Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Applies to:
- Windows 10 Enterprise, Pro, and Education edition version 1809 with July 2021 update and later
- Windows 11 Enterprise, Pro, and Education edition
This guide discusses how to use Microsoft products, services, and administrative tools to help controller customers find and act on personal data to respond to DSRs. Specifically, this guide includes how to find, access, and act on personal data in the Windows diagnostic data collected by Microsoft when the Windows diagnostic data processor configuration is enabled.
For GDPR terminology definitions, see General Data Protection Regulation. For information about Microsoft's role as a data processor, see Microsoft as data processor.
For general DSR process information including the DSR lifecycle steps, how to use the product-specific guides, and how DSRs apply within Microsoft Entra ID tenants, see Data Subject Requests and the GDPR and CCPA. Here's a quick overview of the processes outlined in this guide:
- Access: Retrieve Windows diagnostic data associated with a data subject and if requested, make a copy of it that can be available to the data subject.
- Delete: Permanently remove Windows diagnostic data associated with a data subject.
- Export: Provide an electronic copy (in a machine-readable format) of Windows diagnostic data to the data subject.
Each section in this guide outlines the technical procedures that a data controller organization can take to respond to a DSR for Windows diagnostic data collected by Microsoft when the Windows diagnostic data processor configuration is enabled.
Additional terminology
- Windows diagnostic data—Technical data from Windows devices about the device and how Windows and related software are performing. Microsoft uses this data to keep Windows up to date, secure, reliable, performant, and to make product improvements. Some examples of Windows diagnostic data are the type of hardware you're using, applications installed with their respective usage, and reliability information on device drivers. Some Windows components and apps connect to Microsoft services directly, but the data they exchange isn't Windows diagnostic data. For example, exchanging a user's location for local weather or news isn't an example of Windows diagnostic data.
How to use this guide
When you enable the Windows diagnostic data processor configuration, you become the controller of the Windows diagnostic data collected from devices. For more information on this configuration, see Configure Windows diagnostic data in your organization.
Windows diagnostic data
Microsoft provides you with the ability to access, delete, and export Windows diagnostic data associated with a user's use of the devices enabled by the Windows diagnostic data processor configuration.
Important
Some Windows diagnostic data is only associated with a device identifier and isn't associated with a specific user. This type of device-level data isn't exported and is deleted from our systems within 30 days.
The ability to rectify Windows diagnostic data isn't supported. Windows diagnostic data constitutes factual actions conducted within Windows, and modifications to such data would compromise the historical record of actions, increasing security risks and harming reliability.
The next section provides steps on how to execute a data subject request for Windows diagnostic data that is associated with a Microsoft Entra user ID. For more information, see Windows 10 & Windows 11 Privacy Compliance: A Guide for IT and Compliance Professionals.
Execute DSRs against Windows diagnostic data
Microsoft provides the ability to access, delete, and export certain Windows diagnostic data through the Azure portal and directly via preexisting application programming interfaces (APIs).
Step 1: Access
Microsoft provides a way for the tenant administrator within your organization to access Windows diagnostic data associated with a particular user's use of a device enabled with the Windows diagnostic data processor configuration. The data retrieved for an access request comes in a machine-readable format and comes in files that let the user know which devices and services the data is associated with. As noted previously, the data retrieved doesn't include data that might compromise the security or stability of the Windows device.
The Azure portal provides the enterprise customer's tenant administrator the capability to manage DSR access requests. Azure DSR, Part 2, Step 3: Export describes how to execute a DSR access request for Windows diagnostic data, via export, through the Azure portal.
Step 2: Delete
Microsoft provides a way to execute user-based DSR delete requests based on a particular user's Microsoft Entra object.
For user-based delete requests, Microsoft offers two solutions. There's a portal experience providing the enterprise customer's tenant administrator the capability to manage DSR delete requests. Azure DSR, Part 1, Step 5: Delete, describes how to execute a DSR delete request for Windows diagnostic data through the Azure portal by deleting a user and associated data.
Microsoft also provides the ability to delete users, which in turn deletes Windows diagnostic data, directly via a preexisting application programming interface (API). Details are described in the API reference documentation.
Important
Deleting collected data doesn't stop further collection from the device. To turn off data collection, follow the procedure described in the respective service's reference documentation.
Step 3: Export
Only the tenant administrator within your organization can access Windows diagnostic data associated with a particular user's use of a device enabled with the Windows diagnostic data processor configuration. The data retrieved for an export request comes in a machine-readable format and comes in files that let the user know which devices and services the data is associated with. As noted previously, the data retrieved doesn't include data that could compromise the security or stability of the Windows device. Azure DSR, Part 2, Step 3: Export describes how to execute a DSR export request for Windows diagnostic data through the Azure portal.
Microsoft also provides the ability to export Windows diagnostic data directly via a preexisting application programming interface (API). Details are described in the API reference documentation. Tenant administrators can use script automation to iterate through user IDs in their tenancy and initiate export requests for each user. This method supports full tenancy exports and works with processor-configured devices. Rate limits might be imposed by Azure Data Store; reference the current guidance on scalability and rate limits. Storage fees and egress fees might apply depending on the volume of data exported. For small and medium enterprises and non-profit research organizations, see data transfer fees.
Notify us about exporting or deleting issues
If you encounter issues while exporting or deleting Windows diagnostic data from the Azure portal, go to the Azure portal Help + Support blade. Create a new ticket under Subscription Management > Privacy and compliance requests for Subscriptions > Privacy Blade and GDPR Requests.
Note
A Windows diagnostic data export request can take up to five days to complete. If you experience issues, wait at least seven days before opening a support ticket.