Merged PR 8082: Adding new privacy node and updated privacy content

Hoping for 0 conflicts

windows/privacy/TOC.md

@@ -1 +1,15 @@
-# [Index](index.md)
+# [Privacy](index.yml)
+## [Beginning your General Data Protection Regulation (GDPR) journey for Windows 10](gdpr-win10-whitepaper.md)
+## [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md)
+## [Diagnostic Data Viewer Overview](diagnostic-data-viewer-overview.md)
+## Basic level diagnostics events and fields
+### [Windows 10, version 1803 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md)
+### [Windows 10, version 1709 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md)
+### [Windows 10, version 1703 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md)
+## Enhanced level diagnostics events and fields
+### [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](enhanced-diagnostic-data-windows-analytics-events-and-fields.md)
+## Full level diagnostics events and fields
+### [Windows 10, version 1709 and later diagnostic data for the Full level](windows-diagnostic-data.md)
+### [Windows 10, version 1703 diagnostic data for the Full level](windows-diagnostic-data-1703.md)
+## [Manage Windows 10 connection endpoints](manage-windows-endpoints.md)
+## [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)

windows/privacy/configure-windows-diagnostic-data-in-your-organization.md

@@ -0,0 +1,445 @@
+---
+description: Use this article to make informed decisions about how you can configure diagnostic data in your organization.
+title: Configure Windows diagnostic data in your organization (Windows 10)
+keywords: privacy
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: high
+author: brianlic-msft
+ms.date: 04/04/2018
+---
+
+# Configure Windows diagnostic data in your organization
+
+**Applies to**
+
+-   Windows 10 Enterprise
+-   Windows 10 Mobile
+-   Windows Server
+
+At Microsoft, we use Windows diagnostic data to inform our decisions and focus our efforts in providing the most robust, most valuable platform for your business and the people who count on Windows to enable them to be as productive as possible. Diagnostic data gives users a voice in the operating system’s development. This guide describes the importance of Windows diagnostic data and how we protect that data. Additionally, it differentiates between diagnostic data and functional data. It also describes the diagnostic data levels that Windows supports. Of course, you can choose how much diagnostic data is shared with Microsoft, and this guide demonstrates how.
+
+To frame a discussion about diagnostic data, it is important to understand Microsoft’s privacy principles. We earn customer trust every day by focusing on six key privacy principles as described at [privacy.microsoft.com](https://privacy.microsoft.com/). These principles guided the implementation of the Windows diagnostic data system in the following ways:
+
+-	**Control.** We offer customers control of the diagnostic data they share with us by providing easy-to-use management tools.
+-	**Transparency.** We provide information about the diagnostic data that Windows and Windows Server collects so our customers can make informed decisions.
+-	**Security.** We encrypt diagnostic data in transit from your device and protect that data at our secure data centers.
+-	**Strong legal protections.** We respect customers’ local privacy laws and fight for legal protection of their privacy as a fundamental human right.
+-	**No content-based targeting.** We take steps to avoid and minimize the collection of customer content, such as the content of files, chats, or emails, through the Windows diagnostic data system.  Customer content inadvertently collected is kept confidential and not used for user targeting.
+-	**Benefits to you.** We collect Windows diagnostic data to help provide you with an up-to-date, more secure, reliable and performant product, and to improve Windows for all our customers.
+
+This article applies to Windows and Windows Server diagnostic data only. Other Microsoft or third-party apps, such as System Center Configuration Manager, System Center Endpoint Protection, or System Center Data Protection Manager, might send data to their cloud services in ways that are inconsistent with this guide. Their publishers are responsible for notifying users of their privacy policies, diagnostic data controls, and so on. This article describes the types of diagnostic data we may gather, the ways you might manage it in your organization, and some examples of how diagnostic data can provide you with valuable insights into your enterprise deployments. Microsoft uses the data to quickly identify and address issues affecting its customers.
+
+Use this article to make informed decisions about how you might configure diagnostic data in your organization. Diagnostic data is a term that means different things to different people and organizations. For this article, we discuss diagnostic data as system data that is uploaded by the Connected User Experiences and Telemetry component. The diagnostic data data is used to help keep Windows devices secure by identifying malware trends and other threats and to help Microsoft improve the quality of Windows and Microsoft services.
+
+We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com.
+
+## Overview
+
+In previous versions of Windows and Windows Server, Microsoft used diagnostic data to check for updated or new Windows Defender signatures, check whether Windows Update installations were successful, gather reliability information through the Reliability Analysis Component (RAC), and gather reliability information through the Windows Customer Experience Improvement Program (CEIP) on Windows. In Windows 10 and Windows Server 2016, you can control diagnostic data streams by using the Privacy option in Settings, Group Policy, or MDM.
+
+For Windows 10, we invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows work better for your organization.
+
+## Understanding Windows diagnostic data
+
+Windows as a Service is a fundamental change in how Microsoft plans, builds, and delivers the operating system. Historically, we released a major Windows version every few years. The effort required to deploy large and infrequent Windows versions was substantial. That effort included updating the infrastructure to support the upgrade. Windows as a Service accelerates the cadence to provide rich updates more frequently, and these updates require substantially less effort to roll out than earlier versions of Windows. Since it provides more value to organizations in a shorter timeframe, delivering Windows as a Service is a top priority for us.
+
+The release cadence of Windows may be fast, so feedback is critical to its success. We rely on diagnostic data at each stage of the process to inform our decisions and prioritize our efforts. 
+
+### What is Windows diagnostic data?
+Windows diagnostic data is vital technical data from Windows devices about the device and how Windows and related software are performing. It's used in the following ways:
+
+- 	Keep Windows up to date
+-	Keep Windows secure, reliable, and performant
+-	Improve Windows – through the aggregate analysis of the use of Windows
+-	Personalize Windows engagement surfaces
+
+Here are some specific examples of Windows diagnostic data:
+
+-	Type of hardware being used
+-	Applications installed and usage details
+-	Reliability information on device drivers
+
+### What is NOT diagnostic data?
+
+Diagnostic data can sometimes be confused with functional data. Some Windows components and apps connect to Microsoft services directly, but the data they exchange is not diagnostic data. For example, exchanging a user’s location for local weather or news is not an example of diagnostic data—it is functional data that the app or service requires to satisfy the user’s request.
+
+There are subtle differences between diagnostic data and functional data. Windows collects and sends diagnostic data in the background automatically. You can control how much information is gathered by setting the diagnostic data level. Microsoft tries to avoid collecting personal information wherever possible (for example, if a crash dump is collected and a document was in memory at the time of the crash).    On the other hand, functional data can contain personal information. However, a user action, such as requesting news or asking Cortana a question, usually triggers collection and transmission of functional data.
+
+If you’re an IT pro that wants to manage Windows functional data sent from your organization to Microsoft, see [Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services).
+
+The following are specific examples of functional data:
+
+- Current location for weather
+- Bing searches
+- Wallpaper and desktop settings synced across multiple devices
+
+### Diagnostic data gives users a voice
+
+Windows and Windows Server diagnostic data gives every user a voice in the operating system’s development and ongoing improvement. It helps us understand how Windows 10 and Windows Server 2016 behaves in the real world, focus on user priorities, and make informed decisions that benefit them. For our enterprise customers, representation in the dataset on which we will make future design decisions is a real benefit. The following sections offer real examples of these benefits.
+
+### Drive higher app and driver quality
+
+Our ability to collect diagnostic data that drives improvements to Windows and Windows Server helps raise the bar for app and device driver quality. Diagnostic data helps us to quickly identify and fix critical reliability and security issues with apps and device drivers on given configurations. For example, we can identify an app that hangs on devices using a specific version of a video driver, allowing us to work with the app and device driver vendor to quickly fix the issue. The result is less downtime and reduced costs and increased productivity associated with troubleshooting these issues.
+
+#### Real-world example of how Windows diagnostic data helps
+There was a version of a video driver that was crashing on some devices running Windows 10, causing the device to reboot. We detected the problem in our diagnostic data, and immediately contacted the third-party developer who builds the video driver. Working with the developer, we provided an updated driver to Windows Insiders within 24 hours. Based on diagnostic data from the Windows Insiders’ devices, we were able to validate the new version of the video driver, and rolled it out to the broad public as an update the next day. Diagnostic data helped us find, fix, and resolve this problem in just 48 hours, providing a better user experience and reducing costly support calls.
+
+### Improve end-user productivity
+
+Windows diagnostic data also helps Microsoft better understand how customers use (or do not use) the operating system’s features and related services. The insights we gain from this data helps us prioritize our engineering effort to directly impact our customers’ experiences. Examples are:
+
+-	**Start menu.** How do people change the Start menu layout? Do they pin other apps to it? Are there any apps that they frequently unpin? We use this dataset to adjust the default Start menu layout to better reflect people’s expectations when they turn on their device for the first time.
+-	**Cortana.** We use diagnostic data to monitor the scalability of our cloud service, improving search performance.
+-	**Application switching.**  Research and observations from earlier Windows versions showed that people rarely used Alt+Tab to switch between applications.  After discussing this with some users, we learned they loved the feature, saying that it would be highly productive, but they did not know about it previously. Based on this, we created the Task View button in Windows 10 to make this feature more discoverable. Later diagnostic data showed significantly higher usage of this feature.
+
+**These examples show how the use of diagnostic data data enables Microsoft to build or enhance features which can help organizations increase employee productivity while lowering help desk calls.**
+
+
+### Insights into your own organization
+
+Sharing information with Microsoft helps make Windows and other products better, but it can also help make your internal processes and user experiences better, as well.  Microsoft is in the process of developing a set of analytics customized for your internal use.  The first of these, called [Upgrade Readiness](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness).
+
+#### Upgrade Readiness
+
+Upgrading to new operating system versions has traditionally been a challenging, complex, and slow process for many enterprises. Discovering applications and drivers and then testing them for potential compatibility issues have been among the biggest pain points. 
+ 
+To better help customers through this difficult process, Microsoft developed Upgrade Readiness to give enterprises the tools to plan and manage the upgrade process end to end and allowing them to adopt new Windows releases more quickly and on an ongoing basis. 
+
+With Windows diagnostic data enabled, Microsoft collects computer, application, and driver compatibility-related information for analysis. We then identify compatibility issues that can block your upgrade and suggest fixes when they are known to Microsoft. 
+
+Use Upgrade Readiness to get:
+
+- A visual workflow that guides you from pilot to production
+- Detailed computer, driver, and application inventory
+- Powerful computer level search and drill-downs 
+- Guidance and insights into application and driver compatibility issues with suggested fixes 
+- Data driven application rationalization tools
+- Application usage information, allowing targeted validation; workflow to track validation progress and decisions
+- Data export to commonly used software deployment tools 
+
+The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded.
+
+## How is diagnostic data data handled by Microsoft?
+
+### Data collection
+
+Windows 10 and Windows Server 2016 includes the Connected User Experiences and Telemetry component, which uses Event Tracing for Windows (ETW) tracelogging technology that gathers and stores diagnostic data events and data. The operating system and some Microsoft management solutions, such as System Center, use the same logging technology.
+
+1. Operating system features and some management applications are instrumented to publish events and data. Examples of management applications include Virtual Machine Manager (VMM), Server Manager, and Storage Spaces.
+2. Events are gathered using public operating system event logging and tracing APIs.
+3. You can configure the diagnostic data level by using MDM policy, Group Policy, or registry settings.
+4. The Connected User Experiences and Telemetry component transmits the diagnostic data data.
+
+Info collected at the Enhanced and Full levels of diagnostic data is typically gathered at a fractional sampling rate, which can be as low as 1% of devices reporting data at those levels.
+
+### Data transmission
+
+All diagnostic data data is encrypted using SSL and uses certificate pinning during transfer from the device to the Microsoft Data Management Service. With Windows 10, data is uploaded on a schedule that is sensitive to event priority, battery use, and network cost. Real-time events, such as Windows Defender Advanced Threat Protection, are always sent immediately. Normal events are not uploaded on metered networks, unless you are on a metered server connection. On a free network, normal events can be uploaded every 4 hours if on battery, or every 15 minutes if on A/C power. Diagnostic and crash data are only uploaded on A/C power and free networks.
+
+The data transmitted at the Basic and Enhanced data diagnostic levels is quite small; typically less than 1 MB per device per day,  but occasionally up to 2 MB per device per day).
+
+
+### Endpoints
+
+The Microsoft Data Management Service routes data back to our secure cloud storage. Only Microsoft personnel with a valid business justification are permitted access.
+
+The following table defines the endpoints for Connected User Experiences and Telemetry component:
+
+Windows release | Endpoint
+--- | ---
+Windows 10, versions 1703 and 1709 | Diagnostics data: v10.vortex-win.data.microsoft.com/collect/v1</br></br>Functional: v20.vortex-win.data.microsoft.com/collect/v1</br>Windows Advanced Threat Protection is country specific and the prefix changes by country for example: **de**.vortex-win.data.microsoft.com/collect/v1</br>settings-win.data.microsoft.com
+Windows 10, version 1607 | v10.vortex-win.data.microsoft.com</br></br>settings-win.data.microsoft.com
+
+The following table defines the endpoints for other diagnostic data services:
+
+| Service | Endpoint |
+| - | - |
+| [Windows Error Reporting](http://msdn.microsoft.com/library/windows/desktop/bb513641.aspx) | watson.telemetry.microsoft.com |
+| [Online Crash Analysis](http://msdn.microsoft.com/library/windows/desktop/ee416349.aspx) | oca.telemetry.microsoft.com |
+| OneDrive app for Windows 10 | vortex.data.microsoft.com/collect/v1 |
+
+### Data use and access
+
+The principle of least privileged access guides access to diagnostic data data. Microsoft does not share personal data of our customers with third parties, except at the customer’s discretion or for the limited purposes described in the [Privacy Statement](https://privacy.microsoft.com/privacystatement). Microsoft may share business reports with OEMs and third-party partners that include aggregated and anonymized diagnostic data information. Data-sharing decisions are made by an internal team including privacy, legal, and data management.
+
+### Retention
+
+Microsoft believes in and practices information minimization. We strive to gather only the info we need and to store it only for as long as it’s needed to provide a service or for analysis. Much of the info about how Windows and apps are functioning is deleted within 30 days. Other info may be retained longer, such as error reporting data or Microsoft Store purchase history. 
+
+## Diagnostic data levels
+This section explains the different diagnostic data levels in Windows 10, Windows Server 2016, and System Center. These levels are available on all desktop and mobile editions of Windows 10, except for the **Security** level, which is limited to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016.
+
+The diagnostic data data is categorized into four levels:
+
+-   **Security**. Information that’s required to help keep Windows, Windows Server, and System Center secure, including data about the Connected User Experiences and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender.
+
+-   **Basic**. Basic device info, including: quality-related data, app compatibility, and data from the **Security** level.
+
+-   **Enhanced**. Additional insights, including: how Windows, Windows Server, System Center, and apps are used, how they perform, advanced reliability data, and data from both the **Basic** and the **Security** levels.
+
+-   **Full**. All data necessary to identify and help to fix problems, plus data from the **Security**, **Basic**, and **Enhanced** levels.
+
+The levels are cumulative and are illustrated in the following diagram. Also, these levels apply to all editions of Windows Server 2016.
+
+![breakdown of diagnostic data levels and types of administrative controls](images/priv-telemetry-levels.png)
+
+### Security level
+
+The Security level gathers only the diagnostic data info that is required to keep Windows devices, Windows Server, and guests protected with the latest security updates. This level is only available on Windows Server 2016, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and Windows IoT Core editions.
+
+> [!NOTE]  
+> If your organization relies on Windows Update for updates, you shouldn’t use the **Security** level. Because no Windows Update information is gathered at this level, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates.
+
+Windows Server Update Services (WSUS) and System Center Configuration Manager functionality is not affected at this level, nor is diagnostic data data about Windows Server features or System Center gathered.
+
+The data gathered at this level includes:
+
+-   **Connected User Experiences and Telemetry component settings**. If general diagnostic data has been gathered and is queued, it is sent to Microsoft. Along with this diagnostic data, the Connected User Experiences and Telemetry component may download a configuration settings file from Microsoft’s servers. This file is used to configure the Connected User Experiences and Telemetry component itself. The data gathered by the client for this request includes OS information, device id (used to identify what specific device is requesting settings) and device class (for example, whether the device is server or desktop).
+
+-   **Malicious Software Removal Tool (MSRT)** The MSRT infection report contains information, including device info and IP address.
+
+    > [!NOTE]  
+    > You can turn off the MSRT infection report. No MSRT information is included if MSRT is not used. If Windows Update is turned off, MSRT will not be offered to users. For more info, see Microsoft KB article [891716](http://support.microsoft.com/kb/891716).
+
+-   **Windows Defender/Endpoint Protection**. Windows Defender and System Center Endpoint Protection requires some information to function, including: anti-malware signatures, diagnostic information, User Account Control settings, Unified Extensible Firmware Interface (UEFI) settings, and IP address.
+
+    > [!NOTE]  
+    > This reporting can be turned off and no information is included if a customer is using third-party antimalware software, or if Windows Defender is turned off. For more info, see [Windows Defender](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender).
+
+    Microsoft recommends that Windows Update, Windows Defender, and MSRT remain enabled unless the enterprise uses alternative solutions such as Windows Server Update Services, System Center Configuration Manager, or a third-party antimalware solution. Windows Update, Windows Defender, and MSRT provide core Windows functionality such as driver and OS updates, including security updates.
+
+For servers with default diagnostic data settings and no Internet connectivity, you should set the diagnostic data level to **Security**. This stops data gathering for events that would not be uploaded due to the lack of Internet connectivity.
+
+No user content, such as user files or communications, is gathered at the **Security** diagnostic data level, and we take steps to avoid gathering any information that directly identifies a company or user, such as name, email address, or account ID. However, in rare circumstances, MSRT information may unintentionally contain personal information. For instance, some malware may create entries in a computer’s registry that include information such as a username, causing it to be gathered. MSRT reporting is optional and can be turned off at any time.
+
+### Basic level
+
+The Basic level gathers a limited set of data that’s critical for understanding the device and its configuration. This level also includes the **Security** level data. This level helps to identify problems that can occur on a specific hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a specific driver version. The Connected User Experiences and Telemetry component does not gather diagnostic data data about System Center, but it can transmit diagnostic data for other non-Windows applications if they have user consent.
+
+The normal upload range for the Basic diagnostic data level is between 109 KB - 159 KB per day, per device.
+
+The data gathered at this level includes:
+
+-   **Basic device data**. Helps provide an understanding about the types of Windows devices and the configurations and types of native and virtualized Windows Server 2016 in the ecosystem. Examples include:
+
+    -   Device attributes, such as camera resolution and display type
+
+    -   Internet Explorer version
+
+    -   Battery attributes, such as capacity and type
+
+    -   Networking attributes, such as number of network adapters, speed of network adapters, mobile operator network, and IMEI number
+
+    -   Processor and memory attributes, such as number of cores, architecture, speed, memory size, and firmware
+
+    -   Virtualization attribute, such as Second Level Address Translation (SLAT) support and guest operating system
+
+    -   Operating system attributes, such as Windows edition and virtualization state
+
+    -   Storage attributes, such as number of drives, type, and size
+
+-   **Connected User Experiences and Telemetry component quality metrics**. Helps provide an understanding about how the Connected User Experiences and Telemetry component is functioning, including % of uploaded events, dropped events, and the last upload time.
+
+-   **Quality-related information**. Helps Microsoft develop a basic understanding of how a device and its operating system are performing. Some examples are the device characteristics of a Connected Standby device, the number of crashes or hangs, and application state change details, such as how much processor time and memory were used, and the total uptime for an app.
+
+-   **Compatibility data**. Helps provide an understanding about which apps are installed on a device or virtual machine and identifies potential compatibility problems.
+
+    -   **General app data and app data for Internet Explorer add-ons**. Includes a list of apps that are installed on a native or virtualized instance of the OS and whether these apps function correctly after an upgrade. This app data includes the app name, publisher, version, and basic details about which files have been blocked from usage.
+
+    -   **Internet Explorer add-ons**. Includes a list of Internet Explorer add-ons that are installed on a device and whether these apps will work after an upgrade.
+
+    -   **System data**. Helps provide an understanding about whether a device meets the minimum requirements to upgrade to the next version of the operating system. System information includes the amount of memory, as well as information about the processor and BIOS.
+
+    -   **Accessory device data**. Includes a list of accessory devices, such as printers or external storage devices, that are connected to Windows PCs and whether these devices will function after upgrading to a new version of the operating system.
+
+    -   **Driver data**. Includes specific driver usage that’s meant to help figure out whether apps and devices will function after upgrading to a new version of the operating system. This can help to determine blocking issues and then help Microsoft and our partners apply fixes and improvements.
+
+-   **Microsoft Store**. Provides information about how the Microsoft Store performs, including app downloads, installations, and updates. It also includes Microsoft Store launches, page views, suspend and resumes, and obtaining licenses.
+
+
+### Enhanced level
+
+The Enhanced level gathers data about how Windows and apps are used and how they perform. This level also includes data from both the **Basic** and **Security** levels. This level helps to improve the user experience with the operating system and apps. Data from this level can be abstracted into patterns and trends that can help Microsoft determine future improvements.
+
+This is the default level for Windows 10 Enterprise and Windows 10 Education editions, and the minimum level needed to quickly identify and address Windows, Windows Server, and System Center quality issues.
+
+The normal upload range for the Enhanced diagnostic data level is between 239 KB - 348 KB per day, per device.
+
+The data gathered at this level includes:
+
+-   **Operating system events**. Helps to gain insights into different areas of the operating system, including networking, Hyper-V, Cortana, storage, file system, and other components.
+
+-   **Operating system app events**. A set of events resulting from Microsoft applications and management tools that were downloaded from the Store or pre-installed with Windows or Windows Server, including Server Manager, Photos, Mail, and Microsoft Edge.
+
+-   **Device-specific events**. Contains data about events that are specific to certain devices, such as Surface Hub and Microsoft HoloLens. For example, Microsoft HoloLens sends Holographic Processing Unit (HPU)-related events.
+
+-   **Some crash dump types**. All crash dump types, except for heap dumps and full dumps.
+
+If the Connected User Experiences and Telemetry component detects a problem on Windows 10 that requires gathering more detailed instrumentation, the Connected User Experiences and Telemetry component at the **Enhanced** diagnostic data level will only gather data about the events associated with the specific issue.
+
+#### Limit Enhanced diagnostic data to the minimum required by Windows Analytics
+Windows Analytics Device Health reports are powered by diagnostic data not included in the **Basic** level, such as crash reports and certain operating system events. In the past, organizations sending **Enhanced** or **Full** level diagnostic data were able to participate in Device Health. However, organizations that required detailed event and field level documentation were unable to move from **Basic** to **Enhanced**.
+
+In Windows 10, version 1709, we introduce the **Limit Enhanced diagnostic data to the minimum required by Windows Analytics** feature. When enabled, this feature lets you send only the following subset of **Enhanced** level diagnostic data. For more info about Device Health, see the [Monitor the health of devices with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-monitor) topic.
+
+- **Operating system events.** Limited to a small set required for analytics reports and documented in the [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](enhanced-diagnostic-data-windows-analytics-events-and-fields.md) topic.
+
+- **Some crash dump types.** All crash dump types, except for heap and full dumps.
+
+**To turn on this behavior for devices**
+
+1.	Set the diagnostic data level to **Enhanced**, using either Group Policy or MDM.
+
+    a. Using Group Policy, set the **Computer Configuration/Administrative Templates/Windows Components/Data Collection and Preview Builds/Allow telemetry** setting to **2**.
+
+    -OR-
+
+    b. Using MDM, use the Policy CSP to set the **System/AllowTelemetry** value to **2**.
+
+    -AND-
+
+2.	Enable the **LimitEnhancedDiagnosticDataWindowsAnalytics** setting, using either Group Policy or MDM.
+
+    a.	Using Group Policy, set the **Computer Configuration/Administrative Templates/Windows Components/Data collection and Preview builds/Limit Enhanced diagnostic data to the minimum required by Windows Analytics** setting to **Enabled**.
+    
+    -OR-
+
+    b. Using MDM, use the Policy CSP to set the **System/LimitEnhancedDiagnosticDataWindowsAnalytics** value to **1**.
+
+### Full level
+
+The **Full** level gathers data necessary to identify and to help fix problems, following the approval process described below. This level also includes data from the **Basic**, **Enhanced**, and **Security** levels. This is the default level for Windows 10 Pro.
+
+Additionally, at this level, devices opted in to the [Windows Insider Program](http://insider.windows.com) will send events, such as reliability and app responsiveness. that can show Microsoft how pre-release binaries and features are performing. These events help us make decisions on which builds are flighted. All devices in the [Windows Insider Program](http://insider.windows.com) are automatically set to this level.
+
+If a device experiences problems that are difficult to identify or repeat using Microsoft’s internal testing, additional data becomes necessary. This data can include any user content that might have triggered the problem and is gathered from a small sample of devices that have both opted into the **Full** diagnostic data level and have exhibited the problem.
+
+However, before more data is gathered, Microsoft’s privacy governance team, including privacy and other subject matter experts, must approve the diagnostics request made by a Microsoft engineer. If the request is approved, Microsoft engineers can use the following capabilities to get the information:
+
+-   Ability to run a limited, pre-approved list of Microsoft certified diagnostic tools, such as msinfo32.exe, powercfg.exe, and dxdiag.exe.
+
+-   Ability to get registry keys.
+
+-   All crash dump types, including heap dumps and full dumps.
+
+## Enterprise management
+
+Sharing diagnostic data data with Microsoft provides many benefits to enterprises, so we do not recommend turning it off. For most enterprise customers, simply adjusting the diagnostic data level and managing specific components is the best option.
+
+Customers can set the diagnostic data level in both the user interface and with existing management tools. Users can change the diagnostic data level in the **Diagnostic data** setting. In the **Settings** app, it is in **Privacy\Feedback & diagnostics**. They can choose between Basic and Full. The Enhanced level will only be displayed as an option when Group Policy or Mobile Device Management (MDM) are invoked with this level. The Security level is not available.
+
+IT pros can use various methods, including Group Policy and Mobile Device Management (MDM), to choose a diagnostic data level.  If you’re using Windows 10 Enterprise, Windows 10 Education, or Windows Server 2016, the Security diagnostic data level is available when managing the policy. Setting the diagnostic data level through policy sets the upper boundary for the users’ choices. To disable user choice after setting the level with the policy, you will need to use the "Configure telemetry opt-in setting user interface" group policy. The remainder of this section describes how to use group policy to configure levels and settings interface.
+
+
+### Manage your diagnostic data settings
+
+We do not recommend that you turn off diagnostic data in your organization as valuable functionality may be impacted, but we recognize that in some scenarios this may be required. Use the steps in this section to do so for Windows, Windows Server, and System Center.
+
+> [!IMPORTANT]  
+> These diagnostic data levels only apply to Windows, Windows Server, and System Center components and apps that use the Connected User Experiences and Telemetry component. Non-Windows components, such as Microsoft Office or other 3rd-party apps, may communicate with their cloud services outside of these diagnostic data levels. You should work with your app vendors to understand their diagnostic data policy, and how you can to opt in or opt out. For more information on how Microsoft Office uses diagnostic data, see [Overview of Office Telemetry](http://technet.microsoft.com/library/jj863580.aspx).
+
+You can turn on or turn off System Center diagnostic data gathering. The default is on and the data gathered at this level represents what is gathered by default when System Center diagnostic data is turned on. However, setting the operating system diagnostic data level to **Basic** will turn off System Center diagnostic data, even if the System Center diagnostic data switch is turned on.
+
+The lowest diagnostic data setting level supported through management policies is **Security**. The lowest diagnostic data setting supported through the Settings UI is **Basic**. The default diagnostic data setting for Windows Server 2016 is **Enhanced**.
+
+### Configure the operating system diagnostic data level
+
+You can configure your operating system diagnostic data settings using the management tools you’re already using, such as Group Policy, MDM, or Windows Provisioning. You can also manually change your settings using Registry Editor. Setting your diagnostic data levels through a management policy sets the upper level for diagnostic data on the device.
+
+Use the appropriate value in the table below when you configure the management policy.
+
+| Level    | Data gathered | Value |
+| - | - | -  |
+| Security | Security data only. | **0** |
+| Basic | Security data, and basic system and quality data. | **1** |
+| Enhanced | Security data, basic system and quality data, and enhanced insights and advanced reliability data. | **2** |
+| Full | Security data, basic system and quality data, enhanced insights and advanced reliability data, and full diagnostics data. | **3** |
+
+   > [!NOTE] 
+   > When the User Configuration policy is set for Diagnostic Data, this will override the Computer Configuration setting.
+
+### Use Group Policy to set the diagnostic data level
+
+Use a Group Policy object to set your organization’s diagnostic data level.
+
+1.  From the Group Policy Management Console, go to **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Data Collection and Preview Builds**.
+
+2.  Double-click **Allow Telemetry**.
+
+3.  In the **Options** box, select the level that you want to configure, and then click **OK**.
+
+### Use MDM to set the diagnostic data level
+
+Use the [Policy Configuration Service Provider (CSP)](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) to apply the System/AllowTelemetry MDM policy.
+
+### Use Registry Editor to set the diagnostic data level
+
+Use Registry Editor to manually set the registry level on each device in your organization or you can write a script to edit the registry. If a management policy already exists, such as Group Policy or MDM, it will override this registry setting.
+
+1.  Open Registry Editor, and go to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection**.
+
+2.  Right-click **DataCollection**, click New, and then click **DWORD (32-bit) Value**.
+
+3.  Type **AllowTelemetry**, and then press ENTER.
+
+4.  Double-click **AllowTelemetry**, set the desired value from the table above, and then click **OK.**
+
+5.  Click **File** &gt; **Export**, and then save the file as a .reg file, such as **C:\\AllowTelemetry.reg**. You can run this file from a script on each device in your organization.
+
+### Configure System Center 2016 diagnostic data
+
+For System Center 2016 Technical Preview, you can turn off System Center diagnostic data by following these steps:
+
+-   Turn off diagnostic data by using the System Center UI Console settings workspace.
+
+-   For information about turning off diagnostic data for Service Management Automation and Service Provider Foundation, see [How to disable telemetry for Service Management Automation and Service Provider Foundation](https://support.microsoft.com/kb/3096505).
+
+### Additional diagnostic data controls
+
+There are a few more settings that you can turn off that may send diagnostic data information:
+
+-   To turn off Windows Update diagnostic data, you have two choices. Either turn off Windows Update, or set your devices to be managed by an on premises update server, such as [Windows Server Update Services (WSUS)](http://technet.microsoft.com/library/hh852345.aspx) or [System Center Configuration Manager](http://www.microsoft.com/server-cloud/products/system-center-2012-r2-configuration-manager/).
+
+-   Turn off **Windows Defender Cloud-based Protection** and **Automatic sample submission** in **Settings** &gt; **Update & security** &gt; **Windows Defender**.
+
+-   Manage the Malicious Software Removal Tool in your organization. For more info, see Microsoft KB article [891716](http://support.microsoft.com/kb/891716).
+
+-   Turn off **Linguistic Data Collection** in **Settings** &gt; **Privacy**. At diagnostic data levels **Enhanced** and **Full**, Microsoft uses Linguistic Data Collection info to improve language model features such as autocomplete, spellcheck, suggestions, input pattern recognition, and dictionary.
+
+    > [!NOTE]  
+    > Microsoft does not intend to gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user's device. If we determine that sensitive information has been inadvertently received, we delete the information.
+
+## Additional resources
+
+FAQs
+
+- [Cortana, Search, and privacy](https://privacy.microsoft.com/windows-10-cortana-and-privacy)
+- [Windows 10 feedback, diagnostics, and privacy](https://privacy.microsoft.com/windows-10-feedback-diagnostics-and-privacy)
+- [Windows 10 camera and privacy](https://privacy.microsoft.com/windows-10-camera-and-privacy)
+- [Windows 10 location service and privacy](https://privacy.microsoft.com/windows-10-location-and-privacy)
+- [Microsoft Edge and privacy](https://privacy.microsoft.com/windows-10-microsoft-edge-and-privacy)
+- [Windows 10 speech, inking, typing, and privacy](https://privacy.microsoft.com/windows-10-speech-inking-typing-and-privacy-faq)
+- [Windows Hello and privacy](https://privacy.microsoft.com/windows-10-windows-hello-and-privacy)
+- [Wi-Fi Sense](https://privacy.microsoft.com/windows-10-about-wifi-sense)
+- [Windows Update Delivery Optimization](https://privacy.microsoft.com/windows-10-windows-update-delivery-optimization)
+
+Blogs
+
+- [Privacy and Windows 10](https://blogs.windows.com/windowsexperience/2015/09/28/privacy-and-windows-10)
+
+Privacy Statement
+
+- [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement)
+
+TechNet
+
+- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
+
+Web Pages
+
+- [Privacy at Microsoft](http://privacy.microsoft.com)
+
+ 

windows/privacy/diagnostic-data-viewer-overview.md

@@ -0,0 +1,102 @@
+---
+title: Diagnostic Data Viewer Overview (Windows 10)
+description: Use this article to use the Diagnostic Data Viewer application to review the diagnostic data sent to Microsoft by your device.
+keywords: privacy
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: high
+author: brianlic-msft
+ms.author: brianlic
+ms.date: 01/17/2018
+---
+
+# Diagnostic Data Viewer Overview
+
+**Applies to**
+
+-   Windows 10, version 1803
+
+## Introduction
+The Diagnostic Data Viewer is a Windows app that lets you review the diagnostic data your device is sending to Microsoft, grouping the info into simple categories based on how it's used by Microsoft.
+
+## Install and Use the Diagnostic Data Viewer
+You must turn on data viewing and download the app before you can use the Diagnostic Data Viewer to review your device's diagnostic data.
+
+### Turn on data viewing
+Before you can use this tool, you must turn on data viewing in the **Settings** panel. Turning on data viewing lets Windows store your device's diagnostic data until you turn it off. Turning off data viewing stops Windows from collecting your diagnostic data and clears the existing diagnostic data from your device.
+
+**To turn on data viewing**
+1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**.
+
+2. Under **Diagnostic data**, turn on the **If data viewing is enabled, you can see your diagnostics data** option.
+
+    ![Location to turn on data viewing](images/ddv-data-viewing.png)
+
+### Download the Diagnostic Data Viewer
+Download the app from the [Microsoft Store Diagnostic Data Viewer](https://www.microsoft.com/en-us/store/p/diagnostic-data-viewer/9n8wtrrsq8f7?rtc=1) page.
+
+### Start the Diagnostic Data Viewer
+You must start this app from the **Settings** panel.
+
+**To start the Diagnostic Data Viewer**
+1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**.
+
+2. Under **Diagnostic data**, select the **Diagnostic Data Viewer** button.
+
+    ![Location to turn on the Diagnostic Data Viewer](images/ddv-settings-launch.png)<br><br>-OR-<br><br>
+    
+    Go to **Start** and search for _Diagnostic Data Viewer_.
+
+3. Close the Diagnostic Data Viewer app, use your device as you normally would for a few days, and then open Diagnostic Data Viewer again to review the updated list of diagnostic data.
+
+    >[!Important]
+    >Turning on data viewing can use up to 1GB of disk space on your system drive. We strongly recommend that your turn off data viewing when you're done using the Diagnostic Data Viewer. For info about turning off data viewing, see the [Turn off data viewing](#turn-off-data-viewing) section in this article.
+
+### Use the Diagnostic Data Viewer
+The Diagnostic Data Viewer provides you with the following features to view and filter your device's diagnostic data.
+
+- **View your diagnostic events.** In the left column, you can review your diagnostic events. These events reflect activities that occurred and were sent to Microsoft. 
+
+    Selecting an event opens the detailed JSON view, which provides the exact details uploaded to Microsoft. Microsoft uses this info to continually improve the Windows operating system.
+
+- **Search your diagnostic events.** The **Search** box at the top of the screen lets you search amongst all of the diagnostic event details. The returned search results include any diagnostic event that contains the matching text. 
+
+    Selecting an event opens the detailed JSON view, with the matching text highlighted.
+
+- **Filter your diagnostic event categories.** The apps Menu button opens the detailed menu. In here, you'll find a list of diagnostic event categories, which define how the events are used by Microsoft.
+
+    Selecting a check box lets you filter between the diagnostic event categories.
+
+- **Help to make your Windows experience better.** Microsoft only needs diagnostic data from a small amount of devices to make big improvements to the Windows operating system and ultimately, your experience. If you’re a part of this small device group and you experience issues, Microsoft will collect the associated event diagnostic data, allowing your info to potentially help fix the issue for others.
+
+    To signify your contribution, you’ll see this icon (![Icon to review the device-level sampling](images/ddv-device-sample.png)) if your device is part of the group. In addition, if any of your diagnostic data events are sent from your device to Microsoft to help make improvements, you’ll see this icon (![Icon to review the event-level sampling](images/ddv-event-sample.png)). 
+
+- **Provide diagnostic event feedback.** The **Feedback** icon opens the Feedback Hub app, letting you provide feedback about the Diagnostic Data Viewer and the diagnostic events.
+
+    Selecting a specific event in the Diagnostic Data Viewer automatically fills in the field in the Feedback Hub. You can add your comments to the box labeled, **Give us more detail (optional)**.
+	
+    >[!Important]
+    >All content in the Feedback Hub is publicly viewable. Therefore, make sure you don't put any personal info into your feedback comments.
+
+## Turn off data viewing
+When you're done reviewing your diagnostic data, you should turn of data viewing.
+
+**To turn off data viewing**
+1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**.
+
+2. Under **Diagnostic data**, turn off the **If data viewing is enabled, you can see your diagnostics data** option.
+
+    ![Location to turn off data viewing](images/ddv-settings-off.png)
+
+## View additional diagnostic data in the View problem reports tool
+You can review additional Windows Error Reporting diagnostic data in the **View problem reports** tool. This tool provides you with a summary of various crash reports that are sent to Microsoft as part of Windows Error Reporting. We use this data to find and fix specific issues that are hard to replicate and to improve the Windows operating system.
+
+**To view your Windows Error Reporting diagnostic data**
+1. Go to **Start**, select **Control Panel** > **All Control Panel Items** > **Security and Maintenance** > **Problem Reports**.<br><br>-OR-<br><br>
+	Go to **Start** and search for _Problem Reports_.
+
+    The **Review problem reports** tool opens, showing you your Windows Error Reporting reports, along with a status about whether it was sent to Microsoft.
+
+    ![View problem reports tool with report statuses](images/ddv-problem-reports-screen.png)

windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md

@@ -0,0 +1,253 @@
+---
+description: Use this article to learn more about the enhanced diagnostic data events used by Windows Analytics
+title: Windows 10, version 1709 enhanced telemtry events and fields used by Windows Analytics (Windows 10)
+keywords: privacy, diagnostic data
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: high
+ms.date: 10/16/2017
+author: jaimeo
+ms.author: jaimeo
+---
+
+
+# Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics
+
+ **Applies to**
+
+- Windows 10, version 1709 and later
+
+Windows Analytics Device Health reports are powered by diagnostic data not included in the Basic level. This includes crash reports and certain OS diagnostic data events. Organizations sending Enhanced or Full level diagnostic data were able to participate in Device Health, but some organizations which required detailed event and field level documentation were unable to move from Basic to Enhanced. 
+
+In Windows 10, version 1709, we introduce a new feature: "Limit Enhanced diagnostic data to the minimum required by Windows Analytics". When enabled, this feature limits the operating system diagnostic data events included in the Enhanced level to only those described below. Note that the Enhanced level also includes limited crash reports, which are not described below. For more information on the Enhanced level, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md).
+
+
+## KernelProcess.AppStateChangeSummary
+This event summarizes application usage and performance characteristics to help Microsoft improve performance and reliability. Organizations can use this event with Windows Analytics to gain insights into application reliability.
+
+The following fields are available:
+
+- **CommitChargeAtExit_Sum:** Total memory commit charge for a process when it exits
+- **CommitChargePeakAtExit_Sum**: Total peak memory commit charge for a process when it exits
+- **ContainerId:** Server Silo Container ID
+- **CrashCount:** Number of crashes for a process instance
+- **CycleCountAtExit_Sum:** Total processor cycles for a process when it exited
+- **ExtraInfoFlags:** Flags indicating internal states of the logging
+- **GhostCount_Sum:** Total number of instances where the application stopped responding
+- **HandleCountAtExit_Sum:** Total handle count for a process when it exits
+- **HangCount_Max:** Maximum number of hangs detected
+- **HangCount_Sum:** Total number of application hangs detected
+- **HardFaultCountAtExit_Sum:** Total number of hard page faults detected for a process when it exits
+- **HeartbeatCount:** Heartbeats logged for this summary
+- **HeartbeatSuspendedCount:** Heartbeats logged for this summary where the process was suspended
+- **LaunchCount:** Number of process instances started
+- **LicenseType:** Reserved for future use
+- **ProcessDurationMS_Sum:** Total duration of wall clock process instances
+- **ReadCountAtExit_Sum:** Total IO reads for a process when it exited
+- **ReadSizeInKBAtExit_Sum:**Total IO read size for a process when it exited
+- **ResumeCount:** Number of times a process instance has resumed
+- **RunningDurationMS_Sum:** Total uptime
+- **SuspendCount:** Number of times a process instance was suspended
+- **TargetAppId:** Application identifier
+- **TargetAppType:** Application type
+- **TargetAppVer:** Application version
+- **TerminateCount:** Number of times a process terminated
+- **WriteCountAtExit_Sum:** Total number of IO writes for a process when it exited
+- **WriteSizeInKBAtExit_Sum:** Total size of IO writes for a process when it exited          
+
+## Microsoft.OSG.OSS.CredProvFramework.ReportResultStop
+This event indicates the result of an attempt to authenticate a user with a credential provider. It helps Microsoft to improve logon reliability. Using this event with Windows Analytics can help organizations monitor and improve logon success for different methods (for example, biometric) on managed devices.
+
+The following fields are available:
+
+- **CredTileProviderId:** ID of the Credential Provider
+- **IsConnectedUser:** Flag indicating whether a user is connected or not
+- **IsPLAPTile:** Flag indicating whether this credential tile is a pre-logon access provider or not
+- **IsRemoteSession:** Flag indicating whether the session is remote or not
+- **IsV2CredProv:** Flag indicating whether the credential provider of V2 or not
+- **OpitonalStatusText:** Status text
+- **ProcessImage:** Image path to the process
+- **ProviderId:** Credential provider ID
+- **ProviderStatusIcon:** Indicates which status icon should be displayed
+- **ReturnCode:** Output of the ReportResult function
+- **SessionId:** Session identifier
+- **Sign-in error status:** The sign-in error status
+- **SubStatus:** Sign-in error sub-status
+- **UserTag:** Count of the number of times a user has selected a provider
+
+## Microsoft.Windows.Kernel.Power.OSStateChange
+This event denotes the transition between operating system states (e.g., On, Off, Sleep, etc.). By using this event with Windows Analytics, organizations can use this to monitor reliability and performance of managed devices
+
+The following fields are available:
+
+- **AcPowerOnline:** If "TRUE," the device is using AC power. If "FALSE," the device is using battery power.
+- **ActualTransitions:** The number of transitions between operating system states since the last system boot
+- **BatteryCapacity:** Maximum battery capacity in mWh
+- **BatteryCharge:** Current battery charge as a percentage of total capacity
+- **BatteryDischarging:** Flag indicating whether the battery is discharging or charging
+- **BootId:** Total boot count since the operating system was installed
+- **BootTimeUTC:** Date and time of a particular boot event (identified by BootId)
+- **EnergyChangeV2:** A snapshot value in mWh reflecting a change in power usage
+- **EnergyChangeV2Flags:** Flags for disambiguating EnergyChangeV2 context
+- **EventSequence:** A sequential number used to evaluate the completeness of the data
+- **LastStateTransition:** ID of the last operating system state transition
+- **LastStateTransitionSub:** ID of the last operating system sub-state transition
+- **StateDurationMS:** Number of milliseconds spent in the last operating system state
+- **StateTransition:** ID of the operating system state the system is transitioning to
+- **StateTransitionSub:** ID of the operating system sub-state the system is transitioning to
+- **TotalDurationMS:** Total time (in milliseconds) spent in all states since the last boot
+- **TotalUptimeMS:** Total time (in milliseconds) the device was in Up or Running states since the last boot
+- **TransitionsToOn:** Number of transitions to the Powered On state since the last boot
+- **UptimeDeltaMS:** Total time (in milliseconds) added to Uptime since the last event
+
+## Microsoft.Windows.LogonController.LogonAndUnlockSubmit
+Sends details of the user attempting to sign into or unlock the device.
+
+The following fields are available:
+
+- **isSystemManagedAccount:** Indicates if the user's account is System Managed
+- **isUnlockScenario:** Flag indicating whether the event is a Logon or an Unlock
+- **PartA_UserSid:** The security identifier of the user
+- **userType:** Indicates the user type: 0 = unknown; 1 = local; 2 = Active Directory domain user; 3 = Microsoft Account; 4 = Azure Active Directory user
+
+## Microsoft.Windows.LogonController.SignInFailure
+Sends details about any error codes detected during a failed sign-in.
+
+The following fields are available:
+
+- **ntsStatus:** The NTSTATUS error code status returned from an attempted sign-in
+- **ntsSubstatus:** The NTSTATUS error code sub-status returned from an attempted sign-in 
+
+## Microsoft.Windows.Security.Biometrics.Service.BioServiceActivityCapture
+Indicates that a biometric capture was compared to known templates
+
+The following fields are available:
+
+- **captureDetail:** Result of biometric capture, either matched to an enrollment or an error 
+- **captureSuccessful:** Indicates whether a biometric capture was successfully matched or not
+- **hardwareId:** ID of the sensor that collected the biometric capture
+- **isSecureSensor:** Flag indicating whether a biometric sensor was in enhanced security mode
+- **isTrustletRunning:** Indicates whether an enhanced security component is currently running
+- **isVsmCfg:** Flag indicating whether virtual secure mode is configured or not
+
+## Microsoft.Windows.Security.Certificates.PinRulesCaCertUsedAnalytics
+The Microsoft.Windows.Security.Certificates.Pin\*Analytics events summarize which server certificates the client encounters. By using this event with Windows Analytics, organizations can use this to determine potential scope and impact of pending certificate revocations or expirations.
+
+The following fields are available:
+
+- **certBinary:** Binary blob of public certificate as presented to the client (does not include any private keys)
+- **certThumbprint:** Certificate thumbprint
+
+## Microsoft.Windows.Security.Certificates.PinRulesCheckedAnalytics
+The Microsoft.Windows.Security.Certificates.Pin\*Analytics events summarize which server certificates the client encounters. By using this event with Windows Analytics, organizations can use this to determine potential scope and impact of pending certificate revocations or expirations.
+
+The following fields are available:
+
+- **caThumbprints:** Intermediate certificate thumbprints
+- **rootThumbprint:** Root certificate thumbprint
+- **serverName:** Server name associated with the certificate
+- **serverThumbprint:** Server certificate thumbprint
+- **statusBits:** Certificate status
+
+## Microsoft.Windows.Security.Certificates.PinRulesServerCertUsedAnalytics
+The Microsoft.Windows.Security.Certificates.Pin\*Analytics events summarize which server certificates the client encounters. By using this event with Windows Analytics, organizations can use this to determine potential scope and impact of pending certificate revocations or expirations.
+
+The following fields are available:
+
+- **certBinary:** Binary blob of public certificate as presented to the client (does not include any private keys)
+- **certThumbprint:** Certificate thumbprint
+
+## Microsoft.Windows.Security.Winlogon.SystemBootStop
+System boot has completed.
+
+The following field is available:
+
+- **ticksSinceBoot:** Duration of boot event (milliseconds)
+
+## Microsoft.Windows.Shell.Desktop.LogonFramework.AllLogonTasks
+This event summarizes the logon procedure to help Microsoft improve performance and reliability. By using this event with Windows Analytics organizations can help identify logon problems on managed devices.
+
+The following fields are available:
+
+- **isAadUser:** Indicates whether the current logon is for an Azure Active Directory account
+- **isDomainUser:** Indicates whether the current logon is for a domain account
+- **isMSA:** Indicates whether the current logon is for a Microsoft Account
+- **logonOptimizationFlags:** Flags indicating optimization settings for this logon session
+- **logonTypeFlags:** Flags indicating logon type (first logon vs. a later logon)
+- **systemManufacturer:** Device manufacturer
+- **systemProductName:** Device product name
+- **wilActivity:** Indicates errors in the task to help Microsoft improve reliability.
+
+## Microsoft.Windows.Shell.Desktop.LogonFramework.LogonTask
+This event describes system tasks which are part of the user logon sequence and helps Microsoft to improve reliability.
+
+The following fields are available:
+
+- **isStartWaitTask:** Flag indicating whether the task starts a background task 
+- **isWaitMethod:** Flag indicating the task is waiting on a background task
+- **logonTask:** Indicates which logon step is currently occurring
+- **wilActivity:** Indicates errors in the task to help Microsoft improve reliability.
+
+## Microsoft.Windows.Shell.Explorer.DesktopReady
+Initialization of Explorer is complete.
+
+## Microsoft-Windows-Security-EFS-EDPAudit-ApplicationLearning.EdpAuditLogApplicationLearning
+For a device subject to Windows Information Protection policy, learning events are generated when an app encounters a policy boundary (for example, trying to open a work document from a personal app). These events help the WIP administrator tune policy rules and prevent unnecessary user disruption.
+
+The following fields are available:
+
+- **actiontype:** Indicates what type of resource access the app was attempting (for example, opening a local document vs. a network resource) when it encountered a policy boundary. Useful for Windows Information Protection administrators to tune policy rules.
+- **appIdType:** Based on the type of application, this indicates what type of app rule a Windows Information Protection administrator would need to create for this app.
+- **appname:** App that triggered the event
+- **status:** Indicates whether errors occurred during WIP learning events
+
+## Win32kTraceLogging.AppInteractivitySummary
+Summarizes which app windows are being used (for example, have focus) to help Microsoft improve compatibility and user experience. Also helps organizations (by using Windows Analytics) to understand and improve application reliability on managed devices.
+
+The following fields are available:
+   
+- **AggregationDurationMS:** Actual duration of aggregation period (in milliseconds)
+- **AggregationFlags:** Flags denoting aggregation settings
+- **AggregationPeriodMS:** Intended duration of aggregation period (in milliseconds)
+- **AggregationStartTime:** Start date and time of AppInteractivity aggregation
+- **AppId:** Application ID for usage
+- **AppSessionId:** GUID identifying the application's usage session
+- **AppVersion:** Version of the application that produced this event
+- **AudioInMS:** Audio capture duration (in milliseconds)
+- **AudioOutMS:** Audio playback duration (in milliseconds)
+- **BackgroundMouseSec:** Indicates that there was a mouse hover event while the app was in the background
+- **BitPeriodMS:** Length of the period represented by InFocusBitmap
+- **CommandLineHash:** A hash of the command line
+- **CompositionDirtyGeneratedSec:** Represents the amount of time (in seconds) during which the active app reported that it had an update
+- **CompositionDirtyPropagatedSec:** Total time (in seconds) that a separate process with visuals hosted in an app signaled updates
+- **CompositionRenderedSec:** Time (in seconds) that an app's contents were rendered
+- **EventSequence:** [need more info]
+- **FocusLostCount:** Number of times that an app lost focus during the aggregation period
+- **GameInputSec:** Time (in seconds) there was user input using a game controller
+- **HidInputSec:** Time (in seconds) there was user input using devices other than a game controller
+- **InFocusBitmap:** Series of bits representing application having and losing focus
+- **InFocusDurationMS:** Total time (in milliseconds) the application had focus
+- **InputSec:** Total number of seconds during which there was any user input
+- **InteractiveTimeoutPeriodMS:** Total time (in milliseconds) that inactivity expired interactivity sessions
+- **KeyboardInputSec:** Total number of seconds during which there was keyboard input
+- **MonitorFlags:** Flags indicating app use of individual monitor(s)
+- **MonitorHeight:** Number of vertical pixels in the application host monitor resolution
+- **MonitorWidth:** Number of horizontal pixels in the application host monitor resolution
+- **MouseInputSec:** Total number of seconds during which there was mouse input
+- **NewProcessCount:** Number of new processes contributing to the aggregate
+- **PartATransform_AppSessionGuidToUserSid:** Flag which influences how other parts of the event are constructed
+- **PenInputSec:** Total number of seconds during which there was pen input
+- **SpeechRecognitionSec:** Total number of seconds of speech recognition
+- **SummaryRound:** Incrementing number indicating the round (batch) being summarized
+- **TargetAsId:** Flag which influences how other parts of the event are constructed
+- **TotalUserOrDisplayActiveDurationMS:** Total time the user or the display was active (in milliseconds)
+- **TouchInputSec:** Total number of seconds during which there was touch input
+- **UserActiveDurationMS:** Total time that the user was active including all input methods
+- **UserActiveTransitionCount:** Number of transitions in and out of user activity
+- **UserOrDisplayActiveDurationMS:** Total time the user was using the display
+- **ViewFlags:** Flags denoting  properties of an app view (for example, special VR view or not)
+- **WindowFlags:** Flags denoting runtime properties of an app window
+- **WindowHeight:** Number of vertical pixels in the application window
+- **WindowWidth:** Number of horizontal pixels in the application window

windows/privacy/gdpr-win10-whitepaper.md

@@ -0,0 +1,335 @@
+---
+title: Beginning your General Data Protection Regulation (GDPR) journey for Windows 10 (Windows 10)
+description: Use this article to understand what GDPR is and about the products Microsoft provides to help you get started towards compliance.
+keywords: privacy, GDPR
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: high
+author: pwiglemsft
+ms.author: pwigle
+ms.date: 09/25/2017
+---
+
+# Beginning your General Data Protection Regulation (GDPR) journey for Windows 10
+
+This article provides info about the GDPR, including what it is, and the products Microsoft provides to help you to become compliant.
+
+## Introduction
+On May 25, 2018, a European privacy law is due to take effect that sets a new global bar for privacy rights, security, and compliance.
+
+The General Data Protection Regulation, or GDPR, is fundamentally about protecting and enabling the privacy rights of individuals. The GDPR establishes strict global privacy requirements governing how you manage and protect personal data while respecting individual choice — no matter where data is sent, processed, or stored.
+
+Microsoft and our customers are now on a journey to achieve the privacy goals of the GDPR. At Microsoft, we believe privacy is a fundamental right, and we believe that the GDPR is an important step forward for clarifying and enabling individual privacy rights. But we also recognize that the GDPR will require significant changes by organizations all over the world.
+
+We have outlined our commitment to the GDPR and how we are supporting our customers within the [Get GDPR compliant with the Microsoft Cloud](https://blogs.microsoft.com/on-the-issues/2017/02/15/get-gdpr-compliant-with-the-microsoft-cloud/#hv52B68OZTwhUj2c.99) blog post by our Chief Privacy Officer [Brendon Lynch](https://blogs.microsoft.com/on-the-issues/author/brendonlynch/) and the [Earning your trust with contractual commitments to the General Data Protection Regulation](https://blogs.microsoft.com/on-the-issues/2017/04/17/earning-trust-contractual-commitments-general-data-protection-regulation/#6QbqoGWXCLavGM63.99)” blog post by [Rich Sauer](https://blogs.microsoft.com/on-the-issues/author/rsauer/) - Microsoft Corporate Vice President & Deputy General Counsel.
+
+Although your journey to GDPR-compliance may seem challenging, we're here to help you. For specific information about the GDPR, our commitments and how to begin your journey, please visit the [GDPR section of the Microsoft Trust Center](https://www.microsoft.com/en-us/trustcenter/privacy/gdpr).
+
+## GDPR and its implications
+The GDPR is a complex regulation that may require significant changes in how you gather, use and manage personal data. Microsoft has a long history of helping our customers comply with complex regulations, and when it comes to preparing for the GDPR, we are your partner on this journey.
+
+The GDPR imposes rules on organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data tied to EU residents, no matter where those businesses are located. Among the key elements of the GDPR are the following:
+
+- **Enhanced personal privacy rights.** Strengthened data protection for residents of EU by ensuring they have the right to access to their personal data, to correct inaccuracies in that data, to erase that data, to object to processing of their personal data, and to move it.
+
+- **Increased duty for protecting personal data.** Reinforced accountability of organizations that process personal data, providing increased clarity of responsibility in ensuring compliance.
+
+- **Mandatory personal data breach reporting.** Organizations that control personal data are required to report personal data breaches that pose a risk to the rights and freedoms of individuals to their supervisory authorities without undue delay, and, where feasible, no later than 72 hours once they become aware of the breach.
+
+As you might anticipate, the GDPR can have a significant impact on your business, potentially requiring you to update privacy policies, implement and strengthen data protection controls and breach notification procedures, deploy highly transparent policies, and further invest in IT and training. Microsoft Windows 10 can help you effectively and efficiently address some of these requirements.
+
+## Personal and sensitive data
+As part of your effort to comply with the GDPR, you will need to understand how the regulation defines personal and sensitive data and how those definitions relate to data held by your organization.
+
+The GDPR considers personal data to be any information related to an identified or identifiable natural person. That can include both direct identification (such as, your legal name) and indirect identification (such as, specific information that makes it clear it is you the data references). The GDPR also makes clear that the concept of personal data includes online identifiers (such as, IP addresses, mobile device IDs) and location data.
+
+The GDPR introduces specific definitions for genetic data (such as, an individual’s gene sequence) and biometric data. Genetic data and biometric data along with other sub categories of personal data (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership: data concerning health; or data concerning a person’s sex life or sexual orientation) are treated as sensitive personal data under the GDPR. Sensitive personal data is afforded enhanced protections and generally requires an individual’s explicit consent where these data are to be processed.
+
+### Examples of info relating to an identified or identifiable natural person (data subject)
+This list provides examples of several types of info that will be regulated through GDPR. This is not an exhaustive list.
+
+- 	Name
+
+- 	Identification number (such as, SSN)
+
+- 	Location data (such as, home address)
+
+- 	Online identifier (such as, e-mail address, screen names, IP address, device IDs)
+
+- 	Pseudonymous data (such as, using a key to identify individuals)
+
+- 	Genetic data (such as, biological samples from an individual)
+
+- 	Biometric data (such as, fingerprints, facial recognition)
+
+## Getting started on the journey towards GDPR compliance
+Given how much is involved to become GDPR-compliant, we strongly recommend that you don't wait to prepare until enforcement begins. You should review your privacy and data management practices now. We recommend that you begin your journey to GDPR compliance by focusing on four key steps:
+
+- 	**Discover.** Identify what personal data you have and where it resides. 
+
+- 	**Manage.** Govern how personal data is used and accessed.
+
+- 	**Protect.** Establish security controls to prevent, detect, and respond to vulnerabilities and data breaches.	
+
+- 	**Report.** Act on data requests, report data breaches, and keep required documentation.
+
+    ![Diagram about how the 4 key GDPR steps work together](images/gdpr-steps-diagram.png)
+
+For each of the steps, we've outlined example tools, resources, and features in various Microsoft solutions, which can be used to help you address the requirements of that step. While this article isn't a comprehensive “how to,” we've included links for you to find out more details, and more information is available in the [GDPR section of the Microsoft Trust Center](https://www.microsoft.com/en-us/trustcenter/privacy/gdpr).
+
+## Windows 10 security and privacy
+As you work to comply with the GDPR, understanding the role of your desktop and laptop client machines in creating, accessing, processing, storing and managing data that may qualify as personal and potentially sensitive data under the GDPR is important. Windows 10 provides capabilities that will help you comply with the GDPR requirements to implement appropriate technical and organizational security measures to protect personal data.
+
+With Windows 10, your ability to protect, detect and defend against the types of attacks that can lead to data breaches is greatly improved. Given the stringent requirements around breach notification within the GDPR, ensuring that your desktop and laptop systems are well defended will lower the risks you face that could result in costly breach analysis and notification.
+
+In this section, we'll talk about how Windows 10 provides capabilities that fit squarely in the **Protect** stage of your journey, including these 4 scenarios:
+
+- **Threat protection: Pre-breach threat resistance.** Disrupt the malware and hacking industry by moving the playing field to one where they lose the attack vectors that they depend on.
+
+- **Threat protection: Post-breach detection and response.** Detect, investigate, and respond to advanced threats and data breaches on your networks.
+
+- **Identity protection.** Next generation technology to help protect your user’s identities from abuse.
+
+- **Information protection.** Comprehensive data protection while meeting compliance requirements and maintaining user productivity.
+
+These capabilities, discussed in more detail below with references to specific GDPR requirements, are built on top of advanced device protection that maintains the integrity and security of the operating system and data.
+
+A key provision within the GDPR is data protection by design and by default, and helping with your ability to meet this provision are features within Windows 10 such as the Trusted Platform Module (TPM) technology designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations.
+
+The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. Some of the key advantages of using TPM technology are that you can:
+
+-	Generate, store, and limit the use of cryptographic keys.
+
+-	Use TPM technology for platform device authentication by using the TPM’s unique RSA key, which is burned into itself.
+
+-	Help to ensure platform integrity by taking and storing security measurements.
+
+Additional advanced device protection relevant to your operating without data breaches include Windows Trusted Boot to help maintain the integrity of the system by ensuring malware is unable to start before system defenses.
+
+### Threat protection: Pre-breach threat resistance
+The GDPR requires you to implement appropriate technical and organizational security measures to protect personal data.
+
+Your ability to meet this requirement to implement appropriate technical security measures should reflect the threats you face in today’s increasingly hostile IT environment. Today’s security threat landscape is one of aggressive and tenacious threats. In previous years, malicious attackers mostly focused on gaining community recognition through their attacks or the thrill of temporarily taking a system offline. Since then, attacker’s motives have shifted toward making money, including holding devices and data hostage until the owner pays the demanded ransom.
+
+Modern attacks increasingly focus on large-scale intellectual property theft; targeted system degradation that can result in financial loss; and now even cyberterrorism that threatens the security of individuals, businesses, and national interests all over the world. These attackers are typically highly trained individuals and security experts, some of whom are in the employ of nation states that have large budgets and seemingly unlimited human resources. Threats like these require an approach that can meet this challenge.
+
+Not only are these threats a risk to your ability to maintain control of any personal or sensitive data you may have, but they are a material risk to your overall business as well. Consider recent data from Ponemon Institute, Verizon, and Microsoft:
+
+- The average cost of the type of data breach the GDPR will expect you to report is $3.5M. (Ponemon Institute).
+
+- 63% of these breaches involve weak or stolen passwords that the GDPR expects you to address. (2016 Data Breach Investigations Report, Verizon Enterprise).
+
+- Over 300,000 new malware samples are created and spread every day making your task to address data protection even more challenging. (Microsoft Malware Protection Center, Microsoft).
+
+As seen with recent ransomware attacks, once called the "black plague" of the Internet, attackers are going after bigger targets that can afford to pay more, with potentially catastrophic consequences. Desktops and laptops, that contain personal and sensitive data, are commonly targeted where control over data might be lost.
+
+In response to these threats and as a part of your mechanisms to resist these types of breaches so that you remain in compliance with the GDPR, Windows 10 provides built in technology, detailed below including the following:
+
+- Windows Defender Antivirus to respond to emerging threats on data.
+
+- Microsoft Edge to systemically disrupt phishing, malware, and hacking attacks.
+
+- Windows Defender Device Guard to block all unwanted applications on client machines.
+
+#### Responding to emerging data threats
+Windows Defender Antivirus is a built-in antimalware solution that provides security and antimalware management for desktops, portable computers, and servers. In Windows 10, it uses a multi-pronged approach to improve antimalware:
+
+- **Cloud-delivered protection.** Helps to detect and block new malware within seconds, even if the malware has never been seen before.
+
+- **Rich local context.** Improves how malware is identified. Windows 10 informs Windows Defender Antivirus not only about content like files and processes, but also where the content came from, where it's been stored, and more. 
+
+- **Extensive global sensors.** Help to keep Windows Defender Antivirus current and aware of even the newest malware. This is accomplished in two ways: by collecting the rich local context data from end points and by centrally analyzing that data.
+
+- **Tamper proofing.** Helps to guard Windows Defender Antivirus itself against malware attacks. For example, Windows Defender Antivirus uses Protected Processes, which prevents untrusted processes from attempting to tamper with Windows Defender Antivirus components, its registry keys, and so on.
+
+- **Enterprise-level features.** Give IT pros the tools and configuration options necessary to make Windows Defender Antivirus an enterprise-class antimalware solution.
+
+#### Systemically disrupting phishing, malware, and hacking attacks 
+In today’s threat landscape, your ability to provide those mechanisms should be tied to the specific data-focused attacks you face through phishing, malware and hacking due to the browser-related attacks. 
+
+As part of Windows 10, Microsoft has brought you Microsoft Edge, our safest and most secure browser to-date. Over the past two years, we have been continuously innovating, and we’re proud of the progress we’ve made. This quality of engineering is reflected by the reduction of Common Vulnerabilities and Exposures (CVE) when comparing Microsoft Edge with Internet Explorer over the past year. Browser-related attacks on personal and sensitive data that you will need to protect under the GDPR means this innovation in Windows 10 is important.
+
+While no modern browser — or any complex application — is free of vulnerabilities, many of the vulnerabilities for Microsoft Edge have been responsibly reported by professional security researchers who work with the Microsoft Security Response Center (MSRC) and the Microsoft Edge team to ensure customers are protected well before any attacker might use these vulnerabilities in the wild. Even better, there is no evidence that any vulnerabilities have been exploited in the wild as zero-day attacks.
+
+![Graph of the Common Vulnerabilities and Exposures (CVE) in the National Vulnerability Database](images/gdpr-cve-graph.png)
+
+However, many businesses worldwide have come under increasing threat of targeted attacks, where attackers are crafting specialized attacks against a specific business, attempting to take control of corporate networks and data.
+
+#### Blocking all unwanted apps 
+Application Control is your best defense in a world where there are more than 300,000 new malware samples each day. As part of Windows 10, Windows Defender Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications that you define in your code integrity policies. If the app isn’t trusted it can’t run, period.
+
+With hardware that meets basic requirements, it also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code. With appropriate hardware, Windows Defender Device Guard can use the new virtualization-based security in Windows 10 to isolate the Code Integrity service from the Microsoft Windows kernel itself. In this case, the Code Integrity service runs alongside the kernel in a Windows hypervisor-protected container.
+
+Windows Defender Device Guard protects threats that can expose personal or sensitive data to attack, including:
+
+- Exposure to new malware, for which the "signature" is not yet known
+
+- Exposure to unsigned code (most malware is unsigned)
+
+- Malware that gains access to the kernel and then, from within the kernel, captures sensitive information or damages the system
+
+- DMA-based attacks, for example, attacks launched from a malicious device that read secrets from memory, making the enterprise more vulnerable to attack; and 
+
+- Exposure to boot kits or to a physically present attacker at boot time.
+
+### Threat protection: Post-breach detection and response
+The GDPR includes explicit requirements for breach notification where a personal data breach means, “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
+
+As noted in the Windows Security Center white paper, [Post Breach: Dealing with Advanced Threats](http://wincom.blob.core.windows.net/documents/Post_Breach_Dealing_with_Advanced_Threats_Whitepaper.pdf), “_Unlike pre-breach, post-breach assumes a breach has already occurred – acting as a flight recorder and Crime Scene Investigator (CSI). Post-breach provides security teams the information and toolset needed to identify, investigate, and respond to attacks that otherwise will stay undetected and below the radar._”
+
+#### Insightful security diagnostic data
+For nearly two decades, Microsoft has been turning threats into useful intelligence that can help fortify our platform and protect customers. Today, with the immense computing advantages afforded by the cloud, we are finding new ways to use our rich analytics engines driven by threat intelligence to protect our customers.
+
+By applying a combination of automated and manual processes, machine learning and human experts, we can create an Intelligent Security Graph that learns from itself and evolves in real-time, reducing our collective time to detect and respond to new incidents across our products.
+
+![Diagram of Microsoft's Intelligent Security Graph](images/gdpr-intelligent-security-graph.png)
+
+The scope of Microsoft’s threat intelligence spans, literally, billions of data points: 35 billion messages scanned monthly, 1 billion customers across enterprise and consumer segments accessing 200+ cloud services, and 14 billion authentications performed daily. All this data is pulled together on your behalf by Microsoft to create the Intelligent Security Graph that can help you protect your front door dynamically to stay secure, remain productive, and meet the requirements of the GDPR.
+
+#### Detecting attacks and forensic investigation
+Even the best endpoint defenses may be breached eventually, as cyberattacks become more sophisticated and targeted.
+
+Windows Defender Advanced Threat Protection (ATP) helps you detect, investigate, and respond to advanced attacks and data breaches on your networks. GDPR expects you to protect against attacks and breaches through technical security measures to ensure the ongoing confidentiality, integrity, and availability of personal data.
+
+Among the key benefits of ATP are the following:
+
+- Detecting the undetectable - sensors built deep into the operating system kernel, Windows security experts, and unique optics from over 1 billion machines and signals across all Microsoft services.
+
+- Built in, not bolted on - agentless with high performance and low impact, cloud-powered; easy management with no deployment. 
+
+- Single pane of glass for Windows security - explore 6 months of rich machine timeline that unifies security events from Windows Defender ATP, Windows Defender Antivirus.
+
+- Power of the Microsoft graph - leverages the Microsoft Intelligence Security Graph to integrate detection and exploration with Office 365 ATP subscription, to track back and respond to attacks.
+
+Read more at [What’s new in the Windows Defender ATP Creators Update preview](https://blogs.microsoft.com/microsoftsecure/2017/03/13/whats-new-in-the-windows-defender-atp-creators-update-preview/).
+
+To provide Detection capabilities, Windows 10 improves our OS memory and kernel sensors to enable detection of attackers who are employing in-memory and kernel-level attacks – shining a light into previously dark spaces where attackers hid from conventional detection tools. We’ve already successfully leveraged this new technology against zero-days attacks on Windows.
+
+![Windows Defender Security Center](images/gdpr-security-center.png)
+
+We continue to upgrade our detections of ransomware and other advanced attacks, applying our behavioral and machine-learning detection library to counter changing attacks trends. Our historical detection capability ensures new detection rules apply to up to six months of stored data to detect attacks that previously went unnoticed. Customers can also add customized detection rules or IOCs to augment the detection dictionary.
+
+Customers asked us for a single pane of glass across the entire Windows security stack. Windows Defender Antivirus detections and Windows Defender Device Guard blocks are the first to surface in the Windows Defender ATP portal interleaved with Windows Defender ATP detections. The new user entity adds identity as a pivot, providing insight into actions, relationships, and alerts that span machines and allow us to track attackers moving laterally across the network.
+
+Our alert page now includes a new process tree visualization that aggregates multiple detections and related events into a single view that helps security teams reduce the time to resolve cases by providing the information required to understand and resolve incidents without leaving the alert page.
+
+Security Operations (SecOps) can hunt for evidence of attacks, such as file names or hashes, IP addresses or URLs, behaviors, machines, or users. They can do this immediately by searching the organization’s cloud inventory, across all machines – and going back up to 6 months in time – even if machines are offline, have been reimaged, or no longer exist.
+
+![Windows Defender Security Center - User screen](images/gdpr-security-center2.png)
+
+When detecting an attack, security teams can now take immediate action: isolate machines, ban files from the network, kill or quarantine running processes or files, or retrieve an investigation package from a machine to provide forensic evidence – with a click of a button. Because while detecting advanced attacks is important – shutting them down is even more so.
+
+![Windows Defender Security Center - Machine screen](images/gdpr-security-center3.png)
+
+### Identity Protection
+Identify and access management is another area where the GDPR has placed special emphasis by calling for mechanisms to grant and restrict access to data subject personal data (for example, role-based access, segregation of duties).
+
+#### Multi-factor protection 
+Biometric authentication – using your face, iris, or fingerprint to unlock your devices – is much safer than traditional passwords. You– uniquely you– plus your device are the keys to your apps, data, and even websites and services – not a random assortment of letters and numbers that are easily forgotten, hacked, or written down and pinned to a bulletin board.
+
+Your ability to protect personal and sensitive data, that may be stored or accessed through desktop or laptops will be further enhanced by adopting advanced authentication capabilities such as Windows Hello for Business and Windows Hello companion devices. Windows Hello for Business, part of Windows 10, gives users a personal, secured experience where the device is authenticated based on their presence. Users can log in with a look or a touch, with no need for a password.
+
+In conjunction with Windows Hello for Business, biometric authentication uses fingerprints or facial recognition and is more secure, more personal, and more convenient. If an application supports Hello, Windows 10 enables you to authenticate applications, enterprise content, and even certain online experiences without a password being stored on your device or in a network server at all.
+Windows Hello for Business works with the Companion Device Framework to enhance the user authentication experience. Using the Windows Hello Companion Device Framework, a companion device can provide a rich experience for Windows Hello even when biometrics are not available (for example, if the Windows 10 desktop lacks a camera for face authentication or fingerprint reader device).
+
+There are numerous ways one can use the Windows Hello Companion Device Framework to build a great Windows unlock experience with a companion device. For example, users can:
+
+- Work offline (for example, while traveling on a plane)
+
+- Attach their companion device to PC via USB, touch the button on the companion device, and automatically unlock their PC.
+
+- Carry a phone in their pocket that is already paired with their PC over Bluetooth. Upon hitting the spacebar on their PC, their phone receives a notification. Approve it and the PC simply unlocks.
+
+- Tap their companion device to an NFC reader to quickly unlock their PC.
+
+- Wear a fitness band that has already authenticated the wearer. Upon approaching PC, and by performing a special gesture (like clapping), the PC unlocks.
+
+#### Protection against attacks by isolating user credentials
+As noted in the [Windows 10 Credential Theft Mitigation Guide](https://www.microsoft.com/en-us/download/confirmation.aspx?id=54095), “_the tools and techniques criminals use to carry out credential theft and reuse attacks improve, malicious attackers are finding it easier to achieve their goals. Credential theft often relies on operational practices or user credential exposure, so effective mitigations require a holistic approach that addresses people, processes, and technology. In addition, these attacks rely on the attacker stealing credentials after compromising a system to expand or persist access, so organizations must contain breaches rapidly by implementing strategies that prevent attackers from moving freely and undetected in a compromised network._”
+
+An important design consideration for Windows 10 was mitigating credential theft — in particular, derived credentials. Windows Defender Credential Guard provides significantly improved security against derived credential theft and reuse by implementing a significant architectural change in Windows designed to help eliminate hardware-based isolation attacks rather than simply trying to defend against them.
+
+When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges can't extract secrets that are protected by virtualization-based security. While Windows Defender Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate Windows Defender Device Guard, as described above, and other security strategies and architectures.
+
+### Information Protection
+The GDPR is focused on information protection regarding data that is considered as personal or sensitive in relation to a natural person, or data subject. Device protection, protection against threats, and identity protection are all important elements of a Defense in Depth strategy surrounding a layer of information protection in your laptop and desktop systems.
+
+As to the protection of data, the GDPR recognizes that in assessing data security risk, consideration should be given to the risks that are presented such as accidental loss, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. It also recommends that measures taken to maintain an appropriate level of security should consider the state-of-the-art and the costs of implementation in relation to the risks among other factors.
+
+Windows 10 provides built in risk mitigation capabilities for today’s threat landscape. In this section, we will look at the types of technologies that will help your journey toward GDPR compliance and at the same time provide you with solid overall data protection as part of a comprehensive information protection strategy.
+
+![Diagram of Microsoft's comprehensive information protection strategy](images/gdpr-comp-info-protection.png)
+
+#### Encryption for lost or stolen devices
+The GDPR calls for mechanisms that implement appropriate technical security measures to confirm the ongoing confidentiality, integrity, and availability of both personal data and processing systems. BitLocker Encryption, first introduced as part of Microsoft's Next-Generation Secure Computing Base architecture in 2004 and made available with Windows Vista, is a built-in data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.
+
+BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later. The TPM is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to protect user data and to ensure that a computer has not been tampered with while the system was offline. 
+
+Data on a lost or stolen computer is vulnerable to unauthorized access, either by running a software-attack tool against it or by transferring the computer's hard disk to a different computer. BitLocker helps mitigate unauthorized data access by enhancing file and system protections. BitLocker also helps render data inaccessible when BitLocker-protected computers are decommissioned or recycled.
+
+Related to BitLocker are Encrypted Hard Drives, a new class of hard drives that are self-encrypting at a hardware level and allow for full disk hardware encryption. Encrypted Hard Drives use the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management.
+
+By offloading the cryptographic operations to hardware, Encrypted Hard Drives increase BitLocker performance and reduce CPU usage and power consumption. Because Encrypted Hard Drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity.
+
+Some of the benefits of Encrypted Hard Drives include:
+
+- **Better performance.** Encryption hardware, integrated into the drive controller, allows the drive to operate at full data rate with no performance degradation.
+
+- **Strong security based in hardware.** Encryption is always "on" and the keys for encryption never leave the hard drive. User authentication is performed by the drive before it will unlock, independently of the operating system
+
+- **Ease of use.** Encryption is transparent to the user because it is on by default. There is no user interaction needed to enable encryption. Encrypted Hard Drives are easily erased using on-board encryption key; there is no need to re-encrypt data on the drive.
+
+- **Lower cost of ownership.** There is no need for new infrastructure to manage encryption keys, since BitLocker leverages your Active Directory Domain Services infrastructure to store recovery information. Your device operates more efficiently because processor cycles don't need to be used for the encryption process.
+
+#### Preventing accidental data leaks to unauthorized users
+Part of the reality of your operating in a mobile-first, cloud-first world is the notion that some laptops will have multiple purposes – both business and personal. Yet that data that is considered as personal and sensitive regarding EU residents considered as “data subjects” must be protected in line with the requirements of the GDPR.
+
+Windows Information Protection helps people separate their work and personal data and keeps data encrypted wherever it’s stored. Your employees can safely use both work and personal data on the same device without switching applications. Windows Information Protection helps end users avoid inadvertent data leaks by sending a warning when copy/pasting information in non-corporate applications – end users can still proceed but the action will be logged centrally. 
+
+For example, employees can’t send protected work files from a personal email account instead of their work account. They also can’t accidently post personal or sensitive data from a corporate site into a tweet. Windows Information Protection also helps ensure that they aren’t saving personal or sensitive data in a public cloud storage location. 
+
+#### Capabilities to classify, assign permissions and share data
+Windows Information Protection is designed to coexist with advanced data loss prevention (DLP) capabilities found in Office 365 ProPlus, Azure Information Protection, and Azure Rights Management. Advanced DLP prevents printing, for example, or protects work data that is emailed outside your company. 
+
+To continously protect your data, regardless of where it is stored, with whom it is shared, or if the device is running iOS, Android or Windows, the classification and protection needs to be built into the file itself, so this protection can travel with the data wherever it goes. Microsoft Azure Information Protection (AIP) is designed to provide this persistent data protection both on-premises and in the cloud.
+
+Data classification is an important part of any data governance plan. Adopting a classification scheme that applies throughout your business can be particularly helpful in responding to what the GDPR calls data subject (for example, your EU employee or customer) requests, because it enables enterprises to identify more readily and process personal data requests.
+
+Azure Information Protection can be used to help you classify and label your data at the time of creation or modification. Protection in the form of encryption, which the GDPR recognizes may be appropriate at times, or visual markings can then be applied to data needing protection. 
+
+With Azure Information Protection, you can either query for data marked with a sensitivity label or intelligently identify sensitive data when a file or email is created or modified. Once identified, you can automatically classify and label the data – all based on the company’s desired policy. 
+
+Azure Information Protection also helps your users share sensitive data in a secure manner. In the example below, information about a sensitive acquisition was encrypted and restricted to a group of people who were granted only a limited set of permissions on the information – they could modify the content but could not copy or print it.
+
+![Azure Information Protection screen with limitations](images/gdpr-azure-info-protection.png)
+
+## Related content for associated Windows 10 solutions
+
+- **Windows Hello for Business:** https://www.youtube.com/watch?v=WOvoXQdj-9E and https://docs.microsoft.com/en-us/windows/access-protection/hello-for-business/hello-identity-verification
+
+- **Windows Defender Antivirus:** https://www.youtube.com/watch?v=P1aNEy09NaI and https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10
+
+- **Windows Defender Advanced Threat Protection:** https://www.youtube.com/watch?v=qxeGa3pxIwg and https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection
+
+- **Windows Defender Device Guard:** https://www.youtube.com/watch?v=F-pTkesjkhI and https://docs.microsoft.com/en-us/windows/device-security/device-guard/device-guard-deployment-guide
+
+- **Windows Defender Credential Guard:** https://www.youtube.com/watch?v=F-pTkesjkhI and https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard
+
+- **Windows Information Protection:** https://www.youtube.com/watch?v=wLkQOmK7-Jg and https://docs.microsoft.com/en-us/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip
+
+- Windows 10 Security Guide: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/windows-10-security-guide
+
+## Disclaimer
+This article is a commentary on the GDPR, as Microsoft interprets it, as of the date of publication. We’ve spent a lot of time with GDPR and like to think we’ve been thoughtful about its intent and meaning. But the application of GDPR is highly fact-specific, and not all aspects and interpretations of GDPR are well-settled.
+
+As a result, this article is provided for informational purposes only and should not be relied upon as legal advice or to determine how GDPR might apply to you and your organization. We encourage you to work with a legally-qualified professional to discuss GDPR, how it applies specifically to your organization, and how best to ensure compliance.
+
+MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS ARTICLE. This article is provided “as-is.” Information and views expressed in this article, including URL and other Internet website references, may change without notice.
+
+This article does not provide you with any legal rights to any intellectual property in any Microsoft product.  You may copy and use this article for your internal, reference purposes only.  
+
+Published September 2017<br>
+Version 1.0<br>
+© 2017 Microsoft. All rights reserved.

windows/privacy/index.md

@@ -1 +0,0 @@
-# Welcome to privacy!

windows/privacy/index.yml

@@ -0,0 +1,148 @@
+### YamlMime:YamlDocument
+
+documentType: LandingData
+
+title: Windows Privacy
+
+metadata:
+
+  document_id: 
+
+  title: Windows Privacy
+
+  description: Learn about how privacy is managed in Windows.
+
+  keywords: Windows 10, Windows Server, Windows Server 2016, privacy, GDPR, compliance, endpoints
+
+  ms.localizationpriority: high
+
+  author: danihalfin
+
+  ms.author: daniha
+
+  ms.date: 04/25/2018
+
+  ms.topic: article
+
+  ms.devlang: na
+
+sections:
+
+- items:
+
+  - type: markdown
+
+    text: Get ready for General Data Protection Regulation (GDPR) by viewing and configuring diagnostics data in your organization. 
+
+- items:
+
+  - type: list
+
+    style: cards
+
+    className: cardsM
+
+    columns: 3
+
+    items:
+
+    - href: \windows\privacy\gdpr-win10-whitepaper
+
+      html: <p>Learn about GDPR and how Microsoft helps you get started towards compliance</p>
+
+      image:
+
+        src: https://docs.microsoft.com/media/common/i_advanced.svg
+
+      title: Begin your GDPR journey
+
+    - href: \windows\privacy\configure-windows-diagnostic-data-in-your-organization
+
+      html: <p>Make informed decisions about how you can configure diagnostic data in your organization</p>
+
+      image:
+
+        src: https://docs.microsoft.com/media/common/i_filter.svg
+
+      title: Configure Windows diagnostic data
+
+    - href: \windows\privacy\diagnostic-data-viewer-overview
+
+      html: <p>Review the diagnostic data sent to Microsoft by device in your organization</p>
+
+      image:
+
+        src: https://docs.microsoft.com/media/common/i_investigate.svg
+
+      title: View diagnostic data
+
+- title: Understand Diagnostic Data in Windows 10 
+
+  items:
+
+  - type: paragraph
+
+    text: 'For the latest Windows 10 version, Learn more about what Windows Diagnostic Data is gathered at various diagnostics levels.'
+
+  - type: list
+
+    style: cards
+
+    className: cardsM
+
+    columns: 3
+
+    items:
+
+    - href: \windows\privacy\basic-level-windows-diagnostic-events-and-fields
+
+      html: <p>Learn more about basic diagnostics events and fields collected</p>
+
+      image:
+
+        src: https://docs.microsoft.com/media/common/i_extend.svg
+      
+      title: Basic level events and fields
+
+    - href: \windows\privacy\enhanced-diagnostic-data-windows-analytics-events-and-fields
+
+      html: <p>Learn more about diagnostics events and fields used by Windows Analytics</p>  
+
+      image:
+
+        src: https://docs.microsoft.com/media/common/i_delivery.svg
+      
+      title: Enhanced level events and fields
+
+    - href: \windows\privacy\windows-diagnostic-data
+    
+      html: <p>Learn more about all diagnostics data collected</p>
+
+      image:
+
+        src: https://docs.microsoft.com/media/common/i_get-started.svg
+      
+      title: Full level events and fields
+
+- items:
+
+  - type: list
+
+    style: cards
+
+    className: cardsL
+
+    items:
+
+    - title: View and manage Windows 10 connection endpoints
+
+      html: <p><a class="barLink" href="/windows/privacy/manage-windows-endpoints-version-1709">Manage Windows 10 connection endpoints</a></p>
+
+            <p><a class="barLink" href="/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services">Manage connections from Windows to Microsoft services</a></p>
+
+    - title: Additional resources
+
+      html: <p><a class="barLink" href="https://www.microsoft.com/en-us/trustcenter/cloudservices/windows10">Windows 10 on Trust Center</a></p>
+
+            <p><a class="barLink" href="https://docs.microsoft.com/en-us/microsoft-365/compliance/gdpr">GDPR on Microsoft365 Compliance solutions</a></p>
+      

windows/privacy/manage-windows-endpoints.md

@@ -0,0 +1,739 @@
+---
+title: Windows 10 connection endpoints
+description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact.
+keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.localizationpriority: high
+author: brianlic-msft
+ms.author: brianlic
+ms.date: 11/21/2017
+---
+# Manage Windows 10 connection endpoints
+
+**Applies to**
+
+- Windows 10, version 1709 and later
+
+Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include:
+
+-	Connecting to Microsoft Office and Windows sites to download the latest app and security updates.
+-	Connecting to email servers to send and receive email.
+-	Connecting to the web for every day web browsing.
+-	Connecting to the cloud to store and access backups.
+-	Using your location to show a weather forecast.
+
+This article lists different endpoints that are available on a clean installation of Windows 10 Enterprise, version 1709 and later.
+Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). 
+Where applicable, each endpoint covered in this topic includes a link to specific details about how to control traffic to it. 
+
+We used the following methodology to derive these network endpoints:
+
+1.	Set up the latest version of Windows 10 Enterprise test virtual machine using the default settings. 
+2.	Leave the devices running idle for a week (that is, a user is not interacting with the system/device).
+3.	Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.  
+4.	Compile reports on traffic going to public IP addresses.
+5.  The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory.
+
+> [!NOTE]
+> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time.
+
+## Apps
+
+The following endpoint is used to download updates to the Weather app Live Tile. 
+If you [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), no Live Tiles will be updated.
+
+| Source process | Protocol | Destination | Applies from Windows 10 version |
+|----------------|----------|------------|----------------------------------|
+| explorer        | HTTP     | tile-service.weather.microsoft.com  | 1709 |
+|   | HTTP  | blob.weather.microsoft.com | 1803 |
+
+The following endpoint is used for OneNote Live Tile. 
+To turn off traffic for this endpoint, either uninstall OneNote or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). 
+If you disable the Microsoft store, other Store apps cannot be installed or updated. 
+Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
+
+| Source process | Protocol | Destination | Applies from Windows 10 version |
+|----------------|----------|------------|----------------------------------|
+|  | HTTPS   | cdn.onenote.net/livetile/?Language=en-US | 1709 |
+
+The following endpoints are used for Twitter updates. 
+To turn off traffic for these endpoints, either uninstall Twitter or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). 
+If you disable the Microsoft store, other Store apps cannot be installed or updated. 
+Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
+
+| Source process | Protocol | Destination | Applies from Windows 10 version |
+|----------------|----------|------------|----------------------------------|
+|  | HTTPS   | wildcard.twimg.com | 1709 |
+| svchost.exe |             | oem.twimg.com/windows/tile.xml | 1709 |
+
+The following endpoint is used for Facebook updates. 
+To turn off traffic for this endpoint, either uninstall Facebook or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). 
+If you disable the Microsoft store, other Store apps cannot be installed or updated. 
+Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
+
+| Source process | Protocol | Destination | Applies from Windows 10 version |
+|----------------|----------|------------|----------------------------------|
+|  |    | star-mini.c10r.facebook.com | 1709 |
+
+The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office Online. 
+To turn off traffic for this endpoint, either uninstall the Photos app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). 
+If you disable the Microsoft store, other Store apps cannot be installed or updated. 
+Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
+
+| Source process | Protocol | Destination | Applies from Windows 10 version |
+|----------------|----------|------------|----------------------------------|
+| WindowsApps\Microsoft.Windows.Photos | HTTPS | evoke-windowsservices-tas.msedge.net | 1709 |
+
+The following endpoint is used for Candy Crush Saga updates. 
+To turn off traffic for this endpoint, either uninstall Candy Crush Saga or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). 
+If you disable the Microsoft store, other Store apps cannot be installed or updated. 
+Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
+
+| Source process | Protocol | Destination | Applies from Windows 10 version |
+|----------------|----------|------------|----------------------------------|
+|  | TLS v1.2    | candycrushsoda.king.com | 1709 |
+
+The following endpoint is used for by the Microsoft Wallet app. 
+To turn off traffic for this endpoint, either uninstall the Wallet app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). 
+If you disable the Microsoft store, other Store apps cannot be installed or updated. 
+Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
+
+| Source process | Protocol | Destination | Applies from Windows 10 version |
+|----------------|----------|------------|----------------------------------|
+| system32\AppHostRegistrationVerifier.exe | HTTPS | wallet.microsoft.com | 1709 |
+
+The following endpoint is used by the Groove Music app for update HTTP handler status. 
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-apps-for-websites), apps for websites won't work and customers who visit websites (such as mediaredirect.microsoft.com) that are registered with their associated app (such as Groove Music) will stay at the website and won't be able to directly launch the app.
+
+| Source process | Protocol | Destination | Applies from Windows 10 version |
+|----------------|----------|------------|----------------------------------|
+| system32\AppHostRegistrationVerifier.exe | HTTPS | mediaredirect.microsoft.com | 1709 |
+
+## Cortana and Search
+
+The following endpoint is used to get images that are used for Microsoft Store suggestions.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block images that are used for Microsoft Store suggestions.
+
+| Source process | Protocol | Destination | Applies from Windows 10 version |
+|----------------|----------|------------|----------------------------------|
+| searchui        | HTTPS |store-images.s-microsoft.com  | 1709 |
+
+The following endpoint is used to update Cortana greetings, tips, and Live Tiles.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block updates to Cortana greetings, tips, and Live Tiles.
+
+| Source process | Protocol | Destination | Applies from Windows 10 version |
+|----------------|----------|------------|----------------------------------|
+| backgroundtaskhost  | HTTPS   | www.bing.com/client | 1709 |
+
+The following endpoint is used to configure parameters, such as how often the Live Tile is updated. It's also used to activate experiments. 
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), parameters would not be updated and the device would no longer participate in experiments.
+
+| Source process | Protocol | Destination | Applies from Windows 10 version |
+|----------------|----------|------------|----------------------------------|
+| backgroundtaskhost  | HTTPS   | www.bing.com/proactive | 1709 |
+
+The following endpoint is used by Cortana to report diagnostic and diagnostic data information.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), Microsoft won't be aware of issues with Cortana and won't be able to fix them.
+
+| Source process | Protocol | Destination | Applies from Windows 10 version |
+|----------------|----------|------------|----------------------------------|
+| searchui <br> backgroundtaskhost | HTTPS   | www.bing.com/threshold/xls.aspx | 1709 |
+
+## Certificates
+
+The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update), but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. 
+
+| Source process | Protocol | Destination | Applies from Windows 10 version |
+|----------------|----------|------------|----------------------------------|
+| svchost        | HTTP     | ctldl.windowsupdate.com | 1709 |
+
+The following endpoints are used to download certificates that are publicly known to be fraudulent.
+These settings are critical for both Windows security and the overall security of the Internet. 
+We do not recommend blocking this endpoint.
+If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.
+
+| Source process | Protocol | Destination | Applies from Windows 10 version |
+|----------------|----------|------------|----------------------------------|
+| svchost        | HTTP     | ctldl.windowsupdate.com | 1709 |
+
+## Device authentication
+
+The following endpoint is used to authenticate a device.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), the device will not be authenticated.
+
+| Source process | Protocol | Destination | Applies from Windows 10 version |
+|----------------|----------|------------|----------------------------------|
+|   | HTTPS   | login.live.com/ppsecure | 1709 |
+
+## Device metadata
+
+The following endpoint is used to retrieve device metadata.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-devinst), metadata will not be updated for the device.
+
+| Source process | Protocol | Destination | Applies from Windows 10 version |
+|----------------|----------|------------|----------------------------------|
+|   |    | dmd.metaservices.microsoft.com.akadns.net | 1709 |
+|   |  HTTP  | dmd.metaservices.microsoft.com | 1803 |
+
+## Diagnostic Data
+
+The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.
+
+| Source process | Protocol | Destination | Applies from Windows 10 version |
+|----------------|----------|------------|----------------------------------|
+| svchost |   | cy2.vortex.data.microsoft.com.akadns.net | 1709 |
+
+The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.
+
+| Source process | Protocol | Destination | Applies from Windows 10 version |
+|----------------|----------|------------|----------------------------------|
+| svchost |    | v10.vortex-win.data.microsoft.com/collect/v1 | 1709 |
+
+The following endpoints are used by Windows Error Reporting.
+To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.
+
+| Source process | Protocol | Destination | Applies from Windows 10 version |
+|----------------|----------|------------|----------------------------------|
+| wermgr |        | watson.telemetry.microsoft.com  | 1709 |
+|        | TLS v1.2 | modern.watson.data.microsoft.com.akadns.net | 1709 |
+
+## Font streaming
+
+The following endpoints are used to download fonts on demand.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#font-streaming), you will not be able to download fonts on demand.
+
+| Source process | Protocol | Destination | Applies from Windows 10 version |
+|----------------|----------|------------|----------------------------------|
+| svchost  |     | fs.microsoft.com      | 1709 |
+|          |     | fs.microsoft.com/fs/windows/config.json | 1709 | 
+
+## Licensing
+
+The following endpoint is used for online activation and some app licensing.
+To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.
+
+| Source process | Protocol | Destination | Applies from Windows 10 version |
+|----------------|----------|------------|----------------------------------|
+| licensemanager  | HTTPS   | licensing.mp.microsoft.com/v7.0/licenses/content | 1709 |
+
+## Location
+
+The following endpoint is used for location data.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location), apps cannot use location data.
+
+| Source process | Protocol | Destination | Applies from Windows 10 version |
+|----------------|----------|------------|----------------------------------|
+|  | HTTP   | location-inference-westus.cloudapp.net  | 1709 |
+
+## Maps
+
+The following endpoint is used to check for updates to maps that have been downloaded for offline use.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps), offline maps will not be updated.
+
+| Source process | Protocol | Destination | Applies from Windows 10 version |
+|----------------|----------|------------|----------------------------------|
+| svchost | HTTPS   | *g.akamaiedge.net  | 1709 |
+
+## Microsoft account
+
+The following endpoints are used for Microsoft accounts to sign in. 
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account), users cannot sign in with Microsoft accounts.
+
+| Source process | Protocol | Destination | Applies from Windows 10 version |
+|----------------|----------|------------|----------------------------------|
+|  |   | login.msa.akadns6.net  | 1709 |
+| system32\Auth.Host.exe | HTTPS | auth.gfx.ms | 1709 |
+
+## Microsoft Store
+
+The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.
+
+| Source process | Protocol | Destination | Applies from Windows 10 version |
+|----------------|----------|------------|----------------------------------|
+|  |    | *.wns.windows.com | 1709 |
+
+The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store. 
+To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
+
+| Source process | Protocol | Destination | Applies from Windows 10 version |
+|----------------|----------|------------|----------------------------------|
+|  | HTTP   | storecatalogrevocation.storequality.microsoft.com | 1709 |
+
+The following endpoints are used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). 
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
+
+| Source process | Protocol | Destination | Applies from Windows 10 version |
+|----------------|----------|------------|----------------------------------|
+|  | HTTPS   | img-prod-cms-rt-microsoft-com.akamaized.net | 1709 |
+| backgroundtransferhost | HTTPS   | store-images.microsoft.com | 1803 |
+
+The following endpoints are used to communicate with Microsoft Store. 
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
+
+| Source process | Protocol | Destination | Applies from Windows 10 version |
+|----------------|----------|------------|----------------------------------|
+|  | HTTP   | storeedgefd.dsx.mp.microsoft.com  | 1709 |
+|  | HTTP   | pti.store.microsoft.com  | 1709 |
+||TLS v1.2|cy2.\*.md.mp.microsoft.com.\*.| 1709 |
+| svchost | HTTPS | displaycatalog.mp.microsoft.com | 1803 |
+
+## Network Connection Status Indicator (NCSI)
+
+Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. 
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi), NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning.
+
+| Source process | Protocol | Destination | Applies from Windows 10 version |
+|----------------|----------|------------|----------------------------------|
+|  | HTTP   | www.msftconnecttest.com/connecttest.txt | 1709 |
+
+## Office
+
+The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office Online. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity). 
+You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps.
+If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.
+
+| Source process | Protocol | Destination | Applies from Windows 10 version |
+|----------------|----------|------------|----------------------------------|
+|   |    | *.a-msedge.net  | 1709 | 
+| hxstr  |    | *.c-msedge.net  | 1709 | 
+|   |    | *.e-msedge.net  | 1709 |
+|   |    | *.s-msedge.net  | 1709 |
+|   | HTTPS | ocos-office365-s2s.msedge.net | 1803 |
+
+The following endpoint is used to connect to the Office 365 portal's shared infrastructure, including Office Online. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity). 
+You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps.
+If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.
+
+| Source process | Protocol | Destination | Applies from Windows 10 version |
+|----------------|----------|------------|----------------------------------|
+| system32\Auth.Host.exe | HTTPS | outlook.office365.com | 1709 |
+
+The following endpoint is OfficeHub traffic used to get the metadata of Office apps. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
+
+| Source process | Protocol | Destination | Applies from Windows 10 version |
+|----------------|----------|------------|----------------------------------|
+|Windows Apps\Microsoft.Windows.Photos|HTTPS|client-office365-tas.msedge.net| 1709 |
+
+## OneDrive
+
+The following endpoint is a redirection service that’s used to automatically update URLs.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive), anything that relies on g.live.com to get updated URL information will no longer work.
+
+| Source process | Protocol | Destination | Applies from Windows 10 version |
+|----------------|----------|------------|----------------------------------|
+| onedrive | HTTP \ HTTPS   | g.live.com/1rewlive5skydrive/ODSUProduction | 1709 |
+
+The following endpoint is used by OneDrive for Business to download and verify app updates. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US).
+To turn off traffic for this endpoint, uninstall OneDrive for Business. In this case, your device will not able to get OneDrive for Business app updates.
+
+| Source process | Protocol | Destination | Applies from Windows 10 version |
+|----------------|----------|------------|----------------------------------|
+| onedrive | HTTPS   | oneclient.sfx.ms | 1709 |
+
+## Settings
+
+The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
+
+| Source process | Protocol | Destination | Applies from Windows 10 version |
+|----------------|----------|------------|----------------------------------|
+| dmclient |   | cy2.settings.data.microsoft.com.akadns.net  | 1709 |
+
+The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
+
+| Source process | Protocol | Destination | Applies from Windows 10 version |
+|----------------|----------|------------|----------------------------------|
+| dmclient  | HTTPS  | settings.data.microsoft.com | 1709 |
+
+The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as Windows Connected User Experiences and Telemetry component and Windows Insider Program use it.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
+
+| Source process | Protocol | Destination | Applies from Windows 10 version |
+|----------------|----------|------------|----------------------------------|
+| svchost | HTTPS   | settings-win.data.microsoft.com | 1709 |
+
+## Skype
+
+The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
+
+| Source process | Protocol | Destination | Applies from Windows 10 version |
+|----------------|----------|------------|----------------------------------|
+|microsoft.windowscommunicationsapps.exe | HTTPS | config.edge.skype.com | 1709 |
+
+
+
+## Windows Defender
+
+The following endpoint is used for Windows Defender when Cloud-based Protection is enabled.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), the device will not use Cloud-based Protection.
+
+| Source process | Protocol | Destination | Applies from Windows 10 version |
+|----------------|----------|------------|----------------------------------|
+|   |    | wdcp.microsoft.com | 1709 |
+
+The following endpoints are used for Windows Defender definition updates.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), definitions will not be updated.
+
+| Source process | Protocol | Destination | Applies from Windows 10 version |
+|----------------|----------|------------|----------------------------------|
+|   |    | definitionupdates.microsoft.com | 1709 |
+|MpCmdRun.exe|HTTPS|go.microsoft.com | 1709 |
+
+## Windows Spotlight
+
+The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight), Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see [Windows Spotlight](/windows/configuration/windows-spotlight).
+
+| Source process | Protocol | Destination | Applies from Windows 10 version |
+|----------------|----------|------------|----------------------------------|
+| backgroundtaskhost  | HTTPS   | arc.msn.com | 1709 |
+| backgroundtaskhost  |    | g.msn.com.nsatc.net | 1709 |
+|    |TLS v1.2| *.search.msn.com | 1709 |
+|   | HTTPS   | ris.api.iris.microsoft.com | 1709 |
+|    | HTTPS | query.prod.cms.rt.microsoft.com | 1709 |
+
+## Windows Update
+
+The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates), Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.
+
+| Source process | Protocol | Destination | Applies from Windows 10 version |
+|----------------|----------|------------|----------------------------------|
+| svchost  | HTTPS   | *.prod.do.dsp.mp.microsoft.com  | 1709 |
+
+The following endpoints are used to download operating system patches and updates. 
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to download updates for the operating system.
+
+| Source process | Protocol | Destination | Applies from Windows 10 version |
+|----------------|----------|------------|----------------------------------|
+| svchost | HTTP  | *.windowsupdate.com | 1709 |
+|         | HTTP   | fg.download.windowsupdate.com.c.footprint.net | 1709 |
+
+The following endpoint is used by the Highwinds Content Delivery Network to perform Windows updates. 
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not perform updates.
+
+| Source process | Protocol | Destination | Applies from Windows 10 version |
+|----------------|----------|------------|----------------------------------|
+|  |            | cds.d2s7q6s2.hwcdn.net | 1709 |
+
+The following endpoints are used by the Verizon Content Delivery Network to perform Windows updates. 
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not perform updates.
+
+| Source process | Protocol | Destination | Applies from Windows 10 version |
+|----------------|----------|------------|----------------------------------|
+|  |  HTTP          | *wac.phicdn.net | 1709 |
+|  |                | *wac.edgecastcdn.net | 1709 |
+
+The following endpoint is used to download apps and Windows Insider Preview builds from the Microsoft Store. Time Limited URL (TLU) is a mechanism for protecting the content. For example, it prevents someone from copying the URL and then getting access to the app that the person has not acquired).
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the updating functionality on this device is essentially in a disabled state, resulting in user unable to get apps from the Store, get latest version of Windows, and so on.
+
+| Source process | Protocol | Destination | Applies from Windows 10 version |
+|----------------|----------|------------|----------------------------------|
+| svchost |    | *.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | 1709 |
+
+The following endpoint is used to download apps from the Microsoft Store. It's used as part of calculating the right ranges for apps.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), users of the device will not able to get apps from the Microsoft Store.
+
+| Source process | Protocol | Destination | Applies from Windows 10 version |
+|----------------|----------|------------|----------------------------------|
+| svchost |    | emdl.ws.microsoft.com  | 1709 |
+
+The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. 
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store.
+
+| Source process | Protocol | Destination | Applies from Windows 10 version |
+|----------------|----------|------------|----------------------------------|
+| svchost | HTTPS   | fe2.update.microsoft.com | 1709 |
+| svchost |    | fe3.delivery.mp.microsoft.com  | 1709 |
+|       |      | fe3.delivery.dsp.mp.microsoft.com.nsatc.net | 1709 |
+| svchost | HTTPS   | sls.update.microsoft.com | 1709 |
+|   | HTTP | *.dl.delivery.mp.microsoft.com | 1803 |
+
+The following endpoint is used for content regulation.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.
+
+| Source process | Protocol | Destination | Applies from Windows 10 version |
+|----------------|----------|------------|----------------------------------|
+| svchost | HTTPS   | tsfe.trafficshaping.dsp.mp.microsoft.com | 1709 |
+
+The following endpoints are used to download content.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), you will block any content from being downloaded.
+
+| Source process | Protocol | Destination | Applies from Windows 10 version |
+|----------------|----------|------------|----------------------------------|
+|  |    | a122.dscd.akamai.net  | 1709 |
+|  |    | a1621.g.akamai.net   | 1709 |
+
+## Microsoft forward link redirection service (FWLink)
+
+The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer.
+
+If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.
+
+| Source process | Protocol | Destination | Applies from Windows 10 version |
+|----------------|----------|------------|----------------------------------|
+|Various|HTTPS|go.microsoft.com| 1709 |
+
+## Endpoints for other Windows editions
+
+In addition to the endpoints listed for Windows 10 Enterprise, the following endpoints are available on other editions of Windows 10, version 1709.
+
+## Windows 10 Home
+
+| **Destination** | **Protocol** | **Description** |
+| --- | --- | --- |
+| *.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. |
+| *.wac.phicdn.net | HTTP | Used by the Verizon Content Delivery Network to perform Windows updates. |
+| *.1.msftsrvcs.vo.llnwi.net | HTTP | Used for Windows Update downloads of apps and OS updates. |
+| *.c-msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. |
+| *.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. |
+| *.dscd.akamai.net | HTTP | Used to download content. |
+| *.dspg.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. |
+| *.hwcdn.net | HTTP | Used by the Highwinds Content Delivery Network to perform Windows updates. |
+| *.m1-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
+| *.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. |
+| *.wac.edgecastcdn.net | TLSv1.2 | Used by the Verizon Content Delivery Network to perform Windows updates. |
+| *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). |
+| *prod.do.dsp.mp.microsoft.com | TLSv1.2/
+HTTPS | Used for Windows Update downloads of apps and OS updates. |
+| .g.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. |
+| telecommand.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. |
+| 2.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. |
+| 2.tlu.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. |
+| arc.msn.com | HTTPS | Used to retrieve Windows Spotlight metadata. |
+| arc.msn.com.nsatc.net | TLSv1.2 | Used to retrieve Windows Spotlight metadata. |
+| a-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
+| au.download.windowsupdate.com | HTTP | Used to download operating system patches and updates. |
+| b-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
+| candycrushsoda.king.com | TLSv1.2 | Used for Candy Crush Saga updates. |
+| cdn.content.prod.cms.msn.com | HTTP | Used to retrieve Windows Spotlight metadata. |
+| cdn.onenote.net | HTTP | Used for OneNote Live Tile. |
+| client-office365-tas.msedge.net | HTTP | Used to connect to the Office 365 portal’s shared infrastructure, including Office Online. |
+| config.edge.skype.com | HTTP | Used to retrieve Skype configuration values. |
+| ctldl.windowsupdate.com | HTTP | Used to download certificates that are publicly known to be fraudulent. |
+| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. |
+| cy2.licensing.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. |
+| cy2.purchase.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. |
+| cy2.settings.data.microsoft.com.akadns.net | TLSv1.2 | Used as a way for apps to dynamically update their configuration. |
+| cy2.vortex.data.microsoft.com.akadns.net | TLSv1.2 | Used to retrieve Windows Insider Preview builds. |
+| definitionupdates.microsoft.com | HTTPS | Used for Windows Defender definition updates. |
+| displaycatalog.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
+| dl.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
+| dual-a-0001.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
+| fe2.update.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
+| fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
+| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2/
+HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
+| fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. |
+| fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
+| g.live.com/1rewlive5skydrive/ | HTTPS | Used by a redirection service to automatically update URLs. |
+| g.msn.com.nsatc.net | HTTP | Used to retrieve Windows Spotlight metadata. |
+| geo-prod.do.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. |
+| go.microsoft.com | HTTPS | Used by a redirection service to automatically update URLs. |
+| img-prod-cms-rt-microsoft-com.akamaized.net | HTTPS | Used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). |
+| *.login.msa.akadns6.net | TLSv1.2 | Used for Microsoft accounts to sign in. |
+| licensing.mp.microsoft.com | HTTPS | Used for online activation and some app licensing. |
+| location-inference-westus.cloudapp.net | TLSv1.2 | Used for location data. |
+| login.live.com | HTTPS | Used to authenticate a device. |
+| mediaredirect.microsoft.com | HTTPS | Used by the Groove Music app to update HTTP handler status. |
+| modern.watson.data.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. |
+| msftsrvcs.vo.llnwd.net | HTTP | Enables connections to Windows Update. |
+| msnbot-*.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. |
+| oem.twimg.com | HTTPS | Used for the Twitter Live Tile. |
+| oneclient.sfx.ms | HTTPS | Used by OneDrive for Business to download and verify app updates. |
+| peer4-wst.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
+| pti.store.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
+| pti.store.microsoft.com.unistore.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. |
+| purchase.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
+| ris.api.iris.microsoft.com.akadns.net | TLSv1.2/
+HTTPS | Used to retrieve Windows Spotlight metadata. |
+| settings-win.data.microsoft.com | HTTPS | Used for Windows apps to dynamically update their configuration. |
+| sls.update.microsoft.com.nsatc.net | TLSv1.2/
+HTTPS | Enables connections to Windows Update. |
+| star-mini.c10r.facebook.com | TLSv1.2 | Used for the Facebook Live Tile. |
+| storecatalogrevocation.storequality.microsoft.com | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. |
+| storeedgefd.dsx.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
+| store-images.s-microsoft.com | HTTP | Used to get images that are used for Microsoft Store suggestions. |
+| tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. |
+| tsfe.trafficshaping.dsp.mp.microsoft.com | TLSv1.2 | Used for content regulation. |
+| v10.vortex-win.data.microsoft.com | HTTPS | Used to retrieve Windows Insider Preview builds. |
+| wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. |
+| wallet-frontend-prod-westus.cloudapp.net | TLSv1.2 | Used by the Microsoft Wallet app. |
+| watson.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. |
+| wdcp.microsoft.akadns.net | TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled. |
+| wildcard.twimg.com | TLSv1.2 | Used for the Twitter Live Tile. |
+| www.bing.com | HTTP | Used for updates for Cortana, apps, and Live Tiles. |
+| www.facebook.com | HTTPS | Used for the Facebook Live Tile. |
+| [www.microsoft.com](http://www.microsoft.com/) | HTTPS | Used for updates for Cortana, apps, and Live Tiles. |
+
+## Windows 10 Pro
+
+| **Destination** | **Protocol** | **Description** |
+| --- | --- | --- |
+| *.*.akamai.net | HTTP | Used to download content. |
+| *.*.akamaiedge.net | HTTP/
+TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. |
+| *.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
+| *.blob.core.windows.net | HTTPS | Used by Windows Update to update words used for language input methods. |
+| *.c-msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. |
+| *.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. |
+| *.dspb.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. |
+| *.dspg.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. |
+| *.e-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
+| *.login.msa.akadns6.net | TLSv1.2 | Used for Microsoft accounts to sign in. |
+| *.s-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
+| *.telecommand.telemetry.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. |
+| *.wac.edgecastcdn.net | TLSv1.2 | Used by the Verizon Content Delivery Network to perform Windows updates. |
+| *.wac.phicdn.net | HTTP | Used by the Verizon Content Delivery Network to perform Windows updates. |
+| *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). |
+| *prod.do.dsp.mp.microsoft.com | TLSv1.2/
+HTTPS | Used for Windows Update downloads of apps and OS updates. |
+| 3.dl.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
+| 3.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. |
+| 3.tlu.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. |
+| 3.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. |
+| arc.msn.com | HTTPS | Used to retrieve Windows Spotlight metadata. |
+| arc.msn.com.nsatc.net | TLSv1.3 | Used to retrieve Windows Spotlight metadata. |
+| au.download.windowsupdate.com | HTTPS | Used to download operating system patches and updates. |
+| b-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
+| candycrushsoda.king.com | HTTPS | Used for Candy Crush Saga updates. |
+| cdn.content.prod.cms.msn.com | HTTP | Used to retrieve Windows Spotlight metadata. |
+| cdn.onenote.net | HTTPS | Used for OneNote Live Tile. |
+| client-office365-tas.msedge.net | HTTPS | Used to connect to the Office 365 portal’s shared infrastructure, including Office Online. |
+| config.edge.skype.com | HTTPS | Used to retrieve Skype configuration values. |
+| ctldl.windowsupdate.com | HTTP | Used to download certificates that are publicly known to be fraudulent. |
+| cs12.<span class="anchor" id="_Hlk500262422"></span>wpc.v0cdn.net | HTTP | Used by the Verizon Content Delivery Network to download content for Windows upgrades with Wireless Planning and Coordination (WPC). |
+| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. |
+| cy2.settings.data.microsoft.com.akadns.net | TLSv1.2 | Used as a way for apps to dynamically update their configuration. |
+| cy2.vortex.data.microsoft.com.akadns.net | TLSv1.2 | Used to retrieve Windows Insider Preview builds. |
+| definitionupdates.microsoft.com | HTTPS | Used for Windows Defender definition updates. |
+| displaycatalog.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
+| download.windowsupdate.com | HTTP | Enables connections to Windows Update. |
+| evoke-windowsservices-tas.msedge.net | HTTPS | Used by the Photos app to download configuration files, and to connect to the Office 365 portal’s shared infrastructure, including Office Online. |
+| fe2.update.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
+| fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
+| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2/
+HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
+| fe3.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
+| fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. |
+| fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
+| fs.microsoft.com | HTTPS | Used to download fonts on demand |
+| g.live.com | HTTP | Used by a redirection service to automatically update URLs. |
+| g.msn.com | HTTPS | Used to retrieve Windows Spotlight metadata. |
+| g.msn.com.nsatc.net | TLSv1.2 | Used to retrieve Windows Spotlight metadata. |
+| geo-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
+| geover-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
+| go.microsoft.com | HTTPS | Used by a redirection service to automatically update URLs. |
+| gpla1.wac.v2cdn.net | HTTP | Used for Baltimore CyberTrust Root traffic. . |
+| img-prod-cms-rt-microsoft-com.akamaized.net | HTTPS | Used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). |
+| licensing.mp.microsoft.com | HTTPS | Used for online activation and some app licensing. |
+| location-inference-westus.cloudapp.net | TLSv1.2 | Used for location data. |
+| login.live.com | HTTPS | Used to authenticate a device. |
+| l-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
+| mediaredirect.microsoft.com | HTTPS | Used by the Groove Music app to update HTTP handler status. |
+| modern.watson.data.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. |
+| msnbot-*.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. |
+| oem.twimg.com | HTTP | Used for the Twitter Live Tile. |
+| oneclient.sfx.ms | HTTP | Used by OneDrive for Business to download and verify app updates. |
+| peer1-wst.msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. |
+| pti.store.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
+| pti.store.microsoft.com.unistore.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
+| purchase.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
+| ris.api.iris.microsoft.com | HTTPS | Used to retrieve Windows Spotlight metadata. |
+| settings-win.data.microsoft.com | HTTPS | Used for Windows apps to dynamically update their configuration. |
+| sls.update.microsoft.com | HTTPS | Enables connections to Windows Update. |
+| storecatalogrevocation.storequality.microsoft.com | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. |
+| storeedgefd.dsx.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
+| store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. |
+| store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. |
+| telecommand.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. |
+| tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. |
+| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. |
+| v10.vortex-win.data.microsoft.com | HTTPS | Used to retrieve Windows Insider Preview builds. |
+| wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. |
+| watson.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. |
+| wdcp.microsoft.akadns.net | HTTPS | Used for Windows Defender when Cloud-based Protection is enabled. |
+| wildcard.twimg.com | TLSv1.2 | Used for the Twitter Live Tile. |
+| www.bing.com | TLSv1.2 | Used for updates for Cortana, apps, and Live Tiles. |
+| www.facebook.com | HTTPS | Used for the Facebook Live Tile. |
+| [www.microsoft.com](http://www.microsoft.com/) | HTTPS | Used for updates for Cortana, apps, and Live Tiles. |
+
+## Windows 10 Education
+
+| **Destination** | **Protocol** | **Description** |
+| --- | --- | --- |
+| *.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
+| *.b.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. |
+| *.c-msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. |
+| *.dscb1.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. |
+| *.dscd.akamai.net | HTTP | Used to download content. |
+| *.dspb.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. |
+| *.dspw65.akamai.net | HTTP | Used to download content. |
+| *.e-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
+| *.g.akamai.net | HTTP | Used to download content. |
+| *.g.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. |
+| *.l.windowsupdate.com | HTTP | Enables connections to Windows Update. |
+| *.s-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
+| *.wac.phicdn.net | HTTP | Used by the Verizon Content Delivery Network to perform Windows updates |
+| *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). |
+| *prod.do.dsp.mp.microsoft.com | TLSv1.2 | Used for Windows Update downloads of apps and OS updates. |
+| *prod.do.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Used for Windows Update downloads of apps and OS updates. |
+| 3.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. |
+| 3.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. |
+| a-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
+| au.download.windowsupdate.com | HTTP | Used to download operating system patches and updates. |
+| cdn.onenote.net | HTTPS | Used for OneNote Live Tile. |
+| cds.*.hwcdn.net | HTTP | Used by the Highwinds Content Delivery Network to perform Windows updates. |
+| co4.telecommand.telemetry.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. |
+| config.edge.skype.com | HTTPS | Used to retrieve Skype configuration values. |
+| ctldl.windowsupdate.com | HTTP | Used to download certificates that are publicly known to be fraudulent. |
+| cs12.wpc.v0cdn.net | HTTP | Used by the Verizon Content Delivery Network to download content for Windows upgrades with Wireless Planning and Coordination (WPC). |
+| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. |
+| cy2.settings.data.microsoft.com.akadns.net | TLSv1.2 | Used as a way for apps to dynamically update their configuration. |
+| cy2.vortex.data.microsoft.com.akadns.net | TLSv1.2 | Used to retrieve Windows Insider Preview builds. |
+| dl.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
+| download.windowsupdate.com | HTTP | Enables connections to Windows Update. |
+| evoke-windowsservices-tas.msedge.net/ab | HTTPS | Used by the Photos app to download configuration files, and to connect to the Office 365 portal’s shared infrastructure, including Office Online. |
+| fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
+| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. |
+| fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. |
+| fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
+| g.msn.com.nsatc.net | HTTP/
+TLSv1.2 | Used to retrieve Windows Spotlight metadata. |
+| geo-prod.do.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. |
+| geover-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
+| go.microsoft.com | HTTPS | Used by a redirection service to automatically update URLs. |
+| gpla1.wac.v2cdn.net | HTTP | Used for Baltimore CyberTrust Root traffic. . |
+| ipv4.login.msa.akadns6.net | TLSv1.2 | Used for Microsoft accounts to sign in. |
+| licensing.mp.microsoft.com | HTTPS | Used for online activation and some app licensing. |
+| location-inference-westus.cloudapp.net | TLSv1.2 | Used for location data. |
+| login.live.com/* | HTTPS | Used to authenticate a device. |
+| l-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
+| mediaredirect.microsoft.com | HTTPS | Used by the Groove Music app to update HTTP handler status. |
+| modern.watson.data.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. |
+| msftconnecttest.com/* | HTTP | Used by Network Connection Status Indicator (NCSI) to detect Internet connectivity and corporate network connectivity status. |
+| msnbot-65-52-108-198.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. |
+| oneclient.sfx.ms | HTTP | Used by OneDrive for Business to download and verify app updates. |
+| peer1-wst.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
+| pti.store.microsoft.com.unistore.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. |
+| settings-win.data.microsoft.com | HTTPS | Used for Windows apps to dynamically update their configuration. |
+| sls.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. |
+| store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. |
+| tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. |
+| telecommand.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. |
+| tsfe.trafficshaping.dsp.mp.microsoft.com | TLSv1.2 | Used for content regulation. |
+| wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. |
+| watson.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. |
+| wdcp.microsoft.akadns.net | TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled. |
+| www.bing.com | HTTPS | Used for updates for Cortana, apps, and Live Tiles. |
+
+## Related links
+
+- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US)
+- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/intune/get-started/network-infrastructure-requirements-for-microsoft-intune)

