windows-itpro-docs/windows/privacy/changes-to-windows-diagnostic-data-collection.md
Albert Cabello Serrano de7bc797d5
Update changes-to-windows-diagnostic-data-collection.md
added windows insider dev channel build number that included the changes
2022-08-19 08:25:02 -07:00


title: Changes to Windows diagnostic data collection
description: This article provides information on changes to Windows diagnostic data collection in Windows 10 and Windows 11.
ms.prod: m365-security
ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: dougeby
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 11/29/2021
ms.technology: privacy

Changes to Windows diagnostic data collection

Applies to

  • Windows 11
  • Windows 10, version 1903 and later
  • Windows Server 2022

Microsoft is committed to providing you with effective controls over your data and ongoing transparency into our data handling practices. As part of this effort, we have moved our major products and services to a model where data sent back to Microsoft from customer devices will be classified as either Required or Optional. We believe this will provide our customers with a simpler experience: information should be easier to find, easier to understand, and easier to act upon through the tools we provide.

This article is meant for IT administrators and explains the changes Windows is making to align to the new data collection taxonomy. These changes are focused in two areas:

Summary of changes

In Windows 10, version 1903 and later, you will see taxonomy updates in both the Out-of-box-experience (OOBE) and the Diagnostics & feedback privacy settings page. These changes are explained in the section named Taxonomy changes.

Additionally, starting in Windows 11 and Windows Server 2022, we're simplifying your diagnostic data controls by moving from four diagnostic data controls to three: Diagnostic data off, Required, and Optional. We're also clarifying the Security diagnostic data level to reflect its behavior more accurately by changing it to Diagnostic data off. All these changes are explained in the section named Behavioral changes.

Taxonomy changes

Starting in Windows 10, version 1903 and later, both the Out-of-Box-Experience (OOBE) and the Diagnostics & feedback privacy setting pages will reflect the following changes:

  • The Basic diagnostic data level is being labeled as Required.
  • The Full diagnostic data level is being labeled as Optional.

Important

No action is required for the taxonomy changes, and your existing settings will be maintained as part of this update.

Behavioral changes

Starting in Windows 11 and Windows Server 2022, we're simplifying the Windows diagnostic data controls by moving from four diagnostic data settings to three: Diagnostic data off, Required, and Optional. If your devices are set to Enhanced when they are upgraded to a supported version of the operating system, the device settings will be evaluated to be at the more privacy-preserving setting of Required diagnostic data, which means that analytic services that leverage enhanced data collection may not work properly. For a list of services, see Services that rely on Enhanced diagnostic data. Administrators should read through the details and determine whether to apply these new policies to restore the same collection settings as they had before this change.

Additionally, you will see the following policy changes in Windows Server 2022, Windows 11, and Windows Holographic, version 21H1 (HoloLens 2):

Policy type: Group Policy

  • Current policy: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Allow Telemetry
    • 0 - Security
    • 1 - Basic
    • 2 - Enhanced
    • 3 - Full
  • Renamed policy: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Allow Diagnostic Data
    • Diagnostic data off (not recommended)
    • Send required diagnostic data
    • Send optional diagnostic data

Policy type: Group Policy

  • Current policy: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure telemetry opt-in settings user interface
  • Renamed policy: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure diagnostic data opt-in settings user interface

Policy type: Group Policy

  • Current policy: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure telemetry opt-in change notifications
  • Renamed policy: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure diagnostic data opt-in change notifications

A final set of changes includes two new policies that can help you fine-tune diagnostic data collection within your organization. These policies let you limit the amount of optional diagnostic data that's sent back to Microsoft.

  • The Limit dump collection policy is a new policy that can be used to limit the types of crash dumps that can be sent back to Microsoft. If this policy is enabled, Windows Error Reporting will send only kernel mini dumps and user mode triage dumps.
    • Group Policy: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Limit Dump Collection
    • MDM policy: System/LimitDumpCollection
  • The Limit diagnostic log collection policy is another new policy that limits the number of diagnostic logs that are sent back to Microsoft. If this policy is enabled, diagnostic logs aren't sent back to Microsoft.
    • Group Policy: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Limit Diagnostic Log Collection
    • MDM policy: System/LimitDiagnosticLogCollection

For more info, see Configure Windows diagnostic data in your organization.

Services that rely on Enhanced diagnostic data

Customers who use services that depend on Windows diagnostic data, such as Microsoft Managed Desktop or Desktop Analytics, may be impacted by the behavioral changes when they are released. These services will be updated to address these changes and guidance will be published on how to configure them properly.

The following provides information on the current configurations:

Significant changes coming to the Windows diagnostic data processor configuration

Currently, to enroll devices in the Windows diagnostic data processor configuration option, IT admins can use policies, such as the “Allow commercial data pipeline” policy, at the individual device level.

To enable efficiencies and help us implement our plan to store and process EU Data for European enterprise customers in the EU, we'll be introducing the following significant change for enterprise Windows devices that have diagnostic data turned on.

We'll stop using policies, such as the “Allow commercial data pipeline” policy, to configure the processor option. Instead, we'll be introducing an organization-wide configuration based on Azure Active Directory (Azure AD) to determine Microsoft's role in data processing.

We're making this change to help ensure the diagnostic data for all devices in an organization is processed in a consistent way, and in the same geographic region.

Devices in Azure AD tenants with a billing address in the European Union (EU) or European Free Trade Association (EFTA)

For Windows devices with diagnostic data turned on and that are joined to an Azure AD tenant with billing address in the EU or EFTA, the Windows diagnostic data for that device will be automatically configured for the processor option. The Windows diagnostic data for those devices will be processed in Europe.

From a compliance standpoint, this change means that Microsoft will be the processor and the organization will be the controller of the Windows diagnostic data. IT admins for those organizations will become responsible for responding to their users' data subject requests.

Devices in Azure AD tenants with a billing address outside of the EU and EFTA

For Windows devices with diagnostic data turned on and that are joined to an Azure AD tenant with billing address outside of the EU and EFTA, to enable the processor configuration option, the organization must sign up for any of the following enterprise services, which rely on diagnostic data:

(Additional licensing requirements may apply to use these services.)

If you don't sign up for any of these enterprise services, Microsoft will act as controller for the diagnostic data.

Note

In all cases, enrollment in the Windows diagnostic data processor configuration requires a device to be joined to an Azure AD tenant. If a device isn't properly enrolled, Microsoft will act as the controller for Windows diagnostic data in accordance with the Microsoft Privacy Statement, and the Data Protection Addendum terms won't apply.

Rollout plan for this change

This change will roll out in phases, starting with Windows devices enrolled in the Dev Channel of the Windows Insider program. Starting in build 25169, devices in the Dev Channel that are joined to an Azure AD tenant with a billing address in the EU or EFTA will be automatically enabled for the processor configuration option.

During this initial rollout, the following conditions apply to devices in the Dev Channel that are joined to an Azure AD tenant with a billing address outside of the EU or EFTA:

  • Devices can't be enabled for the Windows diagnostic data processor configuration at this time.
  • The processor configuration will be disabled on any devices that were previously enabled.
  • Microsoft will act as the controller for Windows diagnostic data in accordance with the Microsoft Privacy Statement, and the Data Protection Addendum terms won't apply.

It's recommended that Insiders on these devices pause flighting if these changes aren't acceptable.

For Windows devices in the Dev Channel that aren't joined to an Azure AD tenant, Microsoft will act as the controller for Windows diagnostic data in accordance with the Microsoft Privacy Statement, and the Data Protection Addendum terms won't apply.

For other Windows devices (not in the Dev Channel), additional details on supported versions of Windows 11 and Windows 10 will be announced at a later date. These changes will roll out no earlier than the last quarter of calendar year 2022.

To prepare for this change, ensure that you meet the prerequisites for Windows diagnostic data processor configuration, join your devices to Azure AD (can be a hybrid Azure AD join), and keep your devices secure and up to date with quality updates. If you're outside of the EU or EFTA, sign up for any of the enterprise services.

As part of this change, the following policies will no longer be supported to configure the processor option:

  • Allow commercial data pipeline
  • Allow Desktop Analytics Processing
  • Allow Update Compliance Processing
  • Allow WUfB Cloud Processing
  • Configure the Commercial ID
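
The upgrade evaluation from the Behavioral changes section and the Dev Channel rollout conditions above can be applied to a device inventory before upgrading. The PowerShell below is an added example, not part of the original article or of any Microsoft tooling; the function name, the inventory field names (AllowTelemetry, AadJoined, DevChannel, Build, BillingInEuEfta) and the sample rows are assumptions made for illustration.

```powershell
# Added example. Field names and sample rows are constructed for illustration.
$LegacyLabel = @{ 0 = 'Security'; 1 = 'Basic'; 2 = 'Enhanced'; 3 = 'Full' }

function Get-DiagnosticDataOutlook {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [pscustomobject]$Device
    )
    process {
        $level = [int]$Device.AllowTelemetry
        if (-not $LegacyLabel.ContainsKey($level)) {
            throw "Unknown Allow Telemetry value '$level' on $($Device.Name)"
        }
        # Windows 11 / Windows Server 2022: four settings become three,
        # and a device set to Enhanced is evaluated as Required.
        $after = switch ($level) {
            0 { 'Diagnostic data off' }
            1 { 'Required' }
            2 { 'Required' }
            3 { 'Optional' }
        }
        # Data-processing role under the initial Dev Channel rollout (build 25169+).
        $role = if ($level -eq 0) { 'n/a (diagnostic data off)' }
            elseif (-not $Device.AadJoined) { 'Microsoft is controller (not Azure AD joined)' }
            elseif (-not $Device.DevChannel -or $Device.Build -lt 25169) { 'Not yet affected by the rollout' }
            elseif ($Device.BillingInEuEfta) { 'Microsoft is processor (automatic)' }
            else { 'Microsoft is controller (processor option disabled)' }

        [pscustomobject]@{
            Name                   = $Device.Name
            Before                 = $LegacyLabel[$level]
            AfterUpgrade           = $after
            ReviewEnhancedServices = ($level -eq 2)   # services relying on Enhanced may not work
            DataRole               = $role
        }
    }
}

# Constructed inventory rows.
$inventory = @(
    [pscustomobject]@{ Name = 'PC-01'; AllowTelemetry = 2; AadJoined = $true;  DevChannel = $false; Build = 19044; BillingInEuEfta = $true }
    [pscustomobject]@{ Name = 'PC-02'; AllowTelemetry = 3; AadJoined = $true;  DevChannel = $true;  Build = 25169; BillingInEuEfta = $true }
    [pscustomobject]@{ Name = 'PC-03'; AllowTelemetry = 3; AadJoined = $true;  DevChannel = $true;  Build = 25169; BillingInEuEfta = $false }
    [pscustomobject]@{ Name = 'PC-04'; AllowTelemetry = 1; AadJoined = $false; DevChannel = $true;  Build = 25169; BillingInEuEfta = $false }
)
$inventory | Get-DiagnosticDataOutlook | Format-Table -AutoSize
```

Rows with ReviewEnhancedServices set to True are the devices whose Enhanced setting will be treated as Required after the upgrade, so any service depending on Enhanced data should be checked for them first.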