key privacy principles as described at [privacy.microsoft.com](https://privacy.microsoft.com/). These principles guided the implementation of the Windows diagnostic data system in the following ways:
- **Control.** We offer customers control of the diagnostic data they share with us by providing easy-to-use management tools.
- **Transparency.** We provide information about the diagnostic data that Windows and Windows Server collects so our customers can make informed decisions.
- **Security.** We encrypt diagnostic data in transit from your device via TLS 1.2, and additionally use certificate pinning to secure the connection.
- **Strong legal protections.** We respect customers local privacy laws and fight for legal protection of their privacy as a fundamental human right.
- **No content-based targeting.** We take steps to avoid and minimize the collection of customer content, such as the content of files, chats, or emails, through the Windows diagnostic data system. Customer content inadvertently collected is kept confidential and not used for user targeting.
- **Benefits to you.** We collect Windows diagnostic data to help provide you with an up-to-date, more secure, reliable and performant product, and to improve Windows for all our customers.
In previous versions of Windows and Windows Server, Microsoft used diagnostic data to check for updated or new Windows Defender signatures, check whether Windows Update installations were successful, gather reliability information through the Reliability Analysis Component (RAC), and gather reliability information through the Windows Customer Experience Improvement Program (CEIP) on Windows. In Windows 10 and Windows Server, you can control diagnostic data streams by using the Privacy option in Settings, Group Policy, or MDM.
For Windows 10, we invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows work better for your organization.
## Understanding Windows diagnostic data
Windows as a Service is a fundamental change in how Microsoft plans, builds, and delivers the operating system. Historically, we released a major Windows version every few years. The effort required to deploy large and infrequent Windows versions was substantial. That effort included updating the infrastructure to support the upgrade. Windows as a Service accelerates the cadence to provide rich updates more frequently, and these updates require substantially less effort to roll out than earlier versions of Windows. Since it provides more value to organizations in a shorter timeframe, delivering Windows as a Service is a top priority for us.
The release cadence of Windows may be fast, so feedback is critical to its success. We rely on diagnostic data at each stage of the process to inform our decisions and prioritize our efforts.
### What is Windows diagnostic data?
Windows diagnostic data is vital technical data from Windows devices about the device and how Windows and related software are performing. It's used in the following ways:
- Keep Windows up to date
- Keep Windows secure, reliable, and performant
- Improve Windows through the aggregate analysis of the use of Windows
- Personalize Windows engagement surfaces
Here are some specific examples of Windows diagnostic data:
- Type of hardware being used
- Applications installed and usage details
- Reliability information on device drivers
### What is NOT diagnostic data?
Diagnostic data can sometimes be confused with functional data. Some Windows components and apps connect to Microsoft services directly, but the data they exchange is not diagnostic data. For example, exchanging a users location for local weather or news is not an example of diagnostic data—it is functional data that the app or service requires to satisfy the users request.
There are subtle differences between diagnostic data and functional data. Windows collects and sends diagnostic data in the background automatically. You can control how much information is gathered by setting the diagnostic data level. Microsoft tries to avoid collecting personal information wherever possible (for example, if a crash dump is collected and a document was in memory at the time of the crash). On the other hand, functional data can contain personal information. However, a user action, such as requesting news or asking Cortana a question, usually triggers collection and transmission of functional data.
If youre an IT pro that wants to manage Windows functional data sent from your organization to Microsoft, see [Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services).
The following are specific examples of functional data:
- Current location for weather
- Bing searches
- Wallpaper and desktop settings synced across multiple devices
### Diagnostic data gives users a voice
Windows and Windows Server diagnostic data gives every user a voice in the operating systems development and ongoing improvement. It helps us understand how Windows 10 and Windows Server behaves in the real world, focus on user priorities, and make informed decisions that benefit them. For our enterprise customers, representation in the dataset on which we will make future design decisions is a real benefit. The following sections offer real examples of these benefits.
### Improve app and driver quality
Our ability to collect diagnostic data that drives improvements to Windows and Windows Server helps raise the bar for app and device driver quality. Diagnostic data helps us to quickly identify and fix critical reliability and security issues with apps and device drivers on given configurations. For example, we can identify an app that hangs on devices using a specific version of a video driver, allowing us to work with the app and device driver vendor to quickly fix the issue. The result is less downtime and reduced costs and increased productivity associated with troubleshooting these issues.
#### Real-world example of how Windows diagnostic data helps
There was a version of a video driver that was crashing on some devices running Windows 10, causing the device to reboot. We detected the problem in our diagnostic data, and immediately contacted the third-party developer who builds the video driver. Working with the developer, we provided an updated driver to Windows Insiders within 24 hours. Based on diagnostic data from the Windows Insiders devices, we were able to validate the new version of the video driver, and rolled it out to the broad public as an update the next day. Diagnostic data helped us find, fix, and resolve this problem in just 48 hours, providing a better user experience and reducing costly support calls.
### Improve end-user productivity
Windows diagnostic data also helps Microsoft better understand how customers use (or do not use) the operating systems features and related services. The insights we gain from this data helps us prioritize our engineering effort to directly impact our customers experiences. Examples are:
- **Start menu.** How do people change the Start menu layout? Do they pin other apps to it? Are there any apps that they frequently unpin? We use this dataset to adjust the default Start menu layout to better reflect peoples expectations when they turn on their device for the first time.
- **Cortana.** We use diagnostic data to monitor the scalability of our cloud service, improving search performance.
- **Application switching.** Research and observations from earlier Windows versions showed that people rarely used Alt+Tab to switch between applications. After discussing this with some users, we learned they loved the feature, saying that it would be highly productive, but they did not know about it previously. Based on this, we created the Task View button in Windows 10 to make this feature more discoverable. Later diagnostic data showed significantly higher usage of this feature.
**These examples show how the use of diagnostic data enables Microsoft to build or enhance features which can help organizations increase employee productivity while lowering help desk calls.**
### Insights into your own organization
Sharing information with Microsoft helps make Windows and other products better, but it can also help make your internal processes and user experiences better, as well. Microsoft is in the process of developing a set of analytics customized for your internal use. The first of these, called [Upgrade Readiness](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness).
#### Upgrade Readiness
Upgrading to new operating system versions has traditionally been a challenging, complex, and slow process for many enterprises. Discovering applications and drivers and then testing them for potential compatibility issues have been among the biggest pain points.
To better help customers through this difficult process, Microsoft developed Upgrade Readiness to give enterprises the tools to plan and manage the upgrade process end to end and allowing them to adopt new Windows releases more quickly and on an ongoing basis.
With Windows diagnostic data enabled, Microsoft collects computer, application, and driver compatibility-related information for analysis. We then identify compatibility issues that can block your upgrade and suggest fixes when they are known to Microsoft.
Use Upgrade Readiness to get:
- A visual workflow that guides you from pilot to production
- Detailed computer, driver, and application inventory
- Powerful computer level search and drill-downs
- Guidance and insights into application and driver compatibility issues with suggested fixes
- Data driven application rationalization tools
- Application usage information, allowing targeted validation; workflow to track validation progress and decisions
- Data export to commonly used software deployment tools
The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded.
## How Microsoft handles diagnostic data
The diagnostic data is categorized into four levels:
- [**Security**](#security-level). Information thats required to help keep Windows and Windows Server secure, including data about the Connected User Experiences and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender.
- [**Basic**](#basic-level). Basic device info, including: quality-related data, app compatibility, and data from the **Security** level.
- [**Enhanced**](#enhanced-level). Additional insights, including: how Windows, Windows Server, and apps are used, how they perform, advanced reliability data, and data from both the **Basic** and the **Security** levels.
- [**Full**](#full-level). Includes information about the websites you browse, how you use apps and features, plus additional information about device health, device activity (sometimes referred to as usage), and enhanced error reporting. At Full, Microsoft also collects the memory state of your device when a system or app crash occurs. It includes data from the **Security**, **Basic**, and **Enhanced** levels.
Diagnostic data levels are cumulative, meaning each subsequent level includes data collected through lower levels. For more information see the [Diagnostic data levels](#diagnostic-data-levels) section.
### Data collection
Windows 10 and Windows Server includes the Connected User Experiences and Telemetry component, which uses Event Tracing for Windows (ETW) tracelogging technology that gathers and stores diagnostic data events and data. The operating system and some Microsoft management solutions, such as System Center, use the same logging technology.
1. Operating system features and some management applications are instrumented to publish events and data. Examples of management applications include Virtual Machine Manager (VMM), Server Manager, and Storage Spaces.
2. Events are gathered using public operating system event logging and tracing APIs.
3. You can configure the diagnostic data level by using MDM policy, Group Policy, or registry settings.
4. The Connected User Experiences and Telemetry component transmits the diagnostic data.
Info collected at the Enhanced and Full levels of diagnostic data is typically gathered at a fractional sampling rate, which can be as low as 1% of devices reporting data at those levels.
### Data transmission
All diagnostic data is encrypted using SSL and uses certificate pinning during transfer from the device to the Microsoft Data Management Service. With Windows 10, data is uploaded on a schedule that is sensitive to event priority, battery use, and network cost. Real-time events, such as Windows Defender Advanced Threat Protection, are always sent immediately. Normal events are not uploaded on metered networks, unless you are on a metered server connection. On a free network, normal events can be uploaded every 4 hours if on battery, or every 15 minutes if on A/C power. Diagnostic and crash data are only uploaded on A/C power and free networks.
The data transmitted at the Basic and Enhanced data diagnostic levels is quite small; typically less than 1 MB per device per day, but occasionally up to 2 MB per device per day).
### Endpoints
The Microsoft Data Management Service routes data back to our secure cloud storage. Only Microsoft personnel with a valid business justification are permitted access.
The following table defines the endpoints for Connected User Experiences and Telemetry component:
Windows release | Endpoint
--- | ---
Windows 10, versions 1703 or later, with the 2018-09 cumulative update installed| **Diagnostics data** - v10c.vortex-win.data.microsoft.com</br></br>**Functional** - v20.vortex-win.data.microsoft.com</br>**Microsoft Defender Advanced Threat Protection** is country specific and the prefix changes by country for example: **de**.vortex-win.data.microsoft.com</br>**Settings** - win.data.microsoft.com
Windows 10, versions 1803 or later, without the 2018-09 cumulative update installed | **Diagnostics data** - v10.events.data.microsoft.com</br></br>**Functional** - v20.vortex-win.data.microsoft.com</br>**Microsoft Defender Advanced Threat Protection** is country specific and the prefix changes by country for example: **de**.vortex-win.data.microsoft.com</br>**Settings** - win.data.microsoft.com
Windows 10, version 1709 or earlier | **Diagnostics data** - v10.vortex-win.data.microsoft.com</br></br>**Functional** - v20.vortex-win.data.microsoft.com</br>**Microsoft Defender Advanced Threat Protection** is country specific and the prefix changes by country for example: **de**.vortex-win.data.microsoft.com</br>**Settings** - win.data.microsoft.com
The following table defines the endpoints for other diagnostic data services:
| Service | Endpoint |
| - | - |
| [Windows Error Reporting](https://msdn.microsoft.com/library/windows/desktop/bb513641.aspx) | watson.telemetry.microsoft.com |
| | ceuswatcab01.blob.core.windows.net |
| | ceuswatcab02.blob.core.windows.net |
| | eaus2watcab01.blob.core.windows.net |
| | eaus2watcab02.blob.core.windows.net |
| | weus2watcab01.blob.core.windows.net |
| | weus2watcab02.blob.core.windows.net |
| [Online Crash Analysis](https://msdn.microsoft.com/library/windows/desktop/ee416349.aspx) | oca.telemetry.microsoft.com |
| OneDrive app for Windows 10 | vortex.data.microsoft.com/collect/v1 |
| Microsoft Defender Advanced Threat Protection | https://wdcp.microsoft.com</br>https://wdcpalt.microsoft.com |
### Data use and access
The principle of least privileged access guides access to diagnostic data. Microsoft does not share personal data of our customers with third parties, except at the customers discretion or for the limited purposes described in the [Privacy Statement](https://privacy.microsoft.com/privacystatement). Microsoft may share business reports with OEMs and third-party partners that include aggregated and anonymized diagnostic data information. Data-sharing decisions are made by an internal team including privacy, legal, and data management.
### Retention
Microsoft believes in and practices information minimization. We strive to gather only the info we need and to store it only for as long as its needed to provide a service or for analysis. Much of the info about how Windows and apps are functioning is deleted within 30 days. Other info may be retained longer, such as error reporting data or Microsoft Store purchase history.
## Manage enterprise diagnostic data level
### Enterprise management
Sharing diagnostic data with Microsoft provides many benefits to enterprises, so we do not recommend turning it off. For most enterprise customers, simply adjusting the diagnostic data level and managing specific components is the best option.
Customers can set the diagnostic data level in both the user interface and with existing management tools. Users can change the diagnostic data level in the **Diagnostic data** setting. In the **Settings** app, in **Privacy** > **Diagnostics & feedback**. They can choose between Basic and Full. The Enhanced level will only be displayed as an option when Group Policy or Mobile Device Management (MDM) are invoked with this level. The Security level is not available.
IT pros can use various methods, including Group Policy and Mobile Device Management (MDM), to choose a diagnostic data level. If youre using Windows 10 Enterprise, Windows 10 Education, or Windows Server, the Security diagnostic data level is available when managing the policy. Setting the diagnostic data level through policy sets the upper boundary for the users choices. To disable user choice after setting the level with the policy, you will need to use the "Configure telemetry opt-in setting user interface" group policy. The remainder of this article describes how to use group policy to configure levels and settings interface.
#### Manage your diagnostic data settings
Use the steps in this article to set and/or adjust the diagnostic data settings for Windows and Windows Server in your organization.
> [!IMPORTANT]
> These diagnostic data levels only apply to Windows and Windows Server components and apps that use the Connected User Experiences and Telemetry component. Non-Windows components, such as Microsoft Office or other 3rd-party apps, may communicate with their cloud services outside of these diagnostic data levels. You should work with your app vendors to understand their diagnostic data policy, and how you can to opt in or opt out. For more information on how Microsoft Office uses diagnostic data, see [Overview of privacy controls for Office 365 ProPlus](/deployoffice/privacy/overview-privacy-controls).
The lowest diagnostic data setting level supported through management policies is **Security**. The lowest diagnostic data setting supported through the Settings UI is **Basic**. The default diagnostic data setting for Windows Server is **Enhanced**.
### Configure the diagnostic data level
You can configure your device's diagnostic data settings using the management tools youre already using, such as Group Policy, MDM, or Windows Provisioning. You can also manually change your settings using Registry Editor. Setting your diagnostic data levels through a management policy sets the upper level for diagnostic data on the device.
Use the appropriate value in the table below when you configure the management policy.
| Level | Value |
| - | - |
| Security | **0** |
| Basic | **1** |
| Enhanced | **2** |
| Full | **3** |
> [!NOTE]
> When both the Computer Configuration policy and User Configuration policy are set, the more restrictive policy is used.
### Use Group Policy to set the diagnostic data level
Use a Group Policy object to set your organizations diagnostic data level.
1. From the Group Policy Management Console, go to **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Data Collection and Preview Builds**.
2. Double-click **Allow Telemetry**.
3. In the **Options** box, select the level that you want to configure, and then click **OK**.
### Use MDM to set the diagnostic data level
Use the [Policy Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) to apply the System/AllowTelemetry MDM policy.
### Use Registry Editor to set the diagnostic data level
Use Registry Editor to manually set the registry level on each device in your organization or you can write a script to edit the registry. If a management policy already exists, such as Group Policy or MDM, it will override this registry setting.
1. Open Registry Editor, and go to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection**.
2. Right-click **DataCollection**, click New, and then click **DWORD (32-bit) Value**.
3. Type **AllowTelemetry**, and then press ENTER.
4. Double-click **AllowTelemetry**, set the desired value from the table above, and then click **OK.**
5. Click **File** &gt; **Export**, and then save the file as a .reg file, such as **C:\\AllowTelemetry.reg**. You can run this file from a script on each device in your organization.
### Additional diagnostic data controls
There are a few more settings that you can turn off that may send diagnostic data information:
- To turn off Windows Update diagnostic data, you have two choices. Either turn off Windows Update, or set your devices to be managed by an on premises update server, such as [Windows Server Update Services (WSUS)](https://technet.microsoft.com/library/hh852345.aspx) or [System Center Configuration Manager](https://www.microsoft.com/server-cloud/products/system-center-2012-r2-configuration-manager/).
- Turn off **Windows Defender Cloud-based Protection** and **Automatic sample submission** in **Settings** &gt; **Update & security** &gt; **Windows Defender**.
- Manage the Malicious Software Removal Tool in your organization. For more info, see Microsoft KB article [891716](https://support.microsoft.com/kb/891716).
- Turn off **Improve inking and typing** in **Settings** &gt; **Privacy**. At diagnostic data levels **Enhanced** and **Full**, Microsoft uses Linguistic Data Collection info to improve language model features such as autocomplete, spellcheck, suggestions, input pattern recognition, and dictionary.
> [!NOTE]
> Microsoft does not intend to gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user's device. If we determine that sensitive information has been inadvertently received, we delete the information.
## Diagnostic data levels
These levels are available on all desktop and mobile editions of Windows 10, except for the **Security** level, which is limited to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server.
### Security level
The Security level gathers only the diagnostic data info that is required to keep Windows devices, Windows Server, and guests protected with the latest security updates. This level is only available on Windows Server, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and Windows IoT Core editions.
> [!NOTE]
> If your organization relies on Windows Update for updates, you shouldnt use the **Security** level. Because no Windows Update information is gathered at this level, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates.
Windows Server Update Services (WSUS) and System Center Configuration Manager functionality is not affected at this level, nor is diagnostic data about Windows Server features or System Center gathered.
The data gathered at this level includes:
- **Connected User Experiences and Telemetry component settings**. If general diagnostic data has been gathered and is queued, it is sent to Microsoft. Along with this diagnostic data, the Connected User Experiences and Telemetry component may download a configuration settings file from Microsofts servers. This file is used to configure the Connected User Experiences and Telemetry component itself. The data gathered by the client for this request includes OS information, device id (used to identify what specific device is requesting settings) and device class (for example, whether the device is server or desktop).
- **Malicious Software Removal Tool (MSRT)** The MSRT infection report contains information, including device info and IP address.
> [!NOTE]
> You can turn off the MSRT infection report. No MSRT information is included if MSRT is not used. If Windows Update is turned off, MSRT will not be offered to users. For more info, see Microsoft KB article [891716](https://support.microsoft.com/kb/891716).
- **Windows Defender/Endpoint Protection**. Windows Defender and System Center Endpoint Protection requires some information to function, including: anti-malware signatures, diagnostic information, User Account Control settings, Unified Extensible Firmware Interface (UEFI) settings, and IP address.
> [!NOTE]
> This reporting can be turned off and no information is included if a customer is using third-party antimalware software, or if Windows Defender is turned off. For more info, see [Windows Defender](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender).
Microsoft recommends that Windows Update, Windows Defender, and MSRT remain enabled unless the enterprise uses alternative solutions such as Windows Server Update Services, System Center Configuration Manager, or a third-party antimalware solution. Windows Update, Windows Defender, and MSRT provide core Windows functionality such as driver and OS updates, including security updates.
For servers with default diagnostic data settings and no Internet connectivity, you should set the diagnostic data level to **Security**. This stops data gathering for events that would not be uploaded due to the lack of Internet connectivity.
No user content, such as user files or communications, is gathered at the **Security** diagnostic data level, and we take steps to avoid gathering any information that directly identifies a company or user, such as name, email address, or account ID. However, in rare circumstances, MSRT information may unintentionally contain personal information. For instance, some malware may create entries in a computers registry that include information such as a username, causing it to be gathered. MSRT reporting is optional and can be turned off at any time.
### Basic level
The Basic level gathers a limited set of data thats critical for understanding the device and its configuration. This level also includes the **Security** level data. This level helps to identify problems that can occur on a specific hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a specific driver version. The Connected User Experiences and Telemetry component does not gather diagnostic data about System Center, but it can transmit diagnostic data for other non-Windows applications if they have user consent.
This is the default level for Windows 10 Education editions, as well as all desktop editions starting with Windows 10, version 1903.
The normal upload range for the Basic diagnostic data level is between 109 KB - 159 KB per day, per device.
The data gathered at this level includes:
- **Basic device data**. Helps provide an understanding about the types of Windows devices and the configurations and types of native and virtualized Windows Servers in the ecosystem. Examples include:
- Device attributes, such as camera resolution and display type
- Internet Explorer version
- Battery attributes, such as capacity and type
- Networking attributes, such as number of network adapters, speed of network adapters, mobile operator network, and IMEI number
- Processor and memory attributes, such as number of cores, architecture, speed, memory size, and firmware
- Virtualization attribute, such as Second Level Address Translation (SLAT) support and guest operating system
- Operating system attributes, such as Windows edition and virtualization state
- Storage attributes, such as number of drives, type, and size
- **Connected User Experiences and Telemetry component quality metrics**. Helps provide an understanding about how the Connected User Experiences and Telemetry component is functioning, including % of uploaded events, dropped events, and the last upload time.
- **Quality-related information**. Helps Microsoft develop a basic understanding of how a device and its operating system are performing. Some examples are the device characteristics of a Connected Standby device, the number of crashes or hangs, and application state change details, such as how much processor time and memory were used, and the total uptime for an app.
- **Compatibility data**. Helps provide an understanding about which apps are installed on a device or virtual machine and identifies potential compatibility problems.
- **General app data and app data for Internet Explorer add-ons**. Includes a list of apps that are installed on a native or virtualized instance of the OS and whether these apps function correctly after an upgrade. This app data includes the app name, publisher, version, and basic details about which files have been blocked from usage.
- **Internet Explorer add-ons**. Includes a list of Internet Explorer add-ons that are installed on a device and whether these apps will work after an upgrade.
