Privacy

Windows Autopatch is a cloud service for enterprise customers designed to keep Windows devices updated. This article provides details about data platform and privacy compliance for Windows Autopatch.

Windows Autopatch data sources and purpose

Autopatch collects and stores data according to the Microsoft Privacy Statement.

Business Premium and A3+

Data provided by the customer or generated by the service during normal operation is stored. For example, when a device is targeted with a policy, information is stored enabling the service to deliver content to targeted devices.

Business Premium and A3+ licenses require the use of Windows Diagnostic data. For more information, see Diagnostic data in Windows Autopatch.

Windows Enterprise E3+ and F3

When you've activated Windows Autopatch features, data from various sources is used to properly administer enrolled devices and monitor that the service is working properly.

The sources include Microsoft Entra ID, Microsoft Intune, and Microsoft Windows 10/11. The sources provide a comprehensive view of the devices that Windows Autopatch manages.

Data source	Purpose
Microsoft Windows 10/11 Enterprise	Management of device setup experience, managing connections to other services, and operational support for IT pros.
Windows Update for Business	Uses Windows 10/11 Enterprise diagnostic data to provide additional information on Windows 10/11 update.
Microsoft Intune	Device management and to keep your data secure. The following endpoint management data sources are used: Microsoft Entra ID: Authentication and identification of all user accounts. Microsoft Intune: Distributing device configurations, device management and application management.
Windows Autopatch	Data provided by the customer or generated by the service during running of the service.
Microsoft 365 Apps for enterprise	Management of Microsoft 365 Apps.

Windows Autopatch data process and storage

Important

The information in section applies to Business premium, A3+, E3+ and F3 licenses. For more information, see Features and capabilities and Licenses and entitlements.

Windows Autopatch relies on data from multiple Microsoft products and services to provide its service to enterprise customers. To protect and maintain enrolled devices, we process and copy data from these services to Windows Autopatch. When we process data, we follow the documented directions you provide as referenced in the Online Services Terms and Microsoft Privacy Statement.

Processor duties of Windows Autopatch include ensuring appropriate confidentiality, security, and resilience. Windows Autopatch employs additional privacy and security measures to ensure proper handling of personal identifiable data.

Windows Autopatch data storage and staff location

Data obtained by Windows Autopatch and other services are required to keep the service operational. If a device is removed from Windows Autopatch, we keep data for a maximum of 30 days. For more information on data retention, see Data retention, deletion, and destruction in Microsoft 365.

Business Premium and A3+

Data stored in this part of the service is stored only in two regions, either Azure’s north American data centers or its European ones.

Windows Enterprise E3+ and F3

Windows Autopatch stores its data in the Azure data centers based on your data residency. For more information, see Microsoft 365 data center locations.

The Windows Autopatch Service Engineering Team is in the United States, India, and Romania.

Microsoft Windows 10/11 diagnostic data

Windows Autopatch uses Windows diagnostic data to keep Windows secure, up to date, fix problems, and make product improvements. Learn more about configuring diagnostic data for your organization in Intune.

Business Premium and A3+

To take advantage of the unique deployment scheduling controls and protections tailored to your population and to deploy driver updates, devices must share diagnostic data with Microsoft. For these features, at minimum, the deployment service requires devices to send diagnostic data at the Required level for these features.

Windows Enterprise E3+ and F3

When you've activated Windows Autopatch features, Windows Autopatch creates the “Windows Autopatch – Data Collection Policy” and assigns it to enrolled devices. This policy configures the following settings:

Setting	Value	Description
Allow telemetry	Optional. This value was previously named “Full” for Windows 10 devices. For more information, see Changes to Windows diagnostic data collection.	Allow the device to send diagnostic and usage telemetry data, such as Watson. For more information about diagnostic data, including what is and what isn't collected by Windows, see diagnostic data settings.
Limit Diagnostic Log Collection	Enabled	This policy setting specifies whether diagnostic log data can be collected when more information is needed to troubleshoot a problem.
Limit Dump Collection	Enabled	This policy setting limits the type of dumps that can be collected when more information is needed to troubleshoot a problem. These dumps aren't sent unless we have permission to collect optional diagnostic data. By enabling this policy setting, Windows Error Reporting is limited to sending kernel mini dumps and user mode triage dumps only.
Limit Enhanced Diagnostic Data Windows Analytics	Enabled	This policy setting, in combination with the Allow Telemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services.
Allow Windows Autopatch Processing	Allowed	Allows diagnostic data from this device to be processed by Windows Autopatch.

Windows Autopatch only processes and stores system-level data from Windows 10/11 optional diagnostic data that originates from enrolled devices such as application and device reliability, and performance information. Windows Autopatch doesn't process and store customers' data such as chat and browser history, voice, text, or speech data.

For more information about the diagnostic data collection of Microsoft Windows 10/11, see the Where we store and process data section of the Microsoft Privacy Statement.

For more information about how Windows diagnostic data is used, see:

• Windows diagnostic data in your organization
• Features that require Windows diagnostic data

Tenant access

Business Premium and A3+

Important

To activate all Windows Autopatch features, you must have Windows 10/11 Enterprise E3+ or F3 (included in Microsoft 365 F3, E3, or E5) licenses. Feature activation is optional and at no additional cost to you when you have Windows 10/11 Enterprise E3+ or F3 licenses. For more information, see Licenses and entitlements.

Windows Enterprise E3+ and F3 licenses

For more information about tenant access and changes made to your tenant upon activating Windows Autopatch features, see Changes made at feature activation.

Microsoft Windows Update for Business Reports

Business Premium and A3+

If you have Business Premium and A3+ licenses, when you use Windows Update for Business reports, using diagnostic data at the following levels allows device names to appear in reporting:

• Optional level (previously Full) for Windows 11 devices
• Enhanced level for Windows 10 devices

Windows Enterprise E3+ and F3

Windows Update for Business uses data from Windows diagnostics to analyze update status and failures. When you activate Windows Autopatch features, this data is used to deliver reports and confirm that registered devices are up to date.

Microsoft Entra ID

Important

The information in section applies to Business premium, A3+, E3+ and F3 licenses. For more information, see Features and capabilities and Licenses and entitlements.

Identifying data used by Windows Autopatch is stored by Microsoft Entra ID in a geographical location. The geographical location is based on the location provided by the organization upon subscribing to Microsoft online services, such as Microsoft Apps for Enterprise and Azure. For more information on where your Microsoft Entra data is located, see Microsoft Entra ID - Where is your data located?

Microsoft Intune

Important

The information in section applies to Business premium, A3+, E3+ and F3 licenses. For more information, see Features and capabilities and Licenses and entitlements.

Microsoft Intune collects, processes, and shares data to Windows Autopatch to support business operations and services. For more information about the data collected in Intune, see Data collection in Intune.

For more information on Microsoft Intune data locations, see Where your Microsoft 365 customer data is stored. Intune respects the storage location selections made by the administrator for customer data.

Microsoft 365 Apps for enterprise

Business Premium and A3+

Microsoft 365 Apps for enterprise only collects and shares data with Windows Autopatch when you activate Windows Autopatch features. Windows Autopatch ensure those apps are up to date with the latest version.

To use Windows Autopatch features, you must have the correct Enterprise license(s) and activate Windows Autopatch features. For more information about Enterprise licenses and the prerequisites, see Windows Autopatch prerequisites. For more information about features and capabilities, see Features and capabilities.

Windows Enterprise E3+ and F3

Microsoft 365 Apps for enterprise collects and shares data with Windows Autopatch to ensure those apps are up to date with the latest version. These updates are based on predefined update channels managed by Windows Autopatch. For more information on Microsoft 365 Apps's data collection and storage locations, see Microsoft Defender for Endpoint data storage and privacy.

Major data change notification

Important

The information in section applies to Business premium, A3+, E3+ and F3 licenses. For more information, see Features and capabilities and Licenses and entitlements.

We notify customers through the Microsoft 365 message center, and the Windows Autopatch admin center about security incidents and major changes to the service.

Changes to the types of data gathered and storage are considered a material change. We provide a minimum of 30 days advanced notice of this change as it's standard practice for Microsoft 365 products and services.

Data subject requests

Windows Autopatch follows General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) privacy regulations, which give data subjects specific rights to their data.

These rights include:

• Obtaining copies of data
• Requesting corrections to it
• Restricting the processing of it
• Deleting it
• Receiving it in an electronic format so it can be moved to another controller

For more general information about Data Subject Requests (DSRs), see Data Subject Requests and the GDPR and CCPA.

Business Premium and A3+

For Data Subject Requests from other products related to the service, see the following articles:

• Windows diagnostic data
• Microsoft Intune data
• Microsoft Entra data

Windows Enterprise E3+ and F3

To exercise data subject requests on data collected by the Windows Autopatch case management system, see the following data subject requests:

Data subject requests	Description
Data from Windows Autopatch support requests	Your IT administrator can request deletion, or extraction of data related support requests by submitting a report request in the admin center. Provide the following information: Request type: Change request Category: Security Subcategory: Other Description: Provide the relevant device names or usernames

Legal

Important

The information in section applies to Business premium, A3+, E3+ and F3 licenses. For more information, see Features and capabilities and Licenses and entitlements.

The following is Microsoft's privacy notice to end users of products provided by organizational customers.

The Microsoft Privacy Statement notifies end users that when they sign into Microsoft products with a work account:

1. Their organization can control and administer their account (including controlling privacy-related settings), and access and process their data.
2. Microsoft might collect and process the data to provide the service to the organization and end users.