Quickstart: Enroll Configuration Manager devices into Endpoint analytics
This quickstart outlines prerequisites and instructions for enrolling Configuration Manager managed devices into Endpoint analytics. If your devices are co-managed and meet the Intune device requirements, we recommend using Intune to enroll them into Endpoint analytics instead of following the instructions in this article. You don't need to move any co-management workloads to Intune to enroll a co-managed device to Endpoint analytics via Intune.
Prerequisites
Before you start this tutorial, make sure you have the following prerequisites:
Configuration Manager requirements
- A minimum of Configuration Manager version 2002 with KB4560496 - Update rollup for Microsoft Configuration Manager version 2002 or later
- The Configuration Manager clients upgraded to version 2002 (including KB4560496) or later
- Microsoft Intune tenant attach enabled.
Important
If you have co-management enabled, enrolled devices that meet the Intune requirements will send required functional data directly to Microsoft public cloud. For more information, see requirements for devices managed by Intune.
Licensing Prerequisites
Devices enrolled in Endpoint analytics need a valid license for the use of Microsoft Intune. For more information, see Microsoft Intune licensing or Microsoft Configuration Manager licensing. There are some more licensing requirements for Proactive remediations. For more information, see the Endpoint analytics licensing requirements overview.
Endpoint analytics permissions
- The Intune Service Administrator role is required to start gathering data.
- After the admin selects Start for gathering data, other read-only roles can view the data.
- The following permissions are used for Endpoint analytics:
  - Permissions appropriate to the user's role under the Endpoint Analytics, Organization or School Administrator categories. A read-only user would only need the Read permission under either category. An Intune administrator would typically need all permissions.
  - Read under the Help Desk Operator, or Endpoint Security Manager Intune roles.
  - Reports Reader Microsoft Entra role.
Endpoints required for Configuration Manager-managed devices
Configuration Manager-managed devices send data to Intune via the connector on the Configuration Manager role, and they don't need direct access to the Microsoft public cloud. If your environment uses a proxy server, configure your proxy server to allow the following endpoints:
Endpoint | Function |
---|---|
https://graph.windows.net | Used to automatically retrieve settings when attaching your hierarchy to Endpoint analytics on Configuration Manager Server role. For more information, see Configure the proxy for a site system server. |
https://*.manage.microsoft.com | Used to synch device collection and devices with Endpoint analytics on Configuration Manager Server role only. For more information, see Configure the proxy for a site system server. |
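The following is an added example, not part of the original article: a PowerShell check that a proxy allowlist covers both endpoints in the table and flags entries that are broader than the endpoint requires. The function names are hypothetical and the allowlist is constructed sample data; substitute the host patterns exported from your own proxy.

```powershell
# Required endpoints from the table above (Configuration Manager server role).
$Required = @('graph.windows.net', '*.manage.microsoft.com')

# Constructed sample: host patterns exported from a proxy allowlist (hypothetical).
$Allowlist = @('graph.windows.net', '*.microsoft.com', 'updates.example.test')

function Test-PatternCovers {
    # True when every host matched by $Needed is also matched by $Allowed.
    # Supports exact hosts and leading-wildcard patterns such as '*.example.test'.
    param([string]$Allowed, [string]$Needed)

    if ($Allowed -eq $Needed) { return $true }   # -eq is case-insensitive
    if ($Allowed.StartsWith('*.')) {
        # '*.microsoft.com' -> '.microsoft.com'; the leading dot prevents
        # '*.soft.com' from matching 'x.microsoft.com'.
        $suffix = $Allowed.Substring(1)
        return $Needed.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)
    }
    return $false
}

function Get-AllowlistAudit {
    # One result row per required endpoint: is it covered, by which entries,
    # and is it covered only by an entry wider than the endpoint itself.
    param([string[]]$Allowlist, [string[]]$Required)

    foreach ($need in $Required) {
        $covering = @($Allowlist | Where-Object {
            Test-PatternCovers -Allowed $_ -Needed $need
        })
        $exact = $covering -contains $need

        [pscustomobject]@{
            Endpoint    = $need
            Covered     = $covering.Count -gt 0
            CoveredBy   = $covering -join ', '
            BroaderOnly = ($covering.Count -gt 0) -and (-not $exact)
        }
    }
}

Get-AllowlistAudit -Allowlist $Allowlist -Required $Required |
    Format-Table -AutoSize
```

A row with `Covered` false means the connector traffic for that endpoint will be blocked; a row with `BroaderOnly` true means the endpoint is reachable only through a wider rule that could be narrowed to the pattern in the table.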
Limitations
- Endpoint analytics insights aren't available for devices running Windows Server editions.
- Using multiple Configuration Manager hierarchies with a single Endpoint analytics instance isn't currently supported.
Enroll devices managed by Configuration Manager
Before you enroll Configuration Manager devices, verify the prerequisites including enabling Microsoft Intune tenant attach. Cloud attaching your environment was simplified starting from Configuration Manager 2111. You can use the recommended defaults to enable both Endpoint analytics and tenant attach at the same time. For more information, see Enable cloud attach.
Enable data upload in Configuration Manager
- In the Configuration Manager console, go to Administration > Cloud Services > Cloud Attach.
- For version 2103 and earlier, select the Co-management node.
- Select CoMgmtSettingsProd then select Properties.
- On the Configure upload tab, check the option to Enable Endpoint analytics for devices uploaded to Microsoft Endpoint Manager.
Important
When you enable Endpoint analytics data upload, your default client settings will be automatically updated to allow managed endpoints to send relevant data to your Configuration Manager site server. If you use custom client settings, you may need to update and re-deploy them for data collection to occur. For more information on how to configure data collection, such as to limit collection only to a specific set of devices, see Configuring Endpoint analytics data collection.
Onboard in the Endpoint analytics portal
Onboarding from the Endpoint analytics portal is required for both Configuration Manager and Intune managed devices. For more information about common issues, see Troubleshooting device enrollment and startup performance.
- Go to https://aka.ms/endpointanalytics
- Choose from the following options:
  - All cloud-managed devices: Creates an Intune data collection policy assigned to all Windows 10 1903 or later devices which are either Intune managed or co-managed.
  - Selected devices: Creates and assigns the policy to devices which you select.
  - I'll choose later: Doesn't deploy a policy to devices. Remediations can still be used, but any reports that rely on analytics data will be empty.
- Click Start. This will automatically assign a configuration profile to collect boot performance data from all eligible devices. You can change assigned devices later. It may take up to 24 hours for startup performance data to populate from your Intune enrolled devices after they reboot.
Important
- We anonymize and aggregate the scores from all enrolled organizations to keep the All organizations (median) baseline up-to-date. You can stop gathering data at any time.
- Client devices require a restart to fully enable all analytics.
Configure Endpoint analytics data collection in Configuration Manager
The Enable Endpoint analytics data collection client setting allows your managed endpoints to send data necessary for Endpoint analytics to your site server. This setting doesn't control whether data gets uploaded to the Microsoft Intune admin center.
The Enable Endpoint analytics data collection setting is enabled by default for devices targeted by only the default client settings. If you're upgrading to version 2006 from Configuration Manager version 1910 or prior, the Endpoint analytics data collection policy is enabled in your custom client settings upon upgrade. You can enable or disable data collection by following the instructions:
- In the Configuration Manager console, go to Administration > Client Settings > Default Client Settings.
- Right-click and select Properties then select the Computer Agent settings.
- Set Enable Endpoint analytics data collection to Yes to configure devices for local data collection. Set to No to disable local data collection.
You can also modify the Enable Endpoint analytics data collection policy in custom client settings to configure a specific set of devices for local data collection. Don't forget to deploy or re-deploy your custom client setting after making changes.
Important
If you have an existing custom client agent setting that's been deployed to your devices, you'll need to update the Enable Endpoint analytics data collection option in that custom setting and select Ok for it to take effect.
View the Overview page
You can't see your data immediately. The data needs to be gathered and the results calculated. For startup performance, the device needs to have been restarted at least once. After your data is ready, information is updated on the Overview page, and is explained here in more detail:
The Endpoint analytics score is a weighted average of the Startup performance, Application reliability, and Work from anywