Privacy

Microsoft Managed Desktop is an IT-as-a-Service (ITaaS) service for enterprise cloud customers designed to keep employees' Windows devices deployed and updated.

It also provides IT service management and operations, security monitoring and incident response, and user support. This article provides more details on data platform and privacy compliance for Microsoft Managed Desktop.

Microsoft Managed Desktop data sources and purpose

Microsoft Managed Desktop provides its service to enterprise customers, and properly administers customers' enrolled devices by using data from various sources.

These sources include Microsoft Entra ID, Microsoft Intune, Microsoft Windows 10/11, and Microsoft Defender for Endpoint. They provide a comprehensive view of the devices that Microsoft Managed Desktop manages. The service also uses these Microsoft services to enable Microsoft Managed Desktop to provide ITaaS capabilities:

| Data source | Purpose |
|---|---|
| Microsoft Windows 10/11 Enterprise | Management of device setup experience, managing connections to other services, and operational support for IT pros. |
| Windows Update for Business | Uses Windows 10/11 Enterprise diagnostic data to provide additional information on Windows 10/11 update. |
| Microsoft Intune family of products | Device management and to keep your data secure. The following data sources fall under Microsoft Intune family of products: |
| Microsoft Managed Desktop | Data provided by the customer or generated by the service during running of the service. |
| Microsoft 365 apps for enterprise | Management of Microsoft 365 Apps. |

Microsoft Managed Desktop data process and storage

Microsoft Managed Desktop relies on data from multiple Microsoft products and services to provide its service to enterprise customers.

To protect and maintain enrolled devices, we process and copy data from these services to Microsoft Managed Desktop. When we process data, we follow the documented directions you provide, as referenced in the Online Services Terms and Microsoft Privacy Statement.

Microsoft Managed Desktop's processor duties include ensuring appropriate confidentiality, security, and resilience. Microsoft Managed Desktop employs additional privacy and security measures to ensure proper handling of personally identifiable data.

Microsoft Managed Desktop data storage and staff location

Microsoft Managed Desktop stores its data in the Azure data centers based on your data residency. For more information, see Microsoft 365 data center locations.

Important

  • As of November 8, 2022, only new Microsoft Managed Desktop customers (EU, UK, Africa, Middle East) will have their data live in the European data centers.
  • Existing European Union (EU) Microsoft Managed Desktop customers will move from the North American data centers to the European data centers by the end of 2022.
  • If you're an existing Microsoft Managed Desktop customer, but not part of the European Union, data migration from North America to your respective data residency will occur next year.

Data obtained by Microsoft Managed Desktop and other services are required to keep the service operational. If a device is removed from Microsoft Managed Desktop, we keep data for a maximum of 30 days. However, alert data, collected by Microsoft Defender for Endpoint, is stored for 180 days for security purposes. For more information on data retention, see Data retention, deletion, and destruction in Microsoft 365.

Microsoft Managed Desktop Engineering Operations and Security Operations teams are located in the United States, India and Romania.

Microsoft Windows 10/11 diagnostic data

Microsoft Managed Desktop uses Windows 10/11 Enhanced diagnostic data to keep Windows secure and up to date, fix problems, and make product improvements.

The enhanced diagnostic data setting includes more detailed information about the devices enrolled in Microsoft Managed Desktop and their settings, capabilities, and device health. When enhanced diagnostic data is selected, data, including required diagnostic data, are collected. For more information about the Windows 10/11 diagnostic data setting and data collection, see Changes to Windows diagnostic data collection.

The diagnostic data terminology will change in future versions of Windows. Microsoft Managed Desktop is committed to processing only the data that the service needs. While this will mean the diagnostic level will change to Optional, Microsoft Managed Desktop will implement the limited diagnostic policies to fine-tune diagnostic data collection required for the service. For more information, see Changes to Windows diagnostic data collection.

Microsoft Managed Desktop only processes and stores system-level data from Windows 10/11 optional diagnostic data that originates from enrolled devices, such as application and device reliability and performance information. Microsoft Managed Desktop doesn't process and store customers' data such as chat and browser history, voice, text, or speech data.

For more information about the diagnostic data collection of Microsoft Windows 10/11, see the Where we store and process data section of the Microsoft Privacy Statement.

For more information about how Windows diagnostic data is used, see:

Tenant access

Microsoft Managed Desktop creates an enterprise application in your tenant. This enterprise application is used to run the Microsoft Managed Desktop service.

Enterprise application name: Modern Workplace Management

Usage: The Modern Workplace Management application:
  • Manages the service
  • Publishes baseline configuration updates
  • Maintains overall service health

Permissions:
  • DeviceManagementApps.ReadWrite.All
  • DeviceManagementConfiguration.ReadWrite.All
  • DeviceManagementManagedDevices.PrivilegedOperation.All
  • DeviceManagementManagedDevices.ReadWrite.All
  • DeviceManagementRBAC.ReadWrite.All
  • DeviceManagementServiceConfig.ReadWrite.All
  • Directory.Read.All
  • Group.Create
  • Policy.Read.All
  • WindowsUpdates.ReadWrite.All
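
One way to check that the Modern Workplace Management application in a tenant holds exactly the permissions listed above, as an added example rather than Microsoft's own tooling. It assumes you have exported the application's appRoleAssignments and the Microsoft Graph service principal's appRoles as JSON; the function names, GUIDs, and sample data are constructed for illustration, and permission names are spelled as Microsoft Graph defines them.

```python
import uuid

# Application permissions this page lists for "Modern Workplace Management",
# spelled the way Microsoft Graph spells them.
DOCUMENTED = frozenset({
    "DeviceManagementApps.ReadWrite.All",
    "DeviceManagementConfiguration.ReadWrite.All",
    "DeviceManagementManagedDevices.PrivilegedOperation.All",
    "DeviceManagementManagedDevices.ReadWrite.All",
    "DeviceManagementRBAC.ReadWrite.All",
    "DeviceManagementServiceConfig.ReadWrite.All",
    "Directory.Read.All",
    "Group.Create",
    "Policy.Read.All",
    "WindowsUpdates.ReadWrite.All",
})

def resolve_grants(assignments, resource_app_roles):
    """Translate each appRoleAssignment's appRoleId into a permission name."""
    names = {role["id"]: role["value"] for role in resource_app_roles}
    return {names.get(a["appRoleId"], "unresolved:" + a["appRoleId"])
            for a in assignments}

def audit(assignments, resource_app_roles, documented=DOCUMENTED):
    """Return grants beyond the documented list and documented ones not granted."""
    granted = resolve_grants(assignments, resource_app_roles)
    return {"unexpected": sorted(granted - documented),
            "missing": sorted(documented - granted)}

def _fake_id(name):
    # Constructed, deterministic GUID; not a real Microsoft Graph appRole id.
    return str(uuid.uuid5(uuid.NAMESPACE_URL, "example:" + name))

# Constructed sample data shaped like Graph's appRoles / appRoleAssignments.
SAMPLE_ROLES = [{"id": _fake_id(n), "value": n}
                for n in sorted(DOCUMENTED | {"Mail.ReadWrite"})]
SAMPLE_ASSIGNMENTS = (
    [{"appRoleId": _fake_id(n)} for n in sorted(DOCUMENTED - {"Policy.Read.All"})]
    + [{"appRoleId": _fake_id("Mail.ReadWrite")},
       {"appRoleId": "00000000-0000-0000-0000-000000000000"}]
)

if __name__ == "__main__":
    print(audit(SAMPLE_ASSIGNMENTS, SAMPLE_ROLES))
```

An "unexpected" entry is a grant the page does not document, and an "unresolved:" entry is a role ID that the resource's appRoles list could not name; both are worth reviewing before accepting the consent state.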

Microsoft Windows Update for Business

Microsoft Windows Update for Business uses data from Windows diagnostics to analyze update status and failures. Microsoft Managed Desktop uses this data to mitigate and resolve problems, ensuring that all registered devices are up to date based on a predefined update cadence.

Microsoft Entra ID

Identifying data used by Microsoft Managed Desktop is stored by Microsoft Entra ID in a geographical location. The geographical location is based on the location provided by the organization upon subscribing to Microsoft online services, such as Microsoft Apps for Enterprise and Azure. For more information on where your Microsoft Entra data is located, see Microsoft Entra ID - Where is your data located?

Microsoft Intune

Microsoft Intune collects, processes, and shares data with Microsoft Managed Desktop to support business operations and services. For more information about the data collected in Intune, see Data collection in Intune.

For more information on Microsoft Intune data locations, see Where your Microsoft 365 customer data is stored. Intune respects the storage location selections made by the administrator for customer data.

Microsoft Defender for Endpoint

Microsoft Defender for Endpoint collects and stores information for devices enrolled in Microsoft Managed Desktop for administration, tracking, and reporting purposes. Information collected includes:

  • File data (such as file names, size, and hashes)
  • Process data (running processes, hashes)
  • Registry data
  • Network connection data
  • Device details (such as device identifiers, device names, and the operating system version)

For more information on Microsoft Defender for Endpoint's data collection and storage locations, see Microsoft Defender for Endpoint data storage and privacy.

Microsoft 365 Apps for Enterprise

Microsoft 365 Apps for Enterprise collects and shares data with Microsoft Managed Desktop to ensure those apps are up to date with the latest version. These updates are based on predefined update channels managed by Microsoft Managed Desktop. For more information on Microsoft 365 Apps' data collection and storage locations, see Microsoft Defender for Endpoint data storage and privacy.

Major data change notification

Microsoft Managed Desktop follows a change control process as outlined in our service communication framework.

We notify customers through the Microsoft 365 Message Center and the Microsoft Intune admin center of both security incidents and major changes to the service.

Changes to the types of data gathered and where it's stored are considered a material change. We'll provide a minimum of 30 days of advance notification of this change as is standard practice for Microsoft 365 products and services. For more information, see Service changes and communication.

Compliance

Microsoft Managed Desktop has undergone external audits and obtained a comprehensive set of compliance offerings. You can find more information in Compliance. Audit reports are available for download at the Microsoft Service Trust Portal, which serves as a central repository for Microsoft Enterprise Online Services. Microsoft Managed Desktop is listed within these documents under the "Monitoring and Management" category.

Data subject requests

Microsoft Managed Desktop follows GDPR and CCPA privacy regulations, which give data subjects specific rights to their data.

These rights include:

  • Obtaining copies of data
  • Requesting corrections to it
  • Restricting the processing of it
  • Deleting it
  • Receiving it in an electronic format so it can be moved to another controller.

For more general information about Data Subject Requests (DSRs), see Data Subject Requests and the GDPR and CCPA.

To exercise data subject requests on data collected by the Microsoft Managed Desktop case management system, see the following data subject requests:

Data subject request: Data from Microsoft Defender for Endpoint alerts

Description: Your security administrator can request deletion or extraction of data related to Microsoft Defender for Endpoint alerts by submitting a report request.

Provide the following information:
  • Request type: Change request
  • Category: Security
  • Subcategory: Other
  • Description: Provide the relevant device names.

Data subject request: Data from Microsoft Managed Desktop support requests

Description: Your IT administrator can request deletion or extraction of data related to support requests by submitting a report request.

Provide the following information:
  • Request type: Change request
  • Category: Security
  • Subcategory: Other
  • Description: Provide the relevant device names or user names.

For DSRs from other products related to the service, see the following articles:

Microsoft's privacy notice to end users of products provided by organizational customers:

The Microsoft Privacy Statement notifies end users that when they sign in to Microsoft products with a work account:

  1. Their organization can control and administer their account (including controlling privacy-related settings), and access and process their data.
  2. Microsoft may collect and process the data to provide the service to the organization and end users.