Microsoft System Center 2012 Configuration Manager Privacy Statement

 

Updated: June 25, 2015

Applies To: System Center 2012 Configuration Manager, System Center 2012 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager SP1

Microsoft is committed to protecting your privacy, while delivering software that brings you the performance, power, and convenience you desire in your personal computing. This privacy statement explains many of the data collection and use practices of Microsoft System Center 2012 Configuration Manager (“System Center 2012 Configuration Manager”). This disclosure focuses on features that communicate with the Internet and is not intended to be an exhaustive list. It does not apply to other online or offline Microsoft sites, products, or services. End users (information workers) should consult their IT administrators for further information about their company’s privacy policies. Microsoft is not responsible for the privacy practices of its customers or other companies.

System Center 2012 Configuration Manager comprehensively assesses, deploys, and updates your servers, clients, and devices—across physical, virtual, distributed, and mobile environments. Optimized for Windows and extensible beyond, it is the best choice for gaining enhanced insight into, and control over, your IT systems.

Built on key Microsoft technologies, such as Microsoft Windows Server Update Services (WSUS), Windows Server Active Directory, and the Windows architecture, System Center 2012 Configuration Manager maximizes infrastructure investments and drives greater efficiency. With System Center 2012 Configuration Manager, organizations can ensure that IT systems comply with desired configuration states to improve availability, security, and performance network-wide.

Collection and Use of Your Information

The information we collect from you will be used by Microsoft and its controlled subsidiaries and affiliates to enable the features you are using and provide the service(s) or carry out the transaction(s) you have requested or authorized. It may also be used to analyze and improve Microsoft products and services.

We may send certain mandatory service communications such as welcome letters, billing reminders, information on technical service issues, and security announcements. Some Microsoft services may send periodic member letters that are considered part of the service. We may occasionally request your feedback, invite you to participate in surveys, or send you promotional mailings to inform you of other products or services available from Microsoft and its affiliates.

In order to offer you a more consistent and personalized experience in your interactions with Microsoft, information collected through one Microsoft service may be combined with information obtained through other Microsoft services. We may also supplement the information we collect with information obtained from other companies. For example, we may use services from other companies that enable us to derive a general geographic area based on your IP address in order to customize certain services to your geographic area.

In order to access some System Center 2012 Configuration Manager online services, you will be asked to enter an email address and password, which we refer to as your Windows account. After you create your Windows account, you can use the same credentials to sign in to many different Microsoft sites and services, as well as those of select Microsoft partners that display the Windows account logo. By signing in to one Microsoft site or service, you may be automatically signed in when you visit other Microsoft sites and services. To learn more about how your credential information is used when you sign in to participating sites, please read the Microsoft Online Privacy Statement at https://privacy.microsoft.com/.

Except as described in this statement, personal information you provide will not be transferred to third parties without your consent. We occasionally hire other companies to provide limited services on our behalf, such as packaging, sending and delivering purchases and other mailings, answering customer questions about products or services, processing event registration, or performing statistical analysis of our services. We will only provide those companies the personal information they need to deliver the service, and they are prohibited from using that information for any other purpose.

Microsoft may access or disclose information about you, including the content of your communications, in order to: (a) comply with the law or respond to lawful requests or legal process; (b) protect the rights or property of Microsoft or our customers, including the enforcement of our agreements or policies governing your use of the services; or (c) act on a good faith belief that such access or disclosure is necessary to protect the personal safety of Microsoft employees, customers, or the public. We may also disclose personal information as part of a corporate transaction such as a merger or sale of assets.

Information that is collected by or sent to Microsoft by System Center 2012 Configuration Manager may be stored and processed in the United States or any other country in which Microsoft or its affiliates, subsidiaries, or service providers maintain facilities. Microsoft abides by the safe harbor framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of data from the European Union, the European Economic Area, and Switzerland.

Collection and Use of Information about Your Computer

When you use software with Internet-enabled features, information about your computer ("standard computer information") is sent to the Web sites you visit and online services you use. Microsoft uses standard computer information to provide you Internet-enabled services, to help improve our products and services, and for statistical analysis. Standard computer information typically includes information such as your IP address, operating system version, browser version, and regional and language settings. In some cases, standard computer information may also include hardware ID, which indicates the device manufacturer, device name, and version. If a particular feature or service sends information to Microsoft, standard computer information will be sent as well.

The privacy details for each System Center 2012 Configuration Manager feature, software or service listed in this privacy statement describe what additional information is collected and how it is used.

Security of your information

Microsoft is committed to helping protect the security of your information. We use a variety of security technologies and procedures to help protect your information from unauthorized access, use, or disclosure. For example, we store the information you provide on computer systems with limited access, which are located in controlled facilities.

Changes to this privacy statement

We will occasionally update this privacy statement to reflect changes in our products, services, and customer feedback. When we post changes, we will revise the "last updated" date at the top of this statement. If there are material changes to this statement or in how Microsoft will use your personal information, we will notify you either by posting a notice of such changes prior to implementing the change or by directly sending you a notification. We encourage you to periodically review this statement to be informed of how Microsoft is protecting your information.

For More Information

Microsoft welcomes your comments regarding this privacy statement. If you have questions about this statement or believe that we have not adhered to it, please contact us at cmprivacy@microsoft.com.

Configuration Manager Privacy Response

Microsoft Corporation

One Microsoft Way

Redmond, Washington 98052 USA

Specific features

The remainder of this document covers features that may transmit information to Microsoft and/or its affiliates. System Center 2012 Configuration Manager may be used to collect, store, and manage additional information and devices within your organization including the ability to erase all data from devices. For more information about device management, see the online topic, Microsoft System Center 2012 Configuration Manager Privacy Statement - Mobile Device Addendum. Use the Configuration Manager documentation library to learn more about the product features.

Customer Experience Improvement Program

What This Feature Does:

The Customer Experience Improvement Program (“CEIP”) collects basic information from the administration console about your hardware configuration and how you use our software and services in order to identify trends and usage patterns. CEIP also collects the type and number of errors you encounter, software and hardware performance, and the speed of services. We will not collect your name, address, or other contact information. No CEIP data is collected from client computers.

Information Collected, Processed, or Transmitted:

For more information about the information collected, processed, or transmitted by CEIP, see the CEIP privacy statement.

Use of Information:

We use this information to improve the quality, reliability, and performance of Microsoft software and services.

Choice/Control:

You are offered the opportunity to participate in CEIP during setup. If you choose to participate and later change your mind, you can turn off CEIP at any time by following these steps:

  1. Open the Configuration Manager console.

  2. Click the Application menu, click Customer Experience Improvement Program, click I don’t want to join the program at this time and then click OK.

Note

Unless specifically set, all administrative console users inherit the CEIP choice made during initial installation. Changes to the CEIP setting from the Configuration Manager console are specific to the user and computer where they are made.

Setup Updates

What This Feature Does:

At the conclusion of the site server setup, a Windows Update agent scan is automatically initiated. If you have opted in to Windows Update and/or Microsoft Update, the agent will scan for any applicable updates for your site server and install them or notify you based on your pre-existing Update Services preferences.

Information Collected, Processed, or Transmitted:

For details about what information is collected and how it is used, see the Update Services Privacy Statement.

Use of Information:

For details about what information is collected and how it is used, see the Update Services Privacy Statement.

Choice/Control:

For details about what information is collected and how it is used, see the Update Services Privacy Statement.

Microsoft Update

What This Feature Does:

Microsoft Update is a service that provides Windows updates as well as updates for other Microsoft software.

Information Collected, Processed, or Transmitted:

For details about what information is collected and how it is used, see the Update Services Privacy Statement.

Use of Information:

For details about what information is collected and how it is used, see the Update Services Privacy Statement.

Choice/Control:

The Software Updates feature is not configured by default. When administrators install and configure a software update point on a Windows Server Update Services (WSUS) server, this action automatically configures WSUS on that server and other WSUS servers in the Configuration Manager hierarchy. Administrators can disable the synchronization of software updates with Microsoft Update.

To disable the synchronization of software updates with Microsoft Update

  1. In the Configuration Manager console, click Administration.

  2. In the Administration workspace, expand Site Configuration, and then click Sites.

  3. In the results pane, click the central administration site or stand-alone primary site.

  4. On the Home tab, in the Settings group, expand Configure Site Components, and then click Software Update Point.

  5. In the Software Update Point Component Properties dialog box, on the Sync Settings tab, click Do not synchronize from Microsoft Update or the upstream software update point, and then click OK.

When you have a software update point that is configured to accept connections from the Internet, Configuration Manager Internet-based clients on the Internet always scan against this software update point to determine which software updates are required. When these clients are on the Internet, they first try to download the software updates from Microsoft Update, rather than from an Internet-based distribution point. Only if this fails will they try to download the required software updates from an Internet-based distribution point.

