What is Endpoint analytics?

Endpoint analytics is part of the Microsoft Adoption Score. These analytics give you insights for measuring how your organization is working and the quality of the experience you're delivering to your users. Endpoint analytics can help identify policies or hardware issues that might be slowing down devices and help you proactively make improvements before end-users generate a help desk ticket. For more information on the Microsoft Adoption Score and other new tools, see New tools to help IT empower employees securely in a remote work world​.

Endpoint analytics overview

It's not uncommon for end users to experience long boot times or other disruptions. These disruptions can be due to a combination of:

  • Legacy hardware
  • Software configurations that aren't optimized for the end-user experience
  • Issues caused by configuration changes and updates

These issues and other end-user experience problems persist because IT doesn't have much visibility into the end-user experience. Generally, the only visibility into these issues comes from a slow costly support channel that doesn't usually provide clear information about what needs to be optimized. It's not only IT support bearing the cost of these problems. The time information workers spend dealing with issues is also costly. Performance, reliability, and support issues that reduce user productivity can affect an organization's bottom line as well.

Endpoint analytics aims to improve user productivity and reduce IT support costs by providing insights into the user experience. The insights enable IT to optimize the end-user experience with proactive support and to detect regressions to the user experience by assessing the effect of configuration changes on users.

Important

Endpoint analytics is now available to tenants in Government cloud.

Prerequisites

You can enroll devices via Configuration Manager or Microsoft Intune.

How to enroll devices via Intune

  • Intune enrolled or co-managed devices running the following:
    • Windows 10 version 1903 or later
    • July 2021 cumulative update or later
    • Pro, Pro Education, Enterprise, or Education. Home and long-term servicing channel (LTSC) aren't supported.
  • Windows devices must be Microsoft Entra joined or Microsoft Entra hybrid joined. Workplace joined or Microsoft Entra registered devices aren't supported.
  • Network connectivity from devices to the Microsoft public cloud. For more information, see endpoints.
  • The Intune Service Administrator role is required to start gathering data.
    • After the administrator selects Start for gathering data, other read-only roles can view the data.

How to enroll devices via Configuration Manager

Licensing Prerequisites

Devices enrolled in Endpoint analytics need a valid license for the use of Microsoft Intune. For more information, see Microsoft Intune licensing or Microsoft Configuration Manager licensing.

Permissions

Endpoint analytics permissions

  • The following permissions are used for Endpoint analytics:
    • Permissions appropriate to the user's role under the Endpoint Analytics, Organization or School Administrator categories. A read-only user would only need the Read permission under either category. An Intune administrator would typically need all permissions.

    • Read under the Help Desk Operator, or Endpoint Security Manager Intune roles.

    • Reports Reader Microsoft Entra role.

Built-in role permissions

Use the following chart to see which built-in roles already have access to endpoint analytics. For more information about roles, see Administrator role permissions in Microsoft Entra ID and Role-based access control (RBAC) with Microsoft Intune.

Role name Microsoft Entra role Intune role Endpoint analytics permissions
Global Administrator Yes Read/write
Intune Service Administrator Yes Read/write
School Administrator Yes Read/write
Endpoint Security Manager Yes Read only
Help Desk Operator Yes Read only
Read Only Operator Yes Read only
Reports Reader Yes Read only

Endpoints

If your environment uses a proxy server, configure your proxy server to allow the following endpoints:

Endpoints required for Configuration Manager-managed devices

Configuration Manager-managed devices send data to Intune via the connector on the Configuration Manager role and they don't need directly access to the Microsoft public cloud.

Endpoint Function
https://graph.windows.net Used to automatically retrieve settings when attaching your hierarchy to Endpoint analytics on Configuration Manager Server role. For more information, see Configure the proxy for a site system server.
https://*.manage.microsoft.com Used to synch device collection and devices with Endpoint analytics on Configuration Manager Server role only. For more information, see Configure the proxy for a site system server.

Endpoints required for Intune-managed devices

To enroll devices to Endpoint analytics, they need to send required functional data to Microsoft public cloud. Endpoint Analytics uses the Windows Connected User Experiences and Telemetry component (DiagTrack) to collect the data from Intune-managed devices. Make sure that the Connected User Experiences and Telemetry service on the device is running.

Endpoint Function
https://*.events.data.microsoft.com Used by Intune-managed devices to send required functional data to the Intune data collection endpoint.

Important

For privacy and data integrity, Windows checks for a Microsoft SSL certificate (certificate pinning) when communicating with the required functional data sharing endpoints. SSL interception and inspection aren't possible. To use Endpoint analytics, exclude these endpoints from SSL inspection.

Next steps