What is Endpoint analytics?
Endpoint analytics is part of the Microsoft Productivity Score. These analytics give you insights for measuring how your organization is working and the quality of the experience you're delivering to your users. Endpoint analytics can help identify policies or hardware issues that may be slowing down devices and help you proactively make improvements before end-users generate a help desk ticket. For more information on the Microsoft Productivity Score and other new tools, see New tools to help IT empower employees securely in a remote work world.
Endpoint analytics overview
It's not uncommon for end users to experience long boot times or other disruptions. These disruptions can be due to a combination of:
- Legacy hardware
- Software configurations that aren't optimized for the end-user experience
- Issues caused by configuration changes and updates
These issues and other end-user experience problems persist because IT doesn't have much visibility into the end-user experience. Generally, the only visibility into these issues comes from a slow costly support channel that doesn't usually provide clear information about what needs to be optimized. It's not only IT support bearing the cost of these problems. The time information workers spend dealing with issues is also costly. Performance, reliability, and support issues that reduce user productivity can have a large impact on an organization's bottom line as well.
Endpoint analytics aims to improve user productivity and reduce IT support costs by providing insights into the user experience. The insights enable IT to optimize the end-user experience with proactive support and to detect regressions to the user experience by assessing user impact of configuration changes.
This initial release, focuses on three things:
- Recommended software: Recommendations for providing the best user experience
- Proactive remediation scripting: Fix common support issues before end-users notice issues
- Start up performance: Help IT get users from power-on to productivity quickly without lengthy boot and sign in delays
You can enroll devices via Configuration Manager or Microsoft Intune.
To enroll devices via Intune requires:
- Intune enrolled or co-managed devices running Windows 10 Pro, Windows 10 Pro Education, Windows 10 Enterprise, or Windows 10 Education. Windows 10 Home isn't supported.
- Startup performance insights are only available for devices running version 1903 or later of Windows 10 Enterprise, Education, or Pro. Windows 10 long-term servicing channel (LTSC) and isn't supported.
- Windows 10 devices must be Azure AD joined or hybrid Azure AD joined. Workplace joined or Azure AD registered devices aren't supported.
- Network connectivity from devices to the Microsoft public cloud. For more information, see endpoints.
- The Intune Service Administrator role is required to start gathering data.
- After clicking Start for gathering data, other read-only roles can view the data.
To enroll devices via Configuration Manager requires:
- A minimum of Configuration Manager version 2002 with KB4560496 - Update rollup for Microsoft Endpoint Configuration Manager version 2002 or later
- The Configuration Manager clients upgraded to version 2002 (including KB4560496) or later
- Microsoft Endpoint Manager tenant attach enabled.
- Enable Endpoint analytics for devices uploaded to Microsoft Endpoint Manager.
Proactive remediation scripting requires:
Whether enrolling devices via Intune or Configuration Manager, Proactive remediation scripting has the following requirements:
- Devices must be Azure AD joined or hybrid Azure AD joined and meet one of the following conditions:
Proactive remediations also require one of the following licenses for the managed devices:
- Windows 10 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
- Windows 10 Education A3 or A5 (included in Microsoft 365 A3 or A5)
- Windows Virtual Desktop Access E3 or E5
Endpoint analytics permissions
- The following permissions are used for Endpoint analytics:
Permissions appropriate to the user's role under the Endpoint Analytics, Organization or School Administrator categories. A read-only user would only need the Read permission under either category. An Intune administrator would typically need all permissions.
Read under the Help Desk Operator, or Endpoint Security Manager Intune roles.
Reports Reader Azure AD role.
Built-in role permissions
Use the following chart to see which built-in roles already have access to endpoint analytics. For more information about roles, see Administrator role permissions in Azure Active Directory and Role-based access control (RBAC) with Microsoft Intune.
|Role name||Azure Active Directory role||Intune role||Endpoint analytics permissions|
|Intune Service Administrator||Yes||Read/write|
|Endpoint Security Manager||Yes||Read only|
|Help Desk Operator||Yes||Read only|
|Read Only Operator||Yes||Read only|
|Reports Reader||Yes||Read only|
Proactive remediations permissions
For Proactive remediations, the user needs permissions appropriate to their role under the Device configurations category. Permissions in the Endpoint Analytics category aren't needed if the user only uses Proactive remediations.
An Intune Service Administrator is required to confirm licensing requirements before using proactive remediations for the first time.
If your environment uses a proxy server, configure your proxy server to allow the following endpoints:
Endpoints required for Configuration Manager-managed devices
Configuration Manager-managed devices send data to Intune via the connector on the Configuration Manager role and they don't need directly access to the Microsoft public cloud.
||Used to automatically retrieve settings when attaching your hierarchy to Endpoint analytics on Configuration Manager Server role. For more information, see Configure the proxy for a site system server.|
||Used to synch device collection and devices with Endpoint analytics on Configuration Manager Server role only. For more information, see Configure the proxy for a site system server.|
Endpoints required for Intune-managed devices
To enroll devices to Endpoint analytics, they need to send required functional data to Microsoft public cloud. Endpoint Analytics uses the Windows 10 and Windows Server Connected User Experiences and Telemetry component (DiagTrack) to collect the data from Intune-managed devices. Make sure that the Connected User Experiences and Telemetry service on the device is running.
||Used by Intune-managed devices to send required functional data to the Intune data collection endpoint.|
For privacy and data integrity, Windows checks for a Microsoft SSL certificate (certificate pinning) when communicating with the required functional data sharing endpoints. SSL interception and inspection aren't possible. To use Endpoint analytics, exclude these endpoints from SSL inspection.