From bec0a9d00ac34fecc24205323f057e5d4833b06e Mon Sep 17 00:00:00 2001 From: valemieux <98555474+valemieux@users.noreply.github.com> Date: Mon, 20 Jun 2022 13:19:42 -0700 Subject: [PATCH 01/15] 40012854 - Clarify LogAnalytics may extract MI logs after opt-in --- .../event-id-explanations.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index 1b9d67ff10..0c3579cf09 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md @@ -52,6 +52,9 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind ## Diagnostic events for Intelligent Security Graph (ISG) and Managed Installer (MI) +> [!NOTE] +> When Managed Installer is enabled, customers using LogAnalytics should be aware that Managed Installer may fire many 3091 events. Customers may need to filter out these events to avoid high LogAnalytics costs. + Events 3090, 3091 and 3092 prove helpful diagnostic information when the ISG or MI option is enabled by any WDAC policy. These events can help you debug why something was allowed/denied based on managed installer or ISG. These events do not necessarily indicate a problem but should be reviewed in context with other events like 3076 or 3077 described above. | Event ID | Explanation | From 210cc4b2bbfa0bad13212bbba799a8ae1403b41a Mon Sep 17 00:00:00 2001 From: valemieux <98555474+valemieux@users.noreply.github.com> Date: Mon, 20 Jun 2022 14:03:21 -0700 Subject: [PATCH 02/15] 40023533 - UTF-8 certificates are incompatible with signed WDAC policy --- ...t-windows-defender-application-control-against-tampering.md | 3 +++ 1 file changed, 3 insertions(+) 
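Review bot: the new NOTE in event-id-explanations.md refers to event 3091 before the table below this paragraph defines it, and it spells the product "LogAnalytics" rather than "Log Analytics"; consider moving the note to just after the event table (or writing "event 3091 (see the table below)") and using the two-word product name. The commit subject says the volume appears "after opt-in", but the note only says "When Managed Installer is enabled"; saying explicitly that the 3091 volume is expected only on devices whose policy enables the Managed Installer option, and that these are diagnostic events that "do not necessarily indicate a problem" (as the next paragraph already states), would help readers filter the noisy source without dropping 3091 events wholesale.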
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md index f99d35706c..ee63feb1cf 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md @@ -48,6 +48,9 @@ To sign a WDAC policy with SignTool.exe, you need the following components: > [!NOTE] > All policies (base and supplemental and single-policy format) must be pkcs7 signed. [PKCS 7 Standard](https://datatracker.ietf.org/doc/html/rfc5652) +> +>Certificate fields, like 'subject common name' and 'issuer common name,' cannot be UTF-8 encoded, otherwise, blue screens may occur. These strings must be encoded as PRINTABLE_STRING, IA5STRING or BMPSTRING. + If you do not have a code signing certificate, see [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md) for instructions on how to create one. If you use an alternate certificate or WDAC policy, be sure to update the following steps with the appropriate variables and certificate so that the commands will function properly. To sign the existing WDAC policy, copy each of the following commands into an elevated Windows PowerShell session: From e391b756708309767a2c9bfdd671eb26bdaef736 Mon Sep 17 00:00:00 2001 
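Review bot: the new note in use-signed-policies-...md says the fields "cannot be UTF-8 encoded", but the constraint is on the ASN.1 string type used for the name attributes, so naming that type (UTF8String) and using consistent names for the permitted types (PrintableString, IA5String, BMPString instead of the mixed PRINTABLE_STRING / IA5STRING / BMPSTRING) would make it precise. It should also say which certificate it applies to (the code signing certificate used to sign the policy, i.e. the one from the component list above) and what "blue screens" means here (a bug check when the signed policy is loaded at boot), since that is the impact the reader needs to avoid; one sentence on how to check the string types before signing (for example, dumping the certificate's ASN.1 with `certutil -asn`) would turn the warning into an actionable pre-flight check. Minor: the quoted blank line `>` and the line starting `>Certificate` lack the space after `>` that the surrounding `> [!NOTE]` block uses.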
From: Jordan Geurten Date: Thu, 23 Jun 2022 17:34:16 -0400 Subject: [PATCH 03/15] Added PE hash explanation to the WDAC docs --- .../select-types-of-rules-to-create.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 94be9da4e5..a6c838737d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md 
@@ -88,7 +88,7 @@ Each file rule level has its benefit and disadvantage. Use Table 2 to select the | Rule level | Description | |----------- | ----------- | -| **Hash** | Specifies individual hash values for each discovered binary. This is the most specific level, and requires more effort to maintain the current product versions’ hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. | +| **Hash** | Specifies individual [Authenticode/PE image hash values](#More-information-about-hashes) for each discovered binary. This is the most specific level, and requires more effort to maintain the current product versions’ hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. | | **FileName** | Specifies the original filename for each binary. Although the hash values for an application are modified when updated, the file names are typically not. This level offers less specific security than the hash level, but it doesn't typically require a policy update when any binary is modified. | | **FilePath** | Beginning with Windows 10 version 1903, this level allows binaries to run from specific file path locations. More information about FilePath level rules can be found below. | | **SignedVersion** | This level combines the publisher rule with a version number. It allows anything to run from the specified publisher with a version at or above the specified version number. | 
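Review bot: the anchor `#More-information-about-hashes` added to the Hash row will not resolve; Markdown heading anchors are lowercased, so it needs to be `#more-information-about-hashes` to match the `## More information about hashes` heading introduced in the next hunk. Since the point of linking is that re-signing does not change the hash, the unchanged tail of the row ("Each time a binary is updated, the hash value changes") could add "(but not when the binary is only re-signed or timestamped)" so the table and the new section agree.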
@@ -146,6 +146,10 @@ You can also use the following macros when the exact volume may vary: `%OSDRIVE% ## More information about hashes +WDAC uses the [Authenticode/PE image hash algorithm](https://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Authenticode_PE.docx) when calcuating the hash of a file. Unlike the more popular, but less secure, [flat file hash](https://docs.microsoft.com/powershell/module/microsoft.powershell.utility/get-filehash), the Authenticode hash calculation omits the file's checksum and the Certificate Table and the Attribute Certificate Table. Therefore, the Authenticode hash of a file does not change when the file is re-signed or timestamped, or the digital signature is removed from the file. By using the Authenticode hash, WDAC provides added security and less management overhead so customers do not need to revise the policy hash rules when the digital signature on the file is updated. + +The Authenticode/PE image hash can be calculated for digitally-signed and unsigned files. + ### Why does scan create four hash rules per XML file? The PowerShell cmdlet will produce an Authenticode Sha1 Hash, Sha256 Hash, Sha1 Page Hash, Sha256 Page Hash. From a80d6df2e9ecfcdb69a42d1b488f78bc74c27fe2 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 27 Jun 2022 16:15:34 -0700 Subject: [PATCH 04/15] Update event-id-explanations.md --- .../event-id-explanations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index 2e324713fc..e96c186076 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md 
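Review bot: "calcuating" in the first added paragraph is misspelled ("calculating"), and the absolute `https://docs.microsoft.com/powershell/...` link should use the site-relative `/powershell/module/...` form used elsewhere in these docs. The description of the flat file hash as "less secure" is not supported by the explanation that follows, which is about stability under re-signing and timestamping rather than security; "less stable under re-signing" describes the real trade-off, and "added security" in the last sentence can go for the same reason. The list of excluded regions should match the Authenticode PE spec the paragraph links to: the CheckSum field in the optional header, the Certificate Table entry in the optional header's data directory, and the Attribute Certificate Table itself; "the file's checksum and the Certificate Table and the Attribute Certificate Table" runs these together. One practical caveat worth a sentence: because these regions are excluded, the Authenticode hash of a file will not equal the value `Get-FileHash` returns for the same file, so readers troubleshooting a hash rule should not compare the two.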
@@ -9,7 +9,7 @@ author: jsuther1974 ms.reviewer: jogeurte ms.author: dansimp manager: dansimp -ms.date: 05/09/2022 +ms.date: 06/27/2022 ms.topic: reference --- From 9b6f93fda97bcd9ea0c0be49d2483357fdab4755 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 27 Jun 2022 16:15:49 -0700 Subject: [PATCH 05/15] Update use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md --- ...-windows-defender-application-control-against-tampering.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md index ef443c5c9f..1b87884a5e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md @@ -14,7 +14,7 @@ author: jsuther1974 ms.reviewer: isbrahm ms.author: dansimp manager: dansimp -ms.date: 05/03/2018 +ms.date: 06/27/2022 ms.technology: windows-sec --- 
@@ -111,4 +111,4 @@ If you do not have a code signing certificate, see [Optional: Create a code sign 9. Validate the signed file. When complete, the commands should output a signed policy file called {PolicyID}.cip to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy WDAC policies, see [Deploy and manage Windows Defender Application Control with Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md). > [!NOTE] -> The device with the signed policy must be rebooted one time with Secure Boot enabled for the UEFI lock to be set. \ No newline at end of file +> The device with the signed policy must be rebooted one time with Secure Boot enabled for the UEFI lock to be set. From c64e32e065cbf4d265700fd36111a913b0b4805e Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 27 Jun 2022 16:16:30 -0700 Subject: [PATCH 06/15] Update select-types-of-rules-to-create.md --- .../select-types-of-rules-to-create.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index a6c838737d..4e2e839d51 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -14,7 +14,7 @@ author: dansimp ms.reviewer: isbrahm ms.author: dansimp manager: dansimp -ms.date: 01/26/2022 +ms.date: 06/27/2022 ms.technology: windows-sec --- From 1ebab7ccf17f53425bce730ff4a38ffceba75315 Mon Sep 17 00:00:00 2001 
From: Denise Vangel-MSFT Date: Mon, 27 Jun 2022 16:26:11 -0700 Subject: [PATCH 07/15] Update select-types-of-rules-to-create.md --- .../select-types-of-rules-to-create.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index ee1790a3c9..c950b5e298 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md 
@@ -146,7 +146,7 @@ You can also use the following macros when the exact volume may vary: `%OSDRIVE% ## More information about hashes -WDAC uses the [Authenticode/PE image hash algorithm](https://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Authenticode_PE.docx) when calcuating the hash of a file. Unlike the more popular, but less secure, [flat file hash](https://docs.microsoft.com/powershell/module/microsoft.powershell.utility/get-filehash), the Authenticode hash calculation omits the file's checksum and the Certificate Table and the Attribute Certificate Table. Therefore, the Authenticode hash of a file does not change when the file is re-signed or timestamped, or the digital signature is removed from the file. By using the Authenticode hash, WDAC provides added security and less management overhead so customers do not need to revise the policy hash rules when the digital signature on the file is updated. +WDAC uses the [Authenticode/PE image hash algorithm](https://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Authenticode_PE.docx) when calcuating the hash of a file. Unlike the more popular, but less secure, [flat file hash](/powershell/module/microsoft.powershell.utility/get-filehash), the Authenticode hash calculation omits the file's checksum and the Certificate Table and the Attribute Certificate Table. Therefore, the Authenticode hash of a file does not change when the file is re-signed or timestamped, or the digital signature is removed from the file. By using the Authenticode hash, WDAC provides added security and less management overhead so customers do not need to revise the policy hash rules when the digital signature on the file is updated. The Authenticode/PE image hash can be calculated for digitally-signed and unsigned files. From fe0b2a9084677fdef712746fdab4a23605bf1a97 Mon Sep 17 00:00:00 2001 
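Review bot: the link change to the site-relative `/powershell/module/...` path is right, but "calcuating" on this same changed line is still misspelled ("calculating"); since the line is already being rewritten, fix the typo here rather than in a separate commit.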
From: Denise Vangel-MSFT Date: Mon, 27 Jun 2022 16:26:50 -0700 Subject: [PATCH 08/15] Update select-types-of-rules-to-create.md --- .../select-types-of-rules-to-create.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index c950b5e298..d59f353405 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md 
@@ -88,7 +88,7 @@ Each file rule level has its benefit and disadvantage. Use Table 2 to select the | Rule level | Description | |----------- | ----------- | -| **Hash** | Specifies individual [Authenticode/PE image hash values](#More-information-about-hashes) for each discovered binary. This is the most specific level, and requires more effort to maintain the current product versions’ hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. | +| **Hash** | Specifies individual [Authenticode/PE image hash values](#more-information-about-hashes) for each discovered binary. This is the most specific level, and requires more effort to maintain the current product versions’ hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. | | **FileName** | Specifies the original filename for each binary. Although the hash values for an application are modified when updated, the file names are typically not. This level offers less specific security than the hash level, but it doesn't typically require a policy update when any binary is modified. | | **FilePath** | Beginning with Windows 10 version 1903, this level allows binaries to run from specific file path locations. More information about FilePath level rules can be found below. | | **SignedVersion** | This level combines the publisher rule with a version number. It allows anything to run from the specified publisher with a version at or above the specified version number. | From 5c56265e13b95801430eda31eef96e2c66288c95 Mon Sep 17 00:00:00 2001 From: denisebmsft Date: Tue, 28 Jun 2022 05:09:08 -0700 Subject: [PATCH 09/15] Update select-types-of-rules-to-create.md --- .../select-types-of-rules-to-create.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index d59f353405..6b53f74788 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -14,7 +14,7 @@ author: dansimp ms.reviewer: isbrahm ms.author: dansimp manager: dansimp -ms.date: 06/27/2022 +ms.date: 06/28/2022 ms.technology: windows-sec --- @@ -26,8 +26,8 @@ ms.technology: windows-sec - Windows 11 - Windows Server 2016 and above ->[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). +> [!NOTE] +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). Windows Defender Application Control (WDAC) can control what runs on Windows 10 and Windows 11, by setting policies that specify whether a driver or application is trusted. A policy includes *policy rules* that control options such as audit mode, and *file rules* (or *file rule levels*) that specify how applications are identified and trusted. From f60948f39677a824c8905e74c68efcb7d2c19f0c Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Tue, 28 Jun 2022 08:12:44 -0700 Subject: [PATCH 10/15] update personalization csp for SE --- windows/client-management/mdm/personalization-csp.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/windows/client-management/mdm/personalization-csp.md b/windows/client-management/mdm/personalization-csp.md index 736959df4e..2a21d44f28 100644 --- a/windows/client-management/mdm/personalization-csp.md +++ b/windows/client-management/mdm/personalization-csp.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: dansimp -ms.date: 06/26/2017 +ms.date: 06/28/2022 ms.reviewer: manager: dansimp --- @@ -19,7 +19,7 @@ The table below shows the applicability of Windows: |--- |--- |--- | |Home|No|No| |Pro|No|No| -|Windows SE|No|No| +|Windows SE|No|Yes| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| From ffa8efe8213de19a6c2c3de5d5025814db030fcc Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Tue, 28 Jun 2022 08:14:56 -0700 Subject: [PATCH 11/15] Added hyperlink to what a service profile is. --- .../operate/windows-autopatch-microsoft-365-apps-enterprise.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md index 2175c45a94..5a95e0b786 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md 
@@ -102,7 +102,7 @@ Window Autopatch deploys mobile device management (MDM) policies to configure Mi ## Microsoft 365 Apps servicing profiles -A service profile takes precedence over other management tools, such as Microsoft Endpoint Manager or the Office Deployment Tool. This means that the servicing profile will affect all devices that meet the [device eligibility requirements](#device-eligibility) regardless of existing management tools in your environment. So, if you're targeting a managed device with a servicing profile it will be ineligible for Microsoft 365 App update management. +A [service profile](/deployoffice/admincenter/servicing-profile#compatibility-with-other-management-tools) takes precedence over other management tools, such as Microsoft Endpoint Manager or the Office Deployment Tool. This means that the servicing profile will affect all devices that meet the [device eligibility requirements](#device-eligibility) regardless of existing management tools in your environment. So, if you're targeting a managed device with a servicing profile it will be ineligible for Microsoft 365 App update management. However, the device may still be eligible for other managed updates. For more information about a device's eligibility for a given [update type](windows-autopatch-update-management.md#update-types), see the Device eligibility section of each respective update type. From f2feb22443793e545848c58b24f21aad173df7d5 Mon Sep 17 00:00:00 2001 From: Rebecca Agiewich Date: Tue, 28 Jun 2022 09:42:54 -0700 Subject: [PATCH 12/15] fixed spelling error --- .../select-types-of-rules-to-create.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 6b53f74788..1b68313de8 100644 
--- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md 
@@ -146,7 +146,7 @@ You can also use the following macros when the exact volume may vary: `%OSDRIVE% ## More information about hashes -WDAC uses the [Authenticode/PE image hash algorithm](https://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Authenticode_PE.docx) when calcuating the hash of a file. Unlike the more popular, but less secure, [flat file hash](/powershell/module/microsoft.powershell.utility/get-filehash), the Authenticode hash calculation omits the file's checksum and the Certificate Table and the Attribute Certificate Table. Therefore, the Authenticode hash of a file does not change when the file is re-signed or timestamped, or the digital signature is removed from the file. By using the Authenticode hash, WDAC provides added security and less management overhead so customers do not need to revise the policy hash rules when the digital signature on the file is updated. +WDAC uses the [Authenticode/PE image hash algorithm](https://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Authenticode_PE.docx) when calculating the hash of a file. Unlike the more popular, but less secure, [flat file hash](/powershell/module/microsoft.powershell.utility/get-filehash), the Authenticode hash calculation omits the file's checksum and the Certificate Table and the Attribute Certificate Table. Therefore, the Authenticode hash of a file does not change when the file is re-signed or timestamped, or the digital signature is removed from the file. By using the Authenticode hash, WDAC provides added security and less management overhead so customers do not need to revise the policy hash rules when the digital signature on the file is updated. The Authenticode/PE image hash can be calculated for digitally-signed and unsigned files. From df919101303d667c951a72783e1fe82ac81f1f8b Mon Sep 17 00:00:00 2001 
From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com> Date: Tue, 28 Jun 2022 11:35:12 -0700 Subject: [PATCH 13/15] Move info about data proc config changes --- ...s-to-windows-diagnostic-data-collection.md | 59 ++++++++++++++++--- ...ws-diagnostic-data-in-your-organization.md | 59 +------------------ .../windows-10-and-privacy-compliance.md | 2 +- 3 files changed, 52 insertions(+), 68 deletions(-) diff --git a/windows/privacy/changes-to-windows-diagnostic-data-collection.md b/windows/privacy/changes-to-windows-diagnostic-data-collection.md index b672974ebd..d8bef9aa31 100644 --- a/windows/privacy/changes-to-windows-diagnostic-data-collection.md +++ b/windows/privacy/changes-to-windows-diagnostic-data-collection.md 
@@ -74,18 +74,59 @@ The following provides information on the current configurations: - [Microsoft Managed Desktop](/microsoft-365/managed-desktop/service-description/device-policies#windows-diagnostic-data) - [Desktop Analytics](/mem/configmgr/desktop-analytics/overview) -## New Windows diagnostic data processor configuration +## Significant changes coming to the Windows diagnostic data processor configuration -> [!IMPORTANT] -> There are some significant changes planned for the Windows diagnostic data processor configuration. To learn more, [review this information](configure-windows-diagnostic-data-in-your-organization.md#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration). +Currently, to enroll devices in the [Window diagnostic data processor configuration](configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration) option, IT admins can use policies, such as the “Allow commercial data pipeline” policy, at the individual device level. -Enterprise customers have an option for controlling their Windows diagnostic data for their Azure Active Directory-joined devices. This configuration option is supported on the following versions of Windows: +To enable efficiencies and help us implement our plan to [store and process EU Data for European enterprise customers in the EU](https://blogs.microsoft.com/eupolicy/2021/05/06/eu-data-boundary/), we'll be introducing the following significant change for enterprise Windows devices that have diagnostic data turned on. -- Windows 11 Enterprise, Professional, and Education -- Windows 10, Enterprise, Professional, and Education, version 1809 with at least the July 2021 update. +***We’ll stop using policies, such as the “Allow commercial data pipeline” policy, to configure the processor option. 
Instead, we’ll be introducing an organization-wide configuration based on Azure Active Directory (Azure AD) to determine Microsoft’s role in data processing.*** -Previously, enterprise customers had two options in managing their Windows diagnostic data: 1) allow Microsoft to be the [controller](/compliance/regulatory/gdpr#terminology) of that data and responsible for determining the purposes and means of the processing of Windows diagnostic data in order to improve the Windows operating system and deliver analytical services, or 2) turn off diagnostic data flows altogether. +We’re making this change to help ensure the diagnostic data for all devices in an organization is processed in a consistent way, and in the same geographic region. -Now, customers will have a third option that allows them to be the controller for their Windows diagnostic data, while still benefiting from the purposes that this data serves, such as quality of updates and device drivers. Under this approach, Microsoft will act as a data [processor](/compliance/regulatory/gdpr#terminology), processing Windows diagnostic data on behalf of the controller. +### Devices in Azure AD tenants with a billing address in the European Union (EU) or European Free Trade Association (EFTA) -This new option will enable customers to use familiar tools to manage, export, or delete data to help them meet their compliance obligations. For example, using the Microsoft Azure portal, customers will have the means to respond to their own users’ requests, such as delete and export diagnostic data. Admins can easily enable the Windows diagnostic data processor configuration for Windows devices using group policy or mobile device management ([MDM](/windows/client-management/mdm/policy-csp-system)). 
For more information, see [Enable Windows diagnostic data processor configuration](configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration) in [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) +For Windows devices with diagnostic data turned on and that are joined to an [Azure AD tenant with billing address](/azure/cost-management-billing/manage/change-azure-account-profile) in the EU or EFTA, the Windows diagnostic data for that device will be automatically configured for the processor option. The Windows diagnostic data for those devices will be processed in Europe. + +From a compliance standpoint, this change means that Microsoft will be the processor and the organization will be the controller of the Windows diagnostic data. IT admins for those organizations will become responsible for responding to their users’ [data subject requests](/compliance/regulatory/gdpr-dsr-windows). + +### Devices in Azure AD tenants with a billing address outside of the EU and EFTA + +For Windows devices with diagnostic data turned on and that are joined to an [Azure AD tenant with billing address](/azure/cost-management-billing/manage/change-azure-account-profile) outside of the EU and EFTA, to enable the processor configuration option, the organization must sign up for any of the following enterprise services, which rely on diagnostic data: + +- [Update Compliance](/windows/deployment/update/update-compliance-monitor) +- [Windows Update for Business deployment service](/windows/deployment/update/deployment-service-overview) +- [Microsoft Managed Desktop](/managed-desktop/intro/) +- [Endpoint analytics (in Microsoft Endpoint Manager)](/mem/analytics/overview) + +*(Additional licensing requirements may apply to use these services.)* + +If you don’t sign up for any of these enterprise services, Microsoft will act as controller for the diagnostic data. 
+ +> [!NOTE] +> In all cases, enrollment in the Windows diagnostic data processor configuration requires a device to be joined to an Azure AD tenant. If a device isn't properly enrolled, Microsoft will act as the controller for Windows diagnostic data in accordance with the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Data Protection Addendum](https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA) terms won't apply. + +### Rollout plan for this change + +This change will roll out initially to Windows devices enrolled in the [Dev Channel](/windows-insider/flighting#dev-channel) of the Windows Insider program no earlier than July 2022. Once the rollout is initiated, devices in the Dev Channel that are joined to an Azure AD tenant with a billing address in the EU or EFTA will be automatically enabled for the processor configuration option. + +During this initial rollout, the following conditions apply to devices in the Dev Channel that are joined to an Azure AD tenant with a billing address outside of the EU or EFTA: + +- Devices can't be enabled for the Windows diagnostic data processor configuration at this time. +- The processor configuration will be disabled in any devices that were previously enabled. +- Microsoft will act as the controller for Windows diagnostic data in accordance with the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Data Protection Addendum](https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA) terms won't apply. + +It's recommended Insiders on these devices pause flighting if these changes aren't acceptable. 
+ +For Windows devices in the Dev Channel that aren't joined to an Azure AD tenant, Microsoft will act as the controller for Windows diagnostic data in accordance with the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Data Protection Addendum](https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA) terms won't apply. + +For other Windows devices (not in the Dev Channel), additional details on supported versions of Windows 11 and Windows 10 will be announced at a later date. These changes will roll out no earlier than the last quarter of calendar year 2022. + +To prepare for this change, ensure that you meet the [prerequisites](#prerequisites) for Windows diagnostic data processor configuration, join your devices to Azure AD, and keep your devices secure and up to date with quality updates. If you're outside of the EU or EFTA, sign up for any of the enterprise services. + +As part of this change, the following policies will no longer be supported to configure the processor option: + - Allow commercial data pipeline + - Allow Desktop Analytics Processing + - Allow Update Compliance Processing + - Allow WUfB Cloud Processing + - Configure the Commercial ID \ No newline at end of file diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md index 9278a481b7..c28627092b 100644 --- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md +++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md 
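Review bot: `[prerequisites](#prerequisites)` in the "To prepare for this change" paragraph is a same-page anchor, but this text was moved out of configure-windows-diagnostic-data-in-your-organization.md, where the prerequisites for the processor configuration are documented; in changes-to-windows-diagnostic-data-collection.md it should link to `configure-windows-diagnostic-data-in-your-organization.md#prerequisites`, as the other cross-references in the moved text already do. Also in this hunk: "Window diagnostic data processor configuration" in the first added paragraph should be "Windows"; the sentence "Microsoft will act as the controller for Windows diagnostic data in accordance with the Microsoft Privacy Statement and the Data Protection Addendum terms won't apply" now appears three times (the NOTE, the Dev Channel bullet list, and the non-Azure-AD paragraph) and could be stated once with the other two referring back to it; the closing policy list is indented with a leading space (` - Allow commercial data pipeline`) unlike the other lists in this file; and the file now ends with `\ No newline at end of file`, the same defect patch 05 in this series just fixed in another page. Finally, the deleted text listed the supported versions (Windows 11 Enterprise, Professional, and Education; Windows 10 Enterprise, Professional, and Education, version 1809 with at least the July 2021 update) and that list is not restated here, so confirm it still appears on the configure page before merging.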
@@ -256,7 +256,7 @@ Use [Policy Configuration Service Provider (CSP)](/windows/client-management/mdm ## Enable Windows diagnostic data processor configuration > [!IMPORTANT] -> There are some significant changes planned for diagnostic data processor configuration. To learn more, [review this information](#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration). +> There are some significant changes planned for diagnostic data processor configuration. To learn more, [review this information](changes-to-windows-diagnostic-data-collection.md#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration) The Windows diagnostic data processor configuration enables you to be the controller, as defined by the European Union General Data Protection Regulation (GDPR), for the Windows diagnostic data collected from your Windows devices that meet the configuration requirements. 
@@ -325,63 +325,6 @@ Windows Update for Business: - [How to enable deployment protections](/windows/deployment/update/deployment-service-overview#how-to-enable-deployment-protections) -### Significant changes coming to the Windows diagnostic data processor configuration - -Currently, to enroll devices in the Window diagnostic data processor configuration option, IT admins can use policies, such as the “Allow commercial data pipeline” policy, at the individual device level. - -To enable efficiencies and help us implement our plan to [store and process EU Data for European enterprise customers in the EU](https://blogs.microsoft.com/eupolicy/2021/05/06/eu-data-boundary/), we'll be introducing the following significant change for enterprise Windows devices that have diagnostic data turned on. - -***We’ll stop using policies, such as the “Allow commercial data pipeline” policy, to configure the processor option. Instead, we’ll be introducing an organization-wide configuration based on Azure Active Directory (Azure AD) to determine Microsoft’s role in data processing.*** - -We’re making this change to help ensure the diagnostic data for all devices in an organization is processed in a consistent way, and in the same geographic region. - -#### Devices in Azure AD tenants with a billing address in the European Union (EU) or European Free Trade Association (EFTA) - -For Windows devices with diagnostic data turned on and that are joined to an [Azure AD tenant with billing address](/azure/cost-management-billing/manage/change-azure-account-profile) in the EU or EFTA, the Windows diagnostic data for that device will be automatically configured for the processor option. The Windows diagnostic data for those devices will be processed in Europe. - -From a compliance standpoint, this change means that Microsoft will be the processor and the organization will be the controller of the Windows diagnostic data. 
IT admins for those organizations will become responsible for responding to their users’ [data subject requests](/compliance/regulatory/gdpr-dsr-windows). - -#### Devices in Azure AD tenants with a billing address outside of the EU and EFTA - -For Windows devices with diagnostic data turned on and that are joined to an [Azure AD tenant with billing address](/azure/cost-management-billing/manage/change-azure-account-profile) outside of the EU and EFTA, to enable the processor configuration option, the organization must sign up for any of the following enterprise services, which rely on diagnostic data: - -- [Update Compliance](/windows/deployment/update/update-compliance-monitor) -- [Windows Update for Business deployment service](/windows/deployment/update/deployment-service-overview) -- [Microsoft Managed Desktop](/managed-desktop/intro/) -- [Endpoint analytics (in Microsoft Endpoint Manager)](/mem/analytics/overview) - -*(Additional licensing requirements may apply to use these services.)* - -If you don’t sign up for any of these enterprise services, Microsoft will act as controller for the diagnostic data. - -> [!NOTE] -> In all cases, enrollment in the Windows diagnostic data processor configuration requires a device to be joined to an Azure AD tenant. If a device isn't properly enrolled, Microsoft will act as the controller for Windows diagnostic data in accordance with the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Data Protection Addendum](https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA) terms won't apply. - -#### Rollout plan for this change - -This change will roll out initially to Windows devices enrolled in the [Dev Channel](/windows-insider/flighting#dev-channel) of the Windows Insider program no earlier than July 2022. 
Once the rollout is initiated, devices in the Dev Channel that are joined to an Azure AD tenant with a billing address in the EU or EFTA will be automatically enabled for the processor configuration option. - -During this initial rollout, the following conditions apply to devices in the Dev Channel that are joined to an Azure AD tenant with a billing address outside of the EU or EFTA: - -- Devices can't be enabled for the Windows diagnostic data processor configuration at this time. -- The processor configuration will be disabled in any devices that were previously enabled. -- Microsoft will act as the controller for Windows diagnostic data in accordance with the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Data Protection Addendum](https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA) terms won't apply. - -It's recommended Insiders on these devices pause flighting if these changes aren't acceptable. - -For Windows devices in the Dev Channel that aren't joined to an Azure AD tenant, Microsoft will act as the controller for Windows diagnostic data in accordance with the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Data Protection Addendum](https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA) terms won't apply. - -For other Windows devices (not in the Dev Channel), additional details on supported versions of Windows 11 and Windows 10 will be announced at a later date. These changes will roll out no earlier than the last quarter of calendar year 2022. - -To prepare for this change, ensure that you meet the [prerequisites](#prerequisites) for Windows diagnostic data processor configuration, join your devices to Azure AD, and keep your devices secure and up to date with quality updates. If you're outside of the EU or EFTA, sign up for any of the enterprise services. 
- -As part of this change, the following policies will no longer be supported to configure the processor option: - - Allow commercial data pipeline - - Allow Desktop Analytics Processing - - Allow Update Compliance Processing - - Allow WUfB Cloud Processing - - Configure the Commercial ID - ## Limit optional diagnostic data for Desktop Analytics For more information about how to limit the diagnostic data to the minimum required by Desktop Analytics, see [Enable data sharing for Desktop Analytics](/mem/configmgr/desktop-analytics/enable-data-sharing). diff --git a/windows/privacy/windows-10-and-privacy-compliance.md b/windows/privacy/windows-10-and-privacy-compliance.md index 831b6eb589..6da75f6110 100644 --- a/windows/privacy/windows-10-and-privacy-compliance.md +++ b/windows/privacy/windows-10-and-privacy-compliance.md @@ -147,7 +147,7 @@ An administrator can disable a user’s ability to delete their device’s diagn #### _2.3.7 Diagnostic data: Enabling the Windows diagnostic data processor configuration_ > [!IMPORTANT] -> There are some significant changes planned for the Windows diagnostic data processor configuration. To learn more, [review this information](configure-windows-diagnostic-data-in-your-organization.md#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration). +> There are some significant changes planned for the Windows diagnostic data processor configuration. To learn more, [review this information]((changes-to-windows-diagnostic-data-collection.md#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration)). **Applies to:** From 7e4310ec45a9fe26b277963517f4af3935c20c5e Mon Sep 17 00:00:00 2001 
From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com> Date: Tue, 28 Jun 2022 11:57:08 -0700 Subject: [PATCH 14/15] fix link issues --- .../privacy/changes-to-windows-diagnostic-data-collection.md | 2 +- windows/privacy/windows-10-and-privacy-compliance.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/privacy/changes-to-windows-diagnostic-data-collection.md b/windows/privacy/changes-to-windows-diagnostic-data-collection.md index d8bef9aa31..5e15ca25f9 100644 --- a/windows/privacy/changes-to-windows-diagnostic-data-collection.md +++ b/windows/privacy/changes-to-windows-diagnostic-data-collection.md @@ -122,7 +122,7 @@ For Windows devices in the Dev Channel that aren't joined to an Azure AD tenant, For other Windows devices (not in the Dev Channel), additional details on supported versions of Windows 11 and Windows 10 will be announced at a later date. These changes will roll out no earlier than the last quarter of calendar year 2022. -To prepare for this change, ensure that you meet the [prerequisites](#prerequisites) for Windows diagnostic data processor configuration, join your devices to Azure AD, and keep your devices secure and up to date with quality updates. If you're outside of the EU or EFTA, sign up for any of the enterprise services. +To prepare for this change, ensure that you meet the [prerequisites](configure-windows-diagnostic-data-in-your-organization.md#prerequisites) for Windows diagnostic data processor configuration, join your devices to Azure AD, and keep your devices secure and up to date with quality updates. If you're outside of the EU or EFTA, sign up for any of the enterprise services. As part of this change, the following policies will no longer be supported to configure the processor option: - Allow commercial data pipeline diff --git a/windows/privacy/windows-10-and-privacy-compliance.md b/windows/privacy/windows-10-and-privacy-compliance.md index 6da75f6110..e4e7e22ec9 100644 
--- a/windows/privacy/windows-10-and-privacy-compliance.md +++ b/windows/privacy/windows-10-and-privacy-compliance.md @@ -147,7 +147,7 @@ An administrator can disable a user’s ability to delete their device’s diagn #### _2.3.7 Diagnostic data: Enabling the Windows diagnostic data processor configuration_ > [!IMPORTANT] -> There are some significant changes planned for the Windows diagnostic data processor configuration. To learn more, [review this information]((changes-to-windows-diagnostic-data-collection.md#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration)). +> There are some significant changes planned for the Windows diagnostic data processor configuration. To learn more, [review this information](changes-to-windows-diagnostic-data-collection.md#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration). **Applies to:** From eb65c39ea16740b6f7acab6235e01d3a96bd3036 Mon Sep 17 00:00:00 2001 From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com> Date: Tue, 28 Jun 2022 13:45:07 -0700 Subject: [PATCH 15/15] Add missing punctuation --- .../configure-windows-diagnostic-data-in-your-organization.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md index c28627092b..b8cdecf995 100644 --- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md +++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md 
@@ -256,7 +256,7 @@ Use [Policy Configuration Service Provider (CSP)](/windows/client-management/mdm ## Enable Windows diagnostic data processor configuration > [!IMPORTANT] -> There are some significant changes planned for diagnostic data processor configuration. To learn more, [review this information](changes-to-windows-diagnostic-data-collection.md#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration) +> There are some significant changes planned for diagnostic data processor configuration. To learn more, [review this information](changes-to-windows-diagnostic-data-collection.md#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration). The Windows diagnostic data processor configuration enables you to be the controller, as defined by the European Union General Data Protection Regulation (GDPR), for the Windows diagnostic data collected from your Windows devices that meet the configuration requirements.
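Review bot: in the hunk that adds the rollout text to windows/privacy/changes-to-windows-diagnostic-data-collection.md (the `+` block ending in `- Configure the Commercial ID`), the link `[prerequisites](#prerequisites)` is a same-page anchor, but the text has been moved out of configure-windows-diagnostic-data-in-your-organization.md, where the Prerequisites section lives, so the anchor resolves to nothing in the new file; point it at `configure-windows-diagnostic-data-in-your-organization.md#prerequisites` (PATCH 14/15 in this series makes exactly that fix, so the two could be squashed). The same hunk ends with `\ No newline at end of file`; add a trailing newline so later diffs against this file stay clean.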
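Review bot: in the `@@ -256,7 +256,7 @@` hunk of configure-windows-diagnostic-data-in-your-organization.md (the first of the two in this series), the replacement IMPORTANT line drops the sentence-ending period that the removed line had after `...processor-configuration)`; restore it so the callout still ends as a sentence rather than relying on PATCH 15/15 to add it back.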
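Review bot: in the first `@@ -147,7 +147,7 @@` hunk of windows-10-and-privacy-compliance.md, the link target is wrapped in doubled parentheses, `[review this information]((changes-to-windows-diagnostic-data-collection.md#...))`, which Markdown does not parse as a link and renders the extra parentheses literally; use a single pair, as the second `@@ -147,7 +147,7 @@` hunk in PATCH 14/15 does.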