Merge branch 'brianlic-privacy-updates' into privacy-update-vb

Sinead O'Sullivan 2021-09-13 10:29:20 +01:00
commit f4dbd0ab1f
4 changed files with 69 additions and 48 deletions


@ -13,30 +13,28 @@ author: dansimp
manager: dansimp
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 07/21/2020
ms.date: 09/08/2021
---
# Changes to Windows diagnostic data collection
**Applies to**
- Windows 11
- Windows 10, version 1903 and newer
- The next version of Windows Server
- Windows Server 2022
Microsoft is committed to providing you with effective controls over your data and ongoing transparency into our data handling practices. As part of this effort, we are moving our major products and services to a model where data sent back to Microsoft from customer devices will be classified as either **Required** or **Optional**. We believe this will provide our customers with a simpler experience information should be easier to find, easier to understand, and easier to act upon through the tools we provide.
Microsoft is committed to providing you with effective controls over your data and ongoing transparency into our data handling practices. As part of this effort, we have moved our major products and services to a model where data sent back to Microsoft from customer devices will be classified as either **Required** or **Optional**. We believe this will provide our customers with a simpler experience information should be easier to find, easier to understand, and easier to act upon through the tools we provide.
This article is meant for IT administrators and explains the changes Windows is making to align to the new data collection taxonomy. These changes are focused in two areas:
- [Taxonomy changes](#taxonomy-changes)
- [Behavioral changes](#behavioral-changes)
> [!NOTE]
> You can test the behavioral changes now in Windows 10 Insider Preview build 19577 and later.
## Summary of changes
In Windows 10, version 1903 and newer, you will see taxonomy updates in both the **Out-of-box-experience** (OOBE) and the **Diagnostics & feedback** privacy settings page. These changes are explained in the section named **Taxonomy** changes.
Additionally, in an upcoming release of Windows 10, were simplifying your diagnostic data controls by moving from four diagnostic data controls to three: **Diagnostic data off**, **Required**, and **Optional**. Were also clarifying the Security diagnostic data level to reflect its behavior more accurately by changing it to **Diagnostic data off**. All these changes are explained in the section named **Behavioral changes**.
Additionally, starting in Windows 11 and Windows Server 2022, were simplifying your diagnostic data controls by moving from four diagnostic data controls to three: **Diagnostic data off**, **Required**, and **Optional**. Were also clarifying the Security diagnostic data level to reflect its behavior more accurately by changing it to **Diagnostic data off**. All these changes are explained in the section named **Behavioral changes**.
## Taxonomy changes
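Review bot: The rewritten intro paragraph mixes tenses: "we have moved our major products and services to a model where data ... will be classified". If the move is complete, "is classified" is the consistent form. The same sentence still runs two clauses together at "a simpler experience information should be easier to find" and needs a colon or similar break while the line is being touched. If the note about Windows 10 Insider Preview build 19577 is kept, check that it still fits a page that now applies to Windows 11 and Windows Server 2022.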
@ -50,7 +48,7 @@ Starting in Windows 10, version 1903 and newer, both the **Out-of-Box-Experience
## Behavioral changes
In an upcoming release of Windows 10, were simplifying your diagnostic data controls by moving from four diagnostic data controls to three: **Diagnostic data off**, **Required**, and **Optional**. If your devices are set to **Enhanced** when they are upgraded, the device settings will be evaluated to be at the more privacy-preserving setting of **Required diagnostic data**, which means that analytic services that leverage enhanced data collection may not work properly. For a list of services, see [Services that rely on Enhanced diagnostic data](#services-that-rely-on-enhanced-diagnostic-data). Administrators should read through the details and determine whether to apply these new policies to restore the same collection settings as they had before this change. For a list of steps, see [Configure a Windows 11 device to limit crash dumps and logs](#configure-a-windows-11-device-to-limit-crash-dumps-and-logs). For more information on services that rely on Enhanced diagnostic data, see [Services that rely on Enhanced diagnostic data](#services-that-rely-on-enhanced-diagnostic-data).
Starting in Windows 11 and Windows Server 2022, were simplifying your diagnostic data controls by moving from four diagnostic data controls to three: **Diagnostic data off**, **Required**, and **Optional**. If your devices are set to **Enhanced** when they are upgraded, the device settings will be evaluated to be at the more privacy-preserving setting of **Required diagnostic data**, which means that analytic services that leverage enhanced data collection may not work properly. For a list of services, see [Services that rely on Enhanced diagnostic data](#services-that-rely-on-enhanced-diagnostic-data). Administrators should read through the details and determine whether to apply these new policies to restore the same collection settings as they had before this change. For a list of steps, see [Configure a Windows 11 device to limit crash dumps and logs](#configure-a-windows-11-device-to-limit-crash-dumps-and-logs). For more information on services that rely on Enhanced diagnostic data, see [Services that rely on Enhanced diagnostic data](#services-that-rely-on-enhanced-diagnostic-data).
Additionally, you will see the following policy changes in an upcoming release of Windows Holographic, version 21H1 (HoloLens 2), Windows Server 2022 and Windows 11:
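Review bot: The updated paragraph links to "Services that rely on Enhanced diagnostic data" twice, first in "For a list of services, see ..." and again in its closing sentence "For more information on services that rely on Enhanced diagnostic data, see ...". Drop one of the two. The unchanged sentence after it still says "in an upcoming release of Windows Holographic, version 21H1 (HoloLens 2), Windows Server 2022 and Windows 11", while this change rewords the same releases as "Starting in Windows 11 and Windows Server 2022"; bring that sentence in line.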
@ -93,10 +91,7 @@ The following provides information on the current configurations:
## New Windows diagnostic data processor configuration
**Applies to**
- Windows 10 Edu, Pro, Enterprise editions, version 1809 with July 2021 update and newer
Enterprise customers will now have a new option for controlling their Windows diagnostic data for their Azure Active Directory joined devices.
Starting in Windows 10 Education, Professional, and Enterprise editions, version 1809 with July 2021 update and newer, enterprise customers will now have a new option for controlling their Windows diagnostic data for their Azure Active Directory joined devices.
Previously, enterprise customers had two options in managing their Windows diagnostic data: 1) allow Microsoft to be the [controller](/compliance/regulatory/gdpr#terminology) of that data and responsible for determining the purposes and means of the processing of Windows diagnostic data in order to improve the Windows 10 operating system and deliver analytical services, or 2) turn off diagnostic data flows altogether.
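Review bot: The new opening sentence scopes the feature to "Windows 10 Education, Professional, and Enterprise editions, version 1809 with July 2021 update and newer" and leaves out Windows 11, while the prerequisites in the configuration article are changed in this same commit to start with "Windows 11". Name Windows 11 here as well or explain the difference. The unchanged paragraph below still says "in order to improve the Windows 10 operating system", which should be revisited for the same reason, and "Starting in ... will now have" can lose the "now".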


@ -13,13 +13,14 @@ ms.author: dansimp
manager: dansimp
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/13/2020
ms.date: 09/08/2021
---
# Configure Windows diagnostic data in your organization
**Applies to**
- Windows 11
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Professional
@ -27,18 +28,15 @@ ms.date: 10/13/2020
This article applies to Windows 10, Windows Server, Surface Hub, and HoloLens diagnostic data only. It describes the types of diagnostic data sent back to Microsoft and the ways you can manage it within your organization. Microsoft uses the data to quickly identify and address issues affecting its customers.
>[!IMPORTANT]
>Microsoft is [increasing transparency](https://blogs.microsoft.com/on-the-issues/2019/04/30/increasing-transparency-and-customer-control-over-data/) by categorizing the data we collect as required or optional. Windows 10 is in the process of updating devices to reflect this new categorization, and during this transition Basic diagnostic data will be recategorized as Required diagnostic data and Full diagnostic data will be recategorized as Optional diagnostic data. For more information, see [Changes to Windows diagnostic data](changes-to-windows-diagnostic-data-collection.md).
## Overview
Microsoft collects Windows diagnostic data to solve problems and to keep Windows up to date, secure, and operating properly. It also helps us improve Windows and related Microsoft products and services and, for customers who have turned on the **Tailored experiences** setting, to provide more relevant tips and recommendations to enhance Microsoft and third-party products and services for each customers needs.
For more information about how Windows diagnostic data is used, see [Diagnostics, feedback, and privacy in Windows 10](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy).
For more information about how Windows diagnostic data is used, see [Diagnostics, feedback, and privacy in Windows](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy).
### Diagnostic data gives users a voice
Diagnostic data gives every user a voice in the operating systems development and ongoing improvement. It helps us understand how Windows 10 and Windows Server behave in the real world, focus on user priorities, and make informed decisions that benefit both consumer and enterprise customers. The following sections offer real examples of these benefits.
Diagnostic data gives every user a voice in the operating systems development and ongoing improvement. It helps us understand how Windows and Windows Server behave in the real world, focus on user priorities, and make informed decisions that benefit both consumer and enterprise customers. The following sections offer real examples of these benefits.
### _Improve app and driver quality_
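Review bot: The opening line "This article applies to Windows 10, Windows Server, Surface Hub, and HoloLens diagnostic data only" is left as it was, although the Applies to list now includes Windows 11 and the other edits in this hunk replace "Windows 10" with "Windows". Update that sentence so the stated scope matches the list. The link text becomes "Diagnostics, feedback, and privacy in Windows" while the target is still the "...privacy-in-windows-10-microsoft-privacy" support page; confirm that page covers Windows 11 before generalizing the label.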
@ -66,7 +64,7 @@ Depending on the diagnostic data settings on the device, diagnostic data can be
- Small payloads of structured information referred to as diagnostic data events, managed by the Connected User Experiences and Telemetry component.
- Diagnostic logs for additional troubleshooting, also managed by the Connected User Experience and Telemetry component.
- Diagnostic logs for additional troubleshooting, also managed by the Connected User Experiences and Telemetry component.
- Crash reporting and crash dumps, managed by [Windows Error Reporting](/windows/win32/wer/windows-error-reporting).
@ -78,7 +76,7 @@ All diagnostic data is encrypted using Transport Layer Security (TLS) and uses c
### Endpoints
The following table lists the endpoints related to how you can manage the collection and control of diagnostic data. For more information around the endpoints that are used to send data back to Microsoft, see [Manage connection endpoints for Windows 10 Enterprise, version 1903](manage-windows-1903-endpoints.md).
The following table lists the endpoints related to how you can manage the collection and control of diagnostic data. For more information around the endpoints that are used to send data back to Microsoft, see [Manage connection endpoints for Windows 10 Enterprise, version 20H2](manage-windows-20h2-endpoints.md).
| Windows service | Endpoint |
| - | - |
@ -86,7 +84,7 @@ The following table lists the endpoints related to how you can manage the collec
| [Windows Error Reporting](/windows/win32/wer/windows-error-reporting) | watson.telemetry.microsoft.com <br></br> watson.microsoft.com <br></br> umwatsonc.telemetry.microsoft.com <br></br> umwatsonc.events.data.microsoft.com <br></br> *-umwatsonc.events.data.microsoft.com <br></br> ceuswatcab01.blob.core.windows.net <br></br> ceuswatcab02.blob.core.windows.net <br></br> eaus2watcab01.blob.core.windows.net <br></br> eaus2watcab02.blob.core.windows.net <br></br> weus2watcab01.blob.core.windows.net <br></br> weus2watcab02.blob.core.windows.net |
|Authentication | login.live.com <br></br> <br></br> IMPORTANT: This endpoint is used for device authentication. We do not recommend disabling this endpoint.|
| [Online Crash Analysis](/windows/win32/dxtecharts/crash-dump-analysis) | oca.telemetry.microsoft.com <br></br> oca.microsoft.com <br></br> kmwatsonc.telemetry.microsoft.com <br></br> *-kmwatsonc.telemetry.microsoft.com |
|Settings | settings-win.data.microsoft.com <br></br> <br></br> IMPORTANT: This endpoint is used to remotely configure diagnostics-related settings and data collection. For example, we use the settings endpoint to remotely block an event from being sent back to Microsoft. We do not recommend disabling this endpoint. This endpoint does not upload Windows diagnostic data |
|Settings | settings-win.data.microsoft.com <br></br> <br></br> IMPORTANT: This endpoint is used to remotely configure diagnostics-related settings and data collection. For example, we use the settings endpoint to remotely block an event from being sent back to Microsoft. We do not recommend disabling this endpoint. This endpoint does not upload Windows diagnostic data. |
### Data access
@ -102,7 +100,7 @@ There are four diagnostic data collection settings. Each setting is described in
- Diagnostic data off (Security)
- Required diagnostic data (Basic)
- Enhanced
- Enhanced (This setting is only available on devices running Windows 10 and Windows Server 2019 and earlier. It is not supported on Windows 11 and Windows Server 2022.)
- Optional diagnostic data (Full)
Heres a summary of the types of data that is included with each setting:
@ -157,10 +155,12 @@ Required diagnostic data includes:
### Enhanced diagnostic data
>[!NOTE]
>Were simplifying your diagnostic data controls by moving from four diagnostic data controls to three: **Diagnostic data off**, **Required**, and **Optional**. making changes to the enhanced diagnostic data level. For more info about this change, see [Changes to Windows diagnostic data](changes-to-windows-diagnostic-data-collection.md).
In Windows 10 and Windows Server 2019, enhanced diagnostic data includes data about the websites you browse, how Windows and apps are used and how they perform, and device activity. The additional data helps Microsoft to fix and improve products and services for all users.
Enhanced diagnostic data includes data about the websites you browse, how Windows and apps are used and how they perform, and device activity. The additional data helps Microsoft to fix and improve products and services for all users. When you choose to send enhanced diagnostic data, required diagnostic data will always be included, and we collect the following additional information:
>[!Important]
>This diagnostic data setting is not available on Windows 11 and Windows Server 2022 and has been replaced with policies that can control the amount of optional diagnostic data that is sent. More information on these settings are avaialble in the Manage enterprise diagnostic data section of this document.
When you choose to send enhanced diagnostic data, required diagnostic data will always be included, and we collect the following additional information:
- Operating system events that help to gain insights into different areas of the operating system, including networking, Hyper-V, Cortana, storage, file system, and other components.
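Review bot: The new Important note contains a typo and an agreement error in "More information on these settings are avaialble in the Manage enterprise diagnostic data section of this document". It should read "is available", and the section name should be a link rather than plain text. The alert tag is written "[!Important]" here and "[!IMPORTANT]" earlier in the same file; use one casing. If the older note is kept, its second sentence ("**Optional**. making changes to the enhanced diagnostic data level.") is a fragment and needs rewriting.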
@ -221,9 +221,34 @@ You can use Group Policy to set your organizations diagnostic data setting:
3. In the **Options** box, choose the setting that you want to configure, and then click **OK**.
### Use Group Policy to manage optional diagnostic data collection
There were two new policies added in Windows 11 to help you further managed your optional diagnostic data collection. These policies are not supported on Windows 10.
The following policy lets you limit the types of [crash dumps](/windows/win32/dxtecharts/crash-dump-analysis) that can be sent back to Microsoft. If this policy is enabled, Windows Error Reporting will send only kernel mini dumps and user mode triage dumps.
1. From the Group Policy Management Console, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds**.
2. Double-click **Limit dump collection**.
3. In the **Options** box, choose the setting that you want to configure, and then click **OK**.
You can also limit the number of diagnostic logs that are sent back to Microsoft. If this policy is enabled, diagnostic logs are not sent back to Microsoft.
1. From the Group Policy Management Console, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds**.
2. Double-click **Limit diagnostic log collection**.
3. In the **Options** box, choose the setting that you want to configure, and then click **OK**.
### Use MDM to manage diagnostic data collection
Use [Policy Configuration Service Provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider) to apply the System/AllowTelemetry MDM policy.
Use [Policy Configuration Service Provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider) to apply the following MDM policies:
- System/AllowTelemetry
- System/LimitDumpCollection (supported on Windows 11 only)
- System/LimitDiagnosticLogCollection (supported on Windows 11 only)
## Enable Windows diagnostic data processor configuration
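Review bot: The new Group Policy section has two wording problems. "to help you further managed your optional diagnostic data collection" should be "manage". The second policy is introduced with "You can also limit the number of diagnostic logs that are sent back to Microsoft", but the next sentence says that when it is enabled "diagnostic logs are not sent back to Microsoft", which describes an on/off control and not a limit on a number; reword the introduction to match. The section says the policies "are not supported on Windows 10" and the MDM list says "supported on Windows 11 only", without mentioning Windows Server 2022, which the rest of this commit pairs with Windows 11. State explicitly whether they apply there.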
@ -231,7 +256,7 @@ The Windows diagnostic data processor configuration enables you to be the contro
### Prerequisites
- The device must have Windows 10 Pro, Education or Enterprise edition, version 1809 with July 2021 update or newer.
- The device must have Windows 11, Windows 10 Professional, Education or Enterprise edition, version 1809 with July 2021 update or newer.
- The device must be joined to Azure Active Directory.
The diagnostic data setting on the device should be set to Required diagnostic data or higher, and the following endpoints need to be reachable:
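Review bot: In the changed prerequisite, "Windows 11, Windows 10 Professional, Education or Enterprise edition, version 1809 with July 2021 update or newer" reads as if the edition list and the 1809 version qualifier also apply to Windows 11. Split it into separate bullets for Windows 11 and Windows 10, or reorder it so the qualifier clearly attaches to Windows 10 only.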


@ -14,7 +14,7 @@ metadata:
author: dansimp
ms.author: dansimp
manager: dansimp
ms.date: 07/21/2020 #Required; mm/dd/yyyy format.
ms.date: 09/08/2021 #Required; mm/dd/yyyy format.
ms.localizationpriority: high
# highlightedContent section (optional)
@ -37,25 +37,25 @@ highlightedContent:
# productDirectory section (optional)
productDirectory:
title: Understand Windows diagnostic data in Windows 10
summary: For the latest Windows 10 version, learn more about what Windows diagnostic data is collected at various diagnostics levels.
title: Understand Windows diagnostic data in Windows 10 and Windows 11
summary: For the latest Windows 10 version and Windows 11, learn more about what Windows diagnostic data is collected under the different settings.
items:
# Card
- title: Required diagnostic data
- title: Windows 11 required diagnostic data
# imageSrc should be square in ratio with no whitespace
imageSrc: https://docs.microsoft.com/media/common/i_extend.svg
summary: Learn more about basic Windows diagnostic data events and fields collected.
url: required-windows-diagnostic-data-events-and-fields-2004.md
url: required-windows-11-diagnostic-events-and-fields.md
# Card
- title: Windows 10 required diagnostic data
imageSrc: https://docs.microsoft.com/media/common/i_build.svg
summary: See what changes Windows is making to align to the new data collection taxonomy
url: required-windows-diagnostic-data-events-and-fields-2004.md
# Card
- title: Optional diagnostic data
imageSrc: https://docs.microsoft.com/media/common/i_get-started.svg
summary: Get examples of the types of optional diagnostic data collected from Windows
url: windows-diagnostic-data.md
# Card
- title: Changes to Windows diagnostic data collection
imageSrc: https://docs.microsoft.com/media/common/i_build.svg
summary: See what changes Windows is making to align to the new data collection taxonomy
url: changes-to-windows-diagnostic-data-collection.md
# conceptualContent section (optional)
# conceptualContent:
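Review bot: The card titled "Windows 10 required diagnostic data" carries the summary "See what changes Windows is making to align to the new data collection taxonomy" and the i_build.svg image, both identical to the "Changes to Windows diagnostic data collection" card, while its url points to required-windows-diagnostic-data-events-and-fields-2004.md. Give it a summary that describes the required events and fields. The "Windows 11 required diagnostic data" card keeps the summary "Learn more about basic Windows diagnostic data events and fields collected"; "basic" is the old name for this level, so "required" would match the new title.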


@ -1,5 +1,5 @@
---
title: Windows 10 & Privacy Compliance Guide
title: Windows 10 & Windows 11 Privacy Compliance Guide
description: This article provides information to help IT and compliance professionals understand the personal data policies as related to Windows 10.
keywords: privacy, GDPR, compliance
ms.prod: w10
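Review bot: The title now covers Windows 11, but the description on the next line still ends "as related to Windows 10". Update the description in the same change. The title uses "&" ("Windows 10 & Windows 11") while the H1 in the following hunk uses "and" ("Windows 10 and Windows 11 Privacy Compliance"); pick one form for both.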
@ -16,10 +16,11 @@ ms.topic: article
ms.date: 07/21/2020
---
# Windows 10 & Privacy Compliance:<br />A Guide for IT and Compliance Professionals
# Windows 10 and Windows 11 Privacy Compliance:<br />A Guide for IT and Compliance Professionals
Applies to:
- Windows 11
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Professional
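Review bot: ms.date in this file stays at 07/21/2020 even though the title, H1 and Applies to list change, whereas the other three files in this commit move their ms.date to 09/08/2021. Bump it here as well so the page metadata reflects the update.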
@ -27,15 +28,15 @@ Applies to:
## Overview
At Microsoft, we are committed to data privacy across all our products and services. With this guide, we provide administrators and compliance professionals with data privacy considerations for Windows 10.
At Microsoft, we are committed to data privacy across all our products and services. With this guide, we provide administrators and compliance professionals with data privacy considerations for Windows.
Microsoft collects data through multiple interactions with users of Windows 10 devices. This information can contain personal data that may be used to provide, secure, and improve Windows 10 services. To help users and organizations control the collection of personal data, Windows 10 provides comprehensive transparency features, settings choices, controls, and support for data subject requests, all of which are detailed in this article.
Microsoft collects data through multiple interactions with users of Windows devices. This information can contain personal data that may be used to provide, secure, and improve Windows services. To help users and organizations control the collection of personal data, Windows provides comprehensive transparency features, settings choices, controls, and support for data subject requests, all of which are detailed in this article.
This information allows administrators and compliance professionals to work together to better manage personal data privacy considerations and related regulations, such as the General Data Protection Regulation (GDPR)
## 1. Windows 10 data collection transparency
## 1. Windows data collection transparency
Transparency is an important part of the data collection process in Windows 10. Comprehensive information about the features and processes used to collect data is available to users and administrators directly within Windows, both during and after device set up.
Transparency is an important part of the data collection process in Windows. Comprehensive information about the features and processes used to collect data is available to users and administrators directly within Windows, both during and after device set up.
### 1.1 Device set up experience and support for layered transparency
@ -44,7 +45,7 @@ When setting up a device, a user can configure their privacy settings. Those pri
The following table provides an overview of the Windows 10 privacy settings presented during the device setup experience that involve processing personal data and where to find additional information.
> [!NOTE]
> This table is limited to the privacy settings that are available as part of setting up a Windows 10 device (Windows 10, version 1809 and newer). For the full list of settings that involve data collection, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
> This table is limited to the privacy settings that are available as part of setting up a Windows 10 (Windows 10, version 1809 and newer) or Windows 11 device. For the full list of settings that involve data collection, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
| Feature/Setting | Description | Supporting Content | Privacy Statement |
| --- | --- | --- | --- |
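Review bot: The sentence introducing the table still says "Windows 10 privacy settings presented during the device setup experience", while the note under it now covers "a Windows 10 (Windows 10, version 1809 and newer) or Windows 11 device". Change the introduction to match. The parenthetical also repeats "Windows 10"; "a Windows 10, version 1809 and newer, or Windows 11 device" says the same thing once.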
@ -67,13 +68,13 @@ An administrator can also use the Diagnostic Data Viewer for PowerShell module t
> [!Note]
> If the Windows diagnostic data processor configuration is enabled, IT administrators should use the admin portal to fulfill data subject requests to access or export Windows diagnostic data associated with a particular users device usage. See [The process for exercising data subject rights](#3-the-process-for-exercising-data-subject-rights).
## 2. Windows 10 data collection management
## 2. Windows data collection management
Windows 10 provides the ability to manage privacy settings through several different methods. Users can change their privacy settings using the Windows 10 settings (**Start > Settings > Privacy**). The organization can also manage the privacy settings using Group Policy or Mobile Device Management (MDM). The following sections provide an overview on how to manage the privacy settings previously discussed in this article.
Windows provides the ability to manage privacy settings through several different methods. Users can change their privacy settings using Windows settings (**Start > Settings > Privacy**). The organization can also manage the privacy settings using Group Policy or Mobile Device Management (MDM). The following sections provide an overview on how to manage the privacy settings previously discussed in this article.
### 2.1 Privacy setting options for users
Once a Windows 10 device is set up, a user can manage data collection settings by navigating to **Start > Settings > Privacy**. Administrators can control privacy settings via setting policy on the device (see Section 2.2 below). If this is the case, the user will see an alert that says **Some settings are hidden or managed by your organization** when they navigate to **Start > Settings > Privacy**. In this case, the user can only change settings in accordance with the policies that the administrator has applied to the device.
Once a Windows device is set up, a user can manage data collection settings by navigating to **Start > Settings > Privacy**. Administrators can control privacy settings via setting policy on the device (see Section 2.2 below). If this is the case, the user will see an alert that says **Some settings are hidden or managed by your organization** when they navigate to **Start > Settings > Privacy**. In this case, the user can only change settings in accordance with the policies that the administrator has applied to the device.
### 2.2 Privacy setting controls for administrators
@ -123,7 +124,7 @@ For more details, see [Manage connections from Windows operating system componen
Some Windows components, apps, and related services transfer data to Microsoft network endpoints. An administrator may want to block these endpoints for their organization to meet their specific compliance objectives.
[Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md) provides a list of endpoints for the latest Windows 10 release, along with descriptions of any functionality that would be impacted by restricting data collection. Details for additional Windows versions can be found on the Windows Privacy site under the **Manage Windows 10 connection endpoints** section of the left-hand navigation menu.
[Manage connection endpoints for Windows 10, version 20H2](manage-windows-20H2-endpoints.md) provides a list of endpoints for the latest Windows 10 release, along with descriptions of any functionality that would be impacted by restricting data collection. Details for additional Windows versions can be found on the Windows Privacy site under the **Manage Windows 10 connection endpoints** section of the left-hand navigation menu.
#### _2.3.4 Limited functionality baseline_
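Review bot: The new link target is written manage-windows-20H2-endpoints.md with a capital H, but the configuration article in this commit links to manage-windows-20h2-endpoints.md in lowercase. Where link resolution is case-sensitive only one of these will resolve, so match both to the actual file name. The link text also differs between the two files ("Windows 10 Enterprise, version 20H2" there, "Windows 10, version 20H2" here), and the sentence still calls this "the latest Windows 10 release"; confirm that holds as of this change.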