Changes to Windows diagnostic data collection
Applies to
- Windows 10, version 1903 and newer
- The next version of Windows Server
Microsoft is committed to providing you with effective controls over your data and ongoing transparency into our data handling practices. As part of this effort, we are moving our major products and services to a model where data sent back to Microsoft from customer devices will be classified as either Required or Optional. We believe this will provide our customers with a simpler experience – information should be easier to find, easier to understand, and easier to act upon through the tools we provide.
This topic is meant for IT administrators and explains the changes Windows is making to align to the new data collection taxonomy. These changes are focused in two areas: taxonomy changes and behavioral changes.
You can test the behavioral changes now in Windows 10 Insider Preview build 19577 and later.
Summary of changes
In Windows 10, version 1903 and newer, you will see taxonomy updates in both the Out-of-box-experience (OOBE) and the Diagnostics & feedback privacy settings page. These changes are explained in the section named Taxonomy changes.
Additionally, in an upcoming release of Windows 10, we’re simplifying your diagnostic data controls by moving from four diagnostic data controls to three: Diagnostic data off, Required, and Optional. We’re also clarifying the Security diagnostic data level to more accurately reflect its behavior by changing it to Diagnostic data off. All of these changes are explained in the section named Behavioral changes.
Taxonomy changes
Starting in Windows 10, version 1903 and newer, both the Out-of-Box-Experience (OOBE) and the Diagnostics & feedback privacy setting pages will reflect the following changes:
- The Basic diagnostic data level is being labeled as Required.
- The Full diagnostic data level is being labeled as Optional.
No action is required for the taxonomy changes, and your existing settings will be maintained as part of this update.
Behavioral changes
In an upcoming release of Windows 10, we’re simplifying your diagnostic data controls by moving from four diagnostic data controls to three: Diagnostic data off, Required, and Optional. If your devices are set to Enhanced when they are upgraded, the device settings will be migrated to the more privacy-preserving setting of Required diagnostic data, which means that analytic services that rely on Enhanced data collection may not work properly. Administrators should read through the details and determine whether to apply the new policies to restore the same collection settings they had before this change. For the steps, see the section named Configure a Windows 10 device to limit crash dumps and logs. For a list of affected services, see the section named Services that rely on Enhanced diagnostic data, later in this topic.
Additionally, you will see the following policy changes in an upcoming release of Windows 10:
Policy type | Current policy | Renamed policy |
---|---|---|
Group Policy | Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Allow Telemetry | Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Allow Diagnostic Data |
Group Policy | Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure telemetry opt-in settings user interface | Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure diagnostic data opt-in settings user interface |
Group Policy | Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure telemetry opt-in change notifications | Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure diagnostic data opt-in change notifications |
A final set of changes includes two new policies that can help you fine-tune diagnostic data collection within your organization. These policies let you limit the amount of optional diagnostic data that’s sent back to Microsoft.
- The Limit dump collection policy is a new policy that can be used to limit the types of crash dumps that can be sent back to Microsoft. If this policy is enabled, Windows Error Reporting will send only kernel mini dumps and user mode triage dumps.
  - Group Policy: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Limit Dump Collection
  - MDM policy: System/LimitDumpCollection
- The Limit diagnostic log collection policy is another new policy that limits the number of diagnostic logs that are sent back to Microsoft. If this policy is enabled, diagnostic logs are not sent back to Microsoft.
  - Group Policy: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Limit Diagnostic Log Collection
  - MDM policy: System/LimitDiagnosticLogCollection
None of the changes mentioned in this section will be released on Windows 10, version 1809 and earlier, or on Windows Server 2019 and earlier.
Configure a Windows 10 device to limit crash dumps and logs
With the Enhanced diagnostic data level being split out into new policies, we’re providing additional controls to manage what types of crash dumps are collected and whether to send additional diagnostic logs. Here are some steps on how to configure them:
- Choose to send optional diagnostic data by setting one of the following policies:
  - Group Policy: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Allow Diagnostic Data. Set the policy value to Send optional diagnostic data.
  - MDM: System/AllowTelemetry. Set the policy value to 3.
- Enable the following Group Policy: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Limit Dump Collection
- Enable the following Group Policy: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Limit Diagnostic Log Collection
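The following audit script is an added example, not part of this article or of any Microsoft tooling: it reads a device's policy-backed diagnostic data settings and reports whether they match the three steps above, and flags devices still set to Enhanced, which the behavioral changes migrate to Required. It assumes the policy values are stored under the Group Policy DataCollection registry key (the article names only the Group Policy and MDM policies, not their registry backing store).

```powershell
# Added example (not from the Microsoft article): audit a device's diagnostic
# data policy state against the three configuration steps described above.
# ASSUMPTION: the policies are backed by DWORD values under this Group Policy key.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'

function Get-PolicyValue {
    param([string]$Name)
    $item = Get-ItemProperty -Path $policyKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }    # key or value absent: policy Not Configured
    return [int]$item.$Name
}

# AllowTelemetry levels in the article's taxonomy: 0 = Diagnostic data off,
# 1 = Required (Basic), 2 = Enhanced, 3 = Optional (Full).
$levels = @{ 0 = 'Diagnostic data off'; 1 = 'Required'; 2 = 'Enhanced'; 3 = 'Optional' }

$allow = Get-PolicyValue 'AllowTelemetry'
$dump  = Get-PolicyValue 'LimitDumpCollection'
$logs  = Get-PolicyValue 'LimitDiagnosticLogCollection'

$findings = @()
if ($null -eq $allow) {
    $findings += 'AllowTelemetry is Not Configured; the OOBE/user choice applies.'
} elseif ($allow -eq 2) {
    $findings += 'Device is set to Enhanced; the upcoming release migrates it to Required.'
} elseif ($allow -ne 3) {
    $findings += "AllowTelemetry = $allow ($($levels[$allow])); step 1 expects 3 (Optional)."
}
# The two limiting policies only matter once optional diagnostic data is being sent.
if ($allow -eq 3) {
    if ($dump -ne 1) { $findings += 'Limit Dump Collection is not enabled (step 2).' }
    if ($logs -ne 1) { $findings += 'Limit Diagnostic Log Collection is not enabled (step 3).' }
}

[pscustomobject]@{
    AllowTelemetry               = if ($null -eq $allow) { 'Not Configured' } else { $levels[$allow] }
    LimitDumpCollection          = if ($dump -eq 1) { 'Enabled' } else { 'Not Enabled' }
    LimitDiagnosticLogCollection = if ($logs -eq 1) { 'Enabled' } else { 'Not Enabled' }
    Findings                     = if ($findings) { $findings -join ' ' } else { 'Matches the three steps above.' }
}
```

Run it elevated on a device after Group Policy has refreshed; a Finding of "set to Enhanced" identifies devices whose collection level will change on upgrade.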
Services that rely on Enhanced diagnostic data
Customers who use services that depend on Windows diagnostic data, such as Microsoft Managed Desktop or Desktop Analytics, may be impacted by the behavioral changes when they are released. These services will be updated to address these changes and guidance will be published on how to configure them properly.
The following provides information on the current configurations:
Endpoint analytics data collection
This article explains the data flow, data collection, and how to stop gathering data for Endpoint analytics. Our data handling policies are described in the Microsoft Trust Center.
Data flow
Endpoint analytics is available in all Intune locations in global Azure. The following illustration shows how required functional data flows from individual devices through our data services, transient storage, and to your tenant.
- For Intune-managed devices, this step configures the Intune data collection policy. By default, this policy is assigned to All Devices. You can change the assignment at any time to a subset of devices or no devices at all.
- Devices send required functional data:
  - For Intune and co-managed devices with the assigned policy, devices send required functional data directly to the Microsoft Endpoint Management Service in the Microsoft public cloud, where it is processed in near real time. For more information, see Endpoints required for Intune-managed devices.
  - For Configuration Manager-managed devices, data flows to Microsoft Endpoint Management through the ConfigMgr connector. Devices don’t need direct access to the Microsoft public cloud, but the ConfigMgr connector is cloud attached and requires a connection to an Intune tenant. Devices send data to the Configuration Manager Server role every 24 hours, and the Configuration Manager connector sends data to the Gateway Service every hour.
- The Microsoft Endpoint Management service processes data for each device and publishes the results for both individual devices and organizational aggregates in the admin console using MS Graph APIs. The maximum latency end to end is 25 hours and is gated by the time it takes to do the daily processing of insights and recommendations.
When you first set up Endpoint analytics, add new clients to the Intune data collection policy, or enable device upload for a new collection, the reports in the Endpoint analytics portal may not show complete data right away. The data required to compute the startup score for a device is generated during boot time. Depending on power settings and user behavior, it may take weeks after a device has been enrolled to show the startup score in the admin console.
Data collection
Currently, the basic functionality of Endpoint analytics collects information associated with boot performance records that falls into the required and optional categories. As we add additional functionality over time, the data collected will vary as needed. The main data points currently being collected are:
Required data
- Hardware inventory information
  - make: Device manufacturer
  - model: Device model
  - deviceClass: The device classification. For example, Desktop, Server, or Mobile.
  - Country: The device region setting
- Application inventory, like
  - name: Windows
  - ver: The version of the current OS.
- Diagnostic, performance, and usage data tied to a user and/or device
  - logOnId
  - bootId: The system boot ID
  - coreBootTimeInMilliseconds: Time for core boot
  - totalBootTimeInMilliseconds: Total boot time
  - updateTimeInMilliseconds: Time for OS updates to complete
  - gpLogonDurationInMilliseconds: Time for Group policies to process
  - desktopShownDurationInMilliseconds: Time for desktop (explorer.exe) to be loaded
  - desktopUsableDurationInMilliseconds: Time for desktop (explorer.exe) to be usable
  - topProcesses: List of processes loaded during boot, with name, CPU usage stats, and app details (name, publisher, version)
- Device data not tied to a device or user (if this data is tied to a device or user, Intune treats it as identified data)
  - ID: Unique device ID used by Windows Update
  - localId: A locally defined unique ID for the device. This ID isn’t the human-readable device name. Most likely equal to the value stored at HKLM\Software\Microsoft\SQMClient\MachineId.
  - aaddeviceid: Azure Active Directory device ID
  - orgId: Unique GUID representing the Microsoft 365 Tenant
Our data handling policies are described in the Microsoft Trust Center. We only use your customer data to provide you the services you signed up for. As described during the onboarding process, we anonymize and aggregate the scores from all enrolled organizations to keep the All organizations (median) baseline up-to-date.
Stop gathering data
If you’re enrolling Intune managed devices only, unselect the Boot performance scope from the Intune data collection policy created during sign-up. Optionally, revoke consent to share anonymized and aggregate metrics for seeing updated Endpoint analytics scores and insights.
If you’re enrolling devices that are managed by Configuration Manager, you’ll need to do the following steps to disable data upload in Configuration Manager:
- In the Configuration Manager console, go to Administration > Cloud Services > Co-management.
- Select CoMgmtSettingsProd then click Properties.
- On the Configure upload tab, uncheck the option to Enable Endpoint analytics for devices uploaded to Microsoft Endpoint Manager.
- Optionally, revoke consent to share anonymized and aggregate metrics for seeing updated Endpoint analytics scores and insights.
Disable Endpoint analytics data collection in Configuration Manager (optional):
- In the Configuration Manager console, go to Administration > Client Settings > Default Client Settings.
- Right-click and select Properties, then select the Computer Agent settings.
- Set Enable Endpoint analytics data collection to No.
If you have an existing custom client agent setting that’s been deployed to your devices, you’ll need to update the Enable Endpoint analytics data collection option in that custom setting then redeploy it to your machines for it to take effect.
Resources
For more information about related privacy aspects, see the following articles: