From f9fc1dcd19007234a816cf8050f5ca9bd4ab2148 Mon Sep 17 00:00:00 2001 From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com> Date: Thu, 12 Jan 2023 15:30:12 -0800 Subject: [PATCH 1/5] Remove Desktop Analytics/add WUfB reports --- ...ndows-diagnostic-data-in-your-organization.md | 16 +++++----------- 1 file changed, 5 insertions(+), 11 deletions(-) diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md index ac1febdc26..f03f515683 100644 --- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md +++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md 
@@ -348,21 +348,19 @@ If you wish to disable, at any time, switch the same setting to **0**. The defau > - Windows diagnostic data collected from a device before it was enabled with Windows diagnostic data processor configuration will be deleted when this configuration is enabled. > - When you enable devices with the Windows diagnostic data processor configuration, users may continue to submit feedback through various channels such as Windows feedback hub or Edge feedback. However, the feedback data is not subject to the terms of the Windows diagnostic data processor configuration. If this is not desired, we recommend that you disable feedback using the available policies or application management solutions. -You can also enable the Windows diagnostic data processor configuration by enrolling in services that use Windows diagnostic data. These services currently include Desktop Analytics, Update Compliance, Microsoft Managed Desktop, and Windows Update for Business. +You can also enable the Windows diagnostic data processor configuration by enrolling in services that use Windows diagnostic data. These services currently include Update Compliance, Windows Update for Business reports, Microsoft Managed Desktop, and Windows Update for Business. 
For information on these services and how to configure the group policies, refer to the following documentation: -Desktop Analytics: - -- [Enable data sharing for Desktop Analytics](/mem/configmgr/desktop-analytics/enable-data-sharing) -- [Desktop Analytics data privacy](/mem/configmgr/desktop-analytics/privacy) -- [Group policy settings for Desktop Analytics](/mem/configmgr/desktop-analytics/group-policy-settings) - Update Compliance: - [Privacy in Update Compliance](/windows/deployment/update/update-compliance-privacy) - [Manually configuring devices for Update Compliance](/windows/deployment/update/update-compliance-configuration-manual#required-policies) +Windows Update for Business reports + +- [Windows Update for Business reports prerequisites](/windows/deployment/update/wufb-reports-prerequisites) + Microsoft Managed Desktop: - [Privacy and personal data](/microsoft-365/managed-desktop/service-description/privacy-personal-data) @@ -371,10 +369,6 @@ Windows Update for Business: - [How to enable deployment protections](/windows/deployment/update/deployment-service-overview#how-to-enable-deployment-protections) -## Limit optional diagnostic data for Desktop Analytics - -For more information about how to limit the diagnostic data to the minimum required by Desktop Analytics, see [Enable data sharing for Desktop Analytics](/mem/configmgr/desktop-analytics/enable-data-sharing). - ## Change privacy settings on a single server You can also change the privacy settings on a server running either the Azure Stack HCI operating system or Windows Server. For more information, see [Change privacy settings on individual servers](/azure-stack/hci/manage/change-privacy-settings). From 24a267e33f106b1a4a8d3342d3a834a965c757d8 Mon Sep 17 00:00:00 2001 
From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com> Date: Thu, 12 Jan 2023 21:51:39 -0800 Subject: [PATCH 2/5] Add new info to processor config section --- ...ws-diagnostic-data-in-your-organization.md | 47 +++++++++++++++---- 1 file changed, 39 insertions(+), 8 deletions(-) diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md index f03f515683..3816da6feb 100644 --- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md +++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md @@ -25,7 +25,7 @@ ms.topic: conceptual - Surface Hub - Hololens -This topic describes the types of Windows diagnostic data sent back to Microsoft and the ways you can manage it within your organization. Microsoft uses the data to quickly identify and address issues affecting its customers. +This article describes the types of Windows diagnostic data sent back to Microsoft and the ways you can manage it within your organization. Microsoft uses the data to quickly identify and address issues affecting its customers. ## Overview 
@@ -301,15 +301,12 @@ Use [Policy Configuration Service Provider (CSP)](/windows/client-management/mdm ## Enable Windows diagnostic data processor configuration -> [!IMPORTANT] -> There are some significant changes planned for diagnostic data processor configuration. To learn more, [review this information](changes-to-windows-diagnostic-data-collection.md#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration). - The Windows diagnostic data processor configuration enables you to be the controller, as defined by the European Union General Data Protection Regulation (GDPR), for the Windows diagnostic data collected from your Windows devices that meet the configuration requirements. ### Prerequisites - Use a supported version of Windows 10 or Windows 11 -- The following editions are supported: +- The following editions are supported: - Enterprise - Professional - Education 
@@ -319,14 +316,48 @@ For the best experience, use the most current build of any operating system spec The diagnostic data setting on the device should be set to Required diagnostic data or higher, and the following endpoints need to be reachable: -- v10c.events.data.microsoft.com -- umwatsonc.events.data.microsoft.com -- kmwatsonc.events.data.microsoft.com +- us-v10c.events.data.microsoft.com (eu-v10c.events.data.microsoft.com for tenants with billing address in the [EU Data Boundary](/privacy/eudb/eu-data-boundary-learn#eu-data-boundary-countries-and-datacenter-locations)) +- umwatsonc.events.data.microsoft.com (eu-watsonc.events.data.microsoft.com for tenants with billing address in the [EU Data Boundary](/privacy/eudb/eu-data-boundary-learn#eu-data-boundary-countries-and-datacenter-locations)) - settings-win.data.microsoft.com - *.blob.core.windows.net ### Enabling Windows diagnostic data processor configuration +> [!NOTE] +> The information in this section applies to the following versions of Windows: +> - Windows 10, versions 20H2, 21H2 and 22H2 +> - Windows 11, versions 21H2 and 22H2 + +Starting with the January 2023 preview cumulative update, how you enable the processor configuration option depends on the billing address of the Azure AD tenant to which your devices are joined. + +### Devices in Azure AD tenants with a billing address in the European Union (EU) or European Free Trade Association (EFTA) + +For Windows devices with diagnostic data turned on and that are joined to an [Azure AD tenant with billing address](/azure/cost-management-billing/manage/change-azure-account-profile) in the EU or EFTA, the Windows diagnostic data for that device will be automatically configured for the processor option. The Windows diagnostic data for those devices will be processed in Europe. + +From a compliance standpoint, this change means that Microsoft will be the processor and the organization will be the controller of the Windows diagnostic data. 
IT admins for those organizations will become responsible for responding to their users’ [data subject requests](/compliance/regulatory/gdpr-dsr-windows). + +### Devices in Azure AD tenants with a billing address outside of the EU and EFTA + +For Windows devices with diagnostic data turned on and that are joined to an [Azure AD tenant with billing address](/azure/cost-management-billing/manage/change-azure-account-profile) outside of the EU and EFTA, to enable the processor configuration option, the organization must sign up for any of the following enterprise services, which rely on diagnostic data: + +- [Update Compliance](/windows/deployment/update/update-compliance-monitor) +- [Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview) +- [Windows Update for Business deployment service](/windows/deployment/update/deployment-service-overview) +- [Microsoft Managed Desktop](/managed-desktop/intro/) +- [Endpoint analytics (in Microsoft Intune)](/mem/analytics/overview) + +*(Additional licensing requirements may apply to use these services.)* + +If you don’t sign up for any of these enterprise services, Microsoft will act as controller for the diagnostic data. + +> [!NOTE] +> In all cases, enrollment in the Windows diagnostic data processor configuration requires a device to be joined to an Azure AD tenant. If a device isn't properly enrolled, Microsoft will act as the controller for Windows diagnostic data in accordance with the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Data Protection Addendum](https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA) terms won't apply. + +### Enabling Windows diagnostic data processor configuration (older versions of Windows 10) + +> [!NOTE] +> The information in this section applies to Windows 10, versions 1809, 1903, 1909, and 2004. 
+ Use the instructions below to enable Windows diagnostic data processor configuration using a single setting, through Group Policy, or an MDM solution. In Group Policy, to enable Windows diagnostic data processor configuration, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** and switch the **Allow commercial data pipeline** setting to **enabled**. From 8824f5d081433019df31657d2655d009869b0d2a Mon Sep 17 00:00:00 2001 From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com> Date: Fri, 13 Jan 2023 14:02:27 -0800 Subject: [PATCH 3/5] Updates based on feedback --- ...ws-diagnostic-data-in-your-organization.md | 43 ++++++------------- 1 file changed, 13 insertions(+), 30 deletions(-) diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md index 3816da6feb..2809134a14 100644 --- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md +++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md @@ -325,8 +325,8 @@ The diagnostic data setting on the device should be set to Required diagnostic d > [!NOTE] > The information in this section applies to the following versions of Windows: -> - Windows 10, versions 20H2, 21H2 and 22H2 -> - Windows 11, versions 21H2 and 22H2 +> - Windows 10, versions 20H2, 21H2, 22H2, and newer +> - Windows 11, versions 21H2, 22H2, and newer Starting with the January 2023 preview cumulative update, how you enable the processor configuration option depends on the billing address of the Azure AD tenant to which your devices are joined. 
@@ -334,8 +334,15 @@ Starting with the January 2023 preview cumulative update, how you enable the pro For Windows devices with diagnostic data turned on and that are joined to an [Azure AD tenant with billing address](/azure/cost-management-billing/manage/change-azure-account-profile) in the EU or EFTA, the Windows diagnostic data for that device will be automatically configured for the processor option. The Windows diagnostic data for those devices will be processed in Europe. +> [!NOTE] +> The Windows diagnostic data processor configuration has components for which work is in progress to be included in the EU Data Boundary, but completion of this work is delayed beyond January 1, 2023. These components will be included in the EU Data Boundary in the coming months. In the meantime, Microsoft will temporarily transfer data out of the EU Data Boundary as part of service operations to ensure uninterrupted operation of the services customers signed up for. + From a compliance standpoint, this change means that Microsoft will be the processor and the organization will be the controller of the Windows diagnostic data. IT admins for those organizations will become responsible for responding to their users’ [data subject requests](/compliance/regulatory/gdpr-dsr-windows). +>[!Note] +> - Windows diagnostic data collected from a device before it was enabled with Windows diagnostic data processor configuration will be deleted when this configuration is enabled. +> - When you enable devices with the Windows diagnostic data processor configuration, users may continue to submit feedback through various channels such as Windows feedback hub or Edge feedback. However, the feedback data is not subject to the terms of the Windows diagnostic data processor configuration. If this is not desired, we recommend that you disable feedback using the available policies or application management solutions. 
+ ### Devices in Azure AD tenants with a billing address outside of the EU and EFTA For Windows devices with diagnostic data turned on and that are joined to an [Azure AD tenant with billing address](/azure/cost-management-billing/manage/change-azure-account-profile) outside of the EU and EFTA, to enable the processor configuration option, the organization must sign up for any of the following enterprise services, which rely on diagnostic data: @@ -353,10 +360,12 @@ If you don’t sign up for any of these enterprise services, Microsoft will act > [!NOTE] > In all cases, enrollment in the Windows diagnostic data processor configuration requires a device to be joined to an Azure AD tenant. If a device isn't properly enrolled, Microsoft will act as the controller for Windows diagnostic data in accordance with the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Data Protection Addendum](https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA) terms won't apply. -### Enabling Windows diagnostic data processor configuration (older versions of Windows 10) +### Enabling Windows diagnostic data processor configuration on older versions of Windows > [!NOTE] -> The information in this section applies to Windows 10, versions 1809, 1903, 1909, and 2004. +> The information in this section applies to the following versions of Windows: +> - Windows 10, versions 1809, 1903, 1909, and 2004. +> - Newer versions of Windows 10 and Windows 11 that have not updated yet to at least the January 2023 preview cumulative update. Use the instructions below to enable Windows diagnostic data processor configuration using a single setting, through Group Policy, or an MDM solution. 
@@ -374,32 +383,6 @@ Under **Value**, use **1** to enable the service. If you wish to disable, at any time, switch the same setting to **0**. The default value is **0**. ->[!Note] -> - If you have any additional policies that also enable you to be a controller of Windows diagnostic data, such as the services listed below, you will need to turn off all the applicable policies in order to stop being a controller for Windows diagnostic data. -> - Windows diagnostic data collected from a device before it was enabled with Windows diagnostic data processor configuration will be deleted when this configuration is enabled. -> - When you enable devices with the Windows diagnostic data processor configuration, users may continue to submit feedback through various channels such as Windows feedback hub or Edge feedback. However, the feedback data is not subject to the terms of the Windows diagnostic data processor configuration. If this is not desired, we recommend that you disable feedback using the available policies or application management solutions. - -You can also enable the Windows diagnostic data processor configuration by enrolling in services that use Windows diagnostic data. These services currently include Update Compliance, Windows Update for Business reports, Microsoft Managed Desktop, and Windows Update for Business. 
- -For information on these services and how to configure the group policies, refer to the following documentation: - -Update Compliance: - -- [Privacy in Update Compliance](/windows/deployment/update/update-compliance-privacy) -- [Manually configuring devices for Update Compliance](/windows/deployment/update/update-compliance-configuration-manual#required-policies) - -Windows Update for Business reports - -- [Windows Update for Business reports prerequisites](/windows/deployment/update/wufb-reports-prerequisites) - -Microsoft Managed Desktop: - -- [Privacy and personal data](/microsoft-365/managed-desktop/service-description/privacy-personal-data) - -Windows Update for Business: - -- [How to enable deployment protections](/windows/deployment/update/deployment-service-overview#how-to-enable-deployment-protections) - ## Change privacy settings on a single server You can also change the privacy settings on a server running either the Azure Stack HCI operating system or Windows Server. For more information, see [Change privacy settings on individual servers](/azure-stack/hci/manage/change-privacy-settings). From b0cbda2824a774015bc833a1e9c49465b2c3bba4 Mon Sep 17 00:00:00 2001 From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com> Date: Fri, 13 Jan 2023 14:21:40 -0800 Subject: [PATCH 4/5] Move some info around --- ...ows-diagnostic-data-in-your-organization.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md index 2809134a14..f8fc2daacd 100644 --- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md +++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md 
@@ -312,6 +312,9 @@ The Windows diagnostic data processor configuration enables you to be the contro - Education - The device must be joined to Azure Active Directory (can be a hybrid Azure AD join). +> [!NOTE] +> In all cases, enrollment in the Windows diagnostic data processor configuration requires a device to be joined to an Azure AD tenant. If a device isn't properly enrolled, Microsoft will act as the controller for Windows diagnostic data in accordance with the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Data Protection Addendum](https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA) terms won't apply. + For the best experience, use the most current build of any operating system specified above. Configuration functionality and availability may vary on older systems. See [Lifecycle Policy](/lifecycle/products/windows-10-enterprise-and-education) The diagnostic data setting on the device should be set to Required diagnostic data or higher, and the following endpoints need to be reachable: @@ -321,6 +324,10 @@ The diagnostic data setting on the device should be set to Required diagnostic d - settings-win.data.microsoft.com - *.blob.core.windows.net +>[!Note] +> - Windows diagnostic data collected from a device before it was enabled with Windows diagnostic data processor configuration will be deleted when this configuration is enabled. +> - When you enable devices with the Windows diagnostic data processor configuration, users may continue to submit feedback through various channels such as Windows feedback hub or Edge feedback. However, the feedback data is not subject to the terms of the Windows diagnostic data processor configuration. If this is not desired, we recommend that you disable feedback using the available policies or application management solutions. + ### Enabling Windows diagnostic data processor configuration > [!NOTE] 
@@ -330,7 +337,7 @@ The diagnostic data setting on the device should be set to Required diagnostic d Starting with the January 2023 preview cumulative update, how you enable the processor configuration option depends on the billing address of the Azure AD tenant to which your devices are joined. -### Devices in Azure AD tenants with a billing address in the European Union (EU) or European Free Trade Association (EFTA) +#### Devices in Azure AD tenants with a billing address in the European Union (EU) or European Free Trade Association (EFTA) For Windows devices with diagnostic data turned on and that are joined to an [Azure AD tenant with billing address](/azure/cost-management-billing/manage/change-azure-account-profile) in the EU or EFTA, the Windows diagnostic data for that device will be automatically configured for the processor option. The Windows diagnostic data for those devices will be processed in Europe. 
@@ -339,11 +346,7 @@ For Windows devices with diagnostic data turned on and that are joined to an [Az From a compliance standpoint, this change means that Microsoft will be the processor and the organization will be the controller of the Windows diagnostic data. IT admins for those organizations will become responsible for responding to their users’ [data subject requests](/compliance/regulatory/gdpr-dsr-windows). ->[!Note] -> - Windows diagnostic data collected from a device before it was enabled with Windows diagnostic data processor configuration will be deleted when this configuration is enabled. -> - When you enable devices with the Windows diagnostic data processor configuration, users may continue to submit feedback through various channels such as Windows feedback hub or Edge feedback. However, the feedback data is not subject to the terms of the Windows diagnostic data processor configuration. If this is not desired, we recommend that you disable feedback using the available policies or application management solutions. - -### Devices in Azure AD tenants with a billing address outside of the EU and EFTA +#### Devices in Azure AD tenants with a billing address outside of the EU and EFTA For Windows devices with diagnostic data turned on and that are joined to an [Azure AD tenant with billing address](/azure/cost-management-billing/manage/change-azure-account-profile) outside of the EU and EFTA, to enable the processor configuration option, the organization must sign up for any of the following enterprise services, which rely on diagnostic data: 
@@ -357,9 +360,6 @@ For Windows devices with diagnostic data turned on and that are joined to an [Az If you don’t sign up for any of these enterprise services, Microsoft will act as controller for the diagnostic data. -> [!NOTE] -> In all cases, enrollment in the Windows diagnostic data processor configuration requires a device to be joined to an Azure AD tenant. If a device isn't properly enrolled, Microsoft will act as the controller for Windows diagnostic data in accordance with the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Data Protection Addendum](https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA) terms won't apply. - ### Enabling Windows diagnostic data processor configuration on older versions of Windows > [!NOTE] From d1b9e8a568597e951a0ea09128aaabc4624172b0 Mon Sep 17 00:00:00 2001 From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com> Date: Fri, 13 Jan 2023 14:28:45 -0800 Subject: [PATCH 5/5] Update lifecycle link --- .../configure-windows-diagnostic-data-in-your-organization.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md index f8fc2daacd..669941fd55 100644 --- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md +++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md 
@@ -315,7 +315,7 @@ The Windows diagnostic data processor configuration enables you to be the contro > [!NOTE] > In all cases, enrollment in the Windows diagnostic data processor configuration requires a device to be joined to an Azure AD tenant. If a device isn't properly enrolled, Microsoft will act as the controller for Windows diagnostic data in accordance with the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Data Protection Addendum](https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA) terms won't apply. -For the best experience, use the most current build of any operating system specified above. Configuration functionality and availability may vary on older systems. See [Lifecycle Policy](/lifecycle/products/windows-10-enterprise-and-education) +For the best experience, use the most current build of any operating system specified above. Configuration functionality and availability may vary on older systems. For release information, see [Windows 10 Enterprise and Education](/lifecycle/products/windows-10-enterprise-and-education) and [Windows 11 Enterprise and Education](/lifecycle/products/windows-11-enterprise-and-education) on the Microsoft Lifecycle Policy site. The diagnostic data setting on the device should be set to Required diagnostic data or higher, and the following endpoints need to be reachable:
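Review bot: in PATCH 1/5 (hunk @@ -348,21 +348,19 @@) the added label "Windows Update for Business reports" has no trailing colon, while the sibling labels in the same list do ("Update Compliance:", "Microsoft Managed Desktop:", "Windows Update for Business:"). Add the colon so the four service labels match.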
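Review bot: in the endpoint list of PATCH 2/5 (hunk @@ -319,14 +316,48 @@) the EU alternative for umwatsonc.events.data.microsoft.com is written as eu-watsonc.events.data.microsoft.com, which drops the "um" prefix, whereas the v10c entry keeps its stem (us-v10c / eu-v10c). Please confirm the hostname before merging, because admins copy this list into firewall and proxy allowlists and a mistyped name leaves the real endpoint unreachable. The same hunk removes kmwatsonc.events.data.microsoft.com and replaces v10c with us-v10c without a word in the commit message; state whether existing allowlist entries for the old names should be kept or retired.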
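Review bot: in PATCH 3/5 (hunk @@ -334,8 +334,15 @@) the new EU Data Boundary note says Microsoft "will temporarily transfer data out of the EU Data Boundary", but the unchanged sentence directly above it still says the data "will be processed in Europe" with no qualification. Reword the earlier sentence or point it at the note so the two statements do not contradict each other for a reader assessing data residency. "In the coming months" will also date quickly; a link to a status page or a target date would age better. Minor: the second added callout uses ">[!Note]" while the first uses "> [!NOTE]".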
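Review bot: in PATCH 3/5 (hunk @@ -353,10 +360,12 @@) the new bullet scopes the section to devices "that have not updated yet to at least the January 2023 preview cumulative update", but nothing in the series identifies that update by KB number or OS build, so an admin cannot tell from the page which of the two sections applies to a given device. Add the KB or minimum build, or link to the release notes. The heading now reads "on older versions of Windows" while the bullet also covers newer versions that are only missing the update; consider a heading that reflects both cases.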
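Review bot: PATCH 3/5 (hunk @@ -374,32 +383,6 @@) deletes the note's first bullet ("you will need to turn off all the applicable policies in order to stop being a controller for Windows diagnostic data") and, unlike the other two bullets, it is not re-added anywhere in the series. After this change the page explains how an organization becomes controller (automatically for EU/EFTA tenants, by service sign-up elsewhere) but no longer says how to stop being one. If that guidance still holds, restore it next to the list of enterprise services; if it no longer applies, say so in the commit message.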
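Review bot: in PATCH 4/5 (hunk @@ -312,6 +312,9 @@) the relocated note opens by restating the requirement from the bullet immediately above it ("The device must be joined to Azure Active Directory"). Trim the note to the consequence only, that is, what happens when a device isn't properly enrolled (Microsoft acts as controller and the Data Protection Addendum terms won't apply), so the prerequisite is stated once.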