New options to control Windows 10: who is the data controller, and when?
The discussion about Windows 10 diagnostic data began with the first version and continues as Microsoft connects the product to more and more cloud services such as OneDrive, voice recognition, Cortana and Microsoft Search. The sending of telemetry/diagnostic data has been criticized in a wide range of assessments by state data protection agencies and in expert opinions of the Dutch Ministry of Justice. In January 2020 Microsoft reacted with new GPOs and options in the Enterprise and EDU area to reduce the sending of telemetry/diagnostic data and to give customers more control over it.
Diagnostic and telemetry data and data protection
The Windows 10 diagnostic data is processed under Privacy Shield. This is now no longer possible, as the ECJ decision of 16 July 2020 has prohibited this type of processing of personal data. The storage location for diagnostic data in Windows 10 is always a data center in the USA. From my experience with the usual sniffers it is the US West region.
If we look a bit more closely at the license agreement, we have to decide by configuration whether we send data and how it is sent. Currently, without EU Model Clauses, we have to stop sending or use this new third version, which makes us as a customer a processor. However, this is not recommended from my point of view, because even in this version data is transferred, this is not done under EU Model Clauses, and I as a user am responsible for it.
New configuration options for corporate customers
Requirements: Windows 10 Pro, Windows 10 Enterprise, Windows 10 EDU
“Windows diagnostic data is used to help Microsoft keep the operating system secure and up-to-date, troubleshoot problems and make product improvements. More information about Windows diagnostic data can be found here.”
Until now, there were two ways to manage Windows 10 diagnostic data:
1) Allow Microsoft to be the controller of this data and determine the purposes and means of processing Windows diagnostic data to enhance the Windows 10 operating system and provide analytical services.
-> Microsoft is responsible for data processing
2) Switch off the diagnostic data flow completely.
The new third option
3) “The customer is the controller for their Windows 10 diagnostic data and can at the same time benefit from the purposes for which this data serves, such as the quality of updates and device drivers. In this approach, Microsoft will act as the data processor and process Windows diagnostic data on behalf of the controller”.
Contract data processing
-> The customer/user is the responsible party and the client for the Windows 10 diagnostic data
-> Microsoft is the data processor, i.e. it processes the Windows 10 diagnostic data on behalf of the customer
“This new option will allow customers to use familiar tools to manage, export or delete data to help them meet their compliance obligations. For example, the Microsoft Azure Portal will allow customers to respond to requests from their own users, such as deleting and exporting diagnostic data. Admins can easily add – or remove – Windows devices to the service via Group Policy or Mobile Device Management (MDM)”.
“User control and transparency are among our most important privacy principles and are at the heart of Microsoft’s mission to empower every person and organization on the planet to do more. For those customers interested, this option makes it even easier for them to enable the core Microsoft 365 experience and get the most out of it, while keeping their compliance efforts in mind.”
If you want to test all three options, enter the tenant ID. I recommend using a test tenant, because Desktop Analytics and Update Compliance will no longer work.
What do you need? Group Policy or an MDM solution
Data type: Integer
Under Value, use 1 to enable the service.
You find the setting at the following path, and you have to set it to Enabled.
Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds: switch the Allow commercial data pipeline setting to Enabled.
Diagnostic Data Viewer
You can download it from the Windows 10 App Store:
The preview is now started and allows Microsoft to become the data processor for the diagnostic data in Windows 10. For this purpose, the data is redirected to a data center and processed there. Unfortunately, this is currently not possible in Europe, so I think this option is out of the question for the time being.
“Diagnostic data collected with the data processing service for Windows Enterprise is hosted in our data center in the USA.
- Windows 10 Enterprise / EDU
- from version 1809
- Windows Server 2019 and higher
- Network end points
- Windows 10, version 1809 endpoints
- Windows 10, version 1903 endpoints
To enable data collection by the Windows Enterprise Data Collection Service, go to Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds in Group Policy, and change the Allow commercial data pipeline setting to Enabled.
If you want to disable it, you can always change the same setting to Disabled. The default state of this setting is Disabled.
To use an MDM solution such as Microsoft Intune to deploy the Windows Enterprise Data Processing Service on your supported devices, use the following custom configuration of the OMA URI setting:
Data type: Integer
Under Value, use 1 to activate the service.
If you want to disable it, you can always change the same setting to 0. The default value is 0.
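A way to verify on a device which of the three options is in effect after the setting has been deployed by Group Policy or MDM. This is an added example, not code from the original post or from Microsoft; it assumes the policy is stored as the DWORD AllowCommercialDataPipeline under the two registry paths shown, and that version 1809 corresponds to build 17763.

```powershell
# Added example (not Microsoft's or the author's code).
# Assumptions: value names and registry paths below; 1809 = build 17763.
$GpoKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
$MdmKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\System'
$OsKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

function Get-PolicyDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent ("Not configured").
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-DiagnosticDataPolicyState {
    $os    = Get-ItemProperty -Path $OsKey
    $build = [int]$os.CurrentBuildNumber
    $gpo   = Get-PolicyDword -Path $GpoKey -Name 'AllowCommercialDataPipeline'
    $mdm   = Get-PolicyDword -Path $MdmKey -Name 'AllowCommercialDataPipeline'

    # Not configured counts as off: the page gives Disabled / 0 as the default.
    # Either source enabling it is flagged, so a GPO/MDM conflict is visible.
    $pipelineOn = ($gpo -eq 1) -or ($mdm -eq 1)
    $supported  = ($build -ge 17763)

    $role = if ($pipelineOn -and $supported) {
        'Option 3: customer is controller, Microsoft is processor'
    } elseif ($pipelineOn) {
        'Pipeline policy is set, but the build is older than version 1809'
    } else {
        'Pipeline off: Microsoft is controller unless the data flow is switched off'
    }

    [pscustomobject]@{
        Edition          = $os.EditionID
        Build            = $build
        GpoPipelineValue = $gpo
        MdmPipelineValue = $mdm
        TelemetryLevel   = Get-PolicyDword -Path $GpoKey -Name 'AllowTelemetry'
        Role             = $role
    }
}

Get-DiagnosticDataPolicyState | Format-List
```

Run it in an elevated or standard PowerShell session on the device; the raw GPO and MDM values are reported side by side so that a device enrolled in the pipeline by only one of the two channels stands out.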
What I miss with the new option is the joint control between Microsoft and the customer, which is usually present with these shared services (Facebook fan pages, Google Maps). Microsoft is deliberately putting itself in the position of a contract data processor. Furthermore, I would like to have an option to turn off the diagnostic data completely for all versions. On the other hand, I also understand that certain data must be transferred for the security and protection of the users; then this should be set under EU Model Clauses and it should be set up in a more transparent way, what happens with the data.
I generally like to refer to my MVP colleagues for a complete removal of sending diagnostic data through Windows: https://www.gruppenrichtlinien.de/artikel/windows-10-telemetrie-und-diagnosedaten-richtig-abschalten/ (Germany)
Windows 10 Baseline Security for Windows 10 2004 (July 2020)
BSI study on hardening of Windows 10
Links to the Preview Program