- **System data**. Helps provide an understanding about whether a device meets the minimum requirements to upgrade to the next version of the operating system. System information includes the amount of memory, as well as information about the processor and BIOS.
- **Accessory device data**. Includes a list of accessory devices, such as printers or external storage devices, that are connected to Windows PCs and whether these devices will function after upgrading to a new version of the operating system.
- **Driver data**. Includes specific driver usage thats meant to help figure out whether apps and devices will function after upgrading to a new version of the operating system. This can help to determine blocking issues and then help Microsoft and our partners apply fixes and improvements.
- **Microsoft Store**. Provides information about how the Microsoft Store performs, including app downloads, installations, and updates. It also includes Microsoft Store launches, page views, suspend and resumes, and obtaining licenses.
### Enhanced level
The Enhanced level gathers data about how Windows and apps are used and how they perform. This level also includes data from both the **Basic** and **Security** levels. This level helps to improve the user experience with the operating system and apps. Data from this level can be abstracted into patterns and trends that can help Microsoft determine future improvements.
This level is needed to quickly identify and address Windows and Windows Server quality issues.
The normal upload range for the Enhanced diagnostic data level is between 239 KB - 348 KB per day, per device.
The data gathered at this level includes:
- **Operating system events**. Helps to gain insights into different areas of the operating system, including networking, Hyper-V, Cortana, storage, file system, and other components.
- **Operating system app events**. A set of events resulting from Microsoft applications and management tools that were downloaded from the Store or pre-installed with Windows or Windows Server, including Server Manager, Photos, Mail, and Microsoft Edge.
- **Device-specific events**. Contains data about events that are specific to certain devices, such as Surface Hub and Microsoft HoloLens. For example, Microsoft HoloLens sends Holographic Processing Unit (HPU)-related events.
- **Some crash dump types**. All crash dump types, except for heap dumps and full dumps.
If the Connected User Experiences and Telemetry component detects a problem on Windows 10 that requires gathering more detailed instrumentation, the Connected User Experiences and Telemetry component at the **Enhanced** diagnostic data level will only gather data about the events associated with the specific issue.
### Full level
The Full level gathers data necessary to identify and to help fix problems, following the approval process described below. This level also includes data from the Basic, Enhanced, and Security levels.
Additionally, at this level, devices opted in to the [Windows Insider Program](http://insider.windows.com) will send events, such as reliability and app responsiveness. that can show Microsoft how pre-release binaries and features are performing. These events help us make decisions on which builds are flighted. All devices in the [Windows Insider Program](http://insider.windows.com) are automatically set to this level.
If a device experiences problems that are difficult to identify or repeat using Microsofts internal testing, additional data becomes necessary. This data can include any user content that might have triggered the problem and is gathered from a small sample of devices that have both opted into the **Full** diagnostic data level and have exhibited the problem.
However, before more data is gathered, Microsofts privacy governance team, including privacy and other subject matter experts, must approve the diagnostics request made by a Microsoft engineer. If the request is approved, Microsoft engineers can use the following capabilities to get the information:
- Ability to run a limited, pre-approved list of Microsoft certified diagnostic tools, such as msinfo32.exe, powercfg.exe, and dxdiag.exe.
- Ability to get registry keys.
- All crash dump types, including heap dumps and full dumps.
> [!NOTE]
> Crash dumps collected at this diagnostic data level may unintentionally contain personal data, such as portions of memory from a documents, a web page, etc.
## Limit Enhanced diagnostic data to the minimum required by Windows Analytics
Windows Analytics Device Health reports are powered by diagnostic data not included in the **Basic** level, such as crash reports and certain operating system events. In the past, organizations sending **Enhanced** or **Full** level diagnostic data were able to participate in Device Health. However, organizations that required detailed event and field level documentation were unable to move from **Basic** to **Enhanced**.
In Windows 10, version 1709, we introduced the **Limit Enhanced diagnostic data to the minimum required by Windows Analytics** feature. When enabled, this feature lets you send only the following subset of **Enhanced** level diagnostic data. For more info about Device Health, see the [Monitor the health of devices with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-monitor) topic.
- **Operating system events.** Limited to a small set required for analytics reports and documented in the [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](enhanced-diagnostic-data-windows-analytics-events-and-fields.md) topic.
- **Some crash dump types.** Triage dumps for user mode and mini dumps for kernel mode.
>[!NOTE]
> Triage dumps are a type of [minidumps](https://docs.microsoft.com/windows/desktop/debug/minidump-files) that go through a process of user-sensitive information scrubbing. Some user-sensitive information may be missed in the process, and will therefore be sent with the dump.
### Enable limiting enhanced diagnostic data to the minimum required by Windows Analytics
1. Set the diagnostic data level to **Enhanced**, using either Group Policy or MDM.
a. Using Group Policy, set the **Computer Configuration/Administrative Templates/Windows Components/Data Collection and Preview Builds/Allow telemetry** setting to **2**.
-OR-
b. Using MDM, use the Policy CSP to set the **System/AllowTelemetry** value to **2**.
-AND-
2. Enable the **LimitEnhancedDiagnosticDataWindowsAnalytics** setting, using either Group Policy or MDM.
a. Using Group Policy, set the **Computer Configuration/Administrative Templates/Windows Components/Data collection and Preview builds/Limit Enhanced diagnostic data to the minimum required by Windows Analytics** setting to **Enabled**.
-OR-
b. Using MDM, use the Policy CSP to set the **System/LimitEnhancedDiagnosticDataWindowsAnalytics** value to **1**.
## Additional resources
FAQs
- [Cortana, Search, and privacy](https://privacy.microsoft.com/windows-10-cortana-and-privacy)
- [Windows 10 feedback, diagnostics, and privacy](https://privacy.microsoft.com/windows-10-feedback-diagnostics-and-privacy)
- [Windows 10 camera and privacy](https://privacy.microsoft.com/windows-10-camera-and-privacy)
- [Windows 10 location service and privacy](https://privacy.microsoft.com/windows-10-location-and-privacy)
- [Microsoft Edge and privacy](https://privacy.microsoft.com/windows-10-microsoft-edge-and-privacy)
- [Windows 10 speech, inking, typing, and privacy](https://privacy.microsoft.com/windows-10-speech-inking-typing-and-privacy-faq)
- [Windows Hello and privacy](https://privacy.microsoft.com/windows-10-windows-hello-and-privacy)
- [Wi-Fi Sense](https://privacy.microsoft.com/windows-10-about-wifi-sense)
- [Windows Update Delivery Optimization](https://privacy.microsoft.com/windows-10-windows-update-delivery-optimization)
Blogs
- [Privacy and Windows 10](https://blogs.windows.com/windowsexperience/2015/09/28/privacy-and-windows-10)
Privacy Statement
- [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement)
TechNet
- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
Web Pages
- [Privacy at Microsoft](https://privacy.microsoft.com)
---
description: Use this article to make informed decisions about how you can configure diagnostic data in your organization.
title: Configure Windows diagnostic data in your organization (Windows 10)
keywords: privacy
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: high
audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 04/29/2019
---
# Configure Windows diagnostic data in your organization
**Applies to**
- Windows 10 Enterprise
- Windows 10 Mobile
- Windows Server
This article applies to Windows and Windows Server diagnostic data only. It describes the types of diagnostic data we may gather, the ways you might manage it in your organization, and some examples of how diagnostic data can provide you with valuable insights into your enterprise deployments. Microsoft uses the data to quickly identify and address issues affecting its customers.
Use this article to make informed decisions about how you might configure diagnostic data in your organization. Diagnostic data is a term that means different things to different people and organizations. For this article, we discuss diagnostic data as system data that is uploaded by the Connected User Experiences and Telemetry component. Microsoft uses diagnostic data to keep Windows secure and up to date, troubleshoot problems, and make product improvements.
We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com.
## Overview of Windows diagnostic data
At Microsoft, we use Windows diagnostic data to inform our decisions and focus our efforts in providing the most robust, most valuable platform for your business and the people who count on Windows to enable them to be as productive as possible. Diagnostic data gives users a voice in the operating systems development. This guide describes the importance of Windows diagnostic data and how we protect that data. Additionally, it differentiates between diagnostic data and functional data. It also describes the diagnostic data levels that Windows supports. Of course, you can choose how much diagnostic data is shared with Microsoft, and this guide demonstrates how.
To frame a discussion about diagnostic data, it is important to understand Microsofts privacy principles. We earn customer trust every day by focusing on six key privacy principles as described at [privacy.microsoft.com](https://privacy.microsoft.com/). These principles guided the implementation of the Windows diagnostic data system in the following ways:
- **Control.** We offer customers control of the diagnostic data they share with us by providing easy-to-use management tools.
- **Transparency.** We provide information about the diagnostic data that Windows and Windows Server collects so our customers can make informed decisions.
- **Security.** We encrypt diagnostic data in transit from your device via TLS 1.2, and additionally use certificate pinning to secure the connection.
- **Strong legal protections.** We respect customers local privacy laws and fight for legal protection of their privacy as a fundamental human right.
- **No content-based targeting.** We take steps to avoid and minimize the collection of customer content, such as the content of files, chats, or emails, through the Windows diagnostic data system. Customer content inadvertently collected is kept confidential and not used for user targeting.
- **Benefits to you.** We collect Windows diagnostic data to help provide you with an up-to-date, more secure, reliable and performant product, and to improve Windows for all our customers.
In previous versions of Windows and Windows Server, Microsoft used diagnostic data to check for updated or new Windows Defender signatures, check whether Windows Update installations were successful, gather reliability information through the Reliability Analysis Component (RAC), and gather reliability information through the Windows Customer Experience Improvement Program (CEIP) on Windows. In Windows 10 and Windows Server, you can control diagnostic data streams by using the Privacy option in Settings, Group Policy, or MDM.
For Windows 10, we invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows work better for your organization.
## Understanding Windows diagnostic data
Windows as a Service is a fundamental change in how Microsoft plans, builds, and delivers the operating system. Historically, we released a major Windows version every few years. The effort required to deploy large and infrequent Windows versions was substantial. That effort included updating the infrastructure to support the upgrade. Windows as a Service accelerates the cadence to provide rich updates more frequently, and these updates require substantially less effort to roll out than earlier versions of Windows. Since it provides more value to organizations in a shorter timeframe, delivering Windows as a Service is a top priority for us.
The release cadence of Windows may be fast, so feedback is critical to its success. We rely on diagnostic data at each stage of the process to inform our decisions and prioritize our efforts.
### What is Windows diagnostic data?
Windows diagnostic data is vital technical data from Windows devices about the device and how Windows and related software are performing. It's used in the following ways:
- Keep Windows up to date
- Keep Windows secure, reliable, and performant
- Improve Windows through the aggregate analysis of the use of Windows
- Personalize Windows engagement surfaces
Here are some specific examples of Windows diagnostic data:
- Type of hardware being used
- Applications installed and usage details
- Reliability information on device drivers
### What is NOT diagnostic data?
Diagnostic data can sometimes be confused with functional data. Some Windows components and apps connect to Microsoft services directly, but the data they exchange is not diagnostic data. For example, exchanging a users location for local weather or news is not an example of diagnostic data—it is functional data that the app or service requires to satisfy the users request.
There are subtle differences between diagnostic data and functional data. Windows collects and sends diagnostic data in the background automatically. You can control how much information is gathered by setting the diagnostic data level. Microsoft tries to avoid collecting personal information wherever possible (for example, if a crash dump is collected and a document was in memory at the time of the crash). On the other hand, functional data can contain personal information. However, a user action, such as requesting news or asking Cortana a question, usually triggers collection and transmission of functional data.
If youre an IT pro that wants to manage Windows functional data sent from your organization to Microsoft, see [Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services).
The following are specific examples of functional data:
- Current location for weather
- Bing searches
- Wallpaper and desktop settings synced across multiple devices
### Diagnostic data gives users a voice
Windows and Windows Server diagnostic data gives every user a voice in the operating systems development and ongoing improvement. It helps us understand how Windows 10 and Windows Server behaves in the real world, focus on user priorities, and make informed decisions that benefit them. For our enterprise customers, representation in the dataset on which we will make future design decisions is a real benefit. The following sections offer real examples of these benefits.
### Improve app and driver quality
Our ability to collect diagnostic data that drives improvements to Windows and Windows Server helps raise the bar for app and device driver quality. Diagnostic data helps us to quickly identify and fix critical reliability and security issues with apps and device drivers on given configurations. For example, we can identify an app that hangs on devices using a specific version of a video driver, allowing us to work with the app and device driver vendor to quickly fix the issue. The result is less downtime and reduced costs and increased productivity associated with troubleshooting these issues.
#### Real-world example of how Windows diagnostic data helps
There was a version of a video driver that was crashing on some devices running Windows 10, causing the device to reboot. We detected the problem in our diagnostic data, and immediately contacted the third-party developer who builds the video driver. Working with the developer, we provided an updated driver to Windows Insiders within 24 hours. Based on diagnostic data from the Windows Insiders devices, we were able to validate the new version of the video driver, and rolled it out to the broad public as an update the next day. Diagnostic data helped us find, fix, and resolve this problem in just 48 hours, providing a better user experience and reducing costly support calls.
### Improve end-user productivity
Windows diagnostic data also helps Microsoft better understand how customers use (or do not use) the operating systems features and related services. The insights we gain from this data helps us prioritize our engineering effort to directly impact our customers experiences. Examples are:
- **Start menu.** How do people change the Start menu layout? Do they pin other apps to it? Are there any apps that they frequently unpin? We use this dataset to adjust the default Start menu layout to better reflect peoples expectations when they turn on their device for the first time.
- **Cortana.** We use diagnostic data to monitor the scalability of our cloud service, improving search performance.
- **Application switching.** Research and observations from earlier Windows versions showed that people rarely used Alt+Tab to switch between applications. After discussing this with some users, we learned they loved the feature, saying that it would be highly productive, but they did not know about it previously. Based on this, we created the Task View button in Windows 10 to make this feature more discoverable. Later diagnostic data showed significantly higher usage of this feature.
**These examples show how the use of diagnostic data enables Microsoft to build or enhance features which can help organizations increase employee productivity while lowering help desk calls.**
### Insights into your own organization
Sharing information with Microsoft helps make Windows and other products better, but it can also help make your internal processes and user experiences better, as well. Microsoft is in the process of developing a set of analytics customized for your internal use. The first of these, called [Upgrade Readiness](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness).
#### Upgrade Readiness
Upgrading to new operating system versions has traditionally been a challenging, complex, and slow process for many enterprises. Discovering applications and drivers and then testing them for potential compatibility issues have been among the biggest pain points.
To better help customers through this difficult process, Microsoft developed Upgrade Readiness to give enterprises the tools to plan and manage the upgrade process end to end and allowing them to adopt new Windows releases more quickly and on an ongoing basis.
With Windows diagnostic data enabled, Microsoft collects computer, application, and driver compatibility-related information for analysis. We then identify compatibility issues that can block your upgrade and suggest fixes when they are known to Microsoft.
Use Upgrade Readiness to get:
- A visual workflow that guides you from pilot to production
- Detailed computer, driver, and application inventory
- Powerful computer level search and drill-downs
- Guidance and insights into application and driver compatibility issues with suggested fixes
- Data driven application rationalization tools
- Application usage information, allowing targeted validation; workflow to track validation progress and decisions
- Data export to commonly used software deployment tools
The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded.
## How Microsoft handles diagnostic data
The diagnostic data is categorized into four levels:
- [**Security**](#security-level). Information thats required to help keep Windows and Windows Server secure, including data about the Connected User Experiences and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender.
- [**Basic**](#basic-level). Basic device info, including: quality-related data, app compatibility, and data from the **Security** level.
- [**Enhanced**](#enhanced-level). Additional insights, including: how Windows, Windows Server, and apps are used, how they perform, advanced reliability data, and data from both the **Basic** and the **Security** levels.
- [**Full**](#full-level). Includes information about the websites you browse, how you use apps and features, plus additional information about device health, device activity (sometimes referred to as usage), and enhanced error reporting. At Full, Microsoft also collects the memory state of your device when a system or app crash occurs. It includes data from the **Security**, **Basic**, and **Enhanced** levels.
Diagnostic data levels are cumulative, meaning each subsequent level includes data collected through lower levels. For more information see the [Diagnostic data levels](#diagnostic-data-levels) section.
### Data collection
Windows 10 and Windows Server includes the Connected User Experiences and Telemetry component, which uses Event Tracing for Windows (ETW) tracelogging technology that gathers and stores diagnostic data events and data. The operating system and some Microsoft management solutions, such as System Center, use the same logging technology.
1. Operating system features and some management applications are instrumented to publish events and data. Examples of management applications include Virtual Machine Manager (VMM), Server Manager, and Storage Spaces.
2. Events are gathered using public operating system event logging and tracing APIs.
3. You can configure the diagnostic data level by using MDM policy, Group Policy, or registry settings.
4. The Connected User Experiences and Telemetry component transmits the diagnostic data.
Info collected at the Enhanced and Full levels of diagnostic data is typically gathered at a fractional sampling rate, which can be as low as 1% of devices reporting data at those levels.
### Data transmission
All diagnostic data is encrypted using SSL and uses certificate pinning during transfer from the device to the Microsoft Data Management Service. With Windows 10, data is uploaded on a schedule that is sensitive to event priority, battery use, and network cost. Real-time events, such as Windows Defender Advanced Threat Protection, are always sent immediately. Normal events are not uploaded on metered networks, unless you are on a metered server connection. On a free network, normal events can be uploaded every 4 hours if on battery, or every 15 minutes if on A/C power. Diagnostic and crash data are only uploaded on A/C power and free networks.
The data transmitted at the Basic and Enhanced data diagnostic levels is quite small; typically less than 1 MB per device per day, but occasionally up to 2 MB per device per day).
### Endpoints
The Microsoft Data Management Service routes data back to our secure cloud storage. Only Microsoft personnel with a valid business justification are permitted access.
The following table defines the endpoints for Connected User Experiences and Telemetry component:
Windows release | Endpoint
--- | ---
Windows 10, versions 1703 or later, with the 2018-09 cumulative update installed| **Diagnostics data** - v10c.vortex-win.data.microsoft.com</br></br>**Functional** - v20.vortex-win.data.microsoft.com</br>**Microsoft Defender Advanced Threat Protection** is country specific and the prefix changes by country for example: **de**.vortex-win.data.microsoft.com</br>**Settings** - win.data.microsoft.com
Windows 10, versions 1803 or later, without the 2018-09 cumulative update installed | **Diagnostics data** - v10.events.data.microsoft.com</br></br>**Functional** - v20.vortex-win.data.microsoft.com</br>**Microsoft Defender Advanced Threat Protection** is country specific and the prefix changes by country for example: **de**.vortex-win.data.microsoft.com</br>**Settings** - win.data.microsoft.com
Windows 10, version 1709 or earlier | **Diagnostics data** - v10.vortex-win.data.microsoft.com</br></br>**Functional** - v20.vortex-win.data.microsoft.com</br>**Microsoft Defender Advanced Threat Protection** is country specific and the prefix changes by country for example: **de**.vortex-win.data.microsoft.com</br>**Settings** - win.data.microsoft.com
The following table defines the endpoints for other diagnostic data services:
| Service | Endpoint |
| - | - |
| [Windows Error Reporting](https://msdn.microsoft.com/library/windows/desktop/bb513641.aspx) | watson.telemetry.microsoft.com |
| | ceuswatcab01.blob.core.windows.net |
| | ceuswatcab02.blob.core.windows.net |
| | eaus2watcab01.blob.core.windows.net |
| | eaus2watcab02.blob.core.windows.net |
| | weus2watcab01.blob.core.windows.net |
| | weus2watcab02.blob.core.windows.net |
| [Online Crash Analysis](https://msdn.microsoft.com/library/windows/desktop/ee416349.aspx) | oca.telemetry.microsoft.com |
| OneDrive app for Windows 10 | vortex.data.microsoft.com/collect/v1 |
| Microsoft Defender Advanced Threat Protection | https://wdcp.microsoft.com</br>https://wdcpalt.microsoft.com |
### Data use and access
The principle of least privileged access guides access to diagnostic data. Microsoft does not share personal data of our customers with third parties, except at the customers discretion or for the limited purposes described in the [Privacy Statement](https://privacy.microsoft.com/privacystatement). Microsoft may share business reports with OEMs and third-party partners that include aggregated and anonymized diagnostic data information. Data-sharing decisions are made by an internal team including privacy, legal, and data management.
### Retention
Microsoft believes in and practices information minimization. We strive to gather only the info we need and to store it only for as long as its needed to provide a service or for analysis. Much of the info about how Windows and apps are functioning is deleted within 30 days. Other info may be retained longer, such as error reporting data or Microsoft Store purchase history.
## Manage enterprise diagnostic data level
### Enterprise management
Sharing diagnostic data with Microsoft provides many benefits to enterprises, so we do not recommend turning it off. For most enterprise customers, simply adjusting the diagnostic data level and managing specific components is the best option.
Customers can set the diagnostic data level in both the user interface and with existing management tools. Users can change the diagnostic data level in the **Diagnostic data** setting. In the **Settings** app, in **Privacy** > **Diagnostics & feedback**. They can choose between Basic and Full. The Enhanced level will only be displayed as an option when Group Policy or Mobile Device Management (MDM) are invoked with this level. The Security level is not available.
IT pros can use various methods, including Group Policy and Mobile Device Management (MDM), to choose a diagnostic data level. If youre using Windows 10 Enterprise, Windows 10 Education, or Windows Server, the Security diagnostic data level is available when managing the policy. Setting the diagnostic data level through policy sets the upper boundary for the users choices. To disable user choice after setting the level with the policy, you will need to use the "Configure telemetry opt-in setting user interface" group policy. The remainder of this article describes how to use group policy to configure levels and settings interface.
#### Manage your diagnostic data settings
Use the steps in this article to set and/or adjust the diagnostic data settings for Windows and Windows Server in your organization.
> [!IMPORTANT]
> These diagnostic data levels only apply to Windows and Windows Server components and apps that use the Connected User Experiences and Telemetry component. Non-Windows components, such as Microsoft Office or other 3rd-party apps, may communicate with their cloud services outside of these diagnostic data levels. You should work with your app vendors to understand their diagnostic data policy, and how you can to opt in or opt out. For more information on how Microsoft Office uses diagnostic data, see [Overview of privacy controls for Office 365 ProPlus](/deployoffice/privacy/overview-privacy-controls).
The lowest diagnostic data setting level supported through management policies is **Security**. The lowest diagnostic data setting supported through the Settings UI is **Basic**. The default diagnostic data setting for Windows Server is **Enhanced**.
### Configure the diagnostic data level
You can configure your device's diagnostic data settings using the management tools youre already using, such as Group Policy, MDM, or Windows Provisioning. You can also manually change your settings using Registry Editor. Setting your diagnostic data levels through a management policy sets the upper level for diagnostic data on the device.
Use the appropriate value in the table below when you configure the management policy.
| Level | Value |
| - | - |
| Security | **0** |
| Basic | **1** |
| Enhanced | **2** |
| Full | **3** |
> [!NOTE]
> When both the Computer Configuration policy and User Configuration policy are set, the more restrictive policy is used.
### Use Group Policy to set the diagnostic data level
Use a Group Policy object to set your organizations diagnostic data level.
1. From the Group Policy Management Console, go to **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Data Collection and Preview Builds**.
2. Double-click **Allow Telemetry**.
3. In the **Options** box, select the level that you want to configure, and then click **OK**.
### Use MDM to set the diagnostic data level
Use the [Policy Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) to apply the System/AllowTelemetry MDM policy.
### Use Registry Editor to set the diagnostic data level
Use Registry Editor to manually set the registry level on each device in your organization or you can write a script to edit the registry. If a management policy already exists, such as Group Policy or MDM, it will override this registry setting.
1. Open Registry Editor, and go to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection**.
2. Right-click **DataCollection**, click New, and then click **DWORD (32-bit) Value**.
3. Type **AllowTelemetry**, and then press ENTER.
4. Double-click **AllowTelemetry**, set the desired value from the table above, and then click **OK.**
5. Click **File** &gt; **Export**, and then save the file as a .reg file, such as **C:\\AllowTelemetry.reg**. You can run this file from a script on each device in your organization.
### Additional diagnostic data controls
There are a few more settings that you can turn off that may send diagnostic data information:
- To turn off Windows Update diagnostic data, you have two choices. Either turn off Windows Update, or set your devices to be managed by an on premises update server, such as [Windows Server Update Services (WSUS)](https://technet.microsoft.com/library/hh852345.aspx) or [System Center Configuration Manager](https://www.microsoft.com/server-cloud/products/system-center-2012-r2-configuration-manager/).
- Turn off **Windows Defender Cloud-based Protection** and **Automatic sample submission** in **Settings** &gt; **Update & security** &gt; **Windows Defender**.
- Manage the Malicious Software Removal Tool in your organization. For more info, see Microsoft KB article [891716](https://support.microsoft.com/kb/891716).
- Turn off **Improve inking and typing** in **Settings** &gt; **Privacy**. At diagnostic data levels **Enhanced** and **Full**, Microsoft uses Linguistic Data Collection info to improve language model features such as autocomplete, spellcheck, suggestions, input pattern recognition, and dictionary.
> [!NOTE]
> Microsoft does not intend to gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user's device. If we determine that sensitive information has been inadvertently received, we delete the information.
## Diagnostic data levels
These levels are available on all desktop and mobile editions of Windows 10, except for the **Security** level, which is limited to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server.
### Security level
The Security level gathers only the diagnostic data info that is required to keep Windows devices, Windows Server, and guests protected with the latest security updates. This level is only available on Windows Server, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and Windows IoT Core editions.
> [!NOTE]
> If your organization relies on Windows Update for updates, you shouldnt use the **Security** level. Because no Windows Update information is gathered at this level, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates.
Windows Server Update Services (WSUS) and System Center Configuration Manager functionality is not affected at this level, nor is diagnostic data about Windows Server features or System Center gathered.
The data gathered at this level includes:
- **Connected User Experiences and Telemetry component settings**. If general diagnostic data has been gathered and is queued, it is sent to Microsoft. Along with this diagnostic data, the Connected User Experiences and Telemetry component may download a configuration settings file from Microsofts servers. This file is used to configure the Connected User Experiences and Telemetry component itself. The data gathered by the client for this request includes OS information, device id (used to identify what specific device is requesting settings) and device class (for example, whether the device is server or desktop).
- **Malicious Software Removal Tool (MSRT)** The MSRT infection report contains information, including device info and IP address.
> [!NOTE]
> You can turn off the MSRT infection report. No MSRT information is included if MSRT is not used. If Windows Update is turned off, MSRT will not be offered to users. For more info, see Microsoft KB article [891716](https://support.microsoft.com/kb/891716).
- **Windows Defender/Endpoint Protection**. Windows Defender and System Center Endpoint Protection requires some information to function, including: anti-malware signatures, diagnostic information, User Account Control settings, Unified Extensible Firmware Interface (UEFI) settings, and IP address.
> [!NOTE]
> This reporting can be turned off and no information is included if a customer is using third-party antimalware software, or if Windows Defender is turned off. For more info, see [Windows Defender](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender).
Microsoft recommends that Windows Update, Windows Defender, and MSRT remain enabled unless the enterprise uses alternative solutions such as Windows Server Update Services, System Center Configuration Manager, or a third-party antimalware solution. Windows Update, Windows Defender, and MSRT provide core Windows functionality such as driver and OS updates, including security updates.
For servers with default diagnostic data settings and no Internet connectivity, you should set the diagnostic data level to **Security**. This stops data gathering for events that would not be uploaded due to the lack of Internet connectivity.
No user content, such as user files or communications, is gathered at the **Security** diagnostic data level, and we take steps to avoid gathering any information that directly identifies a company or user, such as name, email address, or account ID. However, in rare circumstances, MSRT information may unintentionally contain personal information. For instance, some malware may create entries in a computers registry that include information such as a username, causing it to be gathered. MSRT reporting is optional and can be turned off at any time.
### Basic level
The Basic level gathers a limited set of data thats critical for understanding the device and its configuration. This level also includes the **Security** level data. This level helps to identify problems that can occur on a specific hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a specific driver version. The Connected User Experiences and Telemetry component does not gather diagnostic data about System Center, but it can transmit diagnostic data for other non-Windows applications if they have user consent.
This is the default level for Windows 10 Education editions, as well as all desktop editions starting with Windows 10, version 1903.
The normal upload range for the Basic diagnostic data level is between 109 KB - 159 KB per day, per device.
The data gathered at this level includes:
- **Basic device data**. Helps provide an understanding about the types of Windows devices and the configurations and types of native and virtualized Windows Servers in the ecosystem. Examples include:
- Device attributes, such as camera resolution and display type
- Internet Explorer version
- Battery attributes, such as capacity and type
- Networking attributes, such as number of network adapters, speed of network adapters, mobile operator network, and IMEI number
- Processor and memory attributes, such as number of cores, architecture, speed, memory size, and firmware
- Virtualization attribute, such as Second Level Address Translation (SLAT) support and guest operating system
- Operating system attributes, such as Windows edition and virtualization state
- Storage attributes, such as number of drives, type, and size
- **Connected User Experiences and Telemetry component quality metrics**. Helps provide an understanding about how the Connected User Experiences and Telemetry component is functioning, including % of uploaded events, dropped events, and the last upload time.
- **Quality-related information**. Helps Microsoft develop a basic understanding of how a device and its operating system are performing. Some examples are the device characteristics of a Connected Standby device, the number of crashes or hangs, and application state change details, such as how much processor time and memory were used, and the total uptime for an app.
- **Compatibility data**. Helps provide an understanding about which apps are installed on a device or virtual machine and identifies potential compatibility problems.
- **General app data and app data for Internet Explorer add-ons**. Includes a list of apps that are installed on a native or virtualized instance of the OS and whether these apps function correctly after an upgrade. This app data includes the app name, publisher, version, and basic details about which files have been blocked from usage.
- **Internet Explorer add-ons**. Includes a list of Internet Explorer add-ons that are installed on a device and whether these apps will work after an upgrade.
- **System data**. Helps provide an understanding about whether a device meets the minimum requirements to upgrade to the next version of the operating system. System information includes the amount of memory, as well as information about the processor and BIOS.
- **Accessory device data**. Includes a list of accessory devices, such as printers or external storage devices, that are connected to Windows PCs and whether these devices will function after upgrading to a new version of the operating system.
- **Driver data**. Includes specific driver usage thats meant to help figure out whether apps and devices will function after upgrading to a new version of the operating system. This can help to determine blocking issues and then help Microsoft and our partners apply fixes and improvements.
- **Microsoft Store**. Provides information about how the Microsoft Store performs, including app downloads, installations, and updates. It also includes Microsoft Store launches, page views, suspend and resumes, and obtaining licenses.
### Enhanced level
The Enhanced level gathers data about how Windows and apps are used and how they perform. This level also includes data from both the **Basic** and **Security** levels. This level helps to improve the user experience with the operating system and apps. Data from this level can be abstracted into patterns and trends that can help Microsoft determine future improvements.
This level is needed to quickly identify and address Windows and Windows Server quality issues.
The normal upload range for the Enhanced diagnostic data level is between 239 KB - 348 KB per day, per device.
The data gathered at this level includes:
- **Operating system events**. Helps to gain insights into different areas of the operating system, including networking, Hyper-V, Cortana, storage, file system, and other components.
- **Operating system app events**. A set of events resulting from Microsoft applications and management tools that were downloaded from the Store or pre-installed with Windows or Windows Server, including Server Manager, Photos, Mail, and Microsoft Edge.
- **Device-specific events**. Contains data about events that are specific to certain devices, such as Surface Hub and Microsoft HoloLens. For example, Microsoft HoloLens sends Holographic Processing Unit (HPU)-related events.
- **Some crash dump types**. All crash dump types, except for heap dumps and full dumps.
If the Connected User Experiences and Telemetry component detects a problem on Windows 10 that requires gathering more detailed instrumentation, the Connected User Experiences and Telemetry component at the **Enhanced** diagnostic data level will only gather data about the events associated with the specific issue.
### Full level
The Full level gathers data necessary to identify and to help fix problems, following the approval process described below. This level also includes data from the Basic, Enhanced, and Security levels.
Additionally, at this level, devices opted in to the [Windows Insider Program](http://insider.windows.com) will send events, such as reliability and app responsiveness. that can show Microsoft how pre-release binaries and features are performing. These events help us make decisions on which builds are flighted. All devices in the [Windows Insider Program](http://insider.windows.com) are automatically set to this level.
If a device experiences problems that are difficult to identify or repeat using Microsofts internal testing, additional data becomes necessary. This data can include any user content that might have triggered the problem and is gathered from a small sample of devices that have both opted into the **Full** diagnostic data level and have exhibited the problem.
However, before more data is gathered, Microsofts privacy governance team, including privacy and other subject matter experts, must approve the diagnostics request made by a Microsoft engineer. If the request is approved, Microsoft engineers can use the following capabilities to get the information:
- Ability to run a limited, pre-approved list of Microsoft certified diagnostic tools, such as msinfo32.exe, powercfg.exe, and dxdiag.exe.
- Ability to get registry keys.
- All crash dump types, including heap dumps and full dumps.
> [!NOTE]
> Crash dumps collected at this diagnostic data level may unintentionally contain personal data, such as portions of memory from a documents, a web page, etc.
## Limit Enhanced diagnostic data to the minimum required by Windows Analytics
Windows Analytics Device Health reports are powered by diagnostic data not included in the **Basic** level, such as crash reports and certain operating system events. In the past, organizations sending **Enhanced** or **Full** level diagnostic data were able to participate in Device Health. However, organizations that required detailed event and field level documentation were unable to move from **Basic** to **Enhanced**.
In Windows 10, version 1709, we introduced the **Limit Enhanced diagnostic data to the minimum required by Windows Analytics** feature. When enabled, this feature lets you send only the following subset of **Enhanced** level diagnostic data. For more info about Device Health, see the [Monitor the health of devices with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-monitor) topic.
- **Operating system events.** Limited to a small set required for analytics reports and documented in the [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](enhanced-diagnostic-data-windows-analytics-events-and-fields.md) topic.
- **Some crash dump types.** Triage dumps for user mode and mini dumps for kernel mode.
>[!NOTE]
> Triage dumps are a type of [minidumps](https://docs.microsoft.com/windows/desktop/debug/minidump-files) that go through a process of user-sensitive information scrubbing. Some user-sensitive information may be missed in the process, and will therefore be sent with the dump.
### Enable limiting enhanced diagnostic data to the minimum required by Windows Analytics
1. Set the diagnostic data level to **Enhanced**, using either Group Policy or MDM.
a. Using Group Policy, set the **Computer Configuration/Administrative Templates/Windows Components/Data Collection and Preview Builds/Allow telemetry** setting to **2**.
-OR-
b. Using MDM, use the Policy CSP to set the **System/AllowTelemetry** value to **2**.
-AND-
2. Enable the **LimitEnhancedDiagnosticDataWindowsAnalytics** setting, using either Group Policy or MDM.
a. Using Group Policy, set the **Computer Configuration/Administrative Templates/Windows Components/Data collection and Preview builds/Limit Enhanced diagnostic data to the minimum required by Windows Analytics** setting to **Enabled**.
-OR-
b. Using MDM, use the Policy CSP to set the **System/LimitEnhancedDiagnosticDataWindowsAnalytics** value to **1**.
## Additional resources
FAQs
- [Cortana, Search, and privacy](https://privacy.microsoft.com/windows-10-cortana-and-privacy)
- [Windows 10 feedback, diagnostics, and privacy](https://privacy.microsoft.com/windows-10-feedback-diagnostics-and-privacy)
- [Windows 10 camera and privacy](https://privacy.microsoft.com/windows-10-camera-and-privacy)
- [Windows 10 location service and privacy](https://privacy.microsoft.com/windows-10-location-and-privacy)
- [Microsoft Edge and privacy](https://privacy.microsoft.com/windows-10-microsoft-edge-and-privacy)
- [Windows 10 speech, inking, typing, and privacy](https://privacy.microsoft.com/windows-10-speech-inking-typing-and-privacy-faq)
- [Windows Hello and privacy](https://privacy.microsoft.com/windows-10-windows-hello-and-privacy)
- [Wi-Fi Sense](https://privacy.microsoft.com/windows-10-about-wifi-sense)
- [Windows Update Delivery Optimization](https://privacy.microsoft.com/windows-10-windows-update-delivery-optimization)
Blogs
- [Privacy and Windows 10](https://blogs.windows.com/windowsexperience/2015/09/28/privacy-and-windows-10)
Privacy Statement
- [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement)
TechNet
- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
Web Pages
- [Privacy at Microsoft](https://privacy.microsoft.com)

618
windows/privacy/gdpr-it-guidance.md
View File

@ -1,309 +1,309 @@
---
title: Windows and the GDPR-Information for IT Administrators and Decision Makers
description: Use this topic to understand the relationship between users in your organization and Microsoft in the context of the GDPR (General Data Protection Regulation).
keywords: privacy, GDPR, windows, IT
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: high
audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 05/11/2018
ms.reviewer:
---
# Windows and the GDPR: Information for IT Administrators and Decision Makers
Applies to:
- Windows 10, version 1809
- Windows 10, version 1803
- Windows 10, version 1709
- Windows 10, version 1703
- Windows 10 Team Edition, version 1703 for Surface Hub
- Windows Server 2019
- Windows Server 2016
- Windows Analytics
This topic provides IT Decision Makers with a basic understanding of the relationship between users in an organization and Microsoft in the context of the GDPR (General Data Protection Regulation). You will also learn what role an IT organization plays for that relationship.
For more information about the GDPR, see:
* [Microsoft GDPR Overview](https://aka.ms/GDPROverview)
* [Microsoft Trust Center FAQs about the GDPR](https://aka.ms/gdpr-faq)
* [Microsoft Service Trust Portal (STP)](https://aka.ms/stp)
* [Get Started: Support for GDPR Accountability](https://servicetrust.microsoft.com/ViewPage/GDPRGetStarted)
## GDPR fundamentals
Here are some GDPR fundamentals:
* On May 25, 2018, this EU data privacy law is implemented. It sets a new global bar for data privacy rights, security, and compliance.
* The GDPR is fundamentally about protecting and enabling the privacy rights of individuals both customers and employees.
* The European law establishes strict global data privacy requirements governing how organizations manage and protect personal data while respecting individual choice no matter where data is sent, processed, or stored.
* A request by an individual to an organization to take an action on their personal data is referred to here as a *data subject request*, or *DSR*.
Microsoft believes data privacy is a fundamental right, and that the GDPR is an important step forward for clarifying and enabling individual privacy rights. We also recognize that the GDPR required significant changes by organizations all over the world with regard to the discovery, management, protection, and reporting of personal data that is collected, processed, and stored within an organization.
### What is personal data under the GDPR?
Article 4 (1) of [the GDPR](http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=en) defines personal data as any information relating to an identified or identifiable person. There is no distinction between a persons private, public, or work roles. As defined by the GDPR, personal data includes, but is not limited to:
* Name
* Email address
* Credit card numbers
* IP addresses
* Social media posts
* Location information
* Handwriting patterns
* Voice input to cloud-based speech services
### Controller and processor under the GDPR: Who does what
#### Definition
The GDPR describes specific requirements for allocating responsibility for controller and processor activities related to personal data. Thus, every organization that processes personal data must determine whether it is acting as a controller or processor for a specific scenario.
* **Controller**: GDPR Article 4 (7) defines the controller as the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
* **Processor**: According to the GDPR Article 4 (8) processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
#### Controller scenario
For example, when an organization is using Microsoft Windows Defender Advanced Threat Protection (ATP) to detect, investigate, and respond to advanced threats on their networks as part of their IT operations, that organization is collecting data from the users device data, that might include personal data. In this scenario, the organization is the *controller* of the respective personal data, since the organization controls the purpose and means of the processing for data being collected from the devices that have Windows Defender ATP enabled.
#### Processor scenario
In the controller scenario described above, Microsoft is a *processor* because Microsoft provides data processing services to that controller (in the given example, an organization that subscribed to Windows Defender ATP and enabled it for the users device). As processor, Microsoft only processes data on behalf of the enterprise customer and does not have the right to process data beyond their instructions as specified in a written contract, such as the [Microsoft Product Terms and the Microsoft Online Services Terms (OST)](https://www.microsoft.com/en-us/licensing/product-licensing/products.aspx).
## GDPR relationship between a Windows 10 user and Microsoft
For Windows 10 services, Microsoft usually is the controller (with exceptions, such as Windows Defender ATP). The following sections describe what that means for the related data.
### Types of data exchanged with Microsoft
Microsoft collects data from or generates data through interactions with users of Windows 10 devices. This information can contain personal data, as defined in [Article 4 (1) of the GDPR](http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=EN), that may be used to provide, support, and improve Windows 10 services.
Microsoft discloses data collection and privacy practices in detail, for example:
* As part of the Windows 10 installation;
* In the Windows 10 privacy settings;
* Via the web-based [Microsoft Privacy dashboard](https://account.microsoft.com/privacy); and
* In the [Microsoft Privacy Statement](https://privacy.microsoft.com/en-us/privacystatement).
It is important to differentiate between two distinct types of data Windows services are dealing with.
#### Windows functional data
A user action, such as performing a Skype call, usually triggers the collection and transmission of Windows *functional data*. Some Windows components and applications connecting to Microsoft services also exchange Windows functional data to provide user functionality.
Some other examples of Windows functional data:
* The Weather app which can use the devices location to retrieve local weather or community news.
* Wallpaper and desktop settings that are synchronized across multiple devices.
For more info on how IT Professionals can manage Windows functional data sent from an organization to Microsoft, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
#### Windows diagnostic data
Windows diagnostic data is used to keep the operating system secure and up-to-date, troubleshoot problems, and make product improvements. The data is encrypted before being sent back to Microsoft.
Some examples of diagnostic data include:
* The type of hardware being used, information about installed apps and usage details, and reliability data on drivers running on the device.
* For users who have turned on “Tailored experiences”, it can be used to offer personalized tips, ads, and recommendations to enhance Microsoft products and services for the needs of the user.
Diagnostic data is categorized into the levels "Security", "Basic", "Enhanced", and "Full". For a detailed discussion about these diagnostic data levels please see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). To find more about what information is collected and how it is handled, see [Understanding Windows diagnostic data](configure-windows-diagnostic-data-in-your-organization.md#understanding-windows-diagnostic-data).
>[!IMPORTANT]
>Other Microsoft services as well as 3rd party applications and drivers running on Windows devices may implement their own functionality, independently from Windows, to transport their diagnostic data. Please contact the publisher for further guidance on how to control the diagnostic data collection level and transmission of these applications and services.
### Windows services where Microsoft is the processor under the GDPR
Most Windows 10 services are controller services in terms of the GDPR for both Windows functional data and Windows diagnostic data. But there are a few Windows services where Microsoft is a processor for functional data under the GDPR, such as [Windows Analytics](https://www.microsoft.com/windowsforbusiness/windows-analytics) and [Windows Defender Advanced Threat Protection (ATP)](https://www.microsoft.com/windowsforbusiness/windows-atp).
>[!NOTE]
>Both Windows Analytics and Windows Defender ATP are subscription services for organizations. Some functionality requires a certain license (please see [Compare Windows 10 editions](https://www.microsoft.com/en-us/windowsforbusiness/compare)).
#### Windows Analytics
[Windows Analytics](https://www.microsoft.com/en-us/windowsforbusiness/windows-analytics) is a service that provides rich, actionable information for helping organizations to gain deep insights into the operational efficiency and health of the Windows devices in their environment. It uses Windows diagnostic data from devices enrolled by the IT organization of an enterprise into the Windows Analytics service.
Windows [transmits Windows diagnostic data](enhanced-diagnostic-data-windows-analytics-events-and-fields.md) to Microsoft datacenters, where that data is analyzed and stored. With Windows Analytics, the IT organization can then view the analyzed data to detect and fix issues or to improve their processes for upgrading to Windows 10.
As a result, in terms of the GDPR, the organization that has subscribed to Windows Analytics is acting as the controller, while Microsoft is the processor for Windows Analytics.
>[!NOTE]
>The IT organization must explicitly enable Windows Analytics for a device after the organization subscribes.
>[!IMPORTANT]
>Windows Analytics does not collect Windows Diagnostic data by itself. Instead, Windows Analytics only uses a subset of Windows Diagnostic data that is collected by Windows for an enrolled device. The Windows Diagnostic data collection is controlled by the IT department of an organization or the user of a device.
#### Windows Defender ATP
[Windows Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp) is cloud-based service that collects and analyzes usage data from an organizations devices to detect security threats. Some of the data can contain personal data as defined by the GDPR. Enrolled devices transmit usage data to Microsoft datacenters, where that data is analyzed, processed, and stored. The security operations center (SOC) of the organization can view the analyzed data using the [Windows Defender ATP portal](https://securitycenter.windows.com/).
As a result, in terms of the GDPR, the organization that has subscribed to Windows Defender ATP is acting as the controller, while Microsoft is the processor for Windows Defender ATP.
>[!NOTE]
>The IT organization must explicitly enable Windows Defender ATP for a device after the organization subscribes.
#### At a glance Windows 10 services GDPR mode of operations
The following table lists in what GDPR mode controller or processor Windows 10 services are operating.
| Service | Microsoft GDPR mode of operation |
| --- | --- |
| Windows Functional data | Controller or Processor* |
| Windows Diagnostic data | Controller |
| Windows Analytics | Processor |
| Windows Defender Advanced Threat Detection (ATP) | Processor |
*Table 1: Windows 10 GDPR modes of operations for different Windows 10 services*
*/*Depending on which application/feature this is referring to.*
## Windows diagnostic data and Windows 10
### Recommended Windows 10 settings
Windows diagnostic data collection level for Windows 10 can be set by a user in Windows (*Start > Settings > Privacy > Diagnostics & feedback*) or by the IT department of an organization, using Group Policy or Mobile Device Management (MDM) techniques.
* For Windows 10, version 1803 and version 1809, Microsoft recommends setting the Windows diagnostic level to “Enhanced”. This enables organizations to get the full functionality of [Windows Analytics](#windows-analytics).
>[!NOTE]
>For more information on the Enhanced level, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md).
* For Windows 10, version 1709, and Windows 10, version 1703, the recommended Windows diagnostic level configuration for EEA and Switzerland commercial users is “Basic”.
>[!NOTE]
>For Windows 7, Microsoft recommends [configuring enterprise devices for Windows Analytics](/windows/deployment/update/windows-analytics-get-started) to facilitate upgrade planning to Windows 10.
### Additional information for Windows Analytics
Some Windows Analytics solutions and functionality, such as Update Compliance, works with “Basic” as minimum Windows diagnostic level. Other solutions and functionality of Windows Analytics, such as Device Health, require “Enhanced”.
Those organizations who wish to share the smallest set of events for Windows Analytics and have set the Windows diagnostic level to “Enhanced” can use the “Limit Enhanced diagnostic data to the minimum required by Windows Analytics” setting. This filtering mechanism was that Microsoft introduced in Windows 10, version 1709. When enabled, this feature limits the operating system diagnostic data events included in the Enhanced level to the smallest set of data required by Windows Analytics.
>[!NOTE]
>Additional information can be found at [Windows Analytics and privacy](/windows/deployment/update/windows-analytics-privacy
).
## Controlling Windows 10 data collection and notification about it
Windows 10 sends diagnostic data to Microsoft services, and some of that data can contain personal data. Both the user and the IT organization have the ability to control the transmission of that data to Microsoft.
### Adjusting privacy settings by the user
A user has the ability to adjust additional privacy settings in Windows by navigating to *Start > Settings > Privacy*. For example, a user can control if location is enabled or disabled, whether or not to transmit feedback on inking and typing input to Microsoft for improving the personal accuracy of these services, or if Windows collects activities for syncing it with other devices.
For a standard user in an organization, some privacy settings might be controlled by their IT department. This is done using Group Policies or Mobile Device Management (MDM) settings. If this is the case, the user will see an alert that says Some settings are hidden or managed by your organization when they navigate to *Start > Settings > Privacy*. As such, the user can only change some settings, but not all.
### Users can lower the diagnostic level
Starting with Windows 10, version 1803, a user can change the Windows diagnostics data level for their device below to what was set by their IT department. Organizations can allow or disallow this feature by configuring the Group Policy **Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds\Configure telemetry opt-in setting user interface** or the MDM policy **ConfigureTelemetryOptInSettingsUx**.
If an IT organization has not disabled this policy, users within the organization can change their own Windows diagnostic data collection level in *Start > Settings > Privacy > Diagnostics & feedback*. For example, if the IT organization enabled this policy and set the level to “Full”, a user can modify the Windows diagnostics data level setting to “Basic”.
### Notification at logon
Windows 10, version 1803, and later can provide users with a notification during their logon. If the IT organization has not disabled the Group Policy **Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds\Configure telemetry opt-in change notifications** or the MDM policy **ConfigureTelemetryOptInChangeNotification**, Windows diagnostic data notifications can appear at logon so that the users of a device are aware of the data collection.
This notification can also be shown when the diagnostic level for the device was changed. For instance, if the diagnostic level on the device is set to “Basic” and the IT organization changes it to “Full”, users will be notified on their next logon.
### Diagnostic Data Viewer (DDV)
In Windows 10, version 1803 and later, users can invoke the [Diagnostic Data Viewer (DDV)](diagnostic-data-viewer-overview.md) to see what Windows diagnostic data is collected on their local device. This app lets a user review the diagnostic data collected on his device that is being sent to Microsoft. The DDV groups the information into simple categories based on how it is used by Microsoft.
A user can turn on Windows diagnostic data viewing by going to go to *Start > Settings > Privacy > Diagnostics & feedback*. Under the Diagnostic data viewer section, the user has to enable the If data viewing is enabled, you can see your diagnostics data option. After DDV is installed on the device, the user can start it by clicking the Diagnostic Data Viewer in the Diagnostic data viewer section of *Start > Settings > Privacy > Diagnostics & feedback*.
Also, the user can delete all Windows diagnostic data collected from the device. This is done by clicking the Delete button in the Delete diagnostic data section of *Start > Settings > Privacy > Diagnostics & feedback*.
### Windows 10 personal data services configuration
Microsoft assembled a list of Windows 10 services configuration settings that are useful for personal data privacy protection and related regulations, such as the General Data Protection Regulation (GDPR). There is one section with settings for service data that is managed at Microsoft and a section for local data that is managed by an IT organization.
IT Professionals that are interested in this configuration, see [Windows 10 personal data services configuration](windows-personal-data-services-configuration.md).
### Windows 10 connections to Microsoft
To find out more about the network connections that Windows components make to Microsoft as well as the privacy settings that affect data shared with either Microsoft or apps, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) and [Manage Windows 10 connection endpoints](manage-windows-endpoints.md). These articles describe how these settings can be managed by an IT Professional.
### At-a-glance: the relationship between an IT organization and the GDPR
Because Microsoft is a controller for data collected by Windows 10, the user can work with Microsoft to satisfy GDPR requirements. While this relationship between Microsoft and a user is evident in a consumer scenario, an IT organization can influence that relationship in an enterprise scenario. For example, the IT organization has the ability to centrally configure the Windows diagnostic data level by using Group Policy or MDM settings.
## Windows Server
Windows Server follows the same mechanisms as Windows 10 for handling of personal data for example, when collecting Windows diagnostic data.
More detailed information about Windows Server and the GDPR is available at Beginning your General Data Protection Regulation (GDPR) journey for Windows Server.
### Windows diagnostic data and Windows Server
The lowest diagnostic data setting level supported on Windows Server 2016 and Windows Server 2019 through management policies is “Security”. The lowest diagnostic data setting supported through the Settings UI is “Basic”. The default diagnostic data level for all Windows Server 2016 and Windows Server 2019 editions is “Enhanced”.
IT administrators can configure the Windows Server diagnostic data settings using familiar management tools, such as Group Policy, MDM, or Windows Provisioning. IT administrators can also manually change settings using Registry Editor. Setting the Windows Server diagnostic data levels through a management policy overrides any device-level settings.
There are two options for deleting Windows diagnostic data from a Windows Server machine:
- If the “Desktop Experience” option was chosen during the installation of Windows Server 2019, then there are the same options available for an IT administrator that end users have with Windows 10, version 1803 and version 1809, to submit a request for deleting that devices diagnostic data. This is done by clicking the **Delete** button in the **Delete diagnostic data** section of **Start > Settings > Privacy > Diagnostics & feedback**.
- Microsoft has provided a [PowerShell cmdlet](https://docs.microsoft.com/powershell/module/windowsdiagnosticdata) that IT administrators can use to delete Windows diagnostic data via the command line on a machine running Windows Server 2016 or Windows Server 2019. This cmdlet provides the same functionality for deleting Windows diagnostic data as with Desktop Experience on Windows Server 2019. For more information, see [the PowerShell Gallery](https://www.powershellgallery.com/packages/WindowsDiagnosticData).
### Backups and Windows Server
Backups, including live backups and backups that are stored locally within an organization or in the cloud, can contain personal data.
- Backups an organizations creates, for example by using Windows Server Backup (WSB), are under its control. For example, for exporting personal data contained in a backup, the organization needs to restore the appropriate backup sets to facilitate the respective data subject request (DSR).
- The GDPR also applies when storing backups in the cloud. For example, an organization can use Microsoft Azure Backup to backup files and folders from physical or virtual Windows Server machines (located on-premises or in Azure) to the cloud. The organization that is subscribed to this backup service also has the obligation to restore the data in order to exercise the respective DSR.
## Windows 10 Team Edition, Version 1703 for Surface Hub
Surface Hub is a shared device used within an organization. The device identifier collected as part of diagnostic data is not connected to a user. For removing Windows diagnostic data sent to Microsoft for a Surface Hub, Microsoft created the Surface Hub Delete Diagnostic Data tool available in the Microsoft Store.
>[!NOTE]
>Additional apps running on the device, that are not delivered as part of the in-box experience of Surface Hub, may implement their own diagnostic data collection and transmission functionality independently to collect and process personal data. Please contact the app publisher for further guidance on how to control this.
An IT administrator can configure privacy- related settings, such as setting the Windows diagnostic data level to Basic. Surface Hub does not support group policy for centralized management; however, IT administrators can use MDM to apply these settings to Surface Hub. For more information about Surface Hub and MDM, please see [Manage settings with an MDM provider](https://docs.microsoft.com/surface-hub/manage-settings-with-mdm-for-surface-hub).
## Further reading
### Optional settings / features that further improve the protection of personal data
Personal data protection is one of the goals of the GDPR. One way of improving personal data protection is to use the modern and advanced security features of Windows 10. An IT organization can learn more at [Mitigate threats by using Windows 10 security features](/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10) and [Standards for a highly secure Windows 10 device](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-highly-secure).
>[!NOTE]
>Some of these features might require a particular Windows hardware, such as a computer with a Trusted Platform Module (TPM) chip, and can depend on a particular Windows product (such as Windows 10 E5).
### Windows Security Baselines
Microsoft has created Windows Security Baselines to efficiently configure Windows 10 and Windows Server. For more information, please visit [Windows Security Baselines](/windows/security/threat-protection/windows-security-baselines).
### Windows Restricted Traffic Limited Functionality Baseline
To make it easier to deploy settings that restrict connections from Windows 10 and Windows Server to Microsoft, IT Professionals can apply the Windows Restricted Traffic Limited Functionality Baseline, available [here](https://go.microsoft.com/fwlink/?linkid=828887).
>[!IMPORTANT]
>Some of the settings of the Windows Restricted Traffic Limited Functionality Baseline will reduce the functionality and security configuration of a device in the organization and are therefore not recommended.
### Microsoft Trust Center and Service Trust Portal
Please visit our [GDPR section of the Microsoft Trust Center](https://www.microsoft.com/en-us/trustcenter/privacy/gdpr) to obtain additional resources and to learn more about how Microsoft can help you fulfill specific GDPR requirements. There you can find lots of useful information about the GDPR, including how Microsoft is helping customers to successfully master the GDPR, a FAQ list, and a list of [resources for GDPR compliance](https://www.microsoft.com/en-us/TrustCenter/Privacy/gdpr/resources). Also, please check out the [Compliance Manager](https://aka.ms/compliancemanager) of the Microsoft [Service Trust Portal (STP)](https://aka.ms/stp) and [Get Started: Support for GDPR Accountability](https://servicetrust.microsoft.com/ViewPage/GDPRGetStarted).
### Additional resources
#### FAQs
* [Windows 10 feedback, diagnostics, and privacy](https://privacy.microsoft.com/windows-10-feedback-diagnostics-and-privacy)
* [Microsoft Edge and privacy](https://privacy.microsoft.com/windows-10-microsoft-edge-and-privacy)
* [Windows Hello and privacy](https://privacy.microsoft.com/windows-10-windows-hello-and-privacy)
* [Wi-Fi Sense](https://privacy.microsoft.com/windows-10-about-wifi-sense)
#### Blogs
* [Privacy and Windows 10](https://blogs.windows.com/windowsexperience/2015/09/28/privacy-and-windows-10)
#### Privacy Statement
* [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement)
#### Other resources
* [Privacy at Microsoft](https://privacy.microsoft.com/)
---
title: Windows and the GDPR-Information for IT Administrators and Decision Makers
description: Use this topic to understand the relationship between users in your organization and Microsoft in the context of the GDPR (General Data Protection Regulation).
keywords: privacy, GDPR, windows, IT
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: high
audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 05/11/2018
ms.reviewer:
---
# Windows and the GDPR: Information for IT Administrators and Decision Makers
Applies to:
- Windows 10, version 1809
- Windows 10, version 1803
- Windows 10, version 1709
- Windows 10, version 1703
- Windows 10 Team Edition, version 1703 for Surface Hub
- Windows Server 2019
- Windows Server 2016
- Windows Analytics
This topic provides IT Decision Makers with a basic understanding of the relationship between users in an organization and Microsoft in the context of the GDPR (General Data Protection Regulation). You will also learn what role an IT organization plays for that relationship.
For more information about the GDPR, see:
* [Microsoft GDPR Overview](https://aka.ms/GDPROverview)
* [Microsoft Trust Center FAQs about the GDPR](https://aka.ms/gdpr-faq)
* [Microsoft Service Trust Portal (STP)](https://aka.ms/stp)
* [Get Started: Support for GDPR Accountability](https://servicetrust.microsoft.com/ViewPage/GDPRGetStarted)
## GDPR fundamentals
Here are some GDPR fundamentals:
* On May 25, 2018, this EU data privacy law is implemented. It sets a new global bar for data privacy rights, security, and compliance.
* The GDPR is fundamentally about protecting and enabling the privacy rights of individuals both customers and employees.
* The European law establishes strict global data privacy requirements governing how organizations manage and protect personal data while respecting individual choice no matter where data is sent, processed, or stored.
* A request by an individual to an organization to take an action on their personal data is referred to here as a *data subject request*, or *DSR*.
Microsoft believes data privacy is a fundamental right, and that the GDPR is an important step forward for clarifying and enabling individual privacy rights. We also recognize that the GDPR required significant changes by organizations all over the world with regard to the discovery, management, protection, and reporting of personal data that is collected, processed, and stored within an organization.
### What is personal data under the GDPR?
Article 4 (1) of [the GDPR](http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=en) defines personal data as any information relating to an identified or identifiable person. There is no distinction between a persons private, public, or work roles. As defined by the GDPR, personal data includes, but is not limited to:
* Name
* Email address
* Credit card numbers
* IP addresses
* Social media posts
* Location information
* Handwriting patterns
* Voice input to cloud-based speech services
### Controller and processor under the GDPR: Who does what
#### Definition
The GDPR describes specific requirements for allocating responsibility for controller and processor activities related to personal data. Thus, every organization that processes personal data must determine whether it is acting as a controller or processor for a specific scenario.
* **Controller**: GDPR Article 4 (7) defines the controller as the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
* **Processor**: According to the GDPR Article 4 (8) processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
#### Controller scenario
For example, when an organization is using Microsoft Windows Defender Advanced Threat Protection (ATP) to detect, investigate, and respond to advanced threats on their networks as part of their IT operations, that organization is collecting data from the users device data, that might include personal data. In this scenario, the organization is the *controller* of the respective personal data, since the organization controls the purpose and means of the processing for data being collected from the devices that have Windows Defender ATP enabled.
#### Processor scenario
In the controller scenario described above, Microsoft is a *processor* because Microsoft provides data processing services to that controller (in the given example, an organization that subscribed to Windows Defender ATP and enabled it for the users device). As processor, Microsoft only processes data on behalf of the enterprise customer and does not have the right to process data beyond their instructions as specified in a written contract, such as the [Microsoft Product Terms and the Microsoft Online Services Terms (OST)](https://www.microsoft.com/en-us/licensing/product-licensing/products.aspx).
## GDPR relationship between a Windows 10 user and Microsoft
For Windows 10 services, Microsoft usually is the controller (with exceptions, such as Windows Defender ATP). The following sections describe what that means for the related data.
### Types of data exchanged with Microsoft
Microsoft collects data from or generates data through interactions with users of Windows 10 devices. This information can contain personal data, as defined in [Article 4 (1) of the GDPR](http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=EN), that may be used to provide, support, and improve Windows 10 services.
Microsoft discloses data collection and privacy practices in detail, for example:
* As part of the Windows 10 installation;
* In the Windows 10 privacy settings;
* Via the web-based [Microsoft Privacy dashboard](https://account.microsoft.com/privacy); and
* In the [Microsoft Privacy Statement](https://privacy.microsoft.com/en-us/privacystatement).
It is important to differentiate between two distinct types of data Windows services are dealing with.
#### Windows functional data
A user action, such as performing a Skype call, usually triggers the collection and transmission of Windows *functional data*. Some Windows components and applications connecting to Microsoft services also exchange Windows functional data to provide user functionality.
Some other examples of Windows functional data:
* The Weather app which can use the devices location to retrieve local weather or community news.
* Wallpaper and desktop settings that are synchronized across multiple devices.
For more info on how IT Professionals can manage Windows functional data sent from an organization to Microsoft, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
#### Windows diagnostic data
Windows diagnostic data is used to keep the operating system secure and up-to-date, troubleshoot problems, and make product improvements. The data is encrypted before being sent back to Microsoft.
Some examples of diagnostic data include:
* The type of hardware being used, information about installed apps and usage details, and reliability data on drivers running on the device.
* For users who have turned on “Tailored experiences”, it can be used to offer personalized tips, ads, and recommendations to enhance Microsoft products and services for the needs of the user.
Diagnostic data is categorized into the levels "Security", "Basic", "Enhanced", and "Full". For a detailed discussion about these diagnostic data levels please see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). To find more about what information is collected and how it is handled, see [Understanding Windows diagnostic data](configure-windows-diagnostic-data-in-your-organization.md#understanding-windows-diagnostic-data).
>[!IMPORTANT]
>Other Microsoft services as well as 3rd party applications and drivers running on Windows devices may implement their own functionality, independently from Windows, to transport their diagnostic data. Please contact the publisher for further guidance on how to control the diagnostic data collection level and transmission of these applications and services.
### Windows services where Microsoft is the processor under the GDPR
Most Windows 10 services are controller services in terms of the GDPR for both Windows functional data and Windows diagnostic data. But there are a few Windows services where Microsoft is a processor for functional data under the GDPR, such as [Windows Analytics](https://www.microsoft.com/windowsforbusiness/windows-analytics) and [Windows Defender Advanced Threat Protection (ATP)](https://www.microsoft.com/windowsforbusiness/windows-atp).
>[!NOTE]
>Both Windows Analytics and Windows Defender ATP are subscription services for organizations. Some functionality requires a certain license (please see [Compare Windows 10 editions](https://www.microsoft.com/en-us/windowsforbusiness/compare)).
#### Windows Analytics
[Windows Analytics](https://www.microsoft.com/en-us/windowsforbusiness/windows-analytics) is a service that provides rich, actionable information for helping organizations to gain deep insights into the operational efficiency and health of the Windows devices in their environment. It uses Windows diagnostic data from devices enrolled by the IT organization of an enterprise into the Windows Analytics service.
Windows [transmits Windows diagnostic data](enhanced-diagnostic-data-windows-analytics-events-and-fields.md) to Microsoft datacenters, where that data is analyzed and stored. With Windows Analytics, the IT organization can then view the analyzed data to detect and fix issues or to improve their processes for upgrading to Windows 10.
As a result, in terms of the GDPR, the organization that has subscribed to Windows Analytics is acting as the controller, while Microsoft is the processor for Windows Analytics.
>[!NOTE]
>The IT organization must explicitly enable Windows Analytics for a device after the organization subscribes.
>[!IMPORTANT]
>Windows Analytics does not collect Windows Diagnostic data by itself. Instead, Windows Analytics only uses a subset of Windows Diagnostic data that is collected by Windows for an enrolled device. The Windows Diagnostic data collection is controlled by the IT department of an organization or the user of a device.
