Enable data sharing for Desktop Analytics
To enroll devices to Desktop Analytics, they need to send diagnostic data to Microsoft. If your environment uses a proxy server, use this information to help configure the proxy.
Diagnostic data levels
When you integrate Configuration Manager with Desktop Analytics, you also use it to manage the diagnostic data level on devices. For the best experience, use Configuration Manager.
In most circumstances, only use Configuration Manager to configure these settings. Don't also apply these settings in domain group policy objects. For more information, see Conflict resolution.
The basic functionality of Desktop Analytics works at the Basic diagnostic data level. If you don't configure the Enhanced (Limited) level in Configuration Manager, you won't get the following features of Desktop Analytics:
- App usage
- Additional app insights
- Deployment status data
- Health monitoring data
Microsoft recommends that you enable the Enhanced (Limited) diagnostic data level with Desktop Analytics to maximize the benefits you get from it.
The Enhanced (Limited) setting in Configuration Manager is the same setting as Limit Enhanced diagnostic data to the minimum required by Windows Analytics policy available on devices running Windows 10, version 1709 and later.
Devices running Windows 10, version 1703 and earlier, Windows 8.1, or Windows 7 don't have this policy setting. When you configure the Enhanced (Limited) setting in Configuration Manager, these devices fall back to the Basic level.
Devices running Windows 10, version 1709 have this policy setting. However, when you configure the Enhanced (Limited) setting in Configuration Manager, these devices also fall back to the Basic level.
For more information about diagnostic data shared with Microsoft with Enhanced (Limited), see Windows 10 enhanced diagnostic data events and fields.
Microsoft has a strong commitment to providing the tools and resources that put you in control of your privacy. As a result, while Desktop Analytics supports Windows 8.1 devices, Microsoft doesn't collect Windows diagnostic data from Windows 8.1 devices located in European countries (EEA and Switzerland).
For more information, see Desktop Analytics privacy.
The following articles are also good resources for better understanding Windows diagnostic data levels:
Clients configured to Limit Enhanced diagnostic data send approximately 2 MB of data to the Microsoft cloud on the initial full scan. The daily delta is approximately 250-400 KB per day.
The daily delta scan happens at 3:00 AM (device local time). Some events are sent at the first available time throughout the day. These times aren't configurable.
For more information, see Configure Windows diagnostic data in your organization.
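As an added example (not part of this article), the following PowerShell audit reads the Windows DataCollection policy values on a client and reports the level the device will actually use according to the fallback rules above. The registry path and value names (`AllowTelemetry`, `LimitEnhancedDiagnosticDataWindowsAnalytics`, `DisableEnterpriseAuthProxy`, `CommercialId`) are the documented Windows policy settings; the build-to-version mapping (17134 = Windows 10, version 1803) is an assumption stated in the comments.

```powershell
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
$LevelNames = @{ 0 = 'Security'; 1 = 'Basic'; 2 = 'Enhanced'; 3 = 'Full' }

function Get-DiagnosticDataState {
    # Policy values that Configuration Manager (or a conflicting domain GPO) writes
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
    $allow = $p.AllowTelemetry
    $limit = $p.LimitEnhancedDiagnosticDataWindowsAnalytics
    $notes = [System.Collections.Generic.List[string]]::new()

    $configured = if ($null -eq $allow) { 'Not configured' } else { $LevelNames[[int]$allow] }
    $effective  = $configured
    if ($allow -eq 2 -and $limit -eq 1) {
        # Enhanced (Limited) = AllowTelemetry 2 plus the Limit Enhanced policy. Build 17134
        # is Windows 10, version 1803 (assumed mapping); 1709 and earlier, Windows 7 (7601)
        # and Windows 8.1 (9600) fall back to Basic, as the article describes.
        if ($build -ge 17134) { $effective = 'Enhanced (Limited)' }
        else { $effective = 'Basic'; $notes.Add('Enhanced (Limited) unsupported on this build; device falls back to Basic') }
    } elseif ($limit -eq 1) {
        $notes.Add('Limit Enhanced policy is set but AllowTelemetry is not 2, so it has no effect')
    } elseif ($allow -eq 2) {
        $notes.Add('Enhanced without the Limit Enhanced policy sends more than Desktop Analytics requires')
    }
    if (-not $p.CommercialId) { $notes.Add('CommercialId is not set; data will not be attributed to your tenant') }

    # Proxy authentication context; decides whether user or device proxy authentication applies
    $authProxy = $p.DisableEnterpriseAuthProxy
    $proxyContext = if ($authProxy -eq 0) { 'User context (WinINET); conflicts with Microsoft Defender ATP, which requires 1' }
                    elseif ($authProxy -eq 1) { 'Local system context (WinHTTP)' }
                    else { 'Not configured' }

    [pscustomobject]@{
        Build            = $build
        ConfiguredLevel  = $configured
        EffectiveLevel   = $effective
        ProxyAuthContext = $proxyContext
        Notes            = ($notes -join '; ')
    }
}

Get-DiagnosticDataState | Format-List
```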
To enable data sharing, configure your proxy server to allow the following endpoints:
For privacy and data integrity, Windows checks for a Microsoft SSL certificate (certificate pinning) when communicating with the diagnostic data endpoints. SSL interception and inspection aren't possible. To use Desktop Analytics, exclude these endpoints from SSL inspection.
| Endpoint | Function |
|---|---|
| | Used to locate the service |
| | Connected user experience and diagnostic component endpoint. Used by devices running Windows 10, version 1809 or later, or version 1803 with the 2018-09 cumulative update or later installed. |
| | Connected user experience and diagnostic component endpoint. Used by devices running Windows 10, version 1803 without the 2018-09 cumulative update installed. |
| | Connected user experience and diagnostic component endpoint. Used by devices running Windows 10, version 1709 or earlier. |
| | Connected user experience and diagnostic component endpoint. Used by devices running Windows 7 and Windows 8.1. |
| | Enables the compatibility update to send data to Microsoft. |
| | Allows the compatibility update to receive the latest compatibility data from Microsoft. |
| | Windows Error Reporting (WER). Required to monitor deployment health in Windows 10, version 1803 or earlier. |
| | Windows Error Reporting (WER). Required for device health reports in Windows 10, version 1809 or later. |
| | Windows Error Reporting (WER). Required to monitor deployment health in Windows 10, version 1809 or later. |
| | Online Crash Analysis (OCA). Required for device health reports in Windows 10, version 1809 or later. |
| | Online Crash Analysis (OCA). Required to monitor deployment health in Windows 10, version 1803 or earlier. |
| | Required to provide a more reliable device identity for Desktop Analytics. To disable end-user Microsoft account access, use policy settings instead of blocking this endpoint. For more information, see The Microsoft account in the enterprise. |
| | Used to automatically retrieve settings like CommercialId when attaching your hierarchy to Desktop Analytics (on the Configuration Manager server role). For more information, see Configure the proxy for a site system server. |
| | Used to sync device collection memberships, deployment plans, and device readiness status with Desktop Analytics (on the Configuration Manager server role only). For more information, see Configure the proxy for a site system server. |
Proxy server authentication
Make sure that a proxy doesn't block the diagnostic data because of authentication. If your organization uses proxy server authentication for outbound traffic, use one or more of the following approaches:
Configure your proxy servers to not require proxy authentication for traffic to the diagnostic data endpoints. This option is the most comprehensive solution. It works for all versions of Windows 10.
User proxy authentication
Configure devices to use the signed-in user's context for proxy authentication. This method requires the following configurations:
- Devices have the current quality update for Windows 7, Windows 8.1, or Windows 10, version 1703 or later
- Configure user-level proxy (WinINET proxy) in Proxy settings in the Network & Internet group of Windows Settings. You can also use the legacy Internet Options control panel.
- Make sure that the users have proxy permission to reach the diagnostic data endpoints. This option requires that the devices have console users with proxy permissions, so you can't use this method with headless devices.
The user proxy authentication approach is incompatible with the use of Microsoft Defender Advanced Threat Protection. This behavior is because this authentication relies on the DisableEnterpriseAuthProxy registry key set to 0, while Microsoft Defender ATP requires it to be set to 1. For more information, see Configure machine proxy and Internet connectivity settings.
Device proxy authentication
This approach is the most complex because it requires the following configurations:
Make sure devices can reach the proxy server through WinHTTP in local system context. Use one of the following options to configure this behavior:
- The `netsh winhttp set proxy` command line
- Web Proxy Auto-discovery Protocol (WPAD)
- Transparent proxy
- A routed connection, or one that uses network address translation (NAT)
Configure proxy servers to allow the computer accounts in Active Directory to access the diagnostic data endpoints. This configuration requires proxy servers to support Windows Integrated Authentication.
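The following PowerShell check is an added example, not part of this article. It ties together two points above: the diagnostic data endpoints are certificate-pinned, so SSL inspection breaks them, and the proxy must not demand authentication for them. The function connects to an endpoint (optionally tunnelling through a proxy with HTTP CONNECT, the path WinHTTP takes in the local system context), reports a 407 if the proxy demands credentials, and reports the certificate chain it actually receives so you can spot an inspection CA. The hostname and proxy values are placeholders; the "public root" heuristic is an assumption.

```powershell
function Test-DiagnosticEndpointTls {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [string]$Proxy,    # 'proxy.corp.example:8080' (placeholder); omit for a direct connection
        [int]$Port = 443
    )
    $tcp = [System.Net.Sockets.TcpClient]::new()
    try {
        if ($Proxy) {
            # Tunnel through the proxy with HTTP CONNECT, as WinHTTP does in system context
            $proxyHost, $proxyPort = $Proxy -split ':', 2
            $tcp.Connect($proxyHost, [int]$proxyPort)
            $stream = $tcp.GetStream()
            $req = "CONNECT ${HostName}:${Port} HTTP/1.1`r`nHost: ${HostName}:${Port}`r`n`r`n"
            $bytes = [System.Text.Encoding]::ASCII.GetBytes($req)
            $stream.Write($bytes, 0, $bytes.Length)
            $reader = [System.IO.StreamReader]::new($stream)
            $status = $reader.ReadLine()
            while ($reader.ReadLine()) { }   # discard remaining response headers (stops at blank line or EOF)
            # A 407 here means the proxy requires authentication for this endpoint
            if ($status -notmatch ' 200 ') {
                return [pscustomobject]@{ Host = $HostName; Reachable = $false; Detail = $status }
            }
        } else {
            $tcp.Connect($HostName, $Port)
            $stream = $tcp.GetStream()
        }
        # Accept whatever certificate is presented so it can be reported; this is an audit, not a trust decision
        $ssl = [System.Net.Security.SslStream]::new($stream, $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $null = $chain.Build($cert)
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        [pscustomobject]@{
            Host        = $HostName
            Reachable   = $true
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            ChainRoot   = $root.Subject
            # Heuristic (assumption): Microsoft's endpoints chain to a public root; any other root
            # means an inspecting proxy re-signed the certificate and pinning will fail
            Intercepted = ($root.Subject -notmatch 'Microsoft|DigiCert')
        }
    } finally { $tcp.Close() }
}

# Replace the placeholder with each hostname from the endpoint table above
Test-DiagnosticEndpointTls -HostName '<diagnostic-endpoint>' -Proxy 'proxy.corp.example:8080'
```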