windows/privacy/windows-diagnostic-data-1703.md

@@ -0,0 +1,105 @@
+---
+title: Windows 10 diagnostic data for the Full diagnostic data level (Windows 10)
+description: Use this article to learn about the types of data that is collected the the Full diagnostic data level.
+keywords: privacy,Windows 10
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.localizationpriority: high
+author: eross-msft
+ms.author: lizross
+ms.date: 11/28/2017
+---
+
+# Windows 10 diagnostic data for the Full diagnostic data level
+
+**Applies to:**
+- Windows 10, version 1703
+
+Microsoft collects Windows diagnostic data to keep Windows up-to-date, secure, and operating properly. It also helps us improve Windows and, for users who have turned on “tailored experiences”, can be used to provide more relevant tips and recommendations to tailor Microsoft products to the user’s needs.   This article describes all types diagnostic data collected by Windows at the Full diagnostic data level (inclusive of data collected at Basic), with comprehensive examples of data we collect per each type. For additional, detailed technical descriptions of Basic data items, see [Windows 10, version 1709 Basic level diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md) and [Windows 10, version 1703 Basic level diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md).
+
+The data covered in this article is grouped into the following categories:
+
+-   Common Data (diagnostic header information)
+-   Device, Connectivity, and Configuration data
+-   Product and Service Usage data
+-   Product and Service Performance data
+-   Software Setup and Inventory data
+-   Browsing History data
+-   Inking, Typing, and Speech Utterance data
+
+> [!NOTE]  
+> The majority of diagnostic data falls into the first four categories.
+
+## Common data
+
+Most diagnostic events contain a header of common data:
+
+| Category Name | Examples |
+| - | - |
+| Common Data | Information that is added to most diagnostic events, if relevant and available:<br><ul><li>OS name, version, build, and [locale](https://msdn.microsoft.com/library/windows/desktop/dd318716.aspx)</li><li>User ID -- a unique identifier associated with the user's Microsoft Account (if one is used) or local account. The user's Microsoft Account identifier is not collected from devices configured to send Basic diagnostic data</li><li>Xbox UserID</li><li>Environment from which the event was logged -- Application ID of app or component that logged the event, Session GUID. Used to track events over a given period of time such the period an app is running or between boots of the OS.</li><li>The diagnostic event name, Event ID, [ETW](https://msdn.microsoft.com/library/windows/desktop/bb968803.aspx) opcode, version, schema signature, keywords, and flags</li><li>HTTP header information, including the IP address. This IP address is the source address that’s provided by the network packet header and received by the diagnostics ingestion service.</li><li>Various IDs that are used to correlate and sequence related events together.</li><li>Device ID. This is not the user provided device name, but an ID that is unique for that device.</li><li>Device class -- Desktop, Server, or Mobile</li><li>Event collection time</li><li>Diagnostic level --  Basic or Full, Sample level -- for sampled data, what sample level is this device opted into</li></ul> |
+
+## ​Device, Connectivity, and Configuration data
+
+This type of data includes details about the device, its configuration and connectivity capabilities, and status.
+
+| Category Name |  Examples |
+| - | - |
+| Device properties | Information about the OS and device hardware, such as:<br><ul><li> OS - version name, Edition</li><li>Installation type, subscription status, and genuine OS status</li><li>Processor architecture, speed, number of cores, manufacturer, and model</li><li>OEM details --manufacturer, model, and serial number<li>Device identifier and Xbox serial number</li><li>Firmware/BIOS -- type, manufacturer, model, and version</li><li>Memory -- total memory, video memory, speed, and how much memory is available after the device has reserved memory</li><li>Storage -- total capacity and disk type</li><li>Battery -- charge capacity and InstantOn support</li><li>Hardware chassis type, color, and form factor</li><li>Is this a virtual machine?</li></ul> |
+| Device capabilities | Information about the specific device capabilities such as:<br/><ul><li>Camera -- whether the device has a front facing, a rear facing camera, or both.</li><li>Touch screen -- does the device include a touch screen? If so, how many hardware touch points are supported?</li><li>Processor capabilities -- CompareExchange128, LahfSahf, NX, PrefetchW, and SSE2</li><li>Trusted Platform Module (TPM) – whether present and what version</li><li>Virtualization hardware -- whether an IOMMU is present, SLAT support, is virtualization enabled in the firmware</li><li>Voice – whether voice interaction is supported and the number of active microphones</li><li>Number of displays, resolutions, DPI</li><li>Wireless capabilities</li><li>OEM or platform face detection</li><li>OEM or platform video stabilization and quality level set</li><li>Advanced Camera Capture mode (HDR vs. LowLight), OEM vs. platform implementation, HDR probability, and Low Light probability</li></ul> |
+| Device preferences and settings | Information about the device settings and user preferences such as:<br><ul><li>User Settings – System, Device, Network &amp; Internet, Personalization, Cortana, Apps, Accounts, Time &amp; Language, Gaming, Ease of Access, Privacy, Update &amp; Security</li><li>User-provided device name</li><li>Whether device is domain-joined, or cloud-domain joined (i.e. part of a company-managed network)</li><li>Hashed representation of the domain name</li><li>MDM (mobile device management) enrollment settings and status</li><li>BitLocker, Secure Boot, encryption settings, and status</li><li>Windows Update settings and status</li><li>Developer Unlock settings and status</li><li>Default app choices</li><li>Default browser choice</li><li>Default language settings for app, input, keyboard, speech, and display</li><li>App store update settings</li><li>Enterprise OrganizationID, Commercial ID</li></ul> |
+| Device peripherals | Information about the device peripherals such as:<br><ul><li>Peripheral name, device model, class, manufacturer and description</li><li>Peripheral device state, install state, and checksum</li><li>Driver name, package name, version, and manufacturer</li><li>HWID - A hardware vendor defined ID to match a device to a driver [INF file](https://msdn.microsoft.com/windows/hardware/drivers/install/hardware-ids)</li><li>Driver state, problem code, and checksum</li><li>Whether driver is kernel mode, signed, and image size</li></ul> |
+| Device network info | Information about the device network configuration such as:<br><ul><li>Network system capabilities</li><li>Local or Internet connectivity status</li><li>Proxy, gateway, DHCP, DNS details and addresses</li><li>Paid or free network</li><li>Wireless driver is emulated or not</li><li>Access point mode capable</li><li>Access point manufacturer, model, and MAC address</li><li>WDI Version</li><li>Name of networking driver service</li><li>Wi-Fi Direct details</li><li>Wi-Fi device hardware ID and manufacturer</li><li>Wi-Fi scan attempt counts and item counts</li><li>Mac randomization is supported/enabled or not</li><li>Number of spatial streams and channel frequencies supported</li><li>Manual or Auto Connect enabled</li><li>Time and result of each connection attempt</li><li>Airplane mode status and attempts</li><li>Interface description provided by the manufacturer</li><li>Data transfer rates</li><li>Cipher algorithm</li><li>Mobile Equipment ID (IMEI) and Mobile Country Code (MCCO)</li><li>Mobile operator and service provider name</li><li>Available SSIDs and BSSIDs</li><li>IP Address type -- IPv4 or IPv6</li><li>Signal Quality percentage and changes</li><li>Hotspot presence detection and success rate</li><li>TCP connection performance</li><li>Miracast device names</li><li>Hashed IP address</li></ul>
+
+## Product and Service Usage data
+
+This type of data includes details about the usage of the device, operating system, applications and services. 
+
+| Category Name | Examples |
+| - | - |
+| App usage | Information about Windows and application usage such as:<ul><li>OS component and app feature usage</li><li>User navigation and interaction with app and Windows features. This could potentially include user input, such as name of a new alarm set, user menu choices, or user favorites.</li><li>Time of and count of app/component launches, duration of use, session GUID, and process ID</li><li>App time in various states – running foreground or background, sleeping, or receiving active user interaction</li><li>User interaction method and duration – whether and length of time user used the keyboard, mouse, pen, touch, speech, or game controller</li><li>Cortana launch entry point/reason</li><li>Notification delivery requests and status</li><li>Apps used to edit images and videos</li><li>SMS, MMS, VCard, and broadcast message usage statistics on primary or secondary line</li><li>Incoming and Outgoing calls and Voicemail usage statistics on primary or secondary line</li><li>Emergency alerts are received or displayed statistics</li><li>Content searches within an app</li><li>Reading activity -- bookmarking used, print used, layout changed</li></ul>|
+| App or product state | Information about Windows and application state such as:<ul><li>Start Menu and Taskbar pins</li><li>Online/Offline status</li><li>App launch state –- with deep-link such as Groove launched with an audio track to play, or share contract such as MMS launched to share a picture.</li><li>Personalization impressions delivered</li><li>Whether the user clicked or hovered on UI controls or hotspots</li><li>User feedback Like or Dislike or rating was provided</li><li>Caret location or position within documents and media files -- how much of a book has been read in a single session or how much of a song has been listened to.</li></ul>|
+| Login properties | <ul><li>Login success or failure</li><li>Login sessions and state</li></ul>|
+
+
+## Product and Service Performance data
+
+This type of data includes details about the health of the device, operating system, apps and drivers.
+
+| Category Name | Description and Examples |
+| - | - |
+|Device health and crash data | Information about the device and software health such as:<br><ul><li>Error codes and error messages, name and ID of the app, and process reporting the error</li><li>DLL library predicted to be the source of the error -- xyz.dll</li><li>System generated files -- app or product logs and trace files to help diagnose a crash or hang</li><li>System settings such as registry keys</li><li>User generated files – .doc, .ppt, .csv files where they are indicated as a potential cause for a crash or hang</li><li>Details and counts of abnormal shutdowns, hangs, and crashes</li><li>Crash failure data – OS, OS component, driver, device, 1st and 3rd party app data</li><li>Crash and Hang dumps<ul><li>The recorded state of the working memory at the point of the crash.</li><li>Memory in use by the kernel at the point of the crash.</li><li>Memory in use by the application at the point of the crash.</li><li>All the physical memory used by Windows at the point of the crash.</li><li>Class and function name within the module that failed.</li></li></ul> |
+|Device performance and reliability data | Information about the device and software performance such as:<br><ul><li>User Interface interaction durations -- Start Menu display times, browser tab switch times, app launch and switch times, and Cortana and search performance and reliability.</li><li>Device on/off performance -- Device boot, shutdown, power on/off, lock/unlock times, and user authentication times (fingerprint and face recognition durations).</li><li>In-app responsiveness -- time to set alarm, time to fully render in-app navigation menus, time to sync reading list, time to start GPS navigation, time to attach picture MMS, and time to complete a Microsoft Store transaction.</li><li>User input responsiveness – onscreen keyboard invocation times for different languages, time to show auto-complete words, pen or touch latencies, latency for handwriting recognition to words, Narrator screen reader responsiveness, and CPU score.</li><li>UI and media performance and glitches/smoothness -- video playback frame rate, audio glitches, animation glitches (stutter when bringing up Start), graphics score, time to first frame, play/pause/stop/seek responsiveness, time to render PDF, dynamic streaming of video from OneDrive performance</li><li>Disk footprint -- Free disk space, out of memory conditions, and disk score.</li><li>Excessive resource utilization – components impacting performance or battery life through high CPU usage during different screen and power states</li><li>Background task performance -- download times, Windows Update scan duration, Windows Defender Antivirus scan times, disk defrag times, mail fetch times, service startup and state transition times, and time to index on-device files for search results</li><li>Peripheral and devices -- USB device connection times, time to connect to a wireless display, printing times, network availability and connection times (time to connect to Wi-Fi, time to get an IP address from DHCP etc.), smart card authentication times, automatic brightness environmental response times</li><li>Device setup -- first setup experience times (time to install updates, install apps, connect to network etc.), time to recognize connected devices (printer and monitor), and time to setup Microsoft Account.</li><li>Power and Battery life – power draw by component (Process/CPU/GPU/Display), hours of screen off time, sleep state transition details, temperature and thermal throttling, battery drain in a power state (screen off or screen on), processes and components requesting power use during screen off, auto-brightness details, time device is plugged into AC vs. battery, battery state transitions</li><li>Service responsiveness - Service URI, operation, latency, service success/error codes, and protocol.</li><li>Diagnostic heartbeat – regular signal to validate the health of the diagnostics system</li></ul>|
+|Movies|Information about movie consumption functionality on the device. This isn't intended to capture user viewing, listening or habits.<br><ul><li>Video Width, height, color pallet, encoding (compression) type, and encryption type</li><li>Instructions for how to stream content for the user -- the smooth streaming manifest of chunks of content files that must be pieced together to stream the content based on screen resolution and bandwidth</li><li>URL for a specific two second chunk of content if there is an error</li><li>Full screen viewing mode details|
+|Music & TV|Information about music and TV consumption on the device. This isn't intended to capture user viewing, listening or habits.<br><ul><li>Service URL for song being downloaded from the music service – collected when an error occurs to facilitate restoration of service</li><li>Content type (video, audio, surround audio)</li><li>Local media library collection statistics -- number of purchased tracks, number of playlists</li><li>Region mismatch -- User OS Region, and Xbox Live region</li></ul>|
+|Reading|Information about reading consumption functionality on the device. This isn't intended to capture user viewing, listening or habits.<br><ul><li>App accessing content and status and options used to open a Microsoft Store book</li><li>Language of the book</li><li>Time spent reading content</li><li>Content type and size details</li></ul>|
+|Photos App|Information about photos usage on the device. This isn't intended to capture user viewing, listening or habits.<br><ul><li>File source data -- local, SD card, network device, and OneDrive</li><li>Image &amp; video resolution, video length, file sizes types and encoding</li><li>Collection view or full screen viewer use and duration of view</li></ul></ul>|
+|On-device file query | Information about local search activity on the device such as: <ul><li>Kind of query issued and index type (ConstraintIndex, SystemIndex)</li><li>Number of items requested and retrieved</li><li>File extension of search result user interacted with</li><li>Launched item kind, file extension, index of origin, and the App ID of the opening app.</li><li>Name of process calling the indexer and time to service the query.</li><li>A hash of the search scope (file, Outlook, OneNote, IE history) </li><li>The state of the indices (fully optimized, partially optimized, being built)</li></ul> |
+|Purchasing| Information about purchases made on the device such as:<br><ul><li>Product ID, edition ID and product URI</li><li>Offer details -- price</li><li>Order requested date/time</li><li>Store client type -- web or native client</li><li>Purchase quantity and price</li><li>Payment type -- credit card type and PayPal</li></ul> |
+|Entitlements | Information about entitlements on the device such as:<br><ul><li>Service subscription status and errors</li><li>DRM and license rights details -- Groove subscription or OS volume license</li><li>Entitlement ID, lease ID, and package ID of the install package</li><li>Entitlement revocation</li><li>License type (trial, offline vs online) and duration</li><li>License usage session</li></ul> |
+
+## Software Setup and Inventory data
+
+This type of data includes software installation and update information on the device.
+
+| Category Name | Data Examples |
+| - | - |
+| Installed Applications and Install History | Information about apps, drivers, update packages, or OS components installed on the device such as:<br><ul><li>App, driver, update package, or component’s Name, ID, or Package Family Name</li><li>Product, SKU, availability, catalog, content, and Bundle IDs</li><li>OS component, app or driver publisher, language, version and type (Win32 or UWP)</li><li>Install date, method, and install directory, count of install attempts</li><li>MSI package code and product code</li><li>Original OS version at install time</li><li>User or administrator or mandatory installation/update</li><li>Installation type – clean install, repair, restore, OEM, retail, upgrade, and update</li></ul> |
+| Device update information | Information about Windows Update such as:<br><ul><li>Update Readiness analysis of device hardware, OS components, apps, and drivers (progress, status, and results)</li><li>Number of applicable updates, importance, type</li><li>Update download size and source -- CDN or LAN peers</li><li>Delay upgrade status and configuration</li><li>OS uninstall and rollback status and count</li><li>Windows Update server and service URL</li><li>Windows Update machine ID</li><li>Windows Insider build details</li></ul>
+
+## Browsing History data
+
+This type of data includes details about web browsing in the Microsoft browsers.
+
+| Category Name | Description and Examples |
+| - | - |
+| Microsoft browser data | Information about Address bar and search box performance on the device such as:<ul><li>Text typed in address bar and search box</li><li>Text selected for Ask Cortana search</li><li>Service response time </li><li>Auto-completed text if there was an auto-complete</li><li>Navigation suggestions provided based on local history and favorites</li><li>Browser ID</li><li>URLs (which may include search terms)</li><li>Page title</li></ul>|
+
+
+## Inking Typing and Speech Utterance data
+
+This type of data gathers details about the voice, inking, and typing input features on the device.
+
+| Category Name | Description and Examples |
+| - | - |
+| Voice, inking, and typing | Information about voice, inking and typing features such as:<br><ul><li>Type of pen used (highlighter, ball point, pencil), pen color, stroke height and width, and how long it is used</li><li>Pen gestures (click, double click, pan, zoom, rotate)</li><li>Palm Touch x,y coordinates</li><li>Input latency, missed pen signals, number of frames, strokes, first frame commit time, sample rate</li><li>Ink strokes written, text before and after the ink insertion point, recognized text entered, Input language - processed to remove identifiers, sequencing information, and other data (such as email addresses and numeric values) which could be used to reconstruct the original content or associate the input to the user.</li><li>Text input from Windows Mobile on-screen keyboards except from password fields and private sessions - processed to remove identifiers, sequencing information, and other data (such as email addresses, and numeric values) which could be used to reconstruct the original content or associate the input to the user.</li><li>Text of speech recognition results -- result codes and recognized text</li><li>Language and model of the recognizer, System Speech language</li><li>App ID using speech features</li><li>Whether user is known to be a child</li><li>Confidence and Success/Failure of speech recognition</li></ul> |

windows/privacy/windows-diagnostic-data.md

@@ -0,0 +1,263 @@
+---
+title: Windows 10, version 1709 and newer diagnostic data for the Full level (Windows 10)
+description: Use this article to learn about the types of diagnostic data that is collected at the Full level.
+keywords: privacy,Windows 10
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.localizationpriority: high
+author: brianlic-msft
+ms.author: brianlic
+ms.date: 03/13/2018
+---
+
+# Windows 10, version 1709 and newer diagnostic data for the Full level
+
+Applies to:
+- Windows 10, version 1803
+- Windows 10, version 1709
+
+Microsoft uses Windows diagnostic data to keep Windows secure and up-to-date, troubleshoot problems, and make product improvements. For users who have turned on "Tailored experiences", it can also be used to offer you personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs. This article describes all types of diagnostic data collected by Windows at the Full level (inclusive of data collected at Basic), with comprehensive examples of data we collect per each type. For additional, detailed technical descriptions of Basic data items, see [Windows 10, version 1803 Basic level diagnostic events and fields](https://docs.microsoft.com/windows/configuration/basic-level-windows-diagnostic-events-and-fields).
+
+In addition, this article provides references to equivalent definitions for the data types and examples from [ISO/IEC 19944:2017 Information technology -- Cloud computing -- Cloud services and devices: Data flow, data categories and data use](https://www.iso.org/standard/66674.html). Each data type also has a Data Use statement, for diagnostics and for Tailored experiences on the device, using the terms as defined by the standard. These Data Use statements define the purposes for which Microsoft processes each type of Windows diagnostic data, using a uniform set of definitions referenced at the end of this document and based on the ISO standard. Reference to the ISO standard provides additional clarity about the information collected, and allows easy comparison with other services or guidance that also references the standard.
+
+The data covered in this article is grouped into the following types:
+
+- Common data (diagnostic header information)
+
+- Device, Connectivity, and Configuration data
+
+- Product and Service Usage data
+
+- Product and Service Performance data
+
+- Software Setup and Inventory data
+
+- Browsing History data
+
+- Inking, Typing, and Speech Utterance data
+
+## Common data
+Most diagnostic events contain a header of common data. In each example, the info in parentheses provides the equivalent definition for ISO/IEC 19944:2017.
+
+**Data Use for Common data**
+Header data supports the use of data associated with all diagnostic events. Therefore, Common data is used to [provide](#provide) Windows 10, and may be used to [improve](#improve), [personalize](#personalize), [recommend](#recommend), [offer](#offer), or [promote](#promote) Microsoft and third-party products and services, depending on the uses described in the **Data Use** statements for each data category.
+
+### Data Description for Common data type
+|Sub-type|Description and examples|
+|- |- |
+|Common Data|Information that is added to most diagnostic events, if relevant and available:<ul><li>Diagnostic level -- Basic or Full, Sample level -- for sampled data, what sample level is this device opted into (8.2.3.2.4 Observed Usage of the Service Capability)</li><li>Operating system name, version, build, and locale (8.2.3.2.2 Telemetry data)</li><li>Event collection time (8.2.3.2.2 Telemetry data)</li><li>User ID -- a unique identifier associated with the user's Microsoft Account (if one is used) or local account. The user's Microsoft Account identifier is not collected from devices configured to send Basic diagnostic data (8.2.5 Account data)</li><li>Xbox UserID (8.2.5 Account data)</li><li>Device ID -- This is not the user provided device name, but an ID that is unique for that device. (8.2.3.2.3 Connectivity data)</li><li>Device class -- Desktop, Server, or Mobile (8.2.3.2.3 Connectivity data)</li><li>Environment from which the event was logged -- Application ID of app or component that logged the event, Session GUID. Used to track events over a given period of time, such as the amount of time an app is running or between boots of the operating system (8.2.4 Cloud service provider data)</li><li>Diagnostic event name, Event ID, ETW opcode, version, schema signature, keywords, and flags (8.2.4 Cloud service provider data)</li><li>HTTP header information, including the IP address. This IP address is the source address that’s provided by the network packet header and received by the diagnostics ingestion service (8.2.4 Cloud service provider data)</li><li>Various IDs that are used to correlate and sequence related events together (8.2.4 Cloud service provider data)</li></ul>|
+
+## Device, Connectivity, and Configuration data
+This type of data includes details about the device, its configuration and connectivity capabilities, and status. Device, Connectivity, and Configuration Data is equivalent to ISO/IEC 19944:2017, 8.2.3.2.3 Connectivity data.
+
+### Data Use for Device, Connectivity, and Configuration data 
+
+**For Diagnostics:**<br>
+[Pseudonymized](#pseudo) Device, Connectivity, and Configuration data from Windows 10 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and related Microsoft products and services. For example:
+
+- Device, Connectivity, and Configuration data is used to understand the unique device characteristics that can contribute to an error experienced on the device, to identify patterns, and to more quickly resolve problems that impact devices with unique hardware, capabilities, or settings. For example:
+
+    - Data about the use of cellular modems and their configuration on your devices is used to troubleshoot cellular modem issues.
+
+    - Data about the use of USB hubs use and their configuration on your devices is used to troubleshoot USB hub issues.
+
+    - Data about the use of connected Bluetooth devices is used to troubleshoot compatibility issues with Bluetooth devices.
+
+- Data about device properties, such as the operating system version and available memory, is used to determine whether the device is due to, and able to, receive a Windows update.
+
+- Data about device peripherals is used to determine whether a device has installed drivers that might be negatively impacted by a Windows update.
+
+- Data about which devices, peripherals, and settings are most-used by customers, is used to prioritize Windows 10 improvements to determine the greatest positive impact to the most Windows 10 users.  
+
+**With (optional) Tailored experiences:**<br>
+If a user has enabled Tailored experiences on the device, [Pseudonymized](#pseudo) Device, Connectivity, and Configuration data from Windows 10 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 users. Also, if a user has enabled Tailored experiences on the device, [Pseudonymized](#pseudo) Device, Connectivity, and Configuration data from Windows 10 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 users. For example:
+
+- Data about device properties and capabilities is used to provide tips about how to use or configure the device to get the best performance and user experience.
+
+- Data about device capabilities, such as whether the device is pen-enabled, is used to recommend (Microsoft and third-party) apps that are appropriate for the device. These may be free or paid apps.  
+  
+### Data Description for Device, Connectivity, and Configuration data type
+|Sub-type|Description and examples|
+|- |- |
+|Device properties |Information about the operating system and device hardware, such as:<br><ul><li>Operating system - version name, edition</li><li>Installation type, subscription status, and genuine operating system status</li><li>Processor architecture, speed, number of cores, manufacturer, and model</li><li>OEM details --manufacturer, model, and serial number</li><li>Device identifier and Xbox serial number</li><li>Firmware/BIOS operating system -- type, manufacturer, model, and version</li><li>Memory -- total memory, video memory, speed, and how much memory is available after the device has reserved memory</li><li>Storage -- total capacity and disk type</li><li>Battery -- charge capacity and InstantOn support</li><li>Hardware chassis type, color, and form factor</li><li>Is this a virtual machine?</li></ul>|
+|Device capabilities|Information about the specific device capabilities, such as:<br/><ul><li>Camera -- whether the device has a front facing camera, a rear facing camera, or both.</li><li>Touch screen -- Whether the device has a touch screen? If yes, how many hardware touch points are supported?</li><li>Processor capabilities -- CompareExchange128, LahfSahf, NX, PrefetchW, and SSE2</li><li>Trusted Platform Module (TPM) -- whether a TPM exists and if yes, what version</li><li>Virtualization hardware -- whether an IOMMU exists, whether it includes SLAT support, and whether virtualization is enabled in the firmware</li><li>Voice -- whether voice interaction is supported and the number of active microphones</li><li>Number of displays, resolutions, and DPI</li><li>Wireless capabilities</li><li>OEM or platform face detection</li><li>OEM or platform video stabilization and quality-level set</li><li>Advanced Camera Capture mode (HDR versus Low Light), OEM versus platform implementation, HDR probability, and Low Light probability</li></ul>|
+|Device preferences and settings |Information about the device settings and user preferences, such as:<br><ul><li>User Settings -- System, Device, Network &amp; Internet, Personalization, Cortana, Apps, Accounts, Time &amp; Language, Gaming, Ease of Access, Privacy, Update &amp; Security</li><li>User-provided device name</li><li>Whether device is domain-joined, or cloud-domain joined (for example, part of a company-managed network)</li><li>Hashed representation of the domain name</li><li>MDM (mobile device management) enrollment settings and status</li><li>BitLocker, Secure Boot, encryption settings, and status</li><li>Windows Update settings and status</li><li>Developer Unlock settings and status</li><li>Default app choices</li><li>Default browser choice</li><li>Default language settings for app, input, keyboard, speech, and display</li><li>App store update settings</li><li>Enterprise OrganizationID, Commercial ID</li></ul>|
+|Device peripherals |Information about the device peripherals, such as:<br><ul><li>Peripheral name, device model, class, manufacturer, and description</li><li>Peripheral device state, install state, and checksum</li><li>Driver name, package name, version, and manufacturer</li><li>HWID - A hardware vendor-defined ID to match a device to a driver [INF file](https://msdn.microsoft.com/windows/hardware/drivers/install/hardware-ids)</li><li>Driver state, problem code, and checksum</li><li>Whether driver is kernel mode, signed, and image size</li></ul>|
+|Device network info |Information about the device network configuration, such as:<br><ul><li>Network system capabilities</li><li>Local or Internet connectivity status</li><li>Proxy, gateway, DHCP, DNS details, and addresses</li><li>Whether it's a paid or free network</li><li>Whether the wireless driver is emulated</li><li>Whether it's access point mode-capable</li><li>Access point manufacturer, model, and MAC address</li><li>WDI Version</li><li>Name of networking driver service</li><li>Wi-Fi Direct details</li><li>Wi-Fi device hardware ID and manufacturer</li><li>Wi-Fi scan attempt  and item counts</li><li>Whether MAC randomization is supported and enabled</li><li>Number of supported spatial streams and channel frequencies</li><li>Whether Manual or Auto-connect is enabled</li><li>Time and result of each connection attempt</li><li>Airplane mode status and attempts</li><li>Interface description provided by the manufacturer</li><li>Data transfer rates</li><li>Cipher algorithm</li><li>Mobile Equipment ID (IMEI) and Mobile Country Code (MCCO)</li><li>Mobile operator and service provider name</li><li>Available SSIDs and BSSIDs</li><li>IP Address type -- IPv4 or IPv6</li><li>Signal Quality percentage and changes</li><li>Hotspot presence detection and success rate</li><li>TCP connection performance</li><li>Miracast device names</li><li>Hashed IP address</li></ul>
+
+## Product and Service Usage data
+This type of data includes details about the usage of the device, operating system, applications and services. Product and Service Usage data is equivalent to ISO/IEC 19944:2017, 8.2.3.2.4 Observed Usage of the Service Capability.
+
+### Data Use for Product and Service Usage data
+
+**For Diagnostics:**<br>
+[Pseudonymized](#pseudo) Product and Service Usage data from Windows 10 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and related Microsoft product and services. For example:
+
+- Data about the specific apps that are in-use when an error occurs is used to troubleshoot and repair issues with Windows features and Microsoft apps. 
+
+- Data about the specific apps that are most-used by customers, is used to prioritize Windows 10 improvements to determine the greatest positive impact to the most Windows 10 users.
+
+- Data about whether devices have Suggestions turned off from the **Settings Phone** screen is to improve the Suggestions feature.
+
+- Data about whether a user canceled the authentication process in their browser is used to help troubleshoot issues with and improve the authentication process.
+
+- Data about when and what feature invoked Cortana is used to prioritize efforts for improvement and innovation in Cortana.
+
+- Data about when a context menu in the photo app is closed is used to troubleshoot and improve the photo app.
+
+**With (optional) Tailored experiences:**<br>
+If a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Product and Service Usage data from Windows 10 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 users. Also, if a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Product and Service Usage data from Windows 10 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 users. For example:
+
+- If data shows that a user has not used a particular feature of Windows, we may recommend that the user try that feature.
+
+- Data about which apps are most-used on a device is used to provide recommendations for similar or complementary (Microsoft or third-party) apps. These may be free or paid apps.
+
+
+### Data Description for Product and Service Usage data type
+|Sub-type|Description and examples |
+|- |- |
+|App usage|Information about Windows and application usage, such as:<ul><li>Operating system component and app feature usage</li><li>User navigation and interaction with app and Windows features. This could potentially include user input, such as name of a new alarm set, user menu choices, or user favorites</li><li>Time of and count of app and component launches, duration of use, session GUID, and process ID</li><li>App time in various states –- running in the foreground or background, sleeping, or receiving active user interaction</li><li>User interaction method and duration –- whether the user used a keyboard, mouse, pen, touch, speech, or game controller, and for how long</li><li>Cortana launch entry point and reason</li><li>Notification delivery requests and status</li><li>Apps used to edit images and videos</li><li>SMS, MMS, VCard, and broadcast message usage statistics on primary or secondary lines</li><li>Incoming and outgoing calls and voicemail usage statistics on primary or secondary lines</li><li>Emergency alerts are received or displayed statistics</li><li>Content searches within an app</li><li>Reading activity -- bookmarked, printed, or had the layout changed</li></ul>|
+|App or product state|Information about Windows and application state, such as:<ul><li>Start Menu and Taskbar pins</li><li>Online and offline status</li><li>App launch state –- with deep-links, such as Groove launching with an audio track to play or MMS launching to share a picture</li><li>Personalization impressions delivered</li><li>Whether the user clicked on, or hovered over, UI controls or hotspots</li><li>User provided feedback, such as Like, Dislike or a rating</li><li>Caret location or position within documents and media files -- how much has been read in a book in a single session, or how much of a song has been listened to.</li></ul>|
+|Purchasing|Information about purchases made on the device, such as:<br><ul><li>Product ID, edition ID and product URI</li><li>Offer details -- price</li><li>Date and time an order was requested</li><li>Microsoft Store client type -- web or native client</li><li>Purchase quantity and price</li><li>Payment type -- credit card type and PayPal</li></ul> |
+|Login properties|Information about logins on the device, such as:<ul><li>Login success or failure</li><li>Login sessions and state</li></ul>|
+
+## Product and Service Performance data
+This type of data includes details about the health of the device, operating system, apps, and drivers. Product and Service Performance data is equivalent to ISO/IEC 19944:2017 8.2.3.2.2 EUII Telemetry data.
+
+### Data Use for Product and Service Performance data
+
+**For Diagnostics:**<br>
+[Pseudonymized](#pseudo) Product and Service Performance data from Windows 10 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and related Microsoft product and services. For example:
+
+- Data about the reliability of content that appears in the [Windows Spotlight](https://docs.microsoft.com/windows/configuration/windows-spotlight) (rotating lock screen images) is used for Windows Spotlight reliability investigations.
+
+- Timing data about how quickly Cortana responds to voice commands is used to improve Cortana listening peformance.
+
+- Timing data about how quickly the facial recognition feature starts up and finishes is used to improve facial recognition performance.
+
+- Data about when an Application Window fails to appear is used to investigate issues with Application Window reliability and performance.
+
+**With (optional) Tailored experiences:**<br>
+If a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Product and Service Performance data from Windows 10 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 users. Also, if a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Product and Service Performance data from Windows 10 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 users.
+
+- Data about battery performance on a device may be used to recommend settings changes that can improve battery performance.
+
+- If data shows a device is running low on file storage, we may recommend Windows-compatible cloud storage solutions to free up space.
+
+- If data shows the device is experiencing performance issues, we may provide recommendations for Windows apps that can help diagnose or resolve these issues. These may be free or paid apps.
+
+**Microsoft doesn't use crash and hang dump data to [personalize](#personalize), [recommend](#recommend), [offer](#offer), or [promote](#promote) any product or service.**
+
+### Data Description for Product and Service Performance data type
+|Sub-type|Description and examples |
+|- |- |
+|Device health and crash data|Information about the device and software health, such as:<br><ul><li>Error codes and error messages, name and ID of the app, and process reporting the error</li><li>DLL library predicted to be the source of the error -- for example, xyz.dll</li><li>System generated files -- app or product logs and trace files to help diagnose a crash or hang</li><li>System settings, such as registry keys</li><li>User generated files -- files that are indicated as a potential cause for a crash or hang. For example, .doc, .ppt, .csv files</li><li>Details and counts of abnormal shutdowns, hangs, and crashes</li><li>Crash failure data -- operating system, operating system component, driver, device, and 1st and 3rd-party app data</li><li>Crash and hang dumps, including:<ul><li>The recorded state of the working memory at the point of the crash</li><li>Memory in-use by the kernel at the point of the crash.</li><li>Memory in-use by the application at the point of the crash</li><li>All the physical memory used by Windows at the point of the crash</li><li>Class and function name within the module that failed.</li></li></ul>|
+|Device performance and reliability data|Information about the device and software performance, such as:<br><ul><li>User interface interaction durations -- Start menu display times, browser tab switch times, app launch and switch times, and Cortana and Search performance and reliability</li><li>Device on and off performance -- Device boot, shutdown, power on and off, lock and unlock times, and user authentication times (fingerprint and face recognition durations)</li><li>In-app responsiveness -- time to set alarm, time to fully render in-app navigation menus, time to sync reading list, time to start GPS navigation, time to attach picture MMS, and time to complete a Microsoft Store transaction</li><li>User input responsiveness -- onscreen keyboard invocation times for different languages, time to show auto-complete words, pen or touch latencies, latency for handwriting recognition to words, Narrator screen reader responsiveness, and CPU score</li><li>UI and media performance and glitches versus smoothness -- video playback frame rate, audio glitches, animation glitches (stutter when bringing up Start), graphics score, time to first frame, play/pause/stop/seek responsiveness, time to render PDF, dynamic streaming of video from OneDrive performance</li><li>Disk footprint -- Free disk space, out of memory conditions, and disk score</li><li>Excessive resource utilization -- components impacting performance or battery life through high CPU usage during different screen and power states</li><li>Background task performance -- download times, Windows Update scan duration, Windows Defender Antivirus scan times, disk defrag times, mail fetch times, service startup and state transition times, and time to index on-device files for search results</li><li>Peripheral and devices -- USB device connection times, time to connect to a wireless display, printing times, network availability and connection times (time to connect to Wi-Fi, time to get an IP address from DHCP etc.), smart card authentication times, automatic brightness, and environmental response times</li><li>Device setup -- first setup experience times (time to install updates, install apps, connect to network, and so on), time to recognize connected devices (printer and monitor), and time to set up a Microsoft Account</li><li>Power and Battery life -- power draw by component (Process/CPU/GPU/Display), hours of time the screen is off, sleep state transition details, temperature and thermal throttling, battery drain in a power state (screen off or screen on), processes and components requesting power use while the screen is off, auto-brightness details, time device is plugged into AC versus battery, and battery state transitions</li><li>Service responsiveness -- Service URI, operation, latency, service success and error codes, and protocol</li><li>Diagnostic heartbeat -- regular signal used to validate the health of the diagnostics system</li></ul>|
+|Movies|Information about movie consumption functionality on the device. This isn't intended to capture user viewing, listening, or habits.<ul><li>Video Width, height, color palette, encoding (compression) type, and encryption type</li><li>Instructions about how to stream content for the user -- the smooth streaming manifest of content file chunks that must be pieced together to stream the content based on screen resolution and bandwidth</li><li>URL for a specific two-second chunk of content if there is an error</li><li>Full-screen viewing mode details</li></ul>|
+|Music &amp; TV|Information about music and TV consumption on the device. This isn't intended to capture user viewing, listening, or habits.<ul><li>Service URL for song being downloaded from the music service -- collected when an error occurs to facilitate restoration of service</li><li>Content type (video, audio, or surround audio)</li><li>Local media library collection statistics -- number of purchased tracks and number of playlists</li><li>Region mismatch -- User's operating system region and Xbox Live region</li></ul>|
+|Reading|Information about reading consumption functionality on the device. This isn't intended to capture user viewing, listening, or habits.<ul><li>App accessing content and status and options used to open a Microsoft Store book</li><li>Language of the book</li><li>Time spent reading content</li><li>Content type and size details</li></ul>|
+|Photos App|Information about photos usage on the device. This isn't intended to capture user viewing, listening, or habits.<ul><li>File source data -- local, SD card, network device, and OneDrive</li><li>Image and video resolution, video length, file sizes types, and encoding</li><li>Collection view or full screen viewer use and duration of view</li></ul>|
+|On-device file query |Information about local search activity on the device, such as: <ul><li>Kind of query issued and index type (ConstraintIndex or SystemIndex)</li><li>Number of items requested and retrieved</li><li>File extension of search result with which the user interacted</li><li>Launched item type, file extension, index of origin, and the App ID of the opening app</li><li>Name of process calling the indexer and the amount of time to service the query</li><li>A hash of the search scope (file, Outlook, OneNote, or IE history). The state of the indices (fully optimized, partially optimized, or being built)</li></ul> |
+|Entitlements |Information about entitlements on the device, such as:<ul><li>Service subscription status and errors</li><li>DRM and license rights details -- Groove subscription or operating system volume license</li><li>Entitlement ID, lease ID, and package ID of the install package</li><li>Entitlement revocation</li><li>License type (trial, offline versus online) and duration</li><li>License usage session</li></ul>|
+
+## Software Setup and Inventory data
+This type of data includes software installation and update information on the device. Software Setup and Inventory Data is a sub-type of ISO/IEC 19944:2017 8.2.3.2.4 Observed Usage of the Service Capability.
+
+### Data Use for Software Setup and Inventory data
+
+**For Diagnostics:**<br>
+[Pseudonymized](#pseudo) Software Setup and Inventory data from Windows 10 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and related Microsoft product and services. For example:
+
+- Data about the specific drivers that are installed on a device is used to understand whether there are any hardware or driver compatibility issues which should block or delay a Windows update.
+
+- Data about when a download starts and finishes on a device is used to understand and address download problems.
+
+- Data about the specific Microsoft Store apps that are installed on a device is used to determine which app updates to provide to the device.
+
+- Data about the antimalware installed on a device is used to understand malware transmissions vectors.
+
+**With (optional) Tailored experiences:**<br>
+If a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Software Setup and Inventory data from Windows 10 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 users. Also, if a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Software Setup and Inventory data from Windows 10 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 users. For example:
+
+- Data about the specific apps that are installed on a device is used to provide recommendations for similar or complementary apps in the Microsoft Store.
+
+### Data Description for Software Setup and Inventory data type
+|Sub-type|Description and examples |
+|- |- |
+|Installed Applications and Install History|Information about apps, drivers, update packages, or operating system components installed on the device, such as:<ul><li>App, driver, update package, or component’s Name, ID, or Package Family Name</li><li>Product, SKU, availability, catalog, content, and Bundle IDs</li><li>Operating system component, app or driver publisher, language, version and type (Win32 or UWP)</li><li>Install date, method, install directory, and count of install attempts</li><li>MSI package and product code</li><li>Original operating system version at install time</li><li>User, administrator, or mandatory installation or update</li><li>Installation type -- clean install, repair, restore, OEM, retail, upgrade, or update</li></ul>|
+|Device update information |Information about Windows Update, such as:<ul><li>Update Readiness analysis of device hardware, operating system components, apps, and drivers (progress, status, and results)</li><li>Number of applicable updates, importance, and type</li><li>Update download size and source -- CDN or LAN peers</li><li>Delay upgrade status and configuration</li><li>Operating system uninstall and rollback status and count</li><li>Windows Update server and service URL</li><li>Windows Update machine ID</li><li>Windows Insider build details</li></ul>|
+
+## Browsing History data
+This type of data includes details about web browsing in the Microsoft browsers. Browsing History data is equivalent to ISO/IEC 19944:2017 8.2.3.2.8 Client side browsing history.
+
+### Data Use for Browsing History data
+
+**For Diagnostics:**<br>
+[Pseudonymized](#pseudo) Browsing History data from Windows 10 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and related Microsoft product and services. For example:
+
+- Data about when the **Block Content** dialog box has been shown is used for investigations of blocked content.
+
+- Data about potentially abusive or malicious domains is used to make updates to Microsoft Edge and Windows Defender SmartScreen to warn users about the domain.
+
+- Data about when the **Address** bar is used for navigation purposes is used to improve the Suggested Sites feature and to understand and address problems arising from navigation.
+
+- Data about when a Web Notes session starts is used to measure popular domains and URLs for the Web Notes feature.
+
+- Data about when a default **Home** page is changed by a user is used to measure which default **Home** pages are the most popular and how often users change the default **Home** page.
+
+**With (optional) Tailored experiences:**<br> 
+If a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Browsing History data from Windows 10 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 users. Also, if a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Browsing History data from Windows 10 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 users. For example:
+
+- We may recommend that a user download a compatible app from the Microsoft Store if they have browsed to the related website. For example, if a user uses the Facebook website, we may recommend the Facebook app.
+
+### Data Description for Browsing History data type
+|Sub-type|Description and examples |
+|- |- |
+|Microsoft browser data|Information about **Address** bar and **Search** box performance on the device, such as:<ul><li>Text typed in **Address** bar and **Search** box</li><li>Text selected for an **Ask Cortana** search</li><li>Service response time</li><li>Auto-completed text, if there was an auto-complete</li><li>Navigation suggestions provided based on local history and favorites</li><li>Browser ID</li><li>URLs (may include search terms)</li><li>Page title</li></ul>|
+
+## Inking Typing and Speech Utterance data
+This type of data gathers details about the voice, inking, and typing input features on the device. Inking, Typing and Speech Utterance data is a sub-type of ISO/IEC 19944:2017 8.2.3.2.1 End User Identifiable information.
+
+### Data Use for Inking, Typing, and Speech Utterance data
+
+**For Diagnostics:**<br>
+[Anonymized](#anon) Inking, Typing, and Speech Utterance data from Windows 10 is used by Microsoft to [improve](#improve) natural language capabilities in Microsoft products and services. For example:
+
+- Data about words marked as spelling mistakes and replaced with another word from the context menu is used to improve the spelling feature.
+
+- Data about alternate words shown and selected by the user after right-clicking is used to improve the word recommendation feature.
+
+- Data about auto-corrected words that were restored back to the original word by the user is used to improve the auto-correct feature.
+
+- Data about whether Narrator detected and recognized a touch gesture is used to improve touch gesture recognition.
+
+- Data about handwriting samples sent from the Handwriting Panel is used to help Microsoft improve handwriting recognition. 
+
+**With (optional) Tailored experiences:**
+
+**Microsoft doesn't use Windows Inking, Typing, and Speech Utterance data for Tailored experiences.**
+
+### Data Description for Inking, Typing, and Speech Utterance data type
+|Sub-type|Description and examples |
+|- |- |
+|Voice, inking, and typing|Information about voice, inking and typing features, such as:<ul><li>Type of pen used (highlighter, ball point, or pencil), pen color, stroke height and width, and how long it is used</li><li>Pen gestures (click, double click, pan, zoom, or rotate)</li><li>Palm Touch x,y coordinates</li><li>Input latency, missed pen signals, number of frames, strokes, first frame commit time, and sample rate</li><li>Ink strokes written, text before and after the ink insertion point, recognized text entered, input language -- processed to remove identifiers, sequencing information, and other data (such as email addresses and numeric values), which could be used to reconstruct the original content or associate the input to the user</li><li>Text input from Windows 10 Mobile on-screen keyboards, except from password fields and private sessions -- processed to remove identifiers, sequencing information, and other data (such as email addresses and numeric values), which could be used to reconstruct the original content or associate the input to the user</li><li>Text of speech recognition results -- result codes and recognized text</li><li>Language and model of the recognizer and the System Speech language</li><li>App ID using speech features</li><li>Whether user is known to be a child</li><li>Confidence and success or failure of speech recognition</li></ul>|
+
+## ISO/IEC 19944:2017-specific terminology
+This table provides the ISO/IEC 19944:2017-specific definitions for use and de-identification qualifiers used in this article.
+
+|Term |ISO/IEC 19944:2017 Reference |Microsoft usage notes |
+|-|-|-|
+|<a name="#provide">Provide</a> |9.3.2 Provide |Use of a specified data category by a Microsoft product or service to protect and provide the described service, including, (i) troubleshoot and fix issues with the product or service or (ii) provide product or service updates.|
+|<a name="#improve">Improve</a> |9.3.3 Improve |Use of a specified data category to improve or increase the quality of a Microsoft product or service. Those improvements may be available to end users.|
+|<a name="#personalize">Personalize</a> |9.3.4 Personalize |Use of the specified data categories to create a customized experience for the end user in any Microsoft product or service.|
+|<a name="#recommend">Recommend</a> |9.3.4 Personalize |“Recommend” means use of the specified data categories to Personalize (9.3.4) the end user’s experience by recommending Microsoft products or services that can be accessed without the need to make a purchase or pay money.<br><br>Use of the specified data categories give recommendations about Microsoft products or services the end user may act on where the recommendation is (i) contextually relevant to the product or service in which it appears, (ii) that can be accessed without the need to make a purchase or pay money, and (iii) Microsoft receives no compensation for the placement.|
+|<a name="#offer">Offer</a> |9.3.5 Offer upgrades or upsell |Implies the source of the data is Microsoft products and services, and the upgrades offered come from Microsoft products and services that are relevant to the context of the current capability. The target audience for the offer is Microsoft customers.<br><br>Specifically, use of the specified data categories to make an offer or upsell new capability or capacity of a Microsoft product or service which is (i) contextually relevant to the product or service in which it appears; (ii) likely to result in additional future revenue for Microsoft from end user; and (iii) Microsoft receives no consideration for placement.|
+|<a name="#promote">Promote</a>|9.3.6 Market/advertise/promote|Use of the specified data categories to promote a product or service in or on a first-party Microsoft product or service.|
+
+<br><br>
+|Data identification qualifiers |ISO/IEC 19944:2017 Reference |Microsoft usage notes |
+|-|-|-|
+|<a name="#pseudo">Pseudonymized Data</a> |8.3.3 Pseudonymized data|As defined|
+|<a name="#anon">Anonymized Data</a> |8.3.5 Anonymized data|As defined|
+|<a name="#aggregate">Aggregated Data</a> |8.3.6 Aggregated data|As defined|