Enable data sharing for Desktop Analytics
This information relates to a preview service which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
To enroll in Desktop Analytics, devices need to send diagnostic data to Microsoft. If your environment uses a proxy server, use this information to help configure the proxy.
Diagnostic data levels
When you integrate Configuration Manager with Desktop Analytics, you also use it to manage the diagnostic data level on devices. For the best experience, use Configuration Manager.
The basic functionality of Desktop Analytics works at the Basic diagnostic data level. You won't get usage or health data for your updated devices without enabling the Enhanced (Limited) level. Microsoft recommends that you enable the Enhanced (Limited) diagnostic data level. For more information, see Windows 10 enhanced diagnostic data events and fields used by Windows Analytics.
Microsoft has a strong commitment to providing the tools and resources that put you in control of your privacy. As a result, Microsoft doesn't collect the following data from devices located in European countries (EEA and Switzerland):
- Windows diagnostic data from Windows 8.1 devices
- App usage data for Windows 7
For more information, see Desktop Analytics privacy.
The following articles are also good resources for better understanding Windows diagnostic data levels:
At the Enhanced (Limited) level, when each client does the initial full scan, it sends approximately 2 MB of data to the Microsoft cloud. The daily delta varies between 250 and 400 KB.
The daily delta scan happens at 3:00 AM (device local time). Some events are sent at the first available time throughout the day. These times aren't configurable.
For more information, see Configure Windows diagnostic data in your organization.
To enable data sharing, configure your proxy server to allow the following endpoints:
For privacy and data integrity, Windows checks for a Microsoft SSL certificate when communicating with the diagnostic data endpoints. SSL interception and inspection aren't possible. To use Desktop Analytics, exclude these endpoints from SSL inspection.
||Used to locate the service|
||Connected user experience and diagnostic component endpoint. Used by devices running Windows 10, version 1703 or later, with the 2018-09 cumulative update or later installed.|
||Connected user experience and diagnostic component endpoint. Used by devices running Windows 10, version 1803, or later, without the 2018-09 cumulative update installed.|
||Connected user experience and diagnostic component endpoint. Used by devices running Windows 10, version 1709 or earlier.|
||Connected user experience and diagnostic component endpoint. Used by devices running Windows 7 and Windows 8.1.|
||Enables the compatibility update to send data to Microsoft.|
||Allows the compatibility update to receive the latest compatibility data from Microsoft.|
||Windows Error Reporting (WER). Required to monitor deployment health in Windows 10, version 1803 or earlier.|
||Windows Error Reporting (WER). Required for device health reports in Windows 10, version 1809 or later.|
||Windows Error Reporting (WER). Required to monitor deployment health in Windows 10, version 1809 or later.|
||Online Crash Analysis. Required for device health reports in Windows 10, version 1809 or later.|
||Online Crash Analysis (OCA). Required to monitor deployment health in Windows 10, version 1803 or earlier.|
||Required to provide a more reliable device identity for Desktop Analytics. To disable end-user Microsoft account access, use policy settings instead of blocking this endpoint. For more information, see The Microsoft account in the enterprise.|
||Used to automatically retrieve settings like CommercialId when attaching your hierarchy to Desktop Analytics (on Configuration Manager Server role only).|
||Used to sync device collection memberships, deployment plans, and device readiness status with Desktop Analytics (on Configuration Manager Server role only).|
Proxy server authentication
Make sure that a proxy doesn't block the diagnostic data because of authentication. If your organization uses proxy server authentication for outbound traffic, use one or more of the following approaches:
Bypass (recommended): Configure your proxy servers to not require proxy authentication for traffic to the diagnostic data endpoints. This option is the most comprehensive solution. It works for all versions of Windows 10.
User proxy authentication: Configure devices to use the signed-in user's context for proxy authentication. This method requires the devices to run Windows 10, version 1703 or later. Make sure that the users have proxy permission to reach the diagnostic data endpoints. This option requires that the devices have console users with proxy permissions, so you can't use this method with headless devices.
Device proxy authentication:
- Configure a system-level proxy server on the devices.
- Configure these devices to use device-based outbound proxy authentication.
- Configure proxy servers to allow the machine accounts to access the diagnostic data endpoints.
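One way to confirm from a client that the proxy meets both requirements above (no SSL inspection and no authentication block), as an added example that is not part of the original article or a Microsoft tool: it requests each endpoint through the system proxy, reports an HTTP 407 as an authentication block, and flags inspection when the received certificate chains to your inspection CA. The host name and thumbprint are placeholders to replace with your own values, and it assumes Windows PowerShell 5.1, where `ServicePoint.Certificate` is populated.

```powershell
# Added example. Placeholders: replace the host and thumbprint with your own values.
param(
    [string[]]$Endpoints = @('diagnostic-endpoint.example'),        # hosts from the endpoint list
    [string]$InspectionCaThumbprint = '<INSPECTION-CA-THUMBPRINT>', # your proxy's signing CA
    [switch]$UseUserCredentials   # set to test user proxy authentication instead of bypass
)
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12

function Test-DiagnosticEndpoint {
    param([string]$HostName, [string]$CaThumbprint, [bool]$SendCredentials)
    $request = [System.Net.HttpWebRequest]::Create("https://$HostName/")
    $request.Method  = 'HEAD'
    $request.Timeout = 15000
    $request.Proxy   = [System.Net.WebRequest]::GetSystemWebProxy()
    if ($SendCredentials) {
        $request.Proxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials
    }
    $status = $null; $failure = $null
    try {
        $response = $request.GetResponse()
        $status = [int]$response.StatusCode
        $response.Close()
    } catch {
        # PowerShell may wrap the WebException; walk the chain to find it.
        $webEx = $_.Exception
        while ($webEx -and $webEx -isnot [System.Net.WebException]) { $webEx = $webEx.InnerException }
        if (-not $webEx) { throw }
        if ($webEx.Response) { $status = [int]$webEx.Response.StatusCode }  # for example 407 from the proxy
        else { $failure = $webEx.Status.ToString() }                         # for example TrustFailure
    }
    # Certificate the client actually received for this host (leaf of the presented chain).
    $issuer = $null; $inspected = $false
    $leaf = $request.ServicePoint.Certificate
    if ($leaf) {
        $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($leaf)
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        [void]$chain.Build($cert)
        $issuer    = $cert.Issuer
        $inspected = [bool]($chain.ChainElements | Where-Object { $_.Certificate.Thumbprint -eq $CaThumbprint })
    }
    [pscustomobject]@{
        Endpoint = $HostName; HttpStatus = $status; ProxyAuthRequired = ($status -eq 407)
        Issuer = $issuer; TlsInspected = $inspected; Failure = $failure
    }
}

$Endpoints | ForEach-Object { Test-DiagnosticEndpoint $_ $InspectionCaThumbprint $UseUserCredentials.IsPresent }
```

Run it without `-UseUserCredentials` to check the bypass approach, where any 407 means the proxy still demands authentication for that endpoint. Run it with the switch as a signed-in user to check user proxy authentication.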