Last Updated: September 2015
    System Center 2012 R2 Privacy Statement

    Microsoft System Center is an integrated management platform that helps you to easily and efficiently manage your datacenters, client devices, and hybrid cloud IT environments.

    System Center is the only platform to offer comprehensive management of applications, services, physical resources, hypervisors, software defined networks, configuration, and automation in a single offering.

    Specific Privacy Impacting Features for Configuration Manager
    Summary

    Applies To: System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager, System Center 2012 R2 Configuration Manager SP1

    System Center 2012 Configuration Manager may be used to collect, store, and manage additional information and devices within your organization including the ability to erase all data from devices. For more information about device management, see the online topic, Microsoft System Center 2012 Configuration Manager Privacy Statement - Mobile Device Addendum. Use the Configuration Manager documentation library to learn more about the product features.


    To find the Microsoft subsidiary in your country or region, see http://www.microsoft.com/worldwide/

    The following lists the privacy impacting features of Configuration Manager:

    Customer Experience Improvement Program
    Setup Updates
    Microsoft Update
    Silverlight
    Asset Intelligence
    Endpoint Protection
    Automatic Download of Prerequisites and Language Packs
    Site Hierarchy - Geographical View with Bing Maps
    Cloud-Based Distribution Point
    Location and Security of Distribution Point Content
    Links to the Windows Store
    Email Notification for Alerts
    Microsoft Intune Subscription

     

    Full text

    The remainder of this document covers features that may transmit information to Microsoft and/or its affiliates.


    Customer Experience Improvement Program

    What This Feature Does:
    The Customer Experience Improvement Program ("CEIP") collects basic information from the administration console about your hardware configuration and how you use our software and services in order to identify trends and usage patterns. CEIP also collects the type and number of errors you encounter, software and hardware performance, and the speed of services.  We will not collect your name, address, or other contact information. No CEIP data is collected from client computers.

    For more information about the information collected, processed, or transmitted by CEIP, see the CEIP privacy statement.

    We use this information to improve the quality, reliability, and performance of Microsoft software and services.

    You are offered the opportunity to participate in CEIP during setup. If you choose to participate and later change your mind, you can turn off CEIP at any time:

    1. Open the Configuration Manager console.

    2. Click the Application menu, click Customer Experience Improvement Program, click I don't want to join the program at this time and then click OK.

    Note - this feature is turned on by default for the System Center 2012 R2 Pre-Release and you will not be able to turn it off.

         
    Unless specifically set, all administrative console users inherit the CEIP choice made during initial installation. Changes to the CEIP setting from the Configuration Manager console are specific to the user and computer where they are made.

    Setup Updates

    At the conclusion of the site server setup, a Windows Update agent scan is automatically initiated. If you have opted in to Windows Update and/or Microsoft Update, the agent will scan for any applicable updates for your site server and install them or notify you based on your pre-existing Update Services preferences.

    For details about what information is collected and how it is used, see the Update Services Privacy Statement.



    Microsoft Update

    Microsoft Update is a service that provides Windows updates as well as updates for other Microsoft software.

    For details about what information is collected and how it is used, see the Update Services Privacy Statement.


    The Software Updates feature is not configured by default. When administrators install and configure a software update point on a Windows Update Services (WSUS) server, this action automatically configures WSUS on that server and other WSUS servers in the Configuration Manager hierarchy. Administrators can disable the synchronization of software updates with Microsoft Update.

    1. In the Configuration Manager console, click Administration.

    2. In the Administration workspace, expand Site Configuration, and then click Sites.

    3. In the results pane, click the central administration site or stand-alone primary site.

    4. On the Home tab, in the Settings group, expand Configure Site Components, and then click Software Update Point.

    5. In the Software Update Point Component Properties dialog box, on the Sync Settings tab, click Do not synchronize from Microsoft Update or the upstream software update point, and then click OK.

    When you have a software update point that is configured to accept connections from the Internet, Configuration Manager Internet-based clients on the Internet always scan against this software update point to determine which software updates are required. When these clients are on the Internet, they first try to download the software updates from Microsoft Update, rather than from an Internet-based distribution point. Only if this fails will they try to download the required software updates from an Internet-based distribution point.

    In Configuration Manager SP1, the administrator can configure software deployments so that clients on the intranet can download update content from Microsoft Update if they cannot download the content from a distribution point. In Configuration Manager with no service pack, clients that are not configured for Internet-based client management never try to download the software updates from Microsoft Update.


    Silverlight

    Silverlight is a prerequisite for the Configuration Manager client and the Application Catalog. Silverlight updates automatically and has additional data processing and transmitting practices. Configuration Manager does not control this functionality.

    For Configuration Manager with no service pack, the Microsoft Silverlight 4.0 Privacy Statement should be read in conjunction with this privacy statement.

    For Configuration Manager SP1, the Microsoft Silverlight 5.0 Privacy Statement should be read in conjunction with this privacy statement.

    For details about what information is collected and how it is used, see the Silverlight Privacy Statement.


    For details about choice and control for Silverlight, see the Silverlight Privacy Statement.

    Asset Intelligence

    Asset Intelligence lets IT administrators define, track, and proactively manage conformity with configuration standards. Metering and reporting on the deployment and use of both physical and virtual applications helps organizations make better business decisions about software licensing and maintain compliance with licensing agreements.

    After collecting usage data from Configuration Manager clients, administrators can use different features to view the data, including collections, queries, and reporting. This data, combined with data from software inventory, can assist in determining:

    • How many copies of a particular software program have been deployed across the organization, and among those computers, how many users actually run the program.

    • How many licenses of a particular software program are needed for purchase when renewing license agreements with a software vendor.

    • Whether any users are still running a particular software program. If the program is not being used, an organization might consider retiring the program.

    • Which times of the day a software program is most frequently used.

    During each synchronization, a catalog of known software will be downloaded from Microsoft. The IT administrator can choose to send Microsoft information about uncategorized software titles discovered within their organization to be researched and added to the catalog. Prior to uploading this information, a dialog box shows exactly what data is going to be uploaded. Uploaded data cannot be recalled. Asset Intelligence does not send information about users and computers or license usage to Microsoft.

    After a software title is uploaded, Microsoft researchers identify, categorize, and then make that knowledge available to all other customers that use this feature and other consumers of the catalog. Any software title uploaded becomes public, in the sense that the knowledge of that given application and its categorization become part of the catalog, and then can be downloaded to other consumers of the catalog. Before you configure Asset Intelligence data collection and decide whether to submit information to Microsoft, consider the privacy requirements of your organization.

    Asset Intelligence is not enabled in System Center 2012 Configuration Manager by default. If the Configuration Manager administrator wants to send and receive data related to the Asset Intelligence feature then the administrator must create an Asset Intelligence synchronization point role. Without this role, no data related to this feature will be sent to or received from Microsoft. Even after creating the role, the administrator can enable or disable synchronization as well as set schedules to allow synchronization of data from the online catalog into the Configuration Manager database. Synchronization can be configured in the Asset Intelligence synchronization point role properties. Uploading of uncategorized titles never occurs automatically, and the system is not designed for this task to be automated. You must manually select and approve the upload of each software title.


    Endpoint Protection

    Endpoint Protection provides one familiar experience for desktop management and protection that helps protect and remediate endpoints from viruses and malware.

    For details about what information is collected and how it is used, see the Microsoft System Center 2012 Endpoint Protection Privacy Statement.


    Endpoint Protection is not enabled in System Center 2012 Configuration Manager by default. If the Configuration Manager administrator wants to enable the Endpoint Protection feature then the administrator must create an Endpoint Protection point role and deploy the Endpoint Protection agent to computers.

    1. In the Configuration Manager console, click Administration.

    2. In the Administration workspace, click Servers and Site System Roles.

    3. In the results pane, click the server that hosts the Endpoint Protection point.

    4. In the Site System Roles details pane, select Endpoint Protection point and then, on the Site Role tab, in the Site Role settings group, click Remove Role, and click Yes to confirm.

    1. Set the Manage Endpoint Protection client on client computers client setting to False (Configuration Manager with no service pack) or No (Configuration Manager SP1).

    2. Deploy a package and program to uninstall the Endpoint Protection client.

    Automatic Download of Prerequisites and Language Packs

    What This Feature Does:
    Configuration Manager Setup, or separately the Configuration Manager Setup Downloader utility, can contact Microsoft websites to download required prerequisite redistributables, language packs, and the latest updates to Setup.

    These files are copied to the site server during installation. Required files for remote role, secondary site, and client installations will be copied to the respective systems as part of those setups. They will be automatically installed only if an identical or a newer version of the component is not already installed on the target system. These files are persisted on the target system to support future repair operations.

    Only standard computer information as described above is used during this process.

    The data is used to complete the necessary downloads.

    Setup cannot complete without these downloads but they can be downloaded separately and a path to them provided to Setup.


    Site Hierarchy - Geographical View with Bing Maps

    Site Hierarchy - geographical view allows you to view your Configuration Manager physical server topology using maps provided by Microsoft Bing Maps.

    To enable this feature, location information you provide is sent from your server to the Bing Maps Web service.

    Microsoft uses the information to operate and improve Microsoft Bing Maps and other Microsoft sites and services. For more information, see the Microsoft Online Privacy Statement.

    You can choose not to use the Geographical View for the Site Hierarchy. The Hierarchy Diagram view allows you to see the hierarchy and does not use the Bing Maps service.


    Cloud-Based Distribution Point

    The cloud-based distribution point provisions a Configuration Manager distribution point designed to run in Microsoft Azure. Content assigned to a cloud-based distribution point is managed just like any other Configuration Manager distribution point.

    The Microsoft Azure subscription ID, management certificate, and service certificate are stored in the Configuration Manager database when an administrator configures the feature. During configuration, a list of available geographic regions for hosting the cloud-based distribution point will be automatically retrieved from Microsoft Azure. All communications with cloud-based distribution points use HTTPS. Configuration Manager automatically encrypts and uploads packages assigned to a cloud-based distribution point. No information about the content assigned to the distribution point is collected by Microsoft.

    The Microsoft Azure subscription ID and management certificate are sent to Microsoft Azure to authenticate each communication from the site server.

    Client communications with a cloud-based distribution point use a Configuration Manager access token and do not contain Microsoft Azure subscription information. Clients use the service certificate to authenticate the cloud-based distribution point.

    For details about what information is collected and how it is used by Microsoft Azure, see the Microsoft Azure Trust Center and the Microsoft Online Services Privacy Statement.

    The Microsoft Azure subscription ID and management certificate are sent to Microsoft Azure to authenticate each communication from the site server. Client communications with a cloud-based distribution point use a separate authentication method internal to Configuration Manager and do not contain Microsoft Azure subscription information.


    As part of the configuration step for each cloud-based distribution point, you must specify the geographic region of the Microsoft data centers in which the distribution point content will be stored. The location you choose will apply only to the cloud-based distribution point that is being configured. It will not change your geographic location selection for other Microsoft Azure services that you have in your account. You can configure multiple cloud-based distribution points in different geographies. Content uploaded to cloud-based distribution points is encrypted with a key unique to your organization's installation of Configuration Manager. Some content may be particularly sensitive to your organization or be subject to specific regulatory requirements.

    For details about the location and security of data stored in Microsoft Azure, see the Microsoft Azure Trust Center and the Microsoft Online Services Privacy Statement.

    This role is not installed by default. Configuration Manager administrators have control over what content is transferred to each cloud-based distribution point by using package assignment. Additionally, there is a client setting that must be enabled by the administrator for clients to use cloud-based distribution points. The service can be stopped from the Configuration Manager console and the role can be removed at any time.

    To uninstall a cloud-based distribution point, administrators can select the distribution point in the Configuration Manager console, and select Delete.

    When administrators delete a cloud-based distribution point from a hierarchy, Configuration Manager will attempt to remove the content from the cloud service in Microsoft Azure.


    Links to the Windows Store

    The Configuration Manager administrator can create a link to a specific application available from the Windows Store. When end users click the link to install an application, the online store is automatically launched directly to the specified application. To access the Windows Store, users must sign in with a Microsoft account. Links to applications in the Windows Store are not supported on operating systems that are earlier than Windows 8.

    A request with the application ID is sent to the Windows Store. For details about what information is sent and collected and how it is used by the Windows Store, see the Windows Store topic in the Features Supplement of the Windows 8 Privacy Statement.

    For details about what information is sent and collected and how it is used by the Windows Store, see the Windows Store topic in the Windows 8 Features Privacy Statement features supplement.

    Configuration Manager administrators can choose not to create applications that link to the Windows Store.

    1. In the Configuration Manager console, click Software Library.

    2. In the Software Library workspace, expand Application Management, click Applications.

    3. Search for the distribution type Windows app package (in the Windows Store).

    Email Notification for Alerts

    For supported alert types, Configuration Manager can be configured to send an email message to recipients you designate when an alert is triggered.

    The following information is stored in the Configuration Manager database when an administrator enables the feature: SMTP server, the email address of the sender, and, if required, the user name and password to connect to the SMTP server. Additionally, you must provide one or more email addresses of recipients for each email alert. None of this information is sent to Microsoft.

    The email notification feature is off by default. Administrators can enable the email alert feature from the Configuration Manager console. For more information about how to configure email alerts, see Configuring Alerts in Configuration Manager.

    1. In the Configuration Manager console, click Administration.

    2. In the Administration workspace, expand Site Configuration, and then click Sites.

    3. On the Home tab, in the Settings group, click Configure Site Components and then click Email Notification.

    4. In the Email Notification Component Properties dialog box, clear the Enable email notification for Endpoint Protection alerts check box, and click OK.

    1. In the Configuration Manager console, click Monitoring.

    2. In the Monitoring workspace, expand Alerts, and then click Subscriptions.

    3. On the Home tab, in the Create group, click Configure Email Notification.

    4. In the Email Notification Component Properties dialog box, clear the Enable email notification for alerts check box, and click OK.

    Microsoft Intune Subscription

    Customers who have purchased a subscription to Microsoft Intune can use Configuration Manager to manage their mobile devices that are connected through Microsoft Intune. The Microsoft Intune Privacy Statement should be read in conjunction with this privacy statement.

    All communications with Microsoft Intune use HTTPS. To configure the Microsoft Intune subscription and to download the Certificate Signing Request (CSR) needed for configuration of iOS support, an administrator must sign in to Microsoft Intune by using their organizational account and password. These credentials are not stored within Configuration Manager. All other communications with Microsoft Intune are authenticated by using PKI certificates that are automatically generated by Microsoft Intune.

    In order to manage devices that are connected to Microsoft Intune, some information is sent to and received from Microsoft Intune. This information includes the User Principal Name (UPN) of all users that are assigned to the service and device inventory information for those devices that are managed by Microsoft Intune. Metadata, such as application name, publisher, and version, for content that is assigned to Manage.Microsoft.com distribution points is sent to Microsoft Intune. The actual binary content assigned to a Manage.Microsoft.com distribution point is encrypted before it is uploaded to Microsoft Intune.

    The information sent to Microsoft Intune is used only to provide and improve the Microsoft Intune services. No information about the content assigned to the distribution point is collected by Microsoft.

    Content selected to be uploaded to the Manage.Microsoft.com distribution point is encrypted with a key that is unique to your organization's installation of Configuration Manager. Some content may be particularly sensitive to your organization or be subject to specific regulatory requirements. For more information, see the Microsoft Intune Privacy Statement.

    This feature is not configured by default. Administrators have control over what content is transferred to the Manage.Microsoft.com distribution point and which users are assigned to the service. The feature can be removed at any time.

    For information about how to retire devices that are managed by Microsoft Intune, see the Microsoft Intune Privacy Statement.

    To disable communication between Configuration Manager and Microsoft Intune, you can remove the Microsoft Intune connector.

    1. In the Configuration Manager console, click Administration.

    2. In the Administration workspace, click Servers and Site System Roles.

    3. Select the server that hosts the Microsoft Intune connector.

    4. In the Site System Roles details pane, select Microsoft Intune connector and then, on the Site Role tab, in the Site Role settings group, click Remove Role, and click Yes to confirm.

    Specific Privacy Features for Operations Manager
    Summary

    The following lists the privacy impacting features of Operations Manager:

    Customer Experience Improvement Program
    Operational Data Reporting
    Operations Manager Error Reporting
    Agentless Exception Monitoring (AEM) Error Forwarding
    Agentless Exception Monitoring CEIP Forwarding
    Microsoft Update
    Application Performance Monitoring (APM)
    Integration with Team Foundation Server (TFS)
    Global Service Monitor (GSM)


    Full text

    Customer Experience Improvement Program

    What This Feature Does:

    If you choose to participate, the Customer Experience Improvement Program (CEIP) feature will collect information about how all users of the Operations Console use Operations Manager so that we can identify trends and usage patterns. This information helps improve the quality, reliability, and performance of Microsoft software and services.

    Information Collected, Processed, or Transmitted:

    The information CEIP collects includes software and hardware performance, as well as basic software and hardware configuration such as RAM, processor type, and screen resolution. We do not collect names, addresses or other contact information. For more information about CEIP, see the Microsoft Customer Experience Improvement Program.

    Use of Information:

    The information collected is used to help improve Microsoft's products and services. Microsoft employees, contractors and vendors who have a business need to use the data are provided access as necessary.

    Choice/Control:

    The first time you install the Operations Manager Database server, during setup you'll be asked whether you would like to participate in CEIP.

    To turn CEIP on or off later:

    1. Start the Operations console, and in the navigation pane, select Administration.

    2. In the Administration workspace under Device Management, select Settings.

    3. In the Settings view, under Type: General, double-click Privacy to launch the Global Management Group Setting-Privacy property page.

    4. Select the CEIP tab.

    5. To turn CEIP off, select I don’t want to join this program at this time.

      To turn CEIP on, select Join the Customer Experience Improvement Program (Recommended).

    6. Click OK.

    Important Information:

    The Operations Manager administrator or other administrator with sufficient privileges may construct Group Policy to opt in or out of CEIP by setting a registry-based policy. The relevant registry key and settings are as follows:

    Key = HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\SCOM

    RegEntry name = CEIPEnable

    Entry type REG_DWORD (Hexadecimal):

    0 is off

    1 is on

    Operational Data Reporting

    What This Feature Does:

    Operational Data Reports summarize how Operations Manager is being used in your management group. If you consent to sending operational data reports to Microsoft, each week, SQL Server 2005 Reporting Services reports will be generated from the operational data in your Operations Manager Data Warehouse and sent to Microsoft.

    Information Collected, Processed, or Transmitted:

    Operational Data Reports are XML files with data about your system configuration and the Microsoft-authored management packs that you are using. The reports include information about the operational environment of a management group, such as the number of agents controlled by Operations Manager, the most common alerts, and which management packs you are running.

    Sample Operational Data Reports can be viewed at the Operations Manager web site along with descriptions of the data collected. If you have consented to sending these reports, you may view the reports that will be sent to Microsoft by navigating to the %windir%\temp\OpsMgr 2012 Operational Data Reports folder on the management server running the ODR workflows. Note: You can determine this by running the Show Running Workflows task against each of the management servers in the management group.

    You can also view your Management Group, Management Pack, and Most Common Alerts Operational Data Reports by going to the Operations Console and in the Reporting View running these reports in the Microsoft ODR Report Library folder.

    Use of Information:

    Microsoft uses the data in Operational Data Reports to better understand how the Operations Manager product works as deployed in customers' environments. These reports will help improve future software and services.

    Choice/Control:

    The first time you install the Operations Manager Data Warehouse server, you'll be asked whether you would like to send Operations Data Reports to Microsoft.

    To turn Operational Data Reporting on or off after install:

    1. Start the Operations console, in the navigation pane select Administration.

    2. In the Administration workspace, under Device Management, select Settings.

    3. In the Settings View, under Type: General, right-click Privacy and choose Properties from the context menu.

    4. Select the Operational Data Reports tab.

    5. To turn Operational Data Reports off, select No, don’t send operational data reports to Microsoft.

      To turn Operational Data Reports on, select Yes, send operational data reports to Microsoft (recommended).

    6. Click OK.

    Important Information:

    Operational Data Reporting cannot be configured using Group Policy.

    Operations Manager Error Reporting

    What This Feature Does:

    Operations Manager Error Reporting asks users to send error report data to Microsoft via the Internet. This feature allows you to report problems you may be having with Operations Manager Management Servers, Gateway Servers, and Agents components. Please note that this feature does not control error reporting for other Operations Manager components such as Operations Console, Web Console, and Reporting Server. The Operations Manager Database and Data Warehouse error reporting behavior is defined by what settings SQL Server 2005 is using.

    Choice/Control:

    The first time you install the Operations Manager Database server, you'll be asked whether you would like to send Operations Manager Error Reports to Microsoft. You can choose automatic reporting in which case reports will be sent without prompting you. Alternatively, you can choose to be prompted for approval each time an error report is generated, which lets you review the information in a report before it is sent.

    To turn Operations Manager Error Reporting on or off for the agents:

    1. Start the Operations console, in the navigation pane select "Administration".

    2. In the Administration workspace, under Device Management, select Settings.

    3. In the Settings view, under General, right-click Privacy and choose Properties from the context menu.

    4. Select the Error Reporting tab.

    5. To turn Operations Manager Error Reporting off, click Don’t generate error reports.

      To turn Operations Manager Error Reporting on and automatically send error reports, click Automatically send error reports about this product to Microsoft without prompting the user (recommended).

      To turn Operations Manager Error Reporting on and queue error reports, click Prompt the user for approval before sending error reports to Microsoft.

    6. Click OK.

    7. In the navigation pane, under Device Management, click Agent Managed.

    8. Select one or more agents in the middle result pane.

    9. Right-click the agent and choose Repair in the context menu.

    10. If your Management Servers Action Account does not have the right permissions on the agents, in the Repair Agents dialog box, choose the Other user account option, and type in the credentials of an account that has access to the agents.

    11. Click Repair.

    12. Click Close when completed.

    To turn Operations Manager Error Reporting on or off for the management servers and gateway servers:

    1. Log on to a server where the management server or gateway server is installed.

    2. Click Start, and then click Run.

    3. In the Run box, type regedit and click OK.

    4. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HealthService\Parameters\.

    5. Double-click the Error Reports Enabled DWORD value and set the value data to 1 to turn on Error Reporting or 0 to turn off Error Reporting.

      Optionally, if you have enabled Error Reporting but would like to queue error reports before sending to Microsoft, you can edit the Queue Error Reports DWORD value and set the value data to 1 which will queue error reports to prompt for approval or 0 to directly send error reports to Microsoft.

    6. Click OK when completed and the change will take effect.

    Important Information:

    Error Reporting for Operations Manager Management Servers, Gateway Servers, and Agents cannot be configured using Group Policy.
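
    The registry steps above as a script, added here as an example and not part of Microsoft's statement. Because these servers cannot be configured through Group Policy, it reads the two DWORD values named in step 5, reports the effective state, and can set them. The function names are hypothetical; run it elevated on the management server or gateway server.

```powershell
# Added example (not from the original page). Value names are those given in the steps above.
$ParametersKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\HealthService\Parameters'

# Return a DWORD value as an integer, or $null when the value is absent.
function Get-DwordOrNull {
    param($Properties, [string]$Name)
    $p = $Properties.PSObject.Properties[$Name]
    if ($null -ne $p) { [int]$p.Value } else { $null }
}

# Report whether error reporting is off, sent directly, or queued for approval.
function Get-OMErrorReportingState {
    param([string]$Path = $ParametersKey)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{
            Computer = $env:COMPUTERNAME; Enabled = $null; Queued = $null
            State    = 'HealthService Parameters key not found'
        }
    }

    $props   = Get-ItemProperty -LiteralPath $Path
    $enabled = Get-DwordOrNull $props 'Error Reports Enabled'
    $queued  = Get-DwordOrNull $props 'Queue Error Reports'

    # Missing values are reported as missing rather than assumed to be 0 or 1.
    $state =
        if     ($null -eq $enabled) { 'Error Reports Enabled value missing' }
        elseif ($enabled -eq 0)     { 'Off' }
        elseif ($null -eq $queued)  { 'On, Queue Error Reports value missing' }
        elseif ($queued -eq 1)      { 'On, reports queued for approval' }
        else                        { 'On, reports sent directly to Microsoft' }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME; Enabled = $enabled; Queued = $queued; State = $state
    }
}

# Write the values described in step 5. Supports -WhatIf for a dry run.
function Set-OMErrorReporting {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][bool]$Enabled,
        [bool]$Queue = $true,          # only written when reporting is enabled
        [string]$Path = $ParametersKey
    )

    if (-not (Test-Path -LiteralPath $Path)) { throw "Key not found: $Path" }

    if ($PSCmdlet.ShouldProcess($Path, "Set 'Error Reports Enabled' to $([int]$Enabled)")) {
        Set-ItemProperty -LiteralPath $Path -Name 'Error Reports Enabled' -Value ([int]$Enabled) -Type DWord
        if ($Enabled) {
            Set-ItemProperty -LiteralPath $Path -Name 'Queue Error Reports' -Value ([int]$Queue) -Type DWord
        }
    }
}

# Audit first; change only after reviewing the output.
Get-OMErrorReportingState
# Set-OMErrorReporting -Enabled $false -WhatIf
```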

    Agentless Exception Monitoring (AEM) Error Forwarding

    What This Feature Does:

    Operations Manager can be configured to collect error reports generated due to application and operating system problems from all the computers in an enterprise running Windows operating systems and managed by Operations Manager. Additionally, Operations Manager can also be configured to forward the error reports to the Microsoft Error Reporting service.

    Information Collected, Processed, or Transmitted:

    The forwarded error reports to Microsoft can be either in Basic or Detailed format. In Basic format, the error report forwarded contains only the signature of the error used to uniquely identify an error without specific information about the environment in which it was generated. In Detailed format, the error report can consist of a detailed memory dump, registry settings, results of a Windows Management Instrumentation (WMI) query, and additional files along with the error signature from the computer on which the error report was generated.

    Reports might unintentionally contain personal information, but this information is not used to identify or contact you or your organization. For example, a report that contains a snapshot of memory might include a name, part of a document the user was working on, or data the user recently submitted to a website.

    Choice/Control:

    This feature is off by default. During the process of configuring client monitoring, you can specify the policy for Error Forwarding to Microsoft.

    1. Start the Operations console and, in the navigation pane, select Administration.

    2. In the Administration workspace, under Device Management, select Management Servers.

    3. In the Management Servers view, select any management server that has Client Monitoring Mode disabled, and right-click the management server.

    4. Click Configure Client Monitoring to open the Configure Client Monitoring wizard.

    5. On the Error Forwarding page, select Forward all collected errors to Microsoft (Recommended) to enable Error Forwarding to Microsoft.

      If you do not want to enable Error Forwarding to Microsoft, leave the option unselected.

    6. After completing the wizard successfully, if you chose to enable Error Forwarding, a group policy template is created that can be used by an administrator with sufficient privileges to configure the managed computers in the enterprise to send error reports to the Management Server. Until the policy is active on the managed computers, these computers will not send error reports to the management server.

    To enable or disable Error Forwarding after a management server has Client Monitoring Mode enabled:

    1. Start the Operations console and, in the navigation pane, select Administration.

    2. In the Administration workspace, under Device Management, select Management Servers.

    3. In the Management Servers view, select any management server that has Client Monitoring Mode enabled, and right-click the management server.

    4. Click Properties.

    5. In Properties, click the Error Forwarding tab.

    6. On the Error Forwarding page, select Forward all collected errors to Microsoft (Recommended) to enable Error Forwarding to Microsoft.

      If you do not want to enable Error Forwarding to Microsoft, leave the option unselected.

    7. After clicking OK, Error Forwarding will be enabled if the option was selected in the previous step.

    To selectively control the error reports forwarded to Microsoft after Client Monitoring mode has been enabled:

    1. Start the Operations console and, in the navigation pane, select Administration.

    2. In the Administration workspace, under Settings, double-click Privacy.

    3. In Properties, select the Error Transmission tab.

    4. On the Error Transmission tab, you can set the filter(s) to exclude error reports forwarded to Microsoft based on user name, computer name, application name, module, and application error type. Click Filter to set the exclusion filter criteria.

    5. If you want to include additional diagnostic data requested by Microsoft from the managed computers in the error reports forwarded to Microsoft, you can select Upload the diagnostic data collection requests. If this diagnostic data should include files, registry settings, WMI queries and memory dumps, select the corresponding boxes on the tab.

    6. After you click OK or Apply, the selected inclusion and exclusion policies defined in the steps above will be applied to all management servers that have Error Forwarding enabled.

    To disable Error Forwarding and Client Monitoring mode:

    1. Start the Operations console and, in the navigation pane, select Administration.

    2. In the Administration workspace, under Device Management, select Management Servers.

    3. In the Management Servers view, select any management server that has Client Monitoring Mode enabled, right-click the management server, and click Disable Client Monitoring.

    4. Select Yes in the Confirm Disable Client Monitoring dialog box.

    Please note that by disabling Error Forwarding in this manner, the management server will also stop forwarding centrally collected CEIP data to Microsoft. Managed computers may individually continue to send error reports and CEIP data if so configured.

    In order to disable error forwarding from the managed computers, an administrator with sufficient privileges will have to undo the group policy that was applied during the process of configuring client monitoring.

    For more information on how to further configure AEM, please review Client Monitoring Using Agentless Exception Monitoring in Operations Manager in the Operations Manager Operations Guide on TechNet.

    Agentless Exception Monitoring CEIP Forwarding

    What This Feature Does:

    Operations Manager can be set up to forward Customer Experience Improvement Program reports collected from the computers managed by Operations Manager to Microsoft. These CEIP reports are forwarded as is without any modifications or filtering. For more information about CEIP, see the Microsoft Customer Experience Improvement Program.

    Choice/Control:

    This feature is off by default. When users run the Configure Client Monitoring Wizard they can configure whether they would like to collect CEIP reports and create a Group Policy template used to configure the managed computers.

    During the process of configuring client monitoring, you can specify the policy for CEIP Forwarding:

    1. Start the Operations console and, in the navigation pane, select Administration.

    2. In the Administration workspace, under Device Management, select Management Servers.

    3. In the Management Servers view, select any management server that has Client Monitoring Mode disabled, and right-click the management server.

    4. Click Configure Client Monitoring to open the Configure Client Monitoring wizard.

    5. On the CEIP Forwarding page, if you want to enable CEIP forwarding, for Do you want to centrally collect CEIP data and forward to Microsoft?, select Yes, use the selected Management Server to collect and forward CEIP data to Microsoft.

      If you do not want to enable CEIP forwarding to Microsoft, select No, please continue to send data directly to Microsoft.

    6. After completing the wizard successfully, if you chose to enable CEIP Forwarding, a group policy template is created that can be used by an administrator with sufficient privileges to configure the managed computers in the enterprise to send CEIP data to the management server. Until the policy is active on the managed computers, these computers will not send CEIP data to the management server.

    To disable CEIP Forwarding:

    1. Start the Operations console and, in the navigation pane, select Administration.

    2. In the Administration workspace, under Device Management, select Management Servers.

    3. In the Management Servers view, select any management server that has Client Monitoring Mode enabled, right-click the management server, and click Disable Client Monitoring.

    4. Select Yes in the Confirm Disable Client Monitoring dialog box.

    Please note that by disabling CEIP Forwarding in this manner, the management server will also stop forwarding centrally collected error reports to Microsoft. Managed computers may individually continue to send CEIP data if so configured.

    In order to disable CEIP Forwarding from the managed computers, an administrator with sufficient privileges will have to undo the group policy that was applied during the process of configuring Client Monitoring.

    Microsoft Update

    What This Feature Does:

    Microsoft Update is a service that provides Windows updates as well as updates for other Microsoft software, including Operations Manager. For details about what information is collected, how it is used, and how to change your settings, see the Update Services Privacy Statement at http://go.microsoft.com/fwlink/?linkid=50142.

    Choice/Control:

    If you are running any Operations Manager feature on a Windows server operating system, this feature is controlled by your Windows server settings. You can turn this feature on or off in Windows Update by clicking Change settings.

    If you are running the Operations console or an Operations Manager agent on a Windows client operating system, see the Update Services Privacy Statement at http://go.microsoft.com/fwlink/?LinkID=115475 for details about controlling this feature.

    Application Performance Monitoring (APM)

    What This Feature Does:

    Allows monitoring of applications, Windows Communications Foundation web services from server- and client-side perspectives, and Windows Services to get details about application availability and performance that can help pinpoint solutions. Allows administrators to specify settings, the types of events to collect, the performance goals to measure, and which servers to monitor. Operations Manager Application Performance Monitoring provides insight into how applications are running.  Administrators can see how frequently a problem is occurring, how a server was performing when a problem occurred, and the chain of events related to the slow request or method that is unreliable. This is the information needed to partner with software developers and database administrators to help ensure that application availability and performance are at optimal levels.  Application Performance Monitoring for server- and client-side perspectives might collect sensitive data and retain it in your database.

    Sensitive data collection and retention:

    • Application Performance Monitoring for server- and client-side perspectives might collect sensitive data and retain it in your database. Review your compliance policies before enabling application monitoring.

    • Client-side monitoring might additionally collect, transmit, and retain information from Internet browsers. This information for public-facing Internet applications might be collected from countries and regions other than where your database is located.

    • Enabling exception stack and global variables data collection sends page data to the monitored server. You should not collect exception stack and global variables for data-sensitive applications unless all pages are secured with https protocol.

    • Application Monitoring Operators, system administrators, and potentially others with elevated permissions will have access to this data.

    • No data is sent outside of the enterprise.

    Choice/Control:

    Client-side monitoring is disabled by default. Administrators should review their compliance policies before enabling application monitoring. For instructions on enabling client-side monitoring, see “Enabling Client-Side Monitoring” and “Client-Side Modifying Settings” in .NET Application Performance Monitoring Template.

    Integration with Team Foundation Server (TFS)

    What This Feature Does:

    This feature is implemented in the form of a management pack and synchronizes System Center 2012 - Operations Manager alerts and Team Foundation Server (TFS) work items. After importing this management pack, operators can assign alerts to the engineering team. Assigning an alert to engineering creates a new work item in TFS. The management pack workflow tracks and synchronizes changes made to TFS work items and changes made to associated Operations Manager alerts.

    Sensitive data collection and retention:

    • Although the feature does not retain data, it does make Operations Manager data visible throughout TFS and Visual Studio software. This data might include the sensitive data collected by Application Performance Monitoring (APM) and other data available in Operations Manager alerts. Review your compliance policies before enabling application monitoring.

    • Similarly, data (such as work item assignment history and comments) in TFS work items is made visible to Operations Manager users.

    • No data is sent outside of the enterprise.

    Choice/Control:

    The Team Foundation Server Work Item Synchronization management pack is optional to install. When the management pack is installed, you can configure whether to send all or only selected alerts to TFS manually or automatically.

    Global Service Monitor (GSM)

    What This Feature Does:

    Allows monitoring of end-points of public-facing applications to get details about application availability, reliability and performance. Externally facing end-points can be, for example, web sites, web services, or ports. Monitoring can be performed from multiple geo-locations. GSM allows administrators to specify alert settings, the performance goals to measure, and which end-points to monitor. Global Service Monitor provides insights into how public-facing applications are running from the geo-distributed point of view. Administrators can see performance characteristics of each end-point (such as response time), whether response received is valid, and whether the end point is available externally. If there is a problem, administrators can see how frequently a problem is occurring, and from which geographical location the problem was observed. This is the information needed to partner with software developers and database administrators to help ensure that application availability and performance are at optimal levels. Global Service Monitor might collect sensitive data and retain it in your database.

    Sensitive data collection and retention:

    • Global Service Monitor might collect sensitive data and retain it in your database. Review your compliance policies before enabling application monitoring.

    • Performance, reliability and availability information for public-facing Internet applications might be collected from countries and regions other than where your database is located.

    • Enabling Global Service Monitor will collect the data about your application performance, availability and reliability. This data is stored temporarily on the servers in Microsoft datacenters, and eventually it is sent to the management servers in the enterprise.

    • The data can contain sensitive information, such as web response, if your public-facing application is password protected and you choose to use authentication while running Global Service Monitor tests.

    • Application Monitoring Operators, system administrators, and potentially others with elevated permissions will have access to this data.

    Choice/Control:

    Global Service Monitor is not installed by default. Administrators should review their compliance policies before installing Global Service Monitor and configuring the monitoring tests.

    System Center Advisor

    What This Feature Does:

    System Center Advisor is an online service that analyzes installations of Microsoft SQL Server 2008 (and later versions), and Windows Server 2008 and 2008 R2, and Lync Server 2010. Advisor collects data from your installations, analyzes it, and generates Alerts that identify potential issues (such as missing security patches) or deviations from identified best practices with regard to configuration and usage. Advisor also provides both current and historical views of the configuration of servers in your environment.

    Information Use and Collection

    For details about what information is collected, how it is used, see the System Center Advisor Privacy Statement at http://onlinehelp.microsoft.com/en-us/advisor/gg288262.aspx.

    Specific Privacy Features for Orchestrator
    Summary

    The following lists the privacy impacting features of Orchestrator:

    Workflow Data Logging
    Workflow Exports
    Interaction with Third Party Systems
    Customer Experience Improvement Program
    Microsoft Error Reporting
    Microsoft Update
    Integration Packs from third parties (non-Microsoft authored)

    Full text

    Workflow Data Logging

    What this feature does:

    Workflow activities that interact with systems can be configured to collect data that would be considered private.

    Information collected, processed, or transmitted:

    Examples of such systems would be Active Directory, BMC Remedy, and so on. By default, this data (referred to as "Object Specific Published Data" in the product) is not logged; however, the Enterprise can select an option to "Log Object Specific Published Data" in which case this data will be logged to the database and visible in the Operations Console/Designer/etc.

    Use of information:

    This information is not sent outside of the Enterprise.

    Choice/Control:

    To enable or disable this feature:

    1. In the Runbook Designer, in the Connections pane, click the Runbooks folder.

    2. If the runbook is stored in a folder, select the appropriate folder under Runbooks.

    3. In the Design workspace of Runbook Designer, right-click the tab of a runbook to select Properties.

    4. On the Logging tab of the Runbook Properties dialog box:

      1. Select the Store Activity-Specific Published Data check box to enable this feature. Clear the check box to disable the feature.

      2. Select the Store Common Published Data check box to enable this feature. Clear the check box to disable the feature.

    5. To close the Runbook Properties dialog box, click Finish.

    Important information

    Workflows have a revision history associated with them. This history is stored in the database along with the Active Directory SID of the user that created the changes. This feature cannot be disabled.

    Workflow Exports

    What this Feature Does:

    The Enterprise can export policies and other Orchestrator configuration information into an XML-formatted file intended to be used as a policy export/import mechanism.

    Information collected, processed, or transmitted:

    These exports will contain information about the workflows as required to import them at a subsequent date. Any information stored in an Orchestrator workflow would be present in the export. This would include form-field data configured into workflow objects (“Activities”) as well as workflow owner information such as SIDs from Active Directory.

    Use of information:

    This information is not sent outside of the Enterprise.

    Choice/Control

    The export/import feature is only present in the Orchestrator Run Book Designer (the “Designer”) and you may opt not to use this feature.

    Interaction with Third Party Systems

    What this feature does:

    Orchestrator Integration Packs allow the Enterprise to interact with third party systems as part of an overall workflow.

    Information collected, processed, or transmitted:

    Orchestrator does not collect or send any such data; however, third party systems might. Orchestrator may interact with third party systems in ways that cause them to send information outside the Enterprise.

    Use of information:

    Orchestrator does not send any information outside the enterprise. Such information would be sent by a third party system in response to activity driven by Orchestrator.

    Choice/Control:

    Review the privacy features and policies of the third party systems that are interacting with Orchestrator. If a third party system does in fact transmit this sort of information as part of interacting with Orchestrator, consult the privacy statement as well as other documentation provided by the third party system vendor for instructions on how to disable such transmission.

    Customer Experience Improvement Program

    What this feature does:

    The Customer Experience Improvement Program (“CEIP”) collects basic information about your hardware configuration and how you use our software and services in order to identify trends and usage patterns. CEIP also collects the type and number of errors you encounter, software and hardware performance, and the speed of services.  We will not collect your name, address, or other contact information.

    Information collected, processed, or transmitted:

    For more information about the information collected, processed, or transmitted by CEIP, see the CEIP privacy statement at http://www.microsoft.com/products/ceip/EN-US/privacypolicy.mspx.

    Use of information:

    We use this information to improve the quality, reliability, and performance of Microsoft software and services.

    Choice/Control:

    You are offered the opportunity to participate in CEIP during setup. You can change this setting after install through the Runbook Designer Help/About where an opt-in/opt-out is available.

    Microsoft Error Reporting

    What this feature does:

    Microsoft Error Reporting provides a service that allows you to report problems you may be having with Orchestrator to Microsoft and to receive information that may help you avoid or solve such problems.

    Information collected, processed, or transmitted:

    For information about the information collected, processed, or transmitted by Microsoft Error Reporting, see the Microsoft Error Reporting privacy statement at http://oca.microsoft.com/en/dcp20.asp.

    Use of information:

    We use the error reporting data to solve customer problems and improve our software and services.

    Choice/Control:

    You will be offered the opportunity to participate in Microsoft Error Reporting during install only. We also offer you the ability to queue reports prior to sending.  You can change this setting after install through the Runbook Designer Help/About where an opt-in/opt-out is available.

    When you choose to enable it, Microsoft Error Reporting will automatically report problems you encounter to Microsoft. When Microsoft needs additional data to analyze the problem, you will be prompted to review the data and choose whether or not to send it.

    Important information:

    Enterprise customers can use Group Policy to configure how Microsoft Error Reporting behaves on their computers. Configuration options include the ability to turn off Microsoft Error Reporting. If you are an administrator and wish to configure Group Policy for Microsoft Error Reporting, technical details are available at http://go.microsoft.com/fwlink/?LinkID=228751.

    Microsoft Update

    What this feature does:

    Microsoft Update is a service that provides Windows updates as well as updates for other Microsoft software.

    Information collected, processed, or transmitted:

    For details about what information is collected and how it is used, see the Update Services Privacy Statement at http://go.microsoft.com/fwlink/?LinkID=228752.

    Use of information:

    For details about what information is collected and how it is used, see the Update Services Privacy Statement at http://go.microsoft.com/fwlink/?LinkID=228752.

    Choice/Control:

    Microsoft Update is not turned on as a default. It is controlled by a choice you make during the setup. You may later change it by accessing the Microsoft Update client under your Control Panel to turn updates on or off.

    Integration Packs from third parties (non-Microsoft authored)

    What This Feature Does:

    Integration Packs from third parties extend the core Orchestrator 2012 platform to include new runbook activities not available from Microsoft integration packs.

    Information Collected, Processed, or Transmitted:

    For details about what information is collected and how it is used, refer to the privacy statement of the third party who provided the integration pack.

    Use of Information:

    For details about what information is collected and how it is used, refer to the privacy statement of the third party who provided the integration pack.

    Choice/Control:

    For details about what information is collected and how it is used, refer to the privacy statement of the third party who provided the integration pack.

    Specific Privacy Impacting Features for App Controller
    Summary

    The following lists the privacy impacting features of App Controller:

    Windows Azure Management
    Windows Azure Certificate Management
    App Controller User Account Management
    App Controller User Account Caching
    App Controller Administrator Auditing
    Customer Experience Improvement Program
    Microsoft Error Reporting
    Microsoft Update

    Full text

    Windows Azure Management

    What This Feature Does:

    App Controller enables customers to upload Windows Azure configuration files, package files, and virtual hard drives from an on-premises deployment of Windows Server to Windows Azure. Any content you upload to Windows Azure using App Controller is governed by the use terms and privacy statement for the Windows Azure service at http://go.microsoft.com/fwlink/?linkid=236391.

    Information Collected, Processed, or Transmitted:

    App Controller does not separately collect any information from the user.

    Use of Information:

    Not applicable.

    Choice/Control:

    If you do not wish to upload content to Windows Azure, do not use this feature.

    Windows Azure Certificate Management

    What This Feature Does:

    App Controller uses Windows Azure Management Certificates to authenticate requests to Windows Azure Service Management REST APIs. App Controller encrypts the certificates (.pfx certificate files) and their passwords, and stores them in the App Controller database.

    Information Collected, Processed, or Transmitted:

    App Controller does not separately collect any information from the user. None of this information is sent to Microsoft.

    Use of Information:

    Not applicable.

    Choice/Control:

    If you do not wish to authenticate or store certificates and passwords in this way, do not use this feature.

    App Controller User Account Management

    What This Feature Does:

    App Controller manages users’ roles for access to your Windows Azure account(s). You can add domain users to an App Controller role to access certain Windows Azure subscription accounts set up by your administrator.

    Information Collected, Processed, or Transmitted:

    The security ID associated with the domain account is saved in the App Controller database on a user’s computer. App Controller retrieves user names and validates passwords with Active Directory. App Controller does not store user names or passwords. None of this information is sent to Microsoft.

    Use of Information:

    None.

    Choice/Control:

    If you do not wish to store this information on your computer, do not use App Controller.

    App Controller User Account Caching

    What This Feature Does:

    App Controller encrypts the credentials of users who are currently logged on and stores the credentials in browser session cookies. This is so that you can refresh your browser session without re-entering a user name and password. Those cookies are temporary and deleted when the user logs off or closes the browser.

    Information Collected, Processed, or Transmitted:

    App Controller does not separately collect any information from the user. None of this information is sent to Microsoft.

    Use of Information:

    None.

    Choice/Control:

    If you do not wish to store this information in your cookies, do not use App Controller.

    App Controller Administrator Auditing

    What This Feature Does:

    App Controller allows App Controller administrators to view objects owned by all users and tasks performed by all users.

    Information Collected, Processed, or Transmitted:

    None of this information is sent to Microsoft.

    Use of Information:

    None.

    Choice/Control:

    If users do not wish to share this information with your administrator(s), do not use App Controller.

    Customer Experience Improvement Program

    What This Feature Does:

    The Customer Experience Improvement Program (“CEIP”) collects basic information about your hardware configuration and how you use our software and services in order to identify trends and usage patterns. CEIP also collects the type and number of errors you encounter, software and hardware performance, and the speed of services.  We will not collect your name, address, or other contact information.

    Information Collected, Processed, or Transmitted:

    For more information about the information collected, processed, or transmitted by CEIP, see the CEIP privacy statement at http://go.microsoft.com/fwlink/?linkid=236393.

    Use of Information:

    We use this information to improve the quality, reliability, and performance of Microsoft software and services, including App Controller.

    Choice/Control:

    You are offered the opportunity to participate in CEIP during setup. If you choose to participate and later change your mind, you can turn off CEIP at any time by:

    1. Open a Windows PowerShell window.

    2. Run the following command: Set-AdminSetting CEIPEnabled 0.

    Microsoft Error Reporting

    What This Feature Does:

    Microsoft Error Reporting provides a service that allows you to report problems that you may be having with App Controller to Microsoft and to receive information that may help you avoid or solve such problems.

    Information Collected, Processed, or Transmitted:

    For information about the information collected, processed, or transmitted by Microsoft Error Reporting, see the Microsoft Error Reporting privacy statement at http://go.microsoft.com/fwlink/?linkid=236394.

    Use of Information:

    We use the error reporting data to solve customer problems and improve our software and services, including App Controller.

    Choice/Control:

    Error reporting is configured by the operating system. You can disable error reporting at any time by using the command line reg add "HKLM\Software\Policies\Microsoft\Windows\Windows Error Reporting" /v Disabled /t REG_DWORD /d 1 /f or by using the registry to create or set HKLM\Software\Policies\Microsoft\Windows\Windows Error Reporting\Disabled (DWORD) to a value of "1".

    Important Information

    Enterprise customers can use Group Policy to configure how Microsoft Error Reporting behaves on their computers. Configuration options include the ability to turn off Microsoft Error Reporting. If you are an administrator and wish to configure Group Policy for Microsoft Error Reporting, you can do so by using a Group Policy Object. Go to Administrative Templates, Internet Communication Management, and then to Internet communication settings, and enable Turn off Windows Customer Experience Improvement Program.

    Microsoft Update

    What This Feature Does:

    Microsoft Update is a service that provides Windows updates as well as updates for other Microsoft software.

    Information Collected, Processed, or Transmitted:

    For details about what information is collected and how it is used, see the Update Services Privacy Statement at http://go.microsoft.com/fwlink/?LinkID=236392.

    Use of Information:

    For details about what information is collected and how it is used, see the Update Services Privacy Statement at http://go.microsoft.com/fwlink/?LinkID=236392.

    Choice/Control:

    You are offered the opportunity to turn off Microsoft Update during setup. If you have turned this feature on for another Microsoft product or service installed on Windows Server, it will be turned on by default for App Controller. You will not be presented with an opportunity to turn it off when App Controller is initially activated. However, you can turn this feature on or off at any time by following these steps:

    1. Open Control Panel, open System and Security, open Windows Update, and then select Change Settings.

    2. Clear the Microsoft Update check box.
    Specific Privacy Impacting Features for Data Protection Manager
    Summary

    The following lists the privacy impacting features of Data Protection Manager:

    Customer Experience Improvement Program
    Windows Azure Online Backup
    Microsoft Error Reporting
    Help
    Microsoft Update

    Full text

    Customer Experience Improvement Program

    What This Feature Does:

    The Customer Experience Improvement Program (“CEIP”) collects basic information about your hardware configuration and how you use our software and services in order to identify trends and usage patterns. CEIP also collects the type and number of errors you encounter, software and hardware performance, and the speed of services.  We will not collect your name, address, or other contact information.

    Information Collected, Processed, or Transmitted: 

    For more information about the information collected, processed, or transmitted by CEIP, see the CEIP privacy statement at http://www.microsoft.com/products/ceip/EN-US/privacypolicy.mspx.

    Use of Information:

    We use this information to improve the quality, reliability, and performance of Microsoft software and services.

    To turn CEIP on or off in the DPM user interface, select the “Action” menu item, then click “Options…”. Go to the “Customer Feedback” tab and select “Yes” or “No” to turn it on or off.

    Windows Azure Online Backup

    What This Feature Does:

    This feature enables you to back up data from your DPM server onto Windows Azure by using the Windows Azure Online Backup service.

    Information Collected, Processed, or Transmitted:

    For more information about the information collected, processed, or transmitted to Windows Azure Online Backup, see the Windows Azure Online Backup privacy statement at http://go.microsoft.com/fwlink/p/?LinkID=221308.

    Use of Information:

    The information collected by this service is used to provide you with online backup for DPM data. If you do not wish to use this feature, do not sign up for this service.

    Microsoft Error Reporting

    What This Feature Does:

    Microsoft Error Reporting provides a service that allows you to report problems you may be having with DPM to Microsoft and to receive information that may help you avoid or solve such problems.

    Information Collected, Processed, or Transmitted:

    For information about the information collected, processed, or transmitted by Microsoft Error Reporting, see the Microsoft Error Reporting privacy statement at http://oca.microsoft.com/en/dcp20.asp.

    Use of Information:

    We use the error reporting data to solve customer problems and improve our software and services.

    Choice/Control:

    Microsoft Error Reporting for DPM is a per instance choice. With each error report instance, the user is given a choice to send or not send the information collected to

    Important
    Enterprise customers can use Group Policy to configure how Microsoft Error Reporting behaves on their computers. Configuration options include the ability to turn off Microsoft Error Reporting. If you are an administrator and wish to configure Group Policy for Microsoft Error Reporting, technical details are available at http://technet.microsoft.com/en-us/library/cc754364.aspx.

    Help

    What This Feature Does:

    DPM does not include an online help function; help files are shipped with the product. It does, however, have some links to KB articles.

    Microsoft Update

    What This Feature Does:

    Microsoft Update is a service that provides Windows updates as well as updates for other Microsoft software.

    Information Collected, Processed, or Transmitted:

    For details about what information is collected and how it is used, see the Update Services Privacy Statement at http://update.microsoft.com/microsoftupdate/v6/privacy.aspx?ln=en-us.

    Use of Information:

    For details about what information is collected and how it is used, see the Update Services Privacy Statement at http://update.microsoft.com/microsoftupdate/v6/privacy.aspx?ln=en-us.

    Choice/Control:

    For details about controlling this feature, see the Update Services Privacy Statement at http://update.microsoft.com/microsoftupdate/v6/privacy.aspx?ln=en-us.

    Microsoft Update is not enabled by default by DPM but can be enabled during the installation process by setting a checkmark by “Use Microsoft Update when I check for updates (recommended)” during the “Microsoft Update Opt-in” stage of the Setup Wizard. To disable Microsoft Update, the user will have to go to the Control Panel in Windows and disable it from there.

    Specific Privacy Impacting Features for Endpoint Protection
    Summary

    Note: Applies to the use of System Center 2012 Endpoint Protection for versions of Windows up to and including Windows 8.1. Starting with Windows 10, System Center 2012 Endpoint Protection SP2 and System Center 2012 R2 Endpoint Protection SP1 will manage Windows Defender.
    This privacy statement does not cover Windows Defender. Refer to the Windows Defender privacy statement at http://go.microsoft.com/fwlink/?LinkId=532658 for further information regarding endpoint protection in Windows 10 and later versions.

    Endpoint Protection helps protect your PC from malicious software (malware) such as viruses, spyware, and other potentially harmful software.

    It offers three ways to help protect your PC from malware and other potentially unwanted software:

    • Real-time protection. Endpoint Protection alerts you when malware, spyware, or potentially unwanted software attempts to install or run on your PC. It also alerts you when programs attempt to change important Windows settings.

    • Scanning options. You can use Endpoint Protection to scan for threats, viruses, spyware, and other potentially unwanted software that might be installed on your PC, to schedule scans on a regular basis, and to automatically remove any malicious software that is detected during a scan.

    • Detection. Should malicious software be detected on your computer, certain actions will automatically be taken to remove the malicious software and protect your computer from potential further infection. Once the malicious software is removed, Endpoint Protection may also reset some Windows settings (such as your home page and search provider).


    The following lists the privacy impacting features of Endpoint Protection:

    History
    Automatic Scanning for Malware
    Real-Time Protection
    Shell Extension
    Customer Experience Improvement Program
    Microsoft Error Reporting
    Microsoft Update
    Definition Updates
    Microsoft Active Protection Service (MAPS)
    Automatic Sample Submission
    Support Tool
    Antimalware-related data collected for MAPS with a Basic or Advanced membership

    Full text

    History

    What This Feature Does:

    This feature provides a list of all malware or suspected malware that Endpoint Protection detected on your PC and the actions that were taken when these programs were detected. The information displayed in the History tab is for items detected for all users - not per user.

    Information Collected, Processed, or Transmitted:

    A list of all malware or suspected malware that Endpoint Protection detected on your computer and the actions taken on these items are stored on your computer. These lists include Endpoint Protection activity for all the local users on the computer. The lists are sent to Microsoft as part of the Microsoft Active Protection Service (MAPS).

    Choice/Control:

    • Using Configuration Manager:

      In System Center 2012 Endpoint Protection antimalware policy, administrators can choose to enable or disable the History view for end-users, which includes the ability to delete that history, or in quarantined file history, to restore those files. Users that are local administrators can view, delete, and restore from history independent of the policy setting for this.
    • For client computers:

      History lists may be deleted by the local computer administrator. By default, this setting is not enabled for all users. To allow only the local computer administrator to view all items, in the Settings tab, select the Advanced tab and clear the option Allow all users to view the full History results.

    Automatic Scanning for Malware

    What This Feature Does:

    Endpoint Protection includes an automatic scanning feature, which scans your computer and alerts you if it detects malware. You can turn automatic scanning on or off and change the frequency and type of scans using the Endpoint Protection Settings tab. You can also choose which actions are automatically applied to software that Endpoint Protection detects during a scheduled scan. For severe/high threats, certain actions will automatically be taken by default to remove the malicious software and protect your computer from potential further infection. Once the malicious software is removed, Endpoint Protection may also reset some Windows settings (such as your home page and search provider). For low/medium threats, we will prompt you to take an action. To modify the actions taken in response to these threats, see the Choice/Control section below.

    Information Collected, Processed, or Transmitted:

    A list of all malware or suspected malware that Endpoint Protection detected on your computer and the actions taken on these items are stored on your computer. These lists include Endpoint Protection activity for all the local users on the computer. The lists are sent to Microsoft as part of MAPS.

    Choice/Control:

    While not recommended, you can turn off automatic scanning:

    • Using Configuration Manager:

      IT Administrators can configure automatic scanning settings with System Center 2012 Endpoint Protection antimalware policies. Administrators can also configure the actions taken for each level of threats in the antimalware policies.
    • For client computers:

      You can turn off automatic scanning using the Endpoint Protection Settings tab. You can also configure the actions taken for each level of threats.

    Real-Time Protection

    What This Feature Does:

    Endpoint Protection's real-time protection feature alerts you when viruses, spyware, and other potentially unwanted software attempt to install themselves or run on your PC. For severe/high threats, certain actions will automatically be taken by default to remove the malicious software and protect your computer from potential further infection. Once the malicious software is removed, Endpoint Protection may also reset some Windows settings (such as your home page and search provider). For low/medium threats, we will prompt you to take an action. To modify the actions taken in response to these threats, see the Choice/Control section below.

    Information Collected, Processed, or Transmitted:

    A list of all malware or suspected malware that Endpoint Protection detected on your computer and the actions taken on these items are stored on your computer. These lists include Endpoint Protection activity for all the local users on the computer. The lists are sent to Microsoft as part of MAPS.

    Choice/Control:

    While not recommended, you can turn off real-time protection.

    • Using Configuration Manager:

      Administrators can configure real-time protection settings with System Center 2012 Endpoint Protection antimalware policies. Administrators can also configure the actions taken for each threat level in the antimalware policies.
    • For client computers:

      End users can turn off automatic scanning using the Endpoint Protection Settings tab for the unmanaged Endpoint Protection client. End users can also configure the actions taken for each threat level.

      Administrators can configure the setting to prohibit end users from turning off automatic scanning for the managed Endpoint Protection client.

         

    Shell Extension

    What This Feature Does:

    Shell extension is a scanning tool, which lets you select specific files and/or folders and scan them using Endpoint Protection.

    Information Collected, Processed, or Transmitted:

    A list of all malware or suspected malware that Endpoint Protection detected on your computer and the actions taken on these items are stored on your computer. These lists include Endpoint Protection activity for all the local users on the computer. These lists are sent to Microsoft as part of MAPS.

    Choice/Control:

    The shell extension feature is a manual tool that you can choose to use or not.

    Customer Experience Improvement Program

    Applicable products: This feature is not implemented for System Center 2012 Endpoint Protection for Linux or System Center 2012 Endpoint Protection for the Mac.

    What This Feature Does:

    The Customer Experience Improvement Program (CEIP) collects basic information about your hardware configuration and how you use our software and services in order to identify trends and usage patterns. CEIP also collects the type and number of errors you encounter, software and hardware performance, and the speed of services. We will not collect your name, address, or other contact information.

    Information Collected, Processed, or Transmitted:

    For more information about the information collected, processed, or transmitted by CEIP, see the CEIP privacy statement at http://go.microsoft.com/fwlink/?LinkID=212772.

    Use of Information:

    We use this information to improve the quality, reliability, and performance of Microsoft software and services.

    Choice/Control:

    System Center Endpoint Protection clients deployed through Configuration Manager will have CEIP disabled by default. If you manually install the client you will be prompted whether you want to participate.

    If you choose to participate and later change your mind, you can modify the CEIP setting at any time using one of the following procedures.

    • From the System Center Endpoint Protection client UI:

      To change the CEIP settings on the client, from the Help menu, click the link Customer experience improvement program and select I don't want to join the Customer Experience Improvement program or I want to join the Customer Experience Improvement program.

    • Registry setting:

      To configure the CEIP setting, create the following registry DWORD value on the Endpoint Protection client computer:

      HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Microsoft AntiMalware\Miscellaneous Configuration\SqmConsentApprove

      • Setting this value to 1 will join the CEIP.

      • Setting this value to 0 will not join the CEIP.

      Restart your computer for this change to take effect.

      After the registry value has been created the user can no longer change this setting from the Endpoint Protection client Help menu.

    Microsoft Error Reporting

    Applicable products: This feature is deprecated on clients with antimalware client version 4.7 or greater (see http://support.microsoft.com/kb/3036437). This feature is not implemented for System Center 2012 Endpoint Protection for Linux or System Center 2012 Endpoint Protection for the Mac.

    What This Feature Does:

    Microsoft Error Reporting provides a service that allows you to report problems you may be having with Endpoint Protection to Microsoft and to receive information that may help you avoid or solve such problems.

    Information collected, processed, or transmitted:

    Error reports might unintentionally contain personal information. For example, reports might contain the names of folders on your computer that could include the name of your Windows user account. Microsoft does not use this information to identify you or contact you. To learn more about error reports, see http://go.microsoft.com/fwlink/p/?LinkID=224952.

    Use of Information:

    We use the error reporting data to solve customer problems and improve our software and services.

    Choice/Control:

    Error reports will only be sent to Microsoft if you have opted-in to error reporting in your operating system settings.

    For antimalware client versions less than 4.0:

    You can additionally control whether the reports from Endpoint Protection clients contain the names of folders on your system by creating:

    1. A registry value named "DisableGenericReports" with any type or value under "HKLM\Software\Microsoft\Microsoft Security Essentials"

    2. A registry REG_DWORD value named "DisableGenericReports" with value "1" under "HKLM\Software\Microsoft\Microsoft Antimalware\Reporting"

    Caution
    Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. You can also use the Last Known Good Configuration startup option if you encounter problems after manual changes have been applied.

    For antimalware client versions 4.0 through 4.6:

    Folder names will only be included in error reports if you have selected an advanced membership for MAPS.

    Microsoft Update

    Applicable products: This feature applies to all Endpoint Protection client platforms.

    What This Feature Does:

    Microsoft Update is a service that provides Windows updates as well as updates for other Microsoft software, including Endpoint Protection.

    Information collected, processed, or transmitted:

    For details about what information is collected, how it is used and how to change your settings, see the Update Services Privacy Statement at http://go.microsoft.com/fwlink/p/?LinkId=212775.

    Use of Information:

    For details about what information is collected, how it is used and how to change your settings, see the Update Services Privacy Statement at http://go.microsoft.com/fwlink/p/?LinkId=212775.

    Choice/Control:

    When the System Center 2012 Endpoint Protection client is installed on a client by enabling installation of the client in Configuration Manager, it will set the source order for definition updates as configured by the administrator in the antimalware policy. Available sources that can be prioritized in any order or removed from the source list are Microsoft Update, Windows Server Update Services, UNC Path, Microsoft Malware Protection Center, and Configuration Manager software updates.

    When the System Center 2012 Endpoint Protection client is installed manually or standalone, it will be configured to use the following sources for definition updates in order: Windows Server Update Services, Microsoft Update, and Microsoft Malware Protection Center.

    Installing the System Center 2012 Endpoint Protection client manually or through Configuration Manager client settings will configure sources for definition updates, but does not alter Windows Update settings configured by the user or through policy.
    It is important to keep this software up to date. Microsoft recommends that you choose to update the software automatically. However, if you choose not to automatically update the software or withdraw your consent to accept automatic updates, Microsoft recommends that you implement an alternative method of updating the software on a regular basis, or uninstall the software.

    Definition Updates

    Applicable products: This feature applies to all Endpoint Protection client platforms.

    What This Feature Does:

    The System Center Endpoint Protection agent will periodically, including just prior to each scheduled scan, check online for updated virus and spyware definitions. If updated definitions are available they will be downloaded and installed automatically.

    The Windows agent will first attempt to use Microsoft Update to check for updated definitions. If Microsoft Update is disabled or not reachable the client will automatically attempt to download definitions from the Microsoft Download Center.

    The Mac and Linux agents will attempt to download updates from a Microsoft Partner site.

    Information collected, processed, or transmitted:

    Standard computer information as well as the current definition version is sent in order to determine if newer definitions are available.

    Microsoft Active Protection Service (MAPS)

    Applicable products: This feature is not implemented for System Center 2012 Endpoint Protection for Linux or System Center 2012 Endpoint Protection for the Mac.

    What This Feature Does:

    The Microsoft Active Protection Service (MAPS) antimalware community is a voluntary worldwide online community that includes System Center Endpoint Protection users. By joining MAPS, System Center Endpoint Protection will automatically send information to Microsoft to help Microsoft determine which software to investigate for potential threats and to help improve System Center Endpoint Protection's effectiveness. This community helps stop the spread of new malicious software infections. If a MAPS report includes details about malware or potentially unwanted software that the Endpoint Protection client may be able to remove, MAPS will download the latest signature to address it. MAPS can also find "false positives" (where something originally identified as malware turns out not to be) and fix them.

    Information collected, processed, or transmitted:

    MAPS reports include information about potential malware files, such as file names, cryptographic hash, vendor, size, and date stamps. In addition, MAPS might collect full URLs to indicate the origin of the file. These URLs might occasionally contain personal information such as search terms or data entered in forms. Reports might also include the actions you took when Endpoint Protection notified you about unwanted software. MAPS reports include this information to help Microsoft gauge how effectively Endpoint Protection can detect and remove malware and potentially unwanted software and to attempt to identify new malware.

    Reports are automatically sent to Microsoft when:

    • Endpoint Protection detects software or changes to a computer by software that have not yet been analyzed for risks.
    • Endpoint Protection (antimalware client version 4.7 or greater) takes action on malware upon detection (as part of its automatic remediation).
    • You or your administrator apply actions to software that Endpoint Protection has detected.
    • Endpoint Protection completes a scheduled scan and automatically applies actions to software that it detects, according to the configured settings.
    • Endpoint Protection encounters an error or other problem.

    If MAPS reports new malware to Microsoft that Endpoint Protection can remove, new signatures will be automatically downloaded to your computer, helping to protect your machine more rapidly from potential threats.

    MAPS can be joined with a basic or an advanced membership. Basic member reports contain the information described above. Advanced member reports are more comprehensive and may include additional details about the software Endpoint Protection detects, including the location of such software, file names, how the software operates, and how it has impacted your computer. These reports, along with reports from other Endpoint Protection users who are participating in MAPS, help Microsoft researchers discover new threats more rapidly. Malware definitions are then created for programs that meet the analysis criteria, and the updated definitions are made available to all users through Microsoft Update.

    Additional details regarding data collected can be found in a table at the end of this document.

    To help protect your privacy, reports are sent to Microsoft over an encrypted connection.

    To help detect and fix certain kinds of malware infections, the product regularly sends MAPS some information about the security state of your PC. This information includes information about your PC's security settings and log files describing the drivers and other software that load while your PC boots.

    For Endpoint Protection client version 4.3 and above - A number that uniquely identifies your PC is also sent. Also, MAPS may collect the IP addresses that the potential malware files connect to.

    Use of Information:

    MAPS reports are used to improve Microsoft software and services. The reports might also be used for statistical or other testing or analytical purposes, and for generating definitions. Only Microsoft employees, contractors, partners, and vendors who have a business need to use the reports are provided access to them.

    MAPS does not intentionally collect personal information. To the extent that MAPS collects any personal information, Microsoft does not use the information to identify you or contact you.

    Choice/Control:

    • Using Configuration Manager:

      During Endpoint Protection point role enablement in Configuration Manager the default MAPS membership level can be changed. The default setting will be used when new antimalware policies are created. By default the membership level is set to Basic. The Configuration Manager administrator can decide not to have clients become members of MAPS or to extend client memberships to be advanced memberships. If Advanced Membership is chosen, users will be asked if they want to permit or deny changes made by software that has not yet been classified for risks. Basic members will not be asked to review changes by this software and the changes will be permitted.

      This setting can be changed later on the property page for each antimalware policy in Configuration Manager.    
         
    • For client machines when installing Windows: If you choose express settings, you turn on MAPS. Or if you choose to customize settings, you can control MAPS by selecting Help Microsoft respond to malicious apps and malware by joining Microsoft Active Protection Service under Send Microsoft info to help make Windows and apps better.
    • For client machines after Windows is installed: You may change your MAPS membership (basic or advanced) at any time by using the product settings. Please note that MAPS only operates if the product has been enabled on your computer.

         

    To change your membership level:

    1. In the Settings tab of the Endpoint Protection client, click the entry for MAPS

    2. Select the membership level that you want:

      • To opt-out, select I don't want to join MAPS

      • To opt-in, select either Basic membership or Advanced membership

      When Endpoint Protection is upgraded, Microsoft will honor your settings until you make a change.



      Automatic Sample Submission

      For antimalware client versions up to and including 4.6. For antimalware client versions 4.7 and later this feature is controlled through the MAPS setting.

      What This Feature Does:

      The product contains functionality that may identify certain files as potentially unwanted and may request further information to make an assessment. If end users turn on automatic sample submission, the product will automatically send such files without prompting you each time such an action is recommended.
      If you do not opt-in to automatic sample submission, you will be prompted to review each file requested.

      Information collected, processed, or transmitted:

      This feature sends specific files from your PC that the product suspects might be potentially unwanted software. The report is used for further analysis. These reports may include information about the files or applications in question, such as file names, cryptographic hash, vendor, size, and date stamps. Reports might also include the actions that you applied when the product notified you that software was detected.

      Sample submission reports may be automatically sent to Microsoft when the product detects software or changes to your PC by software that hasn't been analyzed for risks yet when the following are enabled:

      • Automatic sample submission

      • MAPS

      Microsoft uses sample submission reports to help the product operate as intended, to help protect your computer against potential threats.
      If a requested file is determined to potentially contain personally identifiable information it will not be sent automatically. Instead, you will be prompted to review the file and decide if you wish to send it to Microsoft for analysis.

      To help protect your privacy, reports that are sent to Microsoft are encrypted.

      Use of Information:

      Sample submission reports are used to improve Microsoft software and services. The reports might also be used for statistical or other testing or analytical purposes, and for generating definitions. Only Microsoft employees, contractors, partners, and vendors who have a business need to use the reports are provided access to them. Sample submission reports do not intentionally collect personal information. To the extent that sample submission reports collect any personal information, Microsoft does not use the information to identify you or contact you.

      Choice/Control:

      • Using Configuration Manager:

        The Configuration Manager administrator cannot configure this setting for each antimalware policy in Configuration Manager.
      • For client machines:

        When you install the product for the first time, you will be automatically enrolled in this feature by default during setup. To opt-out you can uncheck the box next to Turn on automatic sample submission during setup or you can opt-out later via the product settings as described below.
        Use the options provided in the Settings tab of the Endpoint Protection client to change auto sample submission configuration.

      To change your auto sample submission configuration:

      1. In the Settings tab, click the entry for Advanced
      2. To opt-in, select the box next to "Send file samples automatically when further analysis is required"

        When Endpoint Protection is upgraded, Microsoft will honor your settings until you make a change.

      Automatic sample submission operates when the Endpoint Protection client has been enabled on your computer and you are enrolled in MAPS at a Basic or Advanced level.

      Support Tool

      Applicable products: This feature is not implemented for System Center 2012 Endpoint Protection for Linux or System Center 2012 Endpoint Protection for the Mac.

      What This Feature Does:

      When you call Customer Support with a technical issue, a support technician may ask you to run a support tool, MpCmdRun.exe -getfiles. The tool collects technical information required for the support staff to better understand and resolve the issue. You send the information collected by the tool to the support technician by email. The information is not sent automatically.

      Information collected, processed, or transmitted:

      The tool collects:

      • Product-specific log files, System Center Configuration Manager logs (if applicable) and recent event log entries of your computer and Windows Update.

      • Product Registry settings

      • System Data (OS and drivers data, computer data, applications and processes)

      Files sent to the support technician will be automatically deleted 90 days after the Service Request has closed.

      Choice/Control:

      The user fully controls the collection of the information and its transmission to Microsoft by manually running the tool and manually sending the collected information by email to the support technician.

      Antimalware-related data collected for MAPS with a Basic or Advanced membership

      Endpoint Protection collects antimalware-related data from your computer to help protect it. The following table explains the types of data collected and how we use this data.

       

      Frequency: Whenever Endpoint Protection updates your virus and spyware protection or definition files

      Information Collected, Processed, or Transmitted:

      • Version of virus and spyware definitions

      • Virus and spyware protection version

      Use of Information: Endpoint Protection uses this information to ensure that the latest virus and spyware updates are present on your computer. If the latest updates are not present, Endpoint Protection will update itself automatically so that your computer's protection stays up-to-date.

      Frequency: If Endpoint Protection finds potentially harmful or unwanted software on your computer

      Information Collected, Processed, or Transmitted:

      • Name of potentially harmful or unwanted software

      • How the software was found

      • Any actions that Endpoint Protection has taken to deal with the software

      • Files affected by the software

      • Information about your computer from the manufacturer (Sysconfig, SysModel, SysMarker)

      Use of Information: Endpoint Protection uses this information to determine the type and severity level of potentially unwanted software on your computer, and to determine the best action to take. We also use this information to help improve the accuracy of Endpoint Protection virus and spyware protection.

      Note that we collect only the names of affected files, not the contents of the files themselves.

      This information helps determine what systems are especially vulnerable to specific threats.

      Frequency: Once a month

      Information Collected, Processed, or Transmitted:

      • Virus and spyware definition update status

      • Status of real-time virus and spyware monitoring (on or off)

      Use of Information: Endpoint Protection uses this information to verify that your computer has the latest Endpoint Protection virus and spyware protection version, and has the most recent virus and spyware definitions. We also want to make sure that real-time virus and spyware monitoring is turned on, which is a critical part of helping protect your computer from potentially harmful or unwanted software.

      Frequency: During installation, or whenever you manually perform a virus and spyware scan of your computer

      Information Collected, Processed, or Transmitted:

      • List of running processes in your computer's memory

      Use of Information: To identify any processes that might have been compromised by potentially harmful software.

      Specific Privacy Impacting Features for Service Manager
      Summary

      The following lists the privacy impacting features of Service Manager:

      Data Integration and Automation
      Microsoft Update
      Customer Experience Improvement Program

      Full text

      Data Integration and Automation

      What This Feature Does:

      Administrators and analysts can use Service Manager as a central hub to gather data from other System Center components such as Operations Manager and Configuration Manager, and leverage the gathered data to facilitate business processes. The Connector facility enables the collection and configuration of source data to integrate into Service Manager. For example, the connector can gather information regarding the computers managed by Configuration Manager as well as the alerts gathered by Operations Manager. The service desk functions offered in Service Manager can then be configured to correlate the computers which generated the alerts with the affected user and automatically issue a service ticket for assigned personnel to remediate.

      Information Collected, Processed, or Transmitted:

      Service Manager’s connector technology is user configurable. The IT administrator or analyst determines which data sources to integrate with, such as users from Active Directory, computers from Configuration Manager, and alerts from Operations Manager. These sources can include domain registered information such as user name, computer name, or IP address. Administrators can access this data from the Service Manager Console application and authorize other users to access the entire set or a subset of this data. None of this information is sent to Microsoft.

      Use of Information:

      Data integrated into Service Manager is used to carry out business processes such as service desk functions. This could include a ticketing service in which specific support personnel are assigned to resolve computer incidents. Service Manager includes the most often used service desk functions such as incident management, change management, and release management.

      Choice and control:

      By default, Service Manager setup does not enable any connector. Users designated as administrators or analysts must explicitly configure data integration. At any time, the connectors can be disabled and re-enabled. This can be done through the Service Manager console:

      1. Start the Service Manager console and, in the navigation pane, select Administration

      2. In the Administration workspace, select Connectors

      3. A list of configured connectors can be seen in the central panel

      4. To create a new connector from the Task panel, select Create connector

      5. Select a configured connector and choose Enable, Disable, or Delete the connector

      Microsoft Update

      What This Feature Does:

      Microsoft Update is a service that provides Windows updates as well as updates for other Microsoft software.

      Information Collected, Processed, or Transmitted:

      For details about what information is collected and how it is used, see the Update Services Privacy Statement at http://go.microsoft.com/fwlink/?linkid=50142.

      Use of Information:

      For details about what information is collected and how it is used, see the Update Services Privacy Statement at http://go.microsoft.com/fwlink/?linkid=50142.

      Choice/Control:

      Microsoft Update is not turned on by default. It is controlled by a choice you make during setup. You may later change it by accessing the Microsoft Update client under your Control Panel to turn updates on or off.

      For details about controlling this feature, see the Update Services Privacy Statement at http://go.microsoft.com/fwlink/?linkid=50142.

      Customer Experience Improvement Program

      What This Feature Does:

      The Customer Experience Improvement Program (“CEIP”) collects basic information about your hardware configuration and how you use our software and services in order to identify trends and usage patterns. CEIP also collects the type and number of errors you encounter, software and hardware performance, and the speed of services. We will not collect your name, address, or other contact information.

      Information Collected, Processed, or Transmitted:

      For more information about the information collected, processed, or transmitted by CEIP, see the CEIP privacy statement at http://go.microsoft.com/fwlink/?LinkID=231317.

      Use of Information:

      We use this information to improve the quality, reliability, and performance of Microsoft software and services.

      Choice/Control:

      You are offered the opportunity to participate in CEIP during setup of Service Manager. If you choose to participate and later change your mind, you can turn off CEIP at any time as follows:

      1. Open the Service Manager Console.

      2. Click the Help menu, and check or clear the Join the Customer Experience Improvement Program check box.

      Specific Privacy Impacting Features for Virtual Machine Manager
      Summary

      The following lists the privacy impacting features of Virtual Machine Manager:

      Microsoft Update
      Customer Experience Improvement Program
      Error Reporting

      Full text

      Microsoft Update

      What This Feature Does:

      Microsoft Update is a service that provides Windows updates as well as updates for other Microsoft software.

      Information Collected, Processed, or Transmitted:

      For details about what information is collected and how it is used, see the Update Services Privacy Statement at http://go.microsoft.com/fwlink/?LinkID=115475.

      Use of Information:

      For details about what information is collected and how it is used, see the Update Services Privacy Statement at http://go.microsoft.com/fwlink/?LinkID=115475.

      Choice/Control:

      If you are running a VMM management server, the VMM Console, or the Self-Service Portal on a Windows server, this feature is controlled by your Windows server settings. You can turn this feature on or off in Windows Update by clicking Change settings.

      If you are running the VMM Console on a Windows client, see the Update Services Privacy Statement at http://go.microsoft.com/fwlink/?LinkID=115475 for details about controlling this feature.

      Customer Experience Improvement Program

      What This Feature Does:

      The anonymous information CEIP collects includes the type and number of errors console users encounter, software and hardware performance, and the speed of services. We do not collect names, addresses or other contact information.

      This feature generates a Globally Unique Identifier (GUID) that is stored on your computer to uniquely identify it. The GUID is a randomly generated number; it does not contain any personal information and will not be used to identify console users. CEIP uses the GUID to distinguish how widespread the feedback we receive is and how to prioritize it. For example, this number allows Microsoft to distinguish between one customer having an error 100 times and 100 customers having the same error once. The GUID is persistent.

      Use of Information:

      We use this information to improve the quality, reliability, and performance of Microsoft software and services.

      Choice/Control:

      During VMM management server installation, the wizard lets you choose to opt in to or opt out of the CEIP.

      The VMM Console will use the same settings that have been chosen during VMM server installation. For example, if a user utilizes the VMM Console to connect to a VMM management server that is participating in the CEIP, the VMM Console will be automatically involved in CEIP.

      To turn CEIP on or off later:

      1. Start Virtual Machine Manager Console.

      2. Navigate to the Settings workspace.

      3. Select General.

      4. Select Customer Experience Improvement Program Settings.

      5. To turn CEIP on:

        1. Select “Yes, I am willing to participate in CEIP”

      6. To turn CEIP off:

        1. Select “No, I prefer not to participate in CEIP”

      7. Click OK.

      For additional privacy information about CEIP, see http://go.microsoft.com/fwlink/?linkid=52097.

      Error Reporting

      What This Feature Does:

      The Error Reporting feature provides a service which allows you to report problems you may be having with VMM to Microsoft and to receive information that may help you get around or solve such problems.

      Information Collected, Processed, or Transmitted:

      The Error Reporting feature collects Internet Protocol (IP) addresses, which are not used to identify users. It does not intentionally collect anyone's name, address, email address, computer name, or any information that will be used to identify you or contact you. It is possible that such information may be captured in memory or in the data collected from open files, but Microsoft does not use it to identify or contact you.

      In rare cases, such as problems that are especially difficult to solve, Microsoft may request additional data, including sections of memory (which may include memory shared by any or all applications running at the time the problem occurred), some registry settings, and one or more files from your computer. Your current documents may also be included. For more details on what information is collected and how it is used, see the Error Reporting privacy information at http://go.microsoft.com/fwlink/?linkid=31490.

      Use of Information:

      We use the error reporting data to solve customer problems and improve our software and services.

      Choice/Control:

      On Windows Server 2008 family operating systems, error reporting is enabled by default but you can configure or disable error reporting any time through Enable automatic updating and feedback in the Initial Configuration Tasks window, or through Windows Error Reporting in the Resources and Support area of Server Manager.

      Enterprise customers can use Group Policy to configure how Error Reporting behaves on their computers. Configuration options include the ability to completely turn off Error Reporting. If you are an administrator and wish to configure Group Policy for Error Reporting, technical details are available at http://go.microsoft.com/fwlink/?LinkId=120553 for Windows Server 2008.