Data sent to and from Windows Intune and System Center 2012 R2 Configuration Manager

First published on CloudBlogs on Sep, 11 2014
Author: Craig Morris, Principal Program Manager, Enterprise Client and Mobility. As a Windows Intune customer, you have entrusted Microsoft to help protect your data. Microsoft values this trust, and the privacy and security of your data is one of our top concerns. The information presented below is intended to provide additional details about the shared data that is transmitted between and stored in Configuration Manager and Windows Intune when using the Windows Intune connector. The Windows Intune connector lets you use Configuration Manager to manage mobile devices with Windows Intune. The connector extends Configuration Manager by establishing a connection to the cloud-based Windows Intune service that manages mobile devices over the Internet. With this connection the IT Administrator is able to manage and provide services (such as application distribution) to the devices employees love to use. In order to accomplish this, the Windows Intune service needs a certain amount of information about the users, enrolled devices, security settings configured, and applications published through Windows Intune. The goal from the outset of this integration was to minimize the data needed to provide Windows Intune services to users and devices, without compromising on the quality of those services. The information below refers to the January 2014 releases of Windows Intune and System Center 2012 R2 Configuration Manager. You should read the System Center 2012 R2 Privacy Statement and the Windows Intune Privacy statement in conjunction with this article.

Customer Data from Configuration Manager stored in Windows Intune

Configuration Manager connects to the Windows Intune service and the following customer data is sent to and stored in Windows Intune.

Customer Data stored in Windows Intune	Examples
Compliance settings, app information, and profile information	Compliance settings and values, such as requiring a minimum password length of 4 characters. E-mail profile information, such as email server name and time of day preferences. Information to generate certificates for VPN profiles (but not the certificate itself). Name, description, encrypted content, and icon for apps. Any setting needed to onboard devices.
Settings and application assignments for users and devices.	Software applications deployed to a user Settings applied to devices
Basic information about enrolled users that is used for single sign-on	User Principal Name (UPN) User Name Email (if Email profiles are enabled and deployed)
User application request information (for display in company portal)	Software applications requested Installation state Request history
Basic information about enrolled devices for use in the company portal.	Device name Device friendly name Device Type Device OS Device Acton (Wipe/Retire/Connect) state Certificate expiry date Primary user Last connection time
Information used to distribute certs for Wi-Fi and VPN profiles	NDES server information System Center Endpoint Protection challenge encryption certificate (public-key only) Certificate provisioning information Certificate assignment and status
Windows Intune Extension Installation status	Windows Phone 8.1 extension (V1) is installed
Configuration Manager Version Information	Connector Build Version 5.0.7958.1000
Encrypted Side-loading key and assignment information	N/A (this is encrypted data)
Remote Connection Profile information for licensed Windows Intune users	RD Gateway Server Settings Machine names and Windows Intune users for which this feature is enabled

Customer Data retrieved from Windows Intune and stored in Configuration Manager

The below table reflects the customer data that is retrieved from Windows Intune and stored in the Configuration Manager database. This data is deleted from Windows Intune after it has been successfully downloaded by Configuration Manager.

Type of Customer Data	Information
Customer Data that Windows Intune relays from mobile devices	Software and Hardware Inventory Compliance setting Requested Application Installation Status Device Status (enrollment, registration status, wipe/retire state) Side-loading key assignment
End-user initiated commands	Device Wipe/Retire action information Application Request information User-generated device commands (rename, wipe, retire, connect now)
Tenant, User, and Device error messages	Apple APNS Certificate Expired Side-loading key could not be applied
Windows Intune Extension Packages	N/A (this is binary data)
License status for Windows Intune Users	GUID (generated per user)
Application distribution status	“Application content could not be uploaded to Windows Intune.”

NOTE: For Windows Phone and Android devices, we maintain a cache of inventory data between device sessions to reduce bandwidth costs. It will be removed (within the 90-day data retention period described below under Data Retention ) when the device is un-enrolled or the account is deleted.

Customer Data temporarily stored in Windows Intune

Commands sent to and received from mobile devices are temporarily stored in the Windows Intune service while the device is actively connected to the service. This data is subsequently deleted within an hour of the device’s active session expiring.

Microsoft’s commitment to customer data security and privacy

More information on Microsoft’s commitment can be found here: Windows Intune Trust Center Windows Intune’s privacy/security whitepaper

Data Security Area	Microsoft’s commitment
Data Location	Microsoft has a regionalized data center strategy. The customer’s country or region, which the customer’s administrator inputs during initial setup of the online services account, determines the primary storage location for customer data.
Data Retention	Microsoft believes that customers own their own data. When customers do not renew their Windows Intune subscriptions (i.e., they terminate or allow their subscriptions to expire), there is a 90-day data retention period with limited customer access. Thirty days after the end of the data retention period, customer data stored in the Windows Intune service is deleted.   Customers who actively cancel their subscription may choose to disable their accounts and request deletion of their subscriber data.

--Craig Morris Configuration Manager Resources Documentation Library for System Center 2012 Configuration Manager Configuration Manager 2012 Forums System Center 2012 Configuration Manager Survival Guide System Center Configuration Manager Support This posting is provided "AS IS" with no warranties and confers no rights.