In Configuration Manager SP1, the administrator can configure software deployments so that clients on the intranet can download update content from Microsoft Update if they cannot download the content from a distribution point. In Configuration Manager with no service pack, clients that are not configured for Internet-based client management never try to download the software updates from Microsoft Update.

Silverlight

What This Feature Does:

Silverlight is a prerequisite for the Configuration Manager client and the Application Catalog. Silverlight updates automatically and has additional data processing and transmitting practices. Configuration Manager does not control this functionality.

For Configuration Manager with no service pack, the Microsoft Silverlight 4.0 Privacy Statement should be read in conjunction with this privacy statement.

For Configuration Manager SP1, the Microsoft Silverlight 5.0 Privacy Statement should be read in conjunction with this privacy statement.

Information Collected, Processed, or Transmitted:

For details about what information is collected and how it is used, see the Silverlight Privacy Statement.

Use of Information:

For details about what information is collected and how it is used, see the Silverlight Privacy Statement.

Choice/Control:

For details about choice and control for Silverlight, see the Silverlight Privacy Statement.

Asset Intelligence

What This Feature Does:

Asset Intelligence lets IT administrators define, track, and proactively manage conformity with configuration standards. Metering and reporting on the deployment and use of both physical and virtual applications helps organizations make better business decisions about software licensing and maintain compliance with licensing agreements.

After collecting usage data from Configuration Manager clients, administrators can use different features to view the data, including collections, queries, and reporting. This data, combined with data from software inventory, can assist in determining:

  • How many copies of a particular software program have been deployed across the organization, and among those computers, how many users actually run the program.

  • How many licenses of a particular software program are needed for purchase when renewing license agreements with a software vendor.

  • Whether any users are still running a particular software program. If the program is not being used, an organization might consider retiring the program.

  • Which times of the day a software program is most frequently used.

Information Collected, Processed, or Transmitted:

During each synchronization, a catalog of known software will be downloaded from Microsoft. The IT administrator can choose to send Microsoft information about uncategorized software titles discovered within their organization to be researched and added to the catalog. Prior to uploading this information, a dialog box shows exactly what data is going to be uploaded. Uploaded data cannot be recalled. Asset Intelligence does not send information about users and computers or license usage to Microsoft.

Use of Information:

After a software title is uploaded, Microsoft researchers identify, categorize, and then make that knowledge available to all other customers that use this feature and other consumers of the catalog. Any software title uploaded becomes public, in the sense that the knowledge of that given application and its categorization become part of the catalog, and then can be downloaded to other consumers of the catalog. Before you configure Asset Intelligence data collection and decide whether to submit information to Microsoft, consider the privacy requirements of your organization.

Choice/Control:

Asset Intelligence is not enabled in System Center 2012 Configuration Manager by default. If the Configuration Manager administrator wants to send and receive data related to the Asset Intelligence feature, then the administrator must create an Asset Intelligence synchronization point role. Without this role, no data related to this feature will be sent to or received from Microsoft. Even after creating the role, the administrator can enable or disable synchronization as well as set schedules to allow synchronization of data from the online catalog into the Configuration Manager database. Synchronization can be configured in the Asset Intelligence synchronization point role properties. Uploading of uncategorized titles never occurs automatically, and the system is not designed for this task to be automated. You must manually select and approve the upload of each software title.

Endpoint Protection

What This Feature Does:

Endpoint Protection provides one familiar experience for desktop management and protection that helps protect and remediate endpoints from viruses and malware.

Information Collected, Processed, or Transmitted:

For details about what information is collected and how it is used, see the Microsoft System Center 2012 Endpoint Protection Privacy Statement.

Use of Information:

For details about what information is collected and how it is used, see the Microsoft System Center 2012 Endpoint Protection Privacy Statement.

Choice/Control:

Endpoint Protection is not enabled in System Center 2012 Configuration Manager by default. If the Configuration Manager administrator wants to enable the Endpoint Protection feature, then the administrator must create an Endpoint Protection point role and deploy the Endpoint Protection agent to computers.

To remove the Endpoint Protection point

  1. In the Configuration Manager console, click Administration.

  2. In the Administration workspace, click Servers and Site System Roles.

  3. In the results pane, click the server that hosts the Endpoint Protection point.

  4. In the Site System Roles details pane, select Endpoint Protection point and then, on the Site Role tab, in the Site Role settings group, click Remove Role, and click Yes to confirm.

To remove the Endpoint Protection client

  1. Set the Manage Endpoint Protection client on client computers client setting to False (Configuration Manager with no service pack) or No (Configuration Manager SP1).

  2. Deploy a package and program to uninstall the Endpoint Protection client.

Automatic Download of Prerequisites and Language Packs

What This Feature Does:

Configuration Manager Setup, or separately the Configuration Manager Setup Downloader utility, can contact Microsoft websites to download required prerequisite redistributables, language packs, and the latest updates to Setup.

These files are copied to the site server during installation. Required files for remote role, secondary site, and client installations will be copied to the respective systems as part of those setups. They will be automatically installed only if an identical or a newer version of the component is not already installed on the target system. These files are persisted on the target system to support future repair operations.

Information Collected, Processed, or Transmitted:

Only standard computer information as described above is used during this process.

Use of Information:

The data is used to complete the necessary downloads.

Choice/Control:

Setup cannot complete without these downloads, but they can be downloaded separately and a path to them provided to Setup.

Site Hierarchy – Geographical View with Bing Maps

What This Feature Does:

Site Hierarchy – geographical view allows you to view your Configuration Manager physical server topology using maps provided by Microsoft Bing Maps.

Information Collected, Processed, or Transmitted:

To enable this feature, location information you provide is sent from your server to the Bing Maps Web service.

Use of Information:

Microsoft uses the information to operate and improve Microsoft Bing Maps and other Microsoft sites and services. For more information, see the Microsoft Online Privacy Statement.

Choice/Control:

You can choose not to use the Geographical View for the Site Hierarchy. The Hierarchy Diagram view allows you to see the hierarchy and does not use the Bing Maps service.

Cloud-Based Distribution Point

What This Feature Does:

The cloud-based distribution point provisions a Configuration Manager distribution point designed to run in Windows Azure. Content assigned to a cloud-based distribution point is managed just like any other Configuration Manager distribution point.

Information Collected, Processed, or Transmitted:

The Windows Azure subscription ID, management certificate, and service certificate are stored in the Configuration Manager database when an administrator configures the feature. During configuration, a list of available geographic regions for hosting the cloud-based distribution point will be automatically retrieved from Windows Azure. All communications with cloud-based distribution points use HTTPS. Configuration Manager automatically encrypts and uploads packages assigned to a cloud-based distribution point. No information about the content assigned to the distribution point is collected by Microsoft.

The Windows Azure subscription ID and management certificate are sent to Windows Azure to authenticate each communication from the site server.

Client communications with a cloud-based distribution point use a Configuration Manager access token and do not contain Windows Azure subscription information. Clients use the service certificate to authenticate the cloud-based distribution point.

For details about what information is collected and how it is used by Windows Azure, see the Windows Azure Trust Center and the Windows Azure Privacy Statement.

Use of Information:

The Windows Azure subscription ID and management certificate are sent to Windows Azure to authenticate each communication from the site server. Client communications with a cloud-based distribution point use a separate authentication method internal to Configuration Manager and do not contain Windows Azure subscription information.

For details about what information is collected and how it is used by Windows Azure, see the Windows Azure Trust Center and the Windows Azure Privacy Statement.

Location and Security of Distribution Point Content

As part of the configuration step for each cloud-based distribution point, you must specify the geographic region of the Microsoft data centers in which the distribution point content will be stored. The location you choose will apply only to the cloud-based distribution point that is being configured. It will not change your geographic location selection for other Windows Azure services that you have in your account. You can configure multiple cloud-based distribution points in different geographies. Content uploaded to cloud-based distribution points is encrypted with a key unique to your organization’s installation of Configuration Manager. Some content may be particularly sensitive to your organization or be subject to specific regulatory requirements.

For details about the location and security of data stored in Windows Azure, see the Windows Azure Trust Center and the Windows Azure Privacy Statement.

Choice/Control:

This role is not installed by default. Configuration Manager administrators have control over what content is transferred to each cloud-based distribution point by using package assignment. Additionally, there is a client setting that must be enabled by the administrator for clients to use cloud-based distribution points. The service can be stopped from the Configuration Manager console and the role can be removed at any time.

To uninstall a cloud-based distribution point, administrators can select the distribution point in the Configuration Manager console, and select Delete.

When administrators delete a cloud-based distribution point from a hierarchy, Configuration Manager will attempt to remove the content from the cloud service in Windows Azure.

What This Feature Does:

The Configuration Manager administrator can create a link to a specific application available from the Windows Store. When end users click the link to install an application, the online store is automatically launched directly to the specified application. To access the Windows Store, users must sign in with a Microsoft account. Links to applications in the Windows Store are not supported on operating systems that are earlier than Windows 8.

Information Collected, Processed, or Transmitted:

A request with the application ID is sent to the Windows Store. For details about what information is sent and collected and how it is used by the Windows Store, see the Windows Store topic in the Features Supplement of the Windows 8 Privacy Statement.

Use of Information:

For details about what information is sent and collected and how it is used by the Windows Store, see the Windows Store topic in the Features Supplement of the Windows 8 Privacy Statement.

Choice/Control:

Configuration Manager administrators can choose not to create applications that link to the Windows Store.

  1. In the Configuration Manager console, click Software Library.

  2. In the Software Library workspace, expand Application Management, and then click Applications.

  3. Search for the distribution type Windows app package (in the Windows Store).

Email Notification for Alerts

What This Feature Does:

For supported alert types, Configuration Manager can be configured to send an email message to recipients you designate when an alert is triggered.

Information Collected, Processed, or Transmitted:

The following information is stored in the Configuration Manager database when an administrator enables the feature: SMTP server, the email address of the sender, and, if required, the user name and password to connect to the SMTP server. Additionally, you must provide one or more email addresses of recipients for each email alert. None of this information is sent to Microsoft.

Choice/Control:

The email notification feature is off by default. Administrators can enable the email alert feature from the Configuration Manager console. For more information about how to configure email alerts, see Configuring Alerts in Configuration Manager.

To disable email notification in Configuration Manager with no service pack

  1. In the Configuration Manager console, click Administration.

  2. In the Administration workspace, expand Site Configuration, and then click Sites.

  3. On the Home tab, in the Settings group, click Configure Site Components and then click Email Notification.

  4. In the Email Notification Component Properties dialog box, clear the Enable email notification for Endpoint Protection alerts check box, and click OK.

To disable email notification in Configuration Manager SP1

  1. In the Configuration Manager console, click Monitoring.

  2. In the Monitoring workspace, expand Alerts, and then click Subscriptions.

  3. On the Home tab, in the Create group, click Configure Email Notification.

  4. In the Email Notification Component Properties dialog box, clear the Enable email notification for alerts check box, and click OK.

Microsoft Intune Subscription

What This Feature Does:

Customers who have purchased a subscription to Microsoft Intune can use Configuration Manager to manage their mobile devices that are connected through Microsoft Intune. The Microsoft Intune Privacy Statement should be read in conjunction with this privacy statement.

Information Collected, Processed, or Transmitted:

All communications with Microsoft Intune use HTTPS. To configure the Microsoft Intune subscription and to download the Certificate Signing Request (CSR) needed for configuration of iOS support, an administrator must sign in to Microsoft Intune by using their work or school account and password. These credentials are not stored within Configuration Manager. All other communications with Microsoft Intune are authenticated by using PKI certificates that are automatically generated by Microsoft Intune.

In order to manage devices that are connected to Microsoft Intune, some information is sent to and received from Microsoft Intune. This information includes the User Principal Name (UPN) of all users that are assigned to the service and device inventory information for those devices that are managed by Microsoft Intune. Metadata, such as application name, publisher, and version, for content that is assigned to Manage.Microsoft.com distribution points is sent to Microsoft Intune. The actual binary content assigned to a Manage.Microsoft.com distribution point is encrypted before it is uploaded to Microsoft Intune.

Use of Information:

The information sent to Microsoft Intune is used only to provide and improve the Microsoft Intune services. No information about the content assigned to the distribution point is collected by Microsoft.

Content selected to be uploaded to the Manage.Microsoft.com distribution point is encrypted with a key that is unique to your organization’s installation of Configuration Manager. Some content may be particularly sensitive to your organization or be subject to specific regulatory requirements. For more information, see the Microsoft Intune Privacy Statement.

Choice/Control:

This feature is not configured by default. Administrators have control over what content is transferred to the Manage.Microsoft.com distribution point and which users are assigned to the service. The feature can be removed at any time.

For information about how to retire devices that are managed by Microsoft Intune, see the Microsoft Intune Privacy Statement.

To disable communication between Configuration Manager and Intune, you can remove the Windows Intune connector.

To remove the Windows Intune connector

  1. In the Configuration Manager console, click Administration.

  2. In the Administration workspace, click Servers and Site System Roles.

  3. Select the server that hosts the Windows Intune connector.

  4. In the Site System Roles details pane, select Windows Intune connector and then, on the Site Role tab, in the Site Role settings group, click Remove Role, and click Yes to confirm.