Privacy

Windows Autopatch is a cloud service for enterprise customers designed to keep employees' Windows devices updated. This article provides details about data platform and privacy compliance for Windows Autopatch.

Windows Autopatch data sources and purpose

Windows Autopatch provides its service to enterprise customers, and properly administers customers' enrolled devices by using data from various sources.

The sources include Microsoft Entra ID, Microsoft Intune, and Microsoft Windows 10/11. The sources provide a comprehensive view of the devices that Windows Autopatch manages.

Data source Purpose
Microsoft Windows 10/11 Enterprise Management of device setup experience, managing connections to other services, and operational support for IT pros.
Windows Update for Business Uses Windows 10/11 Enterprise diagnostic data to provide additional information on Windows 10/11 update.
Microsoft Intune Device management and to keep your data secure. The following endpoint management data sources are used:
  • Microsoft Entra ID: Authentication and identification of all user accounts.
  • Microsoft Intune: Distributing device configurations, device management and application management.
Windows Autopatch Data provided by the customer or generated by the service during running of the service.
Microsoft 365 Apps for enterprise Management of Microsoft 365 Apps.

Windows Autopatch data process and storage

Windows Autopatch relies on data from multiple Microsoft products and services to provide its service to enterprise customers.

To protect and maintain enrolled devices, we process and copy data from these services to Windows Autopatch. When we process data, we follow the documented directions you provide as referenced in the Online Services Terms and Microsoft Privacy Statement.

Processor duties of Windows Autopatch include ensuring appropriate confidentiality, security, and resilience. Windows Autopatch employs additional privacy and security measures to ensure proper handling of personal identifiable data.

Windows Autopatch data storage and staff location

Windows Autopatch stores its data in the Azure data centers based on your data residency. For more information, see Microsoft 365 data center locations.

Important

  • As of November 8, 2022, only new Windows Autopatch customers (EU, UK, Africa, Middle East) will have their data live in the European data centers.
  • Existing European Union (EU) Windows Autopatch customers will move from the North American data centers to the European data centers by the end of 2022.
  • If you're an existing Windows Autopatch customer, but not part of the European Union, data migration from North America to your respective data residency will occur next year.

Data obtained by Windows Autopatch and other services are required to keep the service operational. If a device is removed from Windows Autopatch, we keep data for a maximum of 30 days. For more information on data retention, see Data retention, deletion, and destruction in Microsoft 365.

Windows Autopatch Service Engineering Team is in the United States, India and Romania.

Microsoft Windows 10/11 diagnostic data

Windows Autopatch uses Windows 10/11 Enhanced diagnostic data to keep Windows secure, up to date, fix problems, and make product improvements.

The enhanced diagnostic data setting includes more detailed information about the devices enrolled in Windows Autopatch and their settings, capabilities, and device health. When enhanced diagnostic data is selected, data, including required diagnostic data, are collected. For more information, see Changes to Windows diagnostic data collection about the Windows 10/11 diagnostic data setting and data collection.

The diagnostic data terminology will change in future versions of Windows. Windows Autopatch is committed to processing only the data that the service needs. The diagnostic level will change to Optional, but Windows Autopatch will implement the limited diagnostic policies to fine-tune diagnostic data collection required for the service. For more information, see Changes to Windows diagnostic data collection.

Windows Autopatch only processes and stores system-level data from Windows 10/11 optional diagnostic data that originates from enrolled devices such as application and device reliability, and performance information. Windows Autopatch doesn't process and store customers' data such as chat and browser history, voice, text, or speech data.

For more information about the diagnostic data collection of Microsoft Windows 10/11, see the Where we store and process data section of the Microsoft Privacy Statement.

For more information about how Windows diagnostic data is used, see:

Tenant access

For more information about tenant access and changes made to your tenant upon enrolling into Windows Autopatch, see Changes made at tenant enrollment.

Service accounts

Important

Starting October 12, 2022, Windows Autopatch will manage your tenant with our enterprise application. If your tenant is still using the Windows Autopatch service accounts, you must take action. To take action or see if you need to take action, visit the Tenant management blade in the Windows Autopatch portal.

Windows Autopatch creates and uses guest accounts using just-in-time access functionality when signing into a customer tenant to manage the Windows Autopatch service. To provide additional locked down control, Windows Autopatch maintains a separate conditional access policy to restrict access to these accounts.

Account name Usage Mitigating controls
MsAdmin@tenantDomain.onmicrosoft.com
  • This account is a limited-service account with administrator privileges. This account is used as an Intune and User administrator to define and configure the tenant for Windows Autopatch devices.
  • This account doesn't have interactive sign-in permissions. The account performs operations only through the service.
Audited sign-ins
MsAdminInt@tenantDomain.onmicrosoft.com
  • This account is an Intune and User administrator account used to define and configure the tenant for Windows Autopatch devices.
  • This account is used for interactive login to the customer's tenant.
  • The use of this account is limited as most operations are exclusively through MsAdmin (non-interactive) account.
  • Restricted to be accessed only from defined secure access workstations (SAWs) through a conditional access policy
  • Audited sign-ins
MsTest@tenantDomain.onmicrosoft.com This account is a standard account used as a validation account for initial configuration and roll out of policy, application, and device compliance settings. Audited sign-ins

Microsoft Windows Update for Business

Microsoft Windows Update for Business uses data from Windows diagnostics to analyze update status and failures. Windows Autopatch uses this data and uses it to mitigate, and resolve problems to ensure that all registered devices are up to date based on a predefined update cadence.

Microsoft Entra ID

Identifying data used by Windows Autopatch is stored by Microsoft Entra ID in a geographical location. The geographical location is based on the location provided by the organization upon subscribing to Microsoft online services, such as Microsoft Apps for Enterprise and Azure. For more information on where your Microsoft Entra data is located, see Microsoft Entra ID - Where is your data located?

Microsoft Intune

Microsoft Intune collects, processes, and shares data to Windows Autopatch to support business operations and services. For more information about the data collected in Intune, see Data collection in Intune

For more information on Microsoft Intune data locations, see Where your Microsoft 365 customer data is stored. Intune respects the storage location selections made by the administrator for customer data.

Microsoft 365 Apps for enterprise

Microsoft 365 Apps for enterprise collects and shares data with Windows Autopatch to ensure those apps are up to date with the latest version. These updates are based on predefined update channels managed by Windows Autopatch. For more information on Microsoft 365 Apps's data collection and storage locations, see Microsoft Defender for Endpoint data storage and privacy.

Major data change notification

Windows Autopatch follows a change control process as outlined in our service communication framework.

We notify customers through the Microsoft 365 message center, and the Windows Autopatch admin center about security incidents and major changes to the service.

Changes to the types of data gathered and where it's stored are considered a material change. We'll provide a minimum of 30 days advanced notice of this change as it's standard practice for Microsoft 365 products and services.

Data subject requests

Windows Autopatch follows General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) privacy regulations, which give data subjects specific rights to their data.

These rights include:

  • Obtaining copies of data
  • Requesting corrections to it
  • Restricting the processing of it
  • Deleting it
  • Receiving it in an electronic format so it can be moved to another controller

For more general information about Data Subject Requests (DSRs), see Data Subject Requests and the GDPR and CCPA.

To exercise data subject requests on data collected by the Windows Autopatch case management system, see the following data subject requests:

Data subject requests Description
Data from Windows Autopatch support requests Your IT administrator can request deletion, or extraction of data related support requests by submitting a report request at the admin center.

Provide the following information:
  • Request type: Change request
  • Category: Security
  • Subcategory: Other
  • Description: Provide the relevant device names or user names.

For DSRs from other products related to the service, see the following articles:

The following is Microsoft's privacy notice to end users of products provided by organizational customers.

The Microsoft Privacy Statement notifies end users that when they sign into Microsoft products with a work account:

  1. Their organization can control and administer their account (including controlling privacy-related settings), and access and process their data.
  2. Microsoft may collect and process the data to provide the service to the organization and end users.