#### Windows Defender ATP
[Windows Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp) is cloud-based service that collects and analyzes usage data from an organizations devices to detect security threats. Some of the data can contain personal data as defined by the GDPR. Enrolled devices transmit usage data to Microsoft datacenters, where that data is analyzed, processed, and stored. The security operations center (SOC) of the organization can view the analyzed data using the [Windows Defender ATP portal](https://securitycenter.windows.com/).
As a result, in terms of the GDPR, the organization that has subscribed to Windows Defender ATP is acting as the controller, while Microsoft is the processor for Windows Defender ATP.
>[!NOTE]
>The IT organization must explicitly enable Windows Defender ATP for a device after the organization subscribes.
#### At a glance Windows 10 services GDPR mode of operations
The following table lists in what GDPR mode controller or processor Windows 10 services are operating.
| Service | Microsoft GDPR mode of operation |
| --- | --- |
| Windows Functional data | Controller or Processor* |
| Windows Diagnostic data | Controller |
| Windows Analytics | Processor |
| Windows Defender Advanced Threat Detection (ATP) | Processor |
*Table 1: Windows 10 GDPR modes of operations for different Windows 10 services*
*/*Depending on which application/feature this is referring to.*
## Windows diagnostic data and Windows 10
### Recommended Windows 10 settings
Windows diagnostic data collection level for Windows 10 can be set by a user in Windows (*Start > Settings > Privacy > Diagnostics & feedback*) or by the IT department of an organization, using Group Policy or Mobile Device Management (MDM) techniques.
* For Windows 10, version 1803 and version 1809, Microsoft recommends setting the Windows diagnostic level to “Enhanced”. This enables organizations to get the full functionality of [Windows Analytics](#windows-analytics).
>[!NOTE]
>For more information on the Enhanced level, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md).
* For Windows 10, version 1709, and Windows 10, version 1703, the recommended Windows diagnostic level configuration for EEA and Switzerland commercial users is “Basic”.
>[!NOTE]
>For Windows 7, Microsoft recommends [configuring enterprise devices for Windows Analytics](/windows/deployment/update/windows-analytics-get-started) to facilitate upgrade planning to Windows 10.
### Additional information for Windows Analytics
Some Windows Analytics solutions and functionality, such as Update Compliance, works with “Basic” as minimum Windows diagnostic level. Other solutions and functionality of Windows Analytics, such as Device Health, require “Enhanced”.
Those organizations who wish to share the smallest set of events for Windows Analytics and have set the Windows diagnostic level to “Enhanced” can use the “Limit Enhanced diagnostic data to the minimum required by Windows Analytics” setting. This filtering mechanism was that Microsoft introduced in Windows 10, version 1709. When enabled, this feature limits the operating system diagnostic data events included in the Enhanced level to the smallest set of data required by Windows Analytics.
>[!NOTE]
>Additional information can be found at [Windows Analytics and privacy](/windows/deployment/update/windows-analytics-privacy
).
## Controlling Windows 10 data collection and notification about it
Windows 10 sends diagnostic data to Microsoft services, and some of that data can contain personal data. Both the user and the IT organization have the ability to control the transmission of that data to Microsoft.
### Adjusting privacy settings by the user
A user has the ability to adjust additional privacy settings in Windows by navigating to *Start > Settings > Privacy*. For example, a user can control if location is enabled or disabled, whether or not to transmit feedback on inking and typing input to Microsoft for improving the personal accuracy of these services, or if Windows collects activities for syncing it with other devices.
For a standard user in an organization, some privacy settings might be controlled by their IT department. This is done using Group Policies or Mobile Device Management (MDM) settings. If this is the case, the user will see an alert that says Some settings are hidden or managed by your organization when they navigate to *Start > Settings > Privacy*. As such, the user can only change some settings, but not all.
### Users can lower the diagnostic level
Starting with Windows 10, version 1803, a user can change the Windows diagnostics data level for their device below to what was set by their IT department. Organizations can allow or disallow this feature by configuring the Group Policy **Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds\Configure telemetry opt-in setting user interface** or the MDM policy **ConfigureTelemetryOptInSettingsUx**.
If an IT organization has not disabled this policy, users within the organization can change their own Windows diagnostic data collection level in *Start > Settings > Privacy > Diagnostics & feedback*. For example, if the IT organization enabled this policy and set the level to “Full”, a user can modify the Windows diagnostics data level setting to “Basic”.
### Notification at logon
Windows 10, version 1803, and later can provide users with a notification during their logon. If the IT organization has not disabled the Group Policy **Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds\Configure telemetry opt-in change notifications** or the MDM policy **ConfigureTelemetryOptInChangeNotification**, Windows diagnostic data notifications can appear at logon so that the users of a device are aware of the data collection.
This notification can also be shown when the diagnostic level for the device was changed. For instance, if the diagnostic level on the device is set to “Basic” and the IT organization changes it to “Full”, users will be notified on their next logon.
### Diagnostic Data Viewer (DDV)
In Windows 10, version 1803 and later, users can invoke the [Diagnostic Data Viewer (DDV)](diagnostic-data-viewer-overview.md) to see what Windows diagnostic data is collected on their local device. This app lets a user review the diagnostic data collected on his device that is being sent to Microsoft. The DDV groups the information into simple categories based on how it is used by Microsoft.
A user can turn on Windows diagnostic data viewing by going to go to *Start > Settings > Privacy > Diagnostics & feedback*. Under the Diagnostic data viewer section, the user has to enable the If data viewing is enabled, you can see your diagnostics data option. After DDV is installed on the device, the user can start it by clicking the Diagnostic Data Viewer in the Diagnostic data viewer section of *Start > Settings > Privacy > Diagnostics & feedback*.
Also, the user can delete all Windows diagnostic data collected from the device. This is done by clicking the Delete button in the Delete diagnostic data section of *Start > Settings > Privacy > Diagnostics & feedback*.
### Windows 10 personal data services configuration
Microsoft assembled a list of Windows 10 services configuration settings that are useful for personal data privacy protection and related regulations, such as the General Data Protection Regulation (GDPR). There is one section with settings for service data that is managed at Microsoft and a section for local data that is managed by an IT organization.
IT Professionals that are interested in this configuration, see [Windows 10 personal data services configuration](windows-personal-data-services-configuration.md).
### Windows 10 connections to Microsoft
To find out more about the network connections that Windows components make to Microsoft as well as the privacy settings that affect data shared with either Microsoft or apps, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) and [Manage Windows 10 connection endpoints](manage-windows-endpoints.md). These articles describe how these settings can be managed by an IT Professional.
### At-a-glance: the relationship between an IT organization and the GDPR
Because Microsoft is a controller for data collected by Windows 10, the user can work with Microsoft to satisfy GDPR requirements. While this relationship between Microsoft and a user is evident in a consumer scenario, an IT organization can influence that relationship in an enterprise scenario. For example, the IT organization has the ability to centrally configure the Windows diagnostic data level by using Group Policy or MDM settings.
## Windows Server
Windows Server follows the same mechanisms as Windows 10 for handling of personal data for example, when collecting Windows diagnostic data.
More detailed information about Windows Server and the GDPR is available at Beginning your General Data Protection Regulation (GDPR) journey for Windows Server.
### Windows diagnostic data and Windows Server
The lowest diagnostic data setting level supported on Windows Server 2016 and Windows Server 2019 through management policies is “Security”. The lowest diagnostic data setting supported through the Settings UI is “Basic”. The default diagnostic data level for all Windows Server 2016 and Windows Server 2019 editions is “Enhanced”.
IT administrators can configure the Windows Server diagnostic data settings using familiar management tools, such as Group Policy, MDM, or Windows Provisioning. IT administrators can also manually change settings using Registry Editor. Setting the Windows Server diagnostic data levels through a management policy overrides any device-level settings.
There are two options for deleting Windows diagnostic data from a Windows Server machine:
- If the “Desktop Experience” option was chosen during the installation of Windows Server 2019, then there are the same options available for an IT administrator that end users have with Windows 10, version 1803 and version 1809, to submit a request for deleting that devices diagnostic data. This is done by clicking the **Delete** button in the **Delete diagnostic data** section of **Start > Settings > Privacy > Diagnostics & feedback**.
- Microsoft has provided a [PowerShell cmdlet](https://docs.microsoft.com/powershell/module/windowsdiagnosticdata) that IT administrators can use to delete Windows diagnostic data via the command line on a machine running Windows Server 2016 or Windows Server 2019. This cmdlet provides the same functionality for deleting Windows diagnostic data as with Desktop Experience on Windows Server 2019. For more information, see [the PowerShell Gallery](https://www.powershellgallery.com/packages/WindowsDiagnosticData).
### Backups and Windows Server
Backups, including live backups and backups that are stored locally within an organization or in the cloud, can contain personal data.
- Backups an organizations creates, for example by using Windows Server Backup (WSB), are under its control. For example, for exporting personal data contained in a backup, the organization needs to restore the appropriate backup sets to facilitate the respective data subject request (DSR).
- The GDPR also applies when storing backups in the cloud. For example, an organization can use Microsoft Azure Backup to backup files and folders from physical or virtual Windows Server machines (located on-premises or in Azure) to the cloud. The organization that is subscribed to this backup service also has the obligation to restore the data in order to exercise the respective DSR.
## Windows 10 Team Edition, Version 1703 for Surface Hub
Surface Hub is a shared device used within an organization. The device identifier collected as part of diagnostic data is not connected to a user. For removing Windows diagnostic data sent to Microsoft for a Surface Hub, Microsoft created the Surface Hub Delete Diagnostic Data tool available in the Microsoft Store.
>[!NOTE]
>Additional apps running on the device, that are not delivered as part of the in-box experience of Surface Hub, may implement their own diagnostic data collection and transmission functionality independently to collect and process personal data. Please contact the app publisher for further guidance on how to control this.
An IT administrator can configure privacy- related settings, such as setting the Windows diagnostic data level to Basic. Surface Hub does not support group policy for centralized management; however, IT administrators can use MDM to apply these settings to Surface Hub. For more information about Surface Hub and MDM, please see [Manage settings with an MDM provider](https://docs.microsoft.com/surface-hub/manage-settings-with-mdm-for-surface-hub).
## Further reading
### Optional settings / features that further improve the protection of personal data
Personal data protection is one of the goals of the GDPR. One way of improving personal data protection is to use the modern and advanced security features of Windows 10. An IT organization can learn more at [Mitigate threats by using Windows 10 security features](/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10) and [Standards for a highly secure Windows 10 device](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-highly-secure).
>[!NOTE]
>Some of these features might require a particular Windows hardware, such as a computer with a Trusted Platform Module (TPM) chip, and can depend on a particular Windows product (such as Windows 10 E5).
### Windows Security Baselines
Microsoft has created Windows Security Baselines to efficiently configure Windows 10 and Windows Server. For more information, please visit [Windows Security Baselines](/windows/security/threat-protection/windows-security-baselines).
### Windows Restricted Traffic Limited Functionality Baseline
To make it easier to deploy settings that restrict connections from Windows 10 and Windows Server to Microsoft, IT Professionals can apply the Windows Restricted Traffic Limited Functionality Baseline, available [here](https://go.microsoft.com/fwlink/?linkid=828887).
>[!IMPORTANT]
>Some of the settings of the Windows Restricted Traffic Limited Functionality Baseline will reduce the functionality and security configuration of a device in the organization and are therefore not recommended.
### Microsoft Trust Center and Service Trust Portal
Please visit our [GDPR section of the Microsoft Trust Center](https://www.microsoft.com/en-us/trustcenter/privacy/gdpr) to obtain additional resources and to learn more about how Microsoft can help you fulfill specific GDPR requirements. There you can find lots of useful information about the GDPR, including how Microsoft is helping customers to successfully master the GDPR, a FAQ list, and a list of [resources for GDPR compliance](https://www.microsoft.com/en-us/TrustCenter/Privacy/gdpr/resources). Also, please check out the [Compliance Manager](https://aka.ms/compliancemanager) of the Microsoft [Service Trust Portal (STP)](https://aka.ms/stp) and [Get Started: Support for GDPR Accountability](https://servicetrust.microsoft.com/ViewPage/GDPRGetStarted).
### Additional resources
#### FAQs
* [Windows 10 feedback, diagnostics, and privacy](https://privacy.microsoft.com/windows-10-feedback-diagnostics-and-privacy)
* [Microsoft Edge and privacy](https://privacy.microsoft.com/windows-10-microsoft-edge-and-privacy)
* [Windows Hello and privacy](https://privacy.microsoft.com/windows-10-windows-hello-and-privacy)
* [Wi-Fi Sense](https://privacy.microsoft.com/windows-10-about-wifi-sense)
#### Blogs
* [Privacy and Windows 10](https://blogs.windows.com/windowsexperience/2015/09/28/privacy-and-windows-10)
#### Privacy Statement
* [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement)
#### Other resources
* [Privacy at Microsoft](https://privacy.microsoft.com/)

590
windows/privacy/windows-endpoints-1709-non-enterprise-editions.md
View File

@ -1,295 +1,295 @@
---
title: Windows 10, version 1709, connection endpoints for non-Enterprise editions
description: Explains what Windows 10 endpoints are used in non-Enterprise editions.
keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.localizationpriority: high
audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 6/26/2018
ms.reviewer:
---
# Windows 10, version 1709, connection endpoints for non-Enterprise editions
**Applies to**
- Windows 10 Home, version 1709
- Windows 10 Professional, version 1709
- Windows 10 Education, version 1709
In addition to the endpoints listed for [Windows 10 Enterprise](manage-windows-endpoints.md), the following endpoints are available on other editions of Windows 10, version 1709.
We used the following methodology to derive these network endpoints:
1. Set up the latest version of Windows 10 on a test virtual machine using the default settings.
2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device).
3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
4. Compile reports on traffic going to public IP addresses.
5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory.
6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here.
> [!NOTE]
> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time.
## Windows 10 Home
| **Destination** | **Protocol** | **Description** |
| --- | --- | --- |
| *.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. |
| *.wac.phicdn.net | HTTP | Used by the Verizon Content Delivery Network to perform Windows updates. |
| *.1.msftsrvcs.vo.llnwi.net | HTTP | Used for Windows Update downloads of apps and OS updates. |
| *.c-msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. |
| *.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. |
| *.dscd.akamai.net | HTTP | Used to download content. |
| *.dspg.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. |
| *.hwcdn.net | HTTP | Used by the Highwinds Content Delivery Network to perform Windows updates. |
| *.m1-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
| *.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. |
| *.wac.edgecastcdn.net | TLSv1.2 | Used by the Verizon Content Delivery Network to perform Windows updates. |
| *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). |
| *prod.do.dsp.mp.microsoft.com | TLSv1.2\/HTTPS | Used for Windows Update downloads of apps and OS updates. |
| .g.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. |
| 2.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. |
| 2.tlu.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. |
| arc.msn.com | HTTPS | Used to retrieve Windows Spotlight metadata. |
| arc.msn.com.nsatc.net | TLSv1.2 | Used to retrieve Windows Spotlight metadata. |
| a-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| au.download.windowsupdate.com | HTTP | Used to download operating system patches and updates. |
| b-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| candycrushsoda.king.com | TLSv1.2 | Used for Candy Crush Saga updates. |
| cdn.content.prod.cms.msn.com | HTTP | Used to retrieve Windows Spotlight metadata. |
| cdn.onenote.net | HTTP | Used for OneNote Live Tile. |
| client-office365-tas.msedge.net | HTTP | Used to connect to the Office 365 portals shared infrastructure, including Office. |
| config.edge.skype.com | HTTP | Used to retrieve Skype configuration values. |
| ctldl.windowsupdate.com | HTTP | Used to download certificates that are publicly known to be fraudulent. |
| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. |
| cy2.licensing.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. |
| cy2.purchase.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. |
| cy2.settings.data.microsoft.com.akadns.net | TLSv1.2 | Used as a way for apps to dynamically update their configuration. |
| cy2.vortex.data.microsoft.com.akadns.net | TLSv1.2 | Used to retrieve Windows Insider Preview builds. |
| definitionupdates.microsoft.com | HTTPS | Used for Windows Defender definition updates. |
| displaycatalog.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
| dl.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
| dual-a-0001.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
| fe2.update.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2\/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. |
| fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| g.live.com/1rewlive5skydrive/ | HTTPS | Used by a redirection service to automatically update URLs. |
| g.msn.com.nsatc.net | HTTP | Used to retrieve Windows Spotlight metadata. |
| geo-prod.do.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. |
| go.microsoft.com | HTTPS | Used by a redirection service to automatically update URLs. |
| img-prod-cms-rt-microsoft-com.akamaized.net | HTTPS | Used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). |
| *.login.msa.akadns6.net | TLSv1.2 | Used for Microsoft accounts to sign in. |
| licensing.mp.microsoft.com | HTTPS | Used for online activation and some app licensing. |
| location-inference-westus.cloudapp.net | TLSv1.2 | Used for location data. |
| login.live.com | HTTPS | Used to authenticate a device. |
| mediaredirect.microsoft.com | HTTPS | Used by the Groove Music app to update HTTP handler status. |
| modern.watson.data.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. |
| msftsrvcs.vo.llnwd.net | HTTP | Enables connections to Windows Update. |
| msnbot-*.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. |
| oem.twimg.com | HTTPS | Used for the Twitter Live Tile. |
| oneclient.sfx.ms | HTTPS | Used by OneDrive for Business to download and verify app updates. |
| peer4-wst.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| pti.store.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
| pti.store.microsoft.com.unistore.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. |
| purchase.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
| ris.api.iris.microsoft.com.akadns.net | TLSv1.2\/HTTPS | Used to retrieve Windows Spotlight metadata. |
| settings-win.data.microsoft.com | HTTPS | Used for Windows apps to dynamically update their configuration. |
| sls.update.microsoft.com.nsatc.net | TLSv1.2\/HTTPS | Enables connections to Windows Update. |
| star-mini.c10r.facebook.com | TLSv1.2 | Used for the Facebook Live Tile. |
| storecatalogrevocation.storequality.microsoft.com | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. |
| storeedgefd.dsx.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
| store-images.s-microsoft.com | HTTP | Used to get images that are used for Microsoft Store suggestions. |
| tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. |
| tsfe.trafficshaping.dsp.mp.microsoft.com | TLSv1.2 | Used for content regulation. |
| v10.vortex-win.data.microsoft.com | HTTPS | Used to retrieve Windows Insider Preview builds. |
| wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. |
| wallet-frontend-prod-westus.cloudapp.net | TLSv1.2 | Used by the Microsoft Wallet app. |
| *.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. |
| ceuswatcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
| ceuswatcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
| eaus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
| eaus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
| weus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
| weus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
| wdcp.microsoft.akadns.net | TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled. |
| wildcard.twimg.com | TLSv1.2 | Used for the Twitter Live Tile. |
| www.bing.com | HTTP | Used for updates for Cortana, apps, and Live Tiles. |
| www.facebook.com | HTTPS | Used for the Facebook Live Tile. |
| [www.microsoft.com](https://www.microsoft.com/) | HTTPS | Used for updates for Cortana, apps, and Live Tiles. |
## Windows 10 Pro
| **Destination** | **Protocol** | **Description** |
| --- | --- | --- |
| *.*.akamai.net | HTTP | Used to download content. |
| *.*.akamaiedge.net | TLSv1.2\/HTTP | Used to check for updates to maps that have been downloaded for offline use. |
| *.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
| *.blob.core.windows.net | HTTPS | Used by Windows Update to update words used for language input methods. |
| *.c-msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. |
| *.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. |
| *.dspb.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. |
| *.dspg.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. |
| *.e-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
| *.login.msa.akadns6.net | TLSv1.2 | Used for Microsoft accounts to sign in. |
| *.s-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
| *.telecommand.telemetry.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. |
| *.wac.edgecastcdn.net | TLSv1.2 | Used by the Verizon Content Delivery Network to perform Windows updates. |
| *.wac.phicdn.net | HTTP | Used by the Verizon Content Delivery Network to perform Windows updates. |
| *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). |
| *prod.do.dsp.mp.microsoft.com | TLSv1.2\/HTTPS | Used for Windows Update downloads of apps and OS updates. |
| 3.dl.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
| 3.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. |
| 3.tlu.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. |
| 3.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. |
| arc.msn.com | HTTPS | Used to retrieve Windows Spotlight metadata. |
| arc.msn.com.nsatc.net | TLSv1.3 | Used to retrieve Windows Spotlight metadata. |
| au.download.windowsupdate.com | HTTPS | Used to download operating system patches and updates. |
| b-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| candycrushsoda.king.com | HTTPS | Used for Candy Crush Saga updates. |
| cdn.content.prod.cms.msn.com | HTTP | Used to retrieve Windows Spotlight metadata. |
| cdn.onenote.net | HTTPS | Used for OneNote Live Tile. |
| client-office365-tas.msedge.net | HTTPS | Used to connect to the Office 365 portals shared infrastructure, including Office. |
| config.edge.skype.com | HTTPS | Used to retrieve Skype configuration values. |
| ctldl.windowsupdate.com | HTTP | Used to download certificates that are publicly known to be fraudulent. |
| cs12.<span class="anchor" id="_Hlk500262422"></span>wpc.v0cdn.net | HTTP | Used by the Verizon Content Delivery Network to download content for Windows upgrades with Wireless Planning and Coordination (WPC). |
| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. |
| cy2.settings.data.microsoft.com.akadns.net | TLSv1.2 | Used as a way for apps to dynamically update their configuration. |
| cy2.vortex.data.microsoft.com.akadns.net | TLSv1.2 | Used to retrieve Windows Insider Preview builds. |
| definitionupdates.microsoft.com | HTTPS | Used for Windows Defender definition updates. |
| displaycatalog.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
| download.windowsupdate.com | HTTP | Enables connections to Windows Update. |
| evoke-windowsservices-tas.msedge.net | HTTPS | Used by the Photos app to download configuration files, and to connect to the Office 365 portals shared infrastructure, including Office. |
| fe2.update.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2\/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| fe3.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. |
| fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| fs.microsoft.com | HTTPS | Used to download fonts on demand |
| g.live.com | HTTP | Used by a redirection service to automatically update URLs. |
| g.msn.com | HTTPS | Used to retrieve Windows Spotlight metadata. |
| g.msn.com.nsatc.net | TLSv1.2 | Used to retrieve Windows Spotlight metadata. |
| geo-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
| geover-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
| go.microsoft.com | HTTPS | Used by a redirection service to automatically update URLs. |
| gpla1.wac.v2cdn.net | HTTP | Used for Baltimore CyberTrust Root traffic. . |
| img-prod-cms-rt-microsoft-com.akamaized.net | HTTPS | Used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). |
| licensing.mp.microsoft.com | HTTPS | Used for online activation and some app licensing. |
| location-inference-westus.cloudapp.net | TLSv1.2 | Used for location data. |
| login.live.com | HTTPS | Used to authenticate a device. |
| l-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| mediaredirect.microsoft.com | HTTPS | Used by the Groove Music app to update HTTP handler status. |
| modern.watson.data.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. |
| msnbot-*.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. |
| oem.twimg.com | HTTP | Used for the Twitter Live Tile. |
| oneclient.sfx.ms | HTTP | Used by OneDrive for Business to download and verify app updates. |
| peer1-wst.msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. |
| pti.store.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
| pti.store.microsoft.com.unistore.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
| purchase.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
| ris.api.iris.microsoft.com | HTTPS | Used to retrieve Windows Spotlight metadata. |
| settings-win.data.microsoft.com | HTTPS | Used for Windows apps to dynamically update their configuration. |
| sls.update.microsoft.com | HTTPS | Enables connections to Windows Update. |
| storecatalogrevocation.storequality.microsoft.com | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. |
| storeedgefd.dsx.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
| store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. |
| store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. |
| *.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. |
| ceuswatcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
| ceuswatcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
| eaus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
| eaus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
| weus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
| weus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
| tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. |
| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. |
| v10.vortex-win.data.microsoft.com | HTTPS | Used to retrieve Windows Insider Preview builds. |
| wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. |
| wdcp.microsoft.akadns.net | HTTPS | Used for Windows Defender when Cloud-based Protection is enabled. |
| wildcard.twimg.com | TLSv1.2 | Used for the Twitter Live Tile. |
| www.bing.com | TLSv1.2 | Used for updates for Cortana, apps, and Live Tiles. |
| www.facebook.com | HTTPS | Used for the Facebook Live Tile. |
| [www.microsoft.com](https://www.microsoft.com/) | HTTPS | Used for updates for Cortana, apps, and Live Tiles. |
## Windows 10 Education
| **Destination** | **Protocol** | **Description** |
| --- | --- | --- |
| *.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
| *.b.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. |
| *.c-msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. |
| *.dscb1.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. |
| *.dscd.akamai.net | HTTP | Used to download content. |
| *.dspb.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. |
| *.dspw65.akamai.net | HTTP | Used to download content. |
| *.e-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
| *.g.akamai.net | HTTP | Used to download content. |
| *.g.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. |
| *.l.windowsupdate.com | HTTP | Enables connections to Windows Update. |
| *.s-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
| *.wac.phicdn.net | HTTP | Used by the Verizon Content Delivery Network to perform Windows updates |
| *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). |
| *prod.do.dsp.mp.microsoft.com | TLSv1.2 | Used for Windows Update downloads of apps and OS updates. |
| *prod.do.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Used for Windows Update downloads of apps and OS updates. |
| 3.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. |
| 3.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. |
| a-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| au.download.windowsupdate.com | HTTP | Used to download operating system patches and updates. |
| cdn.onenote.net | HTTPS | Used for OneNote Live Tile. |
| cds.*.hwcdn.net | HTTP | Used by the Highwinds Content Delivery Network to perform Windows updates. |
| co4.telecommand.telemetry.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. |
| config.edge.skype.com | HTTPS | Used to retrieve Skype configuration values. |
| ctldl.windowsupdate.com | HTTP | Used to download certificates that are publicly known to be fraudulent. |
| cs12.wpc.v0cdn.net | HTTP | Used by the Verizon Content Delivery Network to download content for Windows upgrades with Wireless Planning and Coordination (WPC). |
| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. |
| cy2.settings.data.microsoft.com.akadns.net | TLSv1.2 | Used as a way for apps to dynamically update their configuration. |
| cy2.vortex.data.microsoft.com.akadns.net | TLSv1.2 | Used to retrieve Windows Insider Preview builds. |
| dl.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
| download.windowsupdate.com | HTTP | Enables connections to Windows Update. |
| evoke-windowsservices-tas.msedge.net/ab | HTTPS | Used by the Photos app to download configuration files, and to connect to the Office 365 portals shared infrastructure, including Office. |
| fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. |
| fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. |
| fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| g.msn.com.nsatc.net | TLSv1.2\/HTTP | Used to retrieve Windows Spotlight metadata. |
| geo-prod.do.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. |
| geover-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
| go.microsoft.com | HTTPS | Used by a redirection service to automatically update URLs. |
| gpla1.wac.v2cdn.net | HTTP | Used for Baltimore CyberTrust Root traffic. . |
| ipv4.login.msa.akadns6.net | TLSv1.2 | Used for Microsoft accounts to sign in. |
| licensing.mp.microsoft.com | HTTPS | Used for online activation and some app licensing. |
| location-inference-westus.cloudapp.net | TLSv1.2 | Used for location data. |
| login.live.com/* | HTTPS | Used to authenticate a device. |
| l-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| mediaredirect.microsoft.com | HTTPS | Used by the Groove Music app to update HTTP handler status. |
| modern.watson.data.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. |
| msftconnecttest.com/* | HTTP | Used by Network Connection Status Indicator (NCSI) to detect Internet connectivity and corporate network connectivity status. |
| msnbot-65-52-108-198.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. |
| oneclient.sfx.ms | HTTP | Used by OneDrive for Business to download and verify app updates. |
| peer1-wst.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| pti.store.microsoft.com.unistore.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. |
| settings-win.data.microsoft.com | HTTPS | Used for Windows apps to dynamically update their configuration. |
| sls.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. |
| store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. |
| tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. |
| *.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. |
| ceuswatcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
| ceuswatcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
| eaus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
| eaus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
| weus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
| weus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
| tsfe.trafficshaping.dsp.mp.microsoft.com | TLSv1.2 | Used for content regulation. |
| wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. |
| wdcp.microsoft.akadns.net | TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled. |
| www.bing.com | HTTPS | Used for updates for Cortana, apps, and Live Tiles. |
---
title: Windows 10, version 1709, connection endpoints for non-Enterprise editions
description: Explains what Windows 10 endpoints are used in non-Enterprise editions.
keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.localizationpriority: high
audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 6/26/2018
ms.reviewer:
---
# Windows 10, version 1709, connection endpoints for non-Enterprise editions
**Applies to**
- Windows 10 Home, version 1709
- Windows 10 Professional, version 1709
- Windows 10 Education, version 1709
In addition to the endpoints listed for [Windows 10 Enterprise](manage-windows-endpoints.md), the following endpoints are available on other editions of Windows 10, version 1709.
We used the following methodology to derive these network endpoints:
1. Set up the latest version of Windows 10 on a test virtual machine using the default settings.
2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device).
3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
4. Compile reports on traffic going to public IP addresses.
5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory.
6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here.
> [!NOTE]
> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time.
## Windows 10 Home
| **Destination** | **Protocol** | **Description** |
| --- | --- | --- |
| *.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. |
| *.wac.phicdn.net | HTTP | Used by the Verizon Content Delivery Network to perform Windows updates. |
| *.1.msftsrvcs.vo.llnwi.net | HTTP | Used for Windows Update downloads of apps and OS updates. |
| *.c-msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. |
| *.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. |
| *.dscd.akamai.net | HTTP | Used to download content. |
| *.dspg.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. |
| *.hwcdn.net | HTTP | Used by the Highwinds Content Delivery Network to perform Windows updates. |
| *.m1-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
| *.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. |
| *.wac.edgecastcdn.net | TLSv1.2 | Used by the Verizon Content Delivery Network to perform Windows updates. |
| *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). |
| *prod.do.dsp.mp.microsoft.com | TLSv1.2\/HTTPS | Used for Windows Update downloads of apps and OS updates. |
| .g.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. |
| 2.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. |
| 2.tlu.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. |
| arc.msn.com | HTTPS | Used to retrieve Windows Spotlight metadata. |
| arc.msn.com.nsatc.net | TLSv1.2 | Used to retrieve Windows Spotlight metadata. |
| a-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| au.download.windowsupdate.com | HTTP | Used to download operating system patches and updates. |
| b-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| candycrushsoda.king.com | TLSv1.2 | Used for Candy Crush Saga updates. |
| cdn.content.prod.cms.msn.com | HTTP | Used to retrieve Windows Spotlight metadata. |
| cdn.onenote.net | HTTP | Used for OneNote Live Tile. |
| client-office365-tas.msedge.net | HTTP | Used to connect to the Office 365 portals shared infrastructure, including Office. |
| config.edge.skype.com | HTTP | Used to retrieve Skype configuration values. |
| ctldl.windowsupdate.com | HTTP | Used to download certificates that are publicly known to be fraudulent. |
| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. |
| cy2.licensing.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. |
| cy2.purchase.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. |
| cy2.settings.data.microsoft.com.akadns.net | TLSv1.2 | Used as a way for apps to dynamically update their configuration. |
| cy2.vortex.data.microsoft.com.akadns.net | TLSv1.2 | Used to retrieve Windows Insider Preview builds. |
| definitionupdates.microsoft.com | HTTPS | Used for Windows Defender definition updates. |
| displaycatalog.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
| dl.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
| dual-a-0001.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
| fe2.update.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2\/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. |
| fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| g.live.com/1rewlive5skydrive/ | HTTPS | Used by a redirection service to automatically update URLs. |
| g.msn.com.nsatc.net | HTTP | Used to retrieve Windows Spotlight metadata. |
| geo-prod.do.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. |
| go.microsoft.com | HTTPS | Used by a redirection service to automatically update URLs. |
| img-prod-cms-rt-microsoft-com.akamaized.net | HTTPS | Used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). |
| *.login.msa.akadns6.net | TLSv1.2 | Used for Microsoft accounts to sign in. |
| licensing.mp.microsoft.com | HTTPS | Used for online activation and some app licensing. |
| location-inference-westus.cloudapp.net | TLSv1.2 | Used for location data. |
| login.live.com | HTTPS | Used to authenticate a device. |
| mediaredirect.microsoft.com | HTTPS | Used by the Groove Music app to update HTTP handler status. |
| modern.watson.data.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. |
| msftsrvcs.vo.llnwd.net | HTTP | Enables connections to Windows Update. |
| msnbot-*.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. |
| oem.twimg.com | HTTPS | Used for the Twitter Live Tile. |
| oneclient.sfx.ms | HTTPS | Used by OneDrive for Business to download and verify app updates. |
| peer4-wst.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| pti.store.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
| pti.store.microsoft.com.unistore.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. |
| purchase.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
| ris.api.iris.microsoft.com.akadns.net | TLSv1.2\/HTTPS | Used to retrieve Windows Spotlight metadata. |
| settings-win.data.microsoft.com | HTTPS | Used for Windows apps to dynamically update their configuration. |
| sls.update.microsoft.com.nsatc.net | TLSv1.2\/HTTPS | Enables connections to Windows Update. |
| star-mini.c10r.facebook.com | TLSv1.2 | Used for the Facebook Live Tile. |
| storecatalogrevocation.storequality.microsoft.com | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. |
| storeedgefd.dsx.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
| store-images.s-microsoft.com | HTTP | Used to get images that are used for Microsoft Store suggestions. |
| tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. |
| tsfe.trafficshaping.dsp.mp.microsoft.com | TLSv1.2 | Used for content regulation. |
| v10.vortex-win.data.microsoft.com | HTTPS | Used to retrieve Windows Insider Preview builds. |
| wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. |
| wallet-frontend-prod-westus.cloudapp.net | TLSv1.2 | Used by the Microsoft Wallet app. |
| *.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. |
| ceuswatcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
| ceuswatcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
| eaus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
| eaus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
| weus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
| weus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
| wdcp.microsoft.akadns.net | TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled. |
| wildcard.twimg.com | TLSv1.2 | Used for the Twitter Live Tile. |
| www.bing.com | HTTP | Used for updates for Cortana, apps, and Live Tiles. |
| www.facebook.com | HTTPS | Used for the Facebook Live Tile. |
| [www.microsoft.com](https://www.microsoft.com/) | HTTPS | Used for updates for Cortana, apps, and Live Tiles. |
## Windows 10 Pro
| **Destination** | **Protocol** | **Description** |
| --- | --- | --- |
| *.*.akamai.net | HTTP | Used to download content. |
| *.*.akamaiedge.net | TLSv1.2\/HTTP | Used to check for updates to maps that have been downloaded for offline use. |
| *.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
| *.blob.core.windows.net | HTTPS | Used by Windows Update to update words used for language input methods. |
| *.c-msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. |
| *.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. |
| *.dspb.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. |
| *.dspg.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. |
| *.e-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
| *.login.msa.akadns6.net | TLSv1.2 | Used for Microsoft accounts to sign in. |
| *.s-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
| *.telecommand.telemetry.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. |
| *.wac.edgecastcdn.net | TLSv1.2 | Used by the Verizon Content Delivery Network to perform Windows updates. |
| *.wac.phicdn.net | HTTP | Used by the Verizon Content Delivery Network to perform Windows updates. |
| *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). |
| *prod.do.dsp.mp.microsoft.com | TLSv1.2\/HTTPS | Used for Windows Update downloads of apps and OS updates. |
| 3.dl.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
| 3.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. |
| 3.tlu.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. |
| 3.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. |
| arc.msn.com | HTTPS | Used to retrieve Windows Spotlight metadata. |
| arc.msn.com.nsatc.net | TLSv1.3 | Used to retrieve Windows Spotlight metadata. |
| au.download.windowsupdate.com | HTTPS | Used to download operating system patches and updates. |
| b-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| candycrushsoda.king.com | HTTPS | Used for Candy Crush Saga updates. |
| cdn.content.prod.cms.msn.com | HTTP | Used to retrieve Windows Spotlight metadata. |
| cdn.onenote.net | HTTPS | Used for OneNote Live Tile. |
| client-office365-tas.msedge.net | HTTPS | Used to connect to the Office 365 portals shared infrastructure, including Office. |
| config.edge.skype.com | HTTPS | Used to retrieve Skype configuration values. |
| ctldl.windowsupdate.com | HTTP | Used to download certificates that are publicly known to be fraudulent. |
| cs12.<span class="anchor" id="_Hlk500262422"></span>wpc.v0cdn.net | HTTP | Used by the Verizon Content Delivery Network to download content for Windows upgrades with Wireless Planning and Coordination (WPC). |
| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. |
| cy2.settings.data.microsoft.com.akadns.net | TLSv1.2 | Used as a way for apps to dynamically update their configuration. |
| cy2.vortex.data.microsoft.com.akadns.net | TLSv1.2 | Used to retrieve Windows Insider Preview builds. |
| definitionupdates.microsoft.com | HTTPS | Used for Windows Defender definition updates. |
| displaycatalog.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
| download.windowsupdate.com | HTTP | Enables connections to Windows Update. |
| evoke-windowsservices-tas.msedge.net | HTTPS | Used by the Photos app to download configuration files, and to connect to the Office 365 portals shared infrastructure, including Office. |
| fe2.update.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2\/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| fe3.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. |
| fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| fs.microsoft.com | HTTPS | Used to download fonts on demand |
| g.live.com | HTTP | Used by a redirection service to automatically update URLs. |
| g.msn.com | HTTPS | Used to retrieve Windows Spotlight metadata. |
| g.msn.com.nsatc.net | TLSv1.2 | Used to retrieve Windows Spotlight metadata. |
| geo-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
| geover-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
| go.microsoft.com | HTTPS | Used by a redirection service to automatically update URLs. |
| gpla1.wac.v2cdn.net | HTTP | Used for Baltimore CyberTrust Root traffic. . |
| img-prod-cms-rt-microsoft-com.akamaized.net | HTTPS | Used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). |
| licensing.mp.microsoft.com | HTTPS | Used for online activation and some app licensing. |
| location-inference-westus.cloudapp.net | TLSv1.2 | Used for location data. |
| login.live.com | HTTPS | Used to authenticate a device. |
| l-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| mediaredirect.microsoft.com | HTTPS | Used by the Groove Music app to update HTTP handler status. |
| modern.watson.data.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. |
| msnbot-*.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. |
| oem.twimg.com | HTTP | Used for the Twitter Live Tile. |
| oneclient.sfx.ms | HTTP | Used by OneDrive for Business to download and verify app updates. |
| peer1-wst.msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. |
| pti.store.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
| pti.store.microsoft.com.unistore.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
| purchase.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
| ris.api.iris.microsoft.com | HTTPS | Used to retrieve Windows Spotlight metadata. |
| settings-win.data.microsoft.com | HTTPS | Used for Windows apps to dynamically update their configuration. |
| sls.update.microsoft.com | HTTPS | Enables connections to Windows Update. |
| storecatalogrevocation.storequality.microsoft.com | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. |
| storeedgefd.dsx.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
| store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. |
| store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. |
| *.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. |
| ceuswatcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
| ceuswatcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
| eaus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
| eaus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
| weus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
| weus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
| tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. |
| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. |
| v10.vortex-win.data.microsoft.com | HTTPS | Used to retrieve Windows Insider Preview builds. |
| wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. |
| wdcp.microsoft.akadns.net | HTTPS | Used for Windows Defender when Cloud-based Protection is enabled. |
| wildcard.twimg.com | TLSv1.2 | Used for the Twitter Live Tile. |
| www.bing.com | TLSv1.2 | Used for updates for Cortana, apps, and Live Tiles. |
| www.facebook.com | HTTPS | Used for the Facebook Live Tile. |
| [www.microsoft.com](https://www.microsoft.com/) | HTTPS | Used for updates for Cortana, apps, and Live Tiles. |
## Windows 10 Education
| **Destination** | **Protocol** | **Description** |
| --- | --- | --- |
| *.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
| *.b.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. |
| *.c-msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. |
| *.dscb1.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. |
| *.dscd.akamai.net | HTTP | Used to download content. |
| *.dspb.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. |
| *.dspw65.akamai.net | HTTP | Used to download content. |
| *.e-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
| *.g.akamai.net | HTTP | Used to download content. |
| *.g.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. |
| *.l.windowsupdate.com | HTTP | Enables connections to Windows Update. |
| *.s-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
| *.wac.phicdn.net | HTTP | Used by the Verizon Content Delivery Network to perform Windows updates |
| *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). |
| *prod.do.dsp.mp.microsoft.com | TLSv1.2 | Used for Windows Update downloads of apps and OS updates. |
| *prod.do.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Used for Windows Update downloads of apps and OS updates. |
| 3.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. |
| 3.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. |
| a-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| au.download.windowsupdate.com | HTTP | Used to download operating system patches and updates. |
| cdn.onenote.net | HTTPS | Used for OneNote Live Tile. |
| cds.*.hwcdn.net | HTTP | Used by the Highwinds Content Delivery Network to perform Windows updates. |
| co4.telecommand.telemetry.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. |
| config.edge.skype.com | HTTPS | Used to retrieve Skype configuration values. |
| ctldl.windowsupdate.com | HTTP | Used to download certificates that are publicly known to be fraudulent. |
| cs12.wpc.v0cdn.net | HTTP | Used by the Verizon Content Delivery Network to download content for Windows upgrades with Wireless Planning and Coordination (WPC). |
| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. |
| cy2.settings.data.microsoft.com.akadns.net | TLSv1.2 | Used as a way for apps to dynamically update their configuration. |
| cy2.vortex.data.microsoft.com.akadns.net | TLSv1.2 | Used to retrieve Windows Insider Preview builds. |
| dl.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
| download.windowsupdate.com | HTTP | Enables connections to Windows Update. |
| evoke-windowsservices-tas.msedge.net/ab | HTTPS | Used by the Photos app to download configuration files, and to connect to the Office 365 portals shared infrastructure, including Office. |
| fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. |
| fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. |
| fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| g.msn.com.nsatc.net | TLSv1.2\/HTTP | Used to retrieve Windows Spotlight metadata. |
| geo-prod.do.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. |
| geover-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
| go.microsoft.com | HTTPS | Used by a redirection service to automatically update URLs. |
| gpla1.wac.v2cdn.net | HTTP | Used for Baltimore CyberTrust Root traffic. . |
| ipv4.login.msa.akadns6.net | TLSv1.2 | Used for Microsoft accounts to sign in. |
| licensing.mp.microsoft.com | HTTPS | Used for online activation and some app licensing. |
| location-inference-westus.cloudapp.net | TLSv1.2 | Used for location data. |
| login.live.com/* | HTTPS | Used to authenticate a device. |
| l-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| mediaredirect.microsoft.com | HTTPS | Used by the Groove Music app to update HTTP handler status. |
| modern.watson.data.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. |
| msftconnecttest.com/* | HTTP | Used by Network Connection Status Indicator (NCSI) to detect Internet connectivity and corporate network connectivity status. |
| msnbot-65-52-108-198.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. |
| oneclient.sfx.ms | HTTP | Used by OneDrive for Business to download and verify app updates. |
| peer1-wst.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| pti.store.microsoft.com.unistore.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. |
| settings-win.data.microsoft.com | HTTPS | Used for Windows apps to dynamically update their configuration. |
| sls.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. |
| store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. |
| tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. |
| *.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. |
| ceuswatcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
| ceuswatcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
| eaus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
| eaus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
| weus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
| weus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
| tsfe.trafficshaping.dsp.mp.microsoft.com | TLSv1.2 | Used for content regulation. |
| wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. |
| wdcp.microsoft.akadns.net | TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled. |
| www.bing.com | HTTPS | Used for updates for Cortana, apps, and Live Tiles. |

330
windows/privacy/windows-endpoints-1803-non-enterprise-editions.md
View File

@ -1,165 +1,165 @@
---
title: Windows 10, version 1803, connection endpoints for non-Enterprise editions
description: Explains what Windows 10 endpoints are used in non-Enterprise editions.
keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.localizationpriority: high
audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 6/26/2018
ms.reviewer:
---
# Windows 10, version 1803, connection endpoints for non-Enterprise editions
**Applies to**
- Windows 10 Home, version 1803
- Windows 10 Professional, version 1803
- Windows 10 Education, version 1803
In addition to the endpoints listed for [Windows 10 Enterprise](manage-windows-endpoints.md), the following endpoints are available on other editions of Windows 10, version 1803.
We used the following methodology to derive these network endpoints:
1. Set up the latest version of Windows 10 on a test virtual machine using the default settings.
2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device).
3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
4. Compile reports on traffic going to public IP addresses.
5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory.
6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here.
> [!NOTE]
> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time.
## Windows 10 Family
| **Destination** | **Protocol** | **Description** |
| --- | --- | --- |
| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. |
| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| *.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/ | HTTP | Enables connections to Windows Update. |
| arc.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. |
| arc.msn.com/v3/Delivery/Placement | HTTPS | Used to retrieve Windows Spotlight metadata. |
| client-office365-tas.msedge.net* | HTTPS | Used to connect to the Office 365 portals shared infrastructure, including Office. |
| config.edge.skype.com/config/* | HTTPS | Used to retrieve Skype configuration values. |
| ctldl.windowsupdate.com/msdownload/update* | HTTP | Used to download certificates that are publicly known to be fraudulent. |
| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
| displaycatalog.mp.microsoft.com* | HTTPS | Used to communicate with Microsoft Store. |
| dm3p.wns.notify.windows.com.akadns.net | HTTPS | Used for the Windows Push Notification Services (WNS). |
| fe2.update.microsoft.com* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| fe3.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| g.live.com/odclientsettings/Prod | HTTPS | Used by OneDrive for Business to download and verify app updates. |
| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. |
| geo-prod.dodsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update. |
| ip5.afdorigin-prod-am02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic. |
| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. |
| licensing.mp.microsoft.com/v7.0/licenses/content | HTTPS | Used for online activation and some app licensing. |
| location-inference-westus.cloudapp.net | HTTPS | Used for location data. |
| maps.windows.com/windows-app-web-link | HTTPS | Link to Maps application. |
| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. |
| ocos-office365-s2s.msedge.net* | HTTPS | Used to connect to the Office 365 portal's shared infrastructure. |
| ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. |
| oneclient.sfx.ms* | HTTPS | Used by OneDrive for Business to download and verify app updates. |
| onecollector.cloudapp.aria.akadns.net | HTTPS | Office Telemetry |
| prod.nexusrules.live.com.akadns.net | HTTPS | Office Telemetry |
| query.prod.cms.rt.microsoft.com* | HTTPS | Used to retrieve Windows Spotlight metadata. |
| ris.api.iris.microsoft.com* | HTTPS | Used to retrieve Windows Spotlight metadata. |
| settings.data.microsoft.com/settings/v2.0/* | HTTPS | Used for Windows apps to dynamically update their configuration. |
| settings-win.data.microsoft.com/settings/* | HTTPS | Used as a way for apps to dynamically update their configuration.  |
| share.microsoft.com/windows-app-web-link | HTTPS | Traffic related to Books app |
| sls.update.microsoft.com* | HTTPS | Enables connections to Windows Update. |
| storecatalogrevocation.storequality.microsoft.com* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. |
| storeedgefd.dsx.mp.microsoft.com* | HTTPS | Used to communicate with Microsoft Store. |
| tile-service.weather.microsoft.com* | HTTP | Used to download updates to the Weather app Live Tile. |
| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. |
| us.configsvc1.live.com.akadns.net | HTTPS | Microsoft Office configuration related traffic |
| watson.telemetry.microsoft.com/Telemetry.Request | HTTPS | Used by Windows Error Reporting. |
| wd-prod-cp-us-east-2-fe.eastus.cloudapp.azure.com | HTTPS | Azure front end traffic |
## Windows 10 Pro
| **Destination** | **Protocol** | **Description** |
| --- | --- | --- |
| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. |
| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| *.tlu.dl.delivery.mp.microsoft.com/* | HTTP | Enables connections to Windows Update. |
| *geo-prod.dodsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update. |
| arc.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. |
| au.download.windowsupdate.com/* | HTTP | Enables connections to Windows Update. |
| ctldl.windowsupdate.com/msdownload/update/* | HTTP | Used to download certificates that are publicly known to be fraudulent. |
| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
| dm3p.wns.notify.windows.com.akadns.net | HTTPS | Used for the Windows Push Notification Services (WNS) |
| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| flightingservicewus.cloudapp.net | HTTPS | Insider Program |
| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. |
| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. |
| location-inference-westus.cloudapp.net | HTTPS | Used for location data. |
| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. |
| ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. |
| onecollector.cloudapp.aria.akadns.net | HTTPS | Office Telemetry |
| ris.api.iris.microsoft.com.akadns.net | HTTPS | Used to retrieve Windows Spotlight metadata. |
| tile-service.weather.microsoft.com/* | HTTP | Used to download updates to the Weather app Live Tile. |
| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. |
| vip5.afdorigin-prod-am02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic |
## Windows 10 Education
| **Destination** | **Protocol** | **Description** |
| --- | --- | --- |
| *.b.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. |
| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. |
| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| *.telecommand.telemetry.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. |
| *.tlu.dl.delivery.mp.microsoft.com* | HTTP | Enables connections to Windows Update. |
| *.windowsupdate.com* | HTTP | Enables connections to Windows Update. |
| *geo-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
| au.download.windowsupdate.com* | HTTP | Enables connections to Windows Update. |
| cdn.onenote.net/livetile/* | HTTPS | Used for OneNote Live Tile. |
| client-office365-tas.msedge.net/* | HTTPS | Used to connect to the Office 365 portals shared infrastructure, including Office. |
| cloudtile.photos.microsoft.com.akadns.net | HTTPS | Photos App in MS Store
| config.edge.skype.com/* | HTTPS | Used to retrieve Skype configuration values.  |
| ctldl.windowsupdate.com/* | HTTP | Used to download certificates that are publicly known to be fraudulent. |
| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
| displaycatalog.mp.microsoft.com/* | HTTPS | Used to communicate with Microsoft Store. |
| download.windowsupdate.com/* | HTTPS | Enables connections to Windows Update. |
| emdl.ws.microsoft.com/* | HTTP | Used to download apps from the Microsoft Store. |
| fe2.update.microsoft.com/* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| fe3.delivery.mp.microsoft.com/* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| flightingservicewus.cloudapp.net | HTTPS | Insider Program |
| g.live.com/odclientsettings/* | HTTPS | Used by OneDrive for Business to download and verify app updates. |
| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. |
| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. |
| licensing.mp.microsoft.com/* | HTTPS | Used for online activation and some app licensing. |
| maps.windows.com/windows-app-web-link | HTTPS | Link to Maps application |
| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. |
| ocos-office365-s2s.msedge.net/* | HTTPS | Used to connect to the Office 365 portal's shared infrastructure. |
| ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. |
| oneclient.sfx.ms/* | HTTPS | Used by OneDrive for Business to download and verify app updates. |
| onecollector.cloudapp.aria.akadns.net | HTTPS | Office telemetry |
| settings-win.data.microsoft.com/settings/* | HTTPS | Used as a way for apps to dynamically update their configuration. |
| share.microsoft.com/windows-app-web-link | HTTPS | Traffic related to Books app |
| sls.update.microsoft.com/* | HTTPS | Enables connections to Windows Update. |
| storecatalogrevocation.storequality.microsoft.com/* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. |
| tile-service.weather.microsoft.com/* | HTTP | Used to download updates to the Weather app Live Tile. |
| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. |
| vip5.afdorigin-prod-ch02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic. |
| watson.telemetry.microsoft.com/Telemetry.Request | HTTPS | Used by Windows Error Reporting. |
| wd-prod-cp-us-west-3-fe.westus.cloudapp.azure.com | HTTPS | Azure front end traffic |
| www.bing.com/* | HTTPS | Used for updates for Cortana, apps, and Live Tiles. |
---
title: Windows 10, version 1803, connection endpoints for non-Enterprise editions
description: Explains what Windows 10 endpoints are used in non-Enterprise editions.
keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.localizationpriority: high
audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 6/26/2018
ms.reviewer:
---
# Windows 10, version 1803, connection endpoints for non-Enterprise editions
**Applies to**
- Windows 10 Home, version 1803
- Windows 10 Professional, version 1803
- Windows 10 Education, version 1803
In addition to the endpoints listed for [Windows 10 Enterprise](manage-windows-endpoints.md), the following endpoints are available on other editions of Windows 10, version 1803.
We used the following methodology to derive these network endpoints:
1. Set up the latest version of Windows 10 on a test virtual machine using the default settings.
2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device).
3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
4. Compile reports on traffic going to public IP addresses.
5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory.
6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here.
> [!NOTE]
> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time.
## Windows 10 Family
| **Destination** | **Protocol** | **Description** |
| --- | --- | --- |
| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. |
| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| *.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/ | HTTP | Enables connections to Windows Update. |
| arc.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. |
| arc.msn.com/v3/Delivery/Placement | HTTPS | Used to retrieve Windows Spotlight metadata. |
| client-office365-tas.msedge.net* | HTTPS | Used to connect to the Office 365 portals shared infrastructure, including Office. |
| config.edge.skype.com/config/* | HTTPS | Used to retrieve Skype configuration values. |
| ctldl.windowsupdate.com/msdownload/update* | HTTP | Used to download certificates that are publicly known to be fraudulent. |
| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
| displaycatalog.mp.microsoft.com* | HTTPS | Used to communicate with Microsoft Store. |
| dm3p.wns.notify.windows.com.akadns.net | HTTPS | Used for the Windows Push Notification Services (WNS). |
| fe2.update.microsoft.com* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| fe3.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| g.live.com/odclientsettings/Prod | HTTPS | Used by OneDrive for Business to download and verify app updates. |
| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. |
| geo-prod.dodsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update. |
| ip5.afdorigin-prod-am02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic. |
| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. |
| licensing.mp.microsoft.com/v7.0/licenses/content | HTTPS | Used for online activation and some app licensing. |
| location-inference-westus.cloudapp.net | HTTPS | Used for location data. |
| maps.windows.com/windows-app-web-link | HTTPS | Link to Maps application. |
| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. |
| ocos-office365-s2s.msedge.net* | HTTPS | Used to connect to the Office 365 portal's shared infrastructure. |
| ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. |
| oneclient.sfx.ms* | HTTPS | Used by OneDrive for Business to download and verify app updates. |
| onecollector.cloudapp.aria.akadns.net | HTTPS | Office Telemetry |
| prod.nexusrules.live.com.akadns.net | HTTPS | Office Telemetry |
| query.prod.cms.rt.microsoft.com* | HTTPS | Used to retrieve Windows Spotlight metadata. |
| ris.api.iris.microsoft.com* | HTTPS | Used to retrieve Windows Spotlight metadata. |
| settings.data.microsoft.com/settings/v2.0/* | HTTPS | Used for Windows apps to dynamically update their configuration. |
| settings-win.data.microsoft.com/settings/* | HTTPS | Used as a way for apps to dynamically update their configuration.  |
| share.microsoft.com/windows-app-web-link | HTTPS | Traffic related to Books app |
| sls.update.microsoft.com* | HTTPS | Enables connections to Windows Update. |
| storecatalogrevocation.storequality.microsoft.com* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. |
| storeedgefd.dsx.mp.microsoft.com* | HTTPS | Used to communicate with Microsoft Store. |
| tile-service.weather.microsoft.com* | HTTP | Used to download updates to the Weather app Live Tile. |
| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. |
| us.configsvc1.live.com.akadns.net | HTTPS | Microsoft Office configuration related traffic |
| watson.telemetry.microsoft.com/Telemetry.Request | HTTPS | Used by Windows Error Reporting. |
| wd-prod-cp-us-east-2-fe.eastus.cloudapp.azure.com | HTTPS | Azure front end traffic |
## Windows 10 Pro
| **Destination** | **Protocol** | **Description** |
| --- | --- | --- |
| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. |
| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| *.tlu.dl.delivery.mp.microsoft.com/* | HTTP | Enables connections to Windows Update. |
| *geo-prod.dodsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update. |
| arc.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. |
| au.download.windowsupdate.com/* | HTTP | Enables connections to Windows Update. |
| ctldl.windowsupdate.com/msdownload/update/* | HTTP | Used to download certificates that are publicly known to be fraudulent. |
| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
| dm3p.wns.notify.windows.com.akadns.net | HTTPS | Used for the Windows Push Notification Services (WNS) |
| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| flightingservicewus.cloudapp.net | HTTPS | Insider Program |
| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. |
| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. |
| location-inference-westus.cloudapp.net | HTTPS | Used for location data. |
| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. |
| ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. |
| onecollector.cloudapp.aria.akadns.net | HTTPS | Office Telemetry |
| ris.api.iris.microsoft.com.akadns.net | HTTPS | Used to retrieve Windows Spotlight metadata. |
| tile-service.weather.microsoft.com/* | HTTP | Used to download updates to the Weather app Live Tile. |
| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. |
| vip5.afdorigin-prod-am02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic |
## Windows 10 Education
| **Destination** | **Protocol** | **Description** |
| --- | --- | --- |
| *.b.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. |
| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. |
| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| *.telecommand.telemetry.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. |
| *.tlu.dl.delivery.mp.microsoft.com* | HTTP | Enables connections to Windows Update. |
| *.windowsupdate.com* | HTTP | Enables connections to Windows Update. |
| *geo-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
| au.download.windowsupdate.com* | HTTP | Enables connections to Windows Update. |
| cdn.onenote.net/livetile/* | HTTPS | Used for OneNote Live Tile. |
| client-office365-tas.msedge.net/* | HTTPS | Used to connect to the Office 365 portals shared infrastructure, including Office. |
| cloudtile.photos.microsoft.com.akadns.net | HTTPS | Photos App in MS Store
| config.edge.skype.com/* | HTTPS | Used to retrieve Skype configuration values.  |
| ctldl.windowsupdate.com/* | HTTP | Used to download certificates that are publicly known to be fraudulent. |
| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
| displaycatalog.mp.microsoft.com/* | HTTPS | Used to communicate with Microsoft Store. |
| download.windowsupdate.com/* | HTTPS | Enables connections to Windows Update. |
| emdl.ws.microsoft.com/* | HTTP | Used to download apps from the Microsoft Store. |
| fe2.update.microsoft.com/* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| fe3.delivery.mp.microsoft.com/* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| flightingservicewus.cloudapp.net | HTTPS | Insider Program |
| g.live.com/odclientsettings/* | HTTPS | Used by OneDrive for Business to download and verify app updates. |
| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. |
| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. |
| licensing.mp.microsoft.com/* | HTTPS | Used for online activation and some app licensing. |
| maps.windows.com/windows-app-web-link | HTTPS | Link to Maps application |
| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. |
| ocos-office365-s2s.msedge.net/* | HTTPS | Used to connect to the Office 365 portal's shared infrastructure. |
| ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. |
| oneclient.sfx.ms/* | HTTPS | Used by OneDrive for Business to download and verify app updates. |
| onecollector.cloudapp.aria.akadns.net | HTTPS | Office telemetry |
| settings-win.data.microsoft.com/settings/* | HTTPS | Used as a way for apps to dynamically update their configuration. |
| share.microsoft.com/windows-app-web-link | HTTPS | Traffic related to Books app |
| sls.update.microsoft.com/* | HTTPS | Enables connections to Windows Update. |
| storecatalogrevocation.storequality.microsoft.com/* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. |
| tile-service.weather.microsoft.com/* | HTTP | Used to download updates to the Weather app Live Tile. |
| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. |
| vip5.afdorigin-prod-ch02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic. |
| watson.telemetry.microsoft.com/Telemetry.Request | HTTPS | Used by Windows Error Reporting. |
| wd-prod-cp-us-west-3-fe.westus.cloudapp.azure.com | HTTPS | Azure front end traffic |
| www.bing.com/* | HTTPS | Used for updates for Cortana, apps, and Live Tiles. |

816
windows/privacy/windows-personal-data-services-configuration.md
View File

@ -1,408 +1,408 @@
---
title: Windows 10 personal data services configuration
description: An overview of Windows 10 services configuration settings that are used for personal data privacy protection relevant for regulations, such as the General Data Protection Regulation (GDPR)
keywords: privacy, GDPR, windows, IT
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: high
audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 05/11/2018
ms.reviewer:
---
# Windows 10 personal data services configuration
Applies to:
- Windows 10, version 1803
Microsoft assembled a list of Windows 10 services configuration settings that are useful for personal data privacy protection and related regulations, such as the General Data Protection Regulation (GDPR). There is one section with settings for service data that is managed at Microsoft and a section for local data that is managed by an IT organization.
IT Professionals that are interested in applying these settings via group policies can find the configuration for download [here](https://go.microsoft.com/fwlink/?linkid=874149).
## Introduction
Microsoft collects data from or generates it through interactions with users of Windows 10 devices. This information can contain personal data that may be used to provide, support, and improve Windows 10 services.
Many Windows 10 services are controller services. A user can manage data collection settings, for example by opening *Start > Settings > Privacy* or by visiting the [Microsoft Privacy dashboard](https://account.microsoft.com/privacy). While this relationship between Microsoft and a user is evident in a consumer type scenario, an IT organization can influence that relationship. For example, the IT department has the ability to configure the Windows diagnostic data level across their organization by using Group Policy, registry, or Mobile Device Management (MDM) settings.
Below is a collection of settings related to the Windows 10 personal data services configuration that IT Professionals can use as guidance for influencing Windows diagnostic data collection and personal data protection.
## Windows diagnostic data
Windows 10 collects Windows diagnostic data—such as usage data, performance data, inking, typing, and utterance data—and sends it back to Microsoft. That data is used for keeping the operating system secure and up-to-date, to troubleshoot problems, and to make product improvements. For users who have turned on "Tailored experiences", that data can also be used to offer personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs.
The following options for configuring Windows diagnostic data are relevant in this context.
### Diagnostic level
This setting determines the amount of Windows diagnostic data sent to Microsoft.
>[!NOTE]
>In Windows 10, version 1709, Microsoft introduced a new feature: “Limit Enhanced diagnostic data to the minimum required by Windows Analytics”. When enabled, this feature limits the operating system diagnostic data events included in the Enhanced level to the smallest set of data required by [Windows Analytics](https://www.microsoft.com/windowsforbusiness/windows-analytics). For more information on the Enhanced level, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md).
#### Group Policy
> [!div class="mx-tableFixed"]
>| | |
>|:-|:-|
>| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds |
>| **Policy Name** | Allow Telemetry |
>| **Default setting** | 2 - Enhanced |
>| **Recommended** | 2 - Enhanced |
> [!div class="mx-tableFixed"]
>| | |
>|:-|:-|
>| **Group Policy** | User Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds |
>| **Policy Name** | Allow Telemetry |
>| **Default setting** | 2 - Enhanced |
>| **Recommended** | 2 - Enhanced |
>[!NOTE]
>When both the Computer Configuration policy and User Configuration policy are set, the more restrictive policy is used.
#### Registry
> [!div class="mx-tableFixed"]
>| | |
>|:-|:-|
>| **Registry key** | HKLM\Software\Policies\Microsoft\Windows\DataCollection |
>| **Value** | AllowTelemetry |
>| **Type** | REG_DWORD |
>| **Setting** | "00000002" |
> [!div class="mx-tableFixed"]
>| | |
>|:-|:-|
>| **Registry key** | HKCU\Software\Policies\Microsoft\Windows\DataCollection |
>| **Value** | AllowTelemetry |
>| **Type** | REG_DWORD |
>| **Setting** | "00000002" |
#### MDM
> [!div class="mx-tableFixed"]
>| | |
>|:-|:-|
>| **MDM CSP** | System |
>| **Policy** | AllowTelemetry (scope: device and user) |
>| **Default setting** | 2 Enhanced |
>| **Recommended** | 2 Allowed |
### Diagnostic opt-in change notifications
This setting determines whether a device shows notifications about Windows diagnostic data levels to people on first logon or when changes occur in the diagnostic configuration.
#### Group Policy
> [!div class="mx-tableFixed"]
>| | |
>|:-|:-|
>| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds |
>| **Policy Name** | Configure telemetry opt-in change notifications |
>| **Default setting** | Enabled |
>| **Recommended** | Enabled |
#### Registry
> [!div class="mx-tableFixed"]
>| | |
>|:-|:-|
>| **Registry key** | HKLM\Software\Policies\Microsoft\Windows\DataCollection |
>| **Value** | DisableTelemetryOptInChangeNotification |
>| **Type** | REG_DWORD |
>| **Setting** | "00000000" |
#### MDM
> [!div class="mx-tableFixed"]
>| | |
>|:-|:-|
>| **MDM CSP** | System |
>| **Policy** | ConfigureTelemetryOptInChangeNotification |
>| **Default setting** | 0 Enabled |
>| **Recommended** | 0 Enabled |
### Configure telemetry opt-in setting user interface
This setting determines whether people can change their own Windows diagnostic data level in *Start > Settings > Privacy > Diagnostics & feedback*.
#### Group Policy
> [!div class="mx-tableFixed"]
>| | |
>|:-|:-|
>| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds |
>| **Policy Name** | Configure telemetry opt-in setting user interface |
>| **Default setting** | Enabled |
>| **Recommended** | Enabled |
#### Registry
> [!div class="mx-tableFixed"]
>| | |
>|:-|:-|
>| **Registry key** | HKLM\Software\Policies\Microsoft\Windows\DataCollection |
>| **Value** | DisableTelemetryOptInSettingsUx |
>| **Type** | REG_DWORD |
>| **Setting** | "00000001" |
#### MDM
> [!div class="mx-tableFixed"]
>| | |
>|:-|:-|
>| **MDM CSP** | System |
>| **Policy** | ConfigureTelemetryOptInSettingsUx |
>| **Default setting** | 0 Enabled |
>| **Recommended** | 0 Enabled |
## Policies affecting personal data protection managed by the Enterprise IT
There are additional settings usually managed by the Enterprise IT that also affect the protection of personal data.
The following options for configuring these policies are relevant in this context.
### BitLocker
The following settings determine whether fixed and removable drives are protected by the BitLocker Drive Encryption.
#### Fixed Data Drives
#### Group Policy
> [!div class="mx-tableFixed"]
>| | |
>|:-|:-|
>| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Bitlocker Drive Encryption\Fixed Data Drives |
>| **Policy Name** | Deny write access to fixed drives not protected by BitLocker |
>| **Default setting** | Not configured |
>| **Recommended** | Enabled |
#### Registry
> [!div class="mx-tableFixed"]
>| | |
>|:-|:-|
>| **Registry key** | HKLM\System\CurrentControlSet\Policies\Microsoft\FVE |
>| **Value** | FDVDenyWriteAccess |
>| **Type** | REG_DWORD |
>| **Setting** | "00000001" |
#### MDM
> [!div class="mx-tableFixed"]
>| | |
>|:-|:-|
>| **MDM CSP** | BitLocker |
>| **Policy** | FixedDrivesRequireEncryption |
>| **Default setting** | Disabled |
>| **Recommended** | Enabled (see [instructions](/windows/client-management/mdm/bitlocker-csp#fixeddrivesrequireencryption)) |
#### Removable Data Drives
#### Group Policy
> [!div class="mx-tableFixed"]
>| | |
>|:-|:-|
>| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Bitlocker Drive Encryption\Removable Data Drives |
>| **Policy Name** | Deny write access to removable drives not protected by BitLocker |
>| **Default setting** | Not configured |
>| **Recommended** | Enabled |
#### Registry
> [!div class="mx-tableFixed"]
>| | |
>|:-|:-|
>| **Registry key** | HKLM\System\CurrentControlSet\Policies\Microsoft\FVE |
>| **Value** | RDVDenyWriteAccess |
>| **Type** | REG_DWORD |
>| **Setting** | "00000001" |
> [!div class="mx-tableFixed"]
>| | |
>|:-|:-|
>| **Registry key** | HKLM\Software\Policies\Microsoft\FVE |
>| **Value** | RDVDenyCrossOrg |
>| **Type** | REG_DWORD |
>| **Setting** | "00000000" |
#### MDM
> [!div class="mx-tableFixed"]
>| | |
>|:-|:-|
>| **MDM CSP** | BitLocker |
>| **Policy** | RemovableDrivesRequireEncryption |
>| **Default setting** | Disabled |
>| **Recommended** | Enabled (see [instructions](/windows/client-management/mdm/bitlocker-csp#removabledrivesrequireencryption)) |
### Privacy AdvertisingID
This setting determines if the advertising ID, which preventing apps from using the ID for experiences across apps, is turned off.
#### Group Policy
> [!div class="mx-tableFixed"]
>| | |
>|:-|:-|
>| **Group Policy** | Computer Configuration\Administrative Templates\System\User Profiles |
>| **Policy Name** | Turn off the advertising ID |
>| **Default setting** | Not configured |
>| **Recommended** | Enabled |
#### Registry
> [!div class="mx-tableFixed"]
>| | |
>|:-|:-|
>| **Registry key** | HKLM\Software\Policies\Microsoft\Windows\AdvertisingInfo |
>| **Value** | DisabledByGroupPolicy |
>| **Type** | REG_DWORD |
>| **Setting** | "00000001" |
#### MDM
> [!div class="mx-tableFixed"]
>| | |
>|:-|:-|
>| **MDM CSP** | Privacy |
>| **Policy** | DisableAdvertisingId |
>| **Default setting** | 65535 (default) - Not configured |
>| **Recommended** | 1 Enabled |
### Edge
These settings whether employees send “Do Not Track” from the Microsoft Edge web browser to websites.
>[!NOTE]
>Please see [this Microsoft blog post](https://blogs.microsoft.com/on-the-issues/2015/04/03/an-update-on-microsofts-approach-to-do-not-track/) for more details on why the “Do Not Track” is no longer the default setting.
#### Group Policy
> [!div class="mx-tableFixed"]
>| | |
>|:-|:-|
>| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Microsoft Edge |
>| **Policy Name** | Configure Do Not Track |
>| **Default setting** | Disabled |
>| **Recommended** | Disabled |
> [!div class="mx-tableFixed"]
>| | |
>|:-|:-|
>| **Group Policy** | User Configuration\Administrative Templates\Windows Components\Microsoft Edge |
>| **Policy Name** | Configure Do Not Track |
>| **Default setting** | Disabled |
>| **Recommended** | Disabled |
#### Registry
> [!div class="mx-tableFixed"]
>| | |
>|:-|:-|
>| **Registry key** | HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main |
>| **Value** | DoNotTrack |
>| **Type** | REG_DWORD |
>| **Setting** | "00000000" |
> [!div class="mx-tableFixed"]
>| | |
>|:-|:-|
>| **Registry key** | HKCU\Software\Policies\Microsoft\MicrosoftEdge\Main |
>| **Value** | DoNotTrack |
>| **Type** | REG_DWORD |
>| **Setting** | "00000000" |
#### MDM
> [!div class="mx-tableFixed"]
>| | |
>|:-|:-|
>| **MDM CSP** | Browser |
>| **Policy** | AllowDoNotTrack (scope: device + user) |
>| **Default setting** | 0 (default) Not allowed |
>| **Recommended** | 0 Not allowed |
### Internet Explorer
These settings whether employees send “Do Not Track” header from the Microsoft Explorer web browser to websites.
#### Group Policy
> [!div class="mx-tableFixed"]
>| | |
>|:-|:-|
>| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |
>| **Policy Name** | Always send Do Not Track header |
>| **Default setting** | Disabled |
>| **Recommended** | Disabled |
> [!div class="mx-tableFixed"]
>|||
>|:-|:-|
>| **Group Policy** | User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |
>| **Policy Name** | Always send Do Not Track header |
>| **Default setting** | Disabled |
>| **Recommended** | Disabled |
#### Registry
> [!div class="mx-tableFixed"]
>|||
>|:-|:-|
>| **Registry key** | HKLM\Software\Policies\Microsoft\Internet Explorer\Main |
>| **Value** | DoNotTrack |
>| **Type** | REG_DWORD |
>| **Setting** | "00000000" |
> [!div class="mx-tableFixed"]
>|||
>|:-|:-|
>| **Registry key** | HKCU\Software\Policies\Microsoft\Internet Explorer\Main |
>| **Value** | DoNotTrack |
>| **Type** | REG_DWORD |
>| **Setting** | "00000000" |
#### MDM
> [!div class="mx-tableFixed"]
>|||
>|:-|:-|
>| **MDM CSP** | N/A |
## Additional resources
### FAQs
* [Windows 10 feedback, diagnostics, and privacy](https://privacy.microsoft.com/windows-10-feedback-diagnostics-and-privacy)
* [Microsoft Edge and privacy](https://privacy.microsoft.com/windows-10-microsoft-edge-and-privacy)
* [Windows Hello and privacy](https://privacy.microsoft.com/windows-10-windows-hello-and-privacy)
* [Wi-Fi Sense](https://privacy.microsoft.com/windows-10-about-wifi-sense)
### Blogs
* [Privacy and Windows 10](https://blogs.windows.com/windowsexperience/2015/09/28/privacy-and-windows-10)
### Privacy Statement
* [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement)
### Windows Privacy on docs.microsoft.com
* [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
* [Manage Windows 10 connection endpoints](manage-windows-endpoints.md)
* [Understanding Windows diagnostic data](configure-windows-diagnostic-data-in-your-organization.md#understanding-windows-diagnostic-data)
* [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md)
### Other resources
* [Privacy at Microsoft](https://privacy.microsoft.com/)
---
title: Windows 10 personal data services configuration
description: An overview of Windows 10 services configuration settings that are used for personal data privacy protection relevant for regulations, such as the General Data Protection Regulation (GDPR)
keywords: privacy, GDPR, windows, IT
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: high
audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 05/11/2018
ms.reviewer:
---
# Windows 10 personal data services configuration
Applies to:
- Windows 10, version 1803
Microsoft assembled a list of Windows 10 services configuration settings that are useful for personal data privacy protection and related regulations, such as the General Data Protection Regulation (GDPR). There is one section with settings for service data that is managed at Microsoft and a section for local data that is managed by an IT organization.
IT Professionals that are interested in applying these settings via group policies can find the configuration for download [here](https://go.microsoft.com/fwlink/?linkid=874149).
## Introduction
Microsoft collects data from or generates it through interactions with users of Windows 10 devices. This information can contain personal data that may be used to provide, support, and improve Windows 10 services.
Many Windows 10 services are controller services. A user can manage data collection settings, for example by opening *Start > Settings > Privacy* or by visiting the [Microsoft Privacy dashboard](https://account.microsoft.com/privacy). While this relationship between Microsoft and a user is evident in a consumer type scenario, an IT organization can influence that relationship. For example, the IT department has the ability to configure the Windows diagnostic data level across their organization by using Group Policy, registry, or Mobile Device Management (MDM) settings.
Below is a collection of settings related to the Windows 10 personal data services configuration that IT Professionals can use as guidance for influencing Windows diagnostic data collection and personal data protection.
## Windows diagnostic data
Windows 10 collects Windows diagnostic data—such as usage data, performance data, inking, typing, and utterance data—and sends it back to Microsoft. That data is used for keeping the operating system secure and up-to-date, to troubleshoot problems, and to make product improvements. For users who have turned on "Tailored experiences", that data can also be used to offer personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs.
The following options for configuring Windows diagnostic data are relevant in this context.
### Diagnostic level
This setting determines the amount of Windows diagnostic data sent to Microsoft.
>[!NOTE]
>In Windows 10, version 1709, Microsoft introduced a new feature: “Limit Enhanced diagnostic data to the minimum required by Windows Analytics”. When enabled, this feature limits the operating system diagnostic data events included in the Enhanced level to the smallest set of data required by [Windows Analytics](https://www.microsoft.com/windowsforbusiness/windows-analytics). For more information on the Enhanced level, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md).
#### Group Policy
> [!div class="mx-tableFixed"]
>| | |
>|:-|:-|
>| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds |
>| **Policy Name** | Allow Telemetry |
>| **Default setting** | 2 - Enhanced |
>| **Recommended** | 2 - Enhanced |
> [!div class="mx-tableFixed"]
>| | |
>|:-|:-|
>| **Group Policy** | User Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds |
>| **Policy Name** | Allow Telemetry |
>| **Default setting** | 2 - Enhanced |
>| **Recommended** | 2 - Enhanced |
>[!NOTE]
>When both the Computer Configuration policy and User Configuration policy are set, the more restrictive policy is used.
#### Registry
> [!div class="mx-tableFixed"]
>| | |
>|:-|:-|
>| **Registry key** | HKLM\Software\Policies\Microsoft\Windows\DataCollection |
>| **Value** | AllowTelemetry |
>| **Type** | REG_DWORD |
>| **Setting** | "00000002" |
> [!div class="mx-tableFixed"]
>| | |
>|:-|:-|
>| **Registry key** | HKCU\Software\Policies\Microsoft\Windows\DataCollection |
>| **Value** | AllowTelemetry |
>| **Type** | REG_DWORD |
>| **Setting** | "00000002" |
#### MDM
> [!div class="mx-tableFixed"]
>| | |
>|:-|:-|
>| **MDM CSP** | System |
>| **Policy** | AllowTelemetry (scope: device and user) |
>| **Default setting** | 2 Enhanced |
>| **Recommended** | 2 Allowed |
### Diagnostic opt-in change notifications
This setting determines whether a device shows notifications about Windows diagnostic data levels to people on first logon or when changes occur in the diagnostic configuration.
#### Group Policy
> [!div class="mx-tableFixed"]
>| | |
>|:-|:-|
>| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds |
>| **Policy Name** | Configure telemetry opt-in change notifications |
>| **Default setting** | Enabled |
>| **Recommended** | Enabled |
#### Registry
> [!div class="mx-tableFixed"]
>| | |
>|:-|:-|
>| **Registry key** | HKLM\Software\Policies\Microsoft\Windows\DataCollection |
>| **Value** | DisableTelemetryOptInChangeNotification |
>| **Type** | REG_DWORD |
>| **Setting** | "00000000" |
#### MDM
> [!div class="mx-tableFixed"]
>| | |
>|:-|:-|
>| **MDM CSP** | System |
>| **Policy** | ConfigureTelemetryOptInChangeNotification |
>| **Default setting** | 0 Enabled |
>| **Recommended** | 0 Enabled |
### Configure telemetry opt-in setting user interface
This setting determines whether people can change their own Windows diagnostic data level in *Start > Settings > Privacy > Diagnostics & feedback*.
#### Group Policy
> [!div class="mx-tableFixed"]
>| | |
>|:-|:-|
>| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds |
>| **Policy Name** | Configure telemetry opt-in setting user interface |
>| **Default setting** | Enabled |
>| **Recommended** | Enabled |
#### Registry
> [!div class="mx-tableFixed"]
>| | |
>|:-|:-|
>| **Registry key** | HKLM\Software\Policies\Microsoft\Windows\DataCollection |
>| **Value** | DisableTelemetryOptInSettingsUx |
>| **Type** | REG_DWORD |
>| **Setting** | "00000001" |
#### MDM
> [!div class="mx-tableFixed"]
>| | |
>|:-|:-|
>| **MDM CSP** | System |
>| **Policy** | ConfigureTelemetryOptInSettingsUx |
>| **Default setting** | 0 Enabled |
>| **Recommended** | 0 Enabled |
## Policies affecting personal data protection managed by the Enterprise IT
There are additional settings usually managed by the Enterprise IT that also affect the protection of personal data.
The following options for configuring these policies are relevant in this context.
### BitLocker
The following settings determine whether fixed and removable drives are protected by the BitLocker Drive Encryption.
#### Fixed Data Drives
#### Group Policy
> [!div class="mx-tableFixed"]
>| | |
>|:-|:-|
>| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Bitlocker Drive Encryption\Fixed Data Drives |
>| **Policy Name** | Deny write access to fixed drives not protected by BitLocker |
>| **Default setting** | Not configured |
>| **Recommended** | Enabled |
#### Registry
> [!div class="mx-tableFixed"]
>| | |
>|:-|:-|
>| **Registry key** | HKLM\System\CurrentControlSet\Policies\Microsoft\FVE |
>| **Value** | FDVDenyWriteAccess |
>| **Type** | REG_DWORD |
>| **Setting** | "00000001" |
#### MDM
> [!div class="mx-tableFixed"]
>| | |
>|:-|:-|
>| **MDM CSP** | BitLocker |
>| **Policy** | FixedDrivesRequireEncryption |
>| **Default setting** | Disabled |
>| **Recommended** | Enabled (see [instructions](/windows/client-management/mdm/bitlocker-csp#fixeddrivesrequireencryption)) |
#### Removable Data Drives
#### Group Policy
> [!div class="mx-tableFixed"]
>| | |
>|:-|:-|
>| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Bitlocker Drive Encryption\Removable Data Drives |
>| **Policy Name** | Deny write access to removable drives not protected by BitLocker |
>| **Default setting** | Not configured |
>| **Recommended** | Enabled |
#### Registry
> [!div class="mx-tableFixed"]
>| | |
>|:-|:-|
>| **Registry key** | HKLM\System\CurrentControlSet\Policies\Microsoft\FVE |
>| **Value** | RDVDenyWriteAccess |
>| **Type** | REG_DWORD |
>| **Setting** | "00000001" |
> [!div class="mx-tableFixed"]
>| | |
>|:-|:-|
>| **Registry key** | HKLM\Software\Policies\Microsoft\FVE |
>| **Value** | RDVDenyCrossOrg |
>| **Type** | REG_DWORD |
>| **Setting** | "00000000" |
#### MDM
> [!div class="mx-tableFixed"]
>| | |
>|:-|:-|
>| **MDM CSP** | BitLocker |
>| **Policy** | RemovableDrivesRequireEncryption |
>| **Default setting** | Disabled |
>| **Recommended** | Enabled (see [instructions](/windows/client-management/mdm/bitlocker-csp#removabledrivesrequireencryption)) |
### Privacy AdvertisingID
This setting determines if the advertising ID, which preventing apps from using the ID for experiences across apps, is turned off.
#### Group Policy
> [!div class="mx-tableFixed"]
>| | |
>|:-|:-|
>| **Group Policy** | Computer Configuration\Administrative Templates\System\User Profiles |
>| **Policy Name** | Turn off the advertising ID |
>| **Default setting** | Not configured |
>| **Recommended** | Enabled |
#### Registry
> [!div class="mx-tableFixed"]
>| | |
>|:-|:-|
>| **Registry key** | HKLM\Software\Policies\Microsoft\Windows\AdvertisingInfo |
>| **Value** | DisabledByGroupPolicy |
>| **Type** | REG_DWORD |
>| **Setting** | "00000001" |
#### MDM
> [!div class="mx-tableFixed"]
>| | |
>|:-|:-|
>| **MDM CSP** | Privacy |
>| **Policy** | DisableAdvertisingId |
>| **Default setting** | 65535 (default) - Not configured |
>| **Recommended** | 1 Enabled |
### Edge
These settings whether employees send “Do Not Track” from the Microsoft Edge web browser to websites.
>[!NOTE]
>Please see [this Microsoft blog post](https://blogs.microsoft.com/on-the-issues/2015/04/03/an-update-on-microsofts-approach-to-do-not-track/) for more details on why the “Do Not Track” is no longer the default setting.
#### Group Policy
> [!div class="mx-tableFixed"]
>| | |
>|:-|:-|
>| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Microsoft Edge |
>| **Policy Name** | Configure Do Not Track |
>| **Default setting** | Disabled |
>| **Recommended** | Disabled |
> [!div class="mx-tableFixed"]
>| | |
>|:-|:-|
>| **Group Policy** | User Configuration\Administrative Templates\Windows Components\Microsoft Edge |
>| **Policy Name** | Configure Do Not Track |
>| **Default setting** | Disabled |
>| **Recommended** | Disabled |
#### Registry
> [!div class="mx-tableFixed"]
>| | |
>|:-|:-|
>| **Registry key** | HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main |
>| **Value** | DoNotTrack |
>| **Type** | REG_DWORD |
>| **Setting** | "00000000" |
> [!div class="mx-tableFixed"]
>| | |
>|:-|:-|
>| **Registry key** | HKCU\Software\Policies\Microsoft\MicrosoftEdge\Main |
>| **Value** | DoNotTrack |
>| **Type** | REG_DWORD |
>| **Setting** | "00000000" |
#### MDM
> [!div class="mx-tableFixed"]
>| | |
>|:-|:-|
>| **MDM CSP** | Browser |
>| **Policy** | AllowDoNotTrack (scope: device + user) |
>| **Default setting** | 0 (default) Not allowed |
>| **Recommended** | 0 Not allowed |
### Internet Explorer
These settings whether employees send “Do Not Track” header from the Microsoft Explorer web browser to websites.
#### Group Policy
> [!div class="mx-tableFixed"]
>| | |
>|:-|:-|
>| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |
>| **Policy Name** | Always send Do Not Track header |
>| **Default setting** | Disabled |
>| **Recommended** | Disabled |
> [!div class="mx-tableFixed"]
>|||
>|:-|:-|
>| **Group Policy** | User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |
>| **Policy Name** | Always send Do Not Track header |
>| **Default setting** | Disabled |
>| **Recommended** | Disabled |
#### Registry
> [!div class="mx-tableFixed"]
>|||
>|:-|:-|
>| **Registry key** | HKLM\Software\Policies\Microsoft\Internet Explorer\Main |
>| **Value** | DoNotTrack |
>| **Type** | REG_DWORD |
>| **Setting** | "00000000" |
> [!div class="mx-tableFixed"]
>|||
>|:-|:-|
>| **Registry key** | HKCU\Software\Policies\Microsoft\Internet Explorer\Main |
>| **Value** | DoNotTrack |
>| **Type** | REG_DWORD |
>| **Setting** | "00000000" |
#### MDM
> [!div class="mx-tableFixed"]
>|||
>|:-|:-|
>| **MDM CSP** | N/A |
## Additional resources
### FAQs
* [Windows 10 feedback, diagnostics, and privacy](https://privacy.microsoft.com/windows-10-feedback-diagnostics-and-privacy)
* [Microsoft Edge and privacy](https://privacy.microsoft.com/windows-10-microsoft-edge-and-privacy)
* [Windows Hello and privacy](https://privacy.microsoft.com/windows-10-windows-hello-and-privacy)
* [Wi-Fi Sense](https://privacy.microsoft.com/windows-10-about-wifi-sense)
### Blogs
* [Privacy and Windows 10](https://blogs.windows.com/windowsexperience/2015/09/28/privacy-and-windows-10)
### Privacy Statement
* [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement)
### Windows Privacy on docs.microsoft.com
* [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
* [Manage Windows 10 connection endpoints](manage-windows-endpoints.md)
* [Understanding Windows diagnostic data](configure-windows-diagnostic-data-in-your-organization.md#understanding-windows-diagnostic-data)
* [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md)
### Other resources
* [Privacy at Microsoft](https://privacy.microsoft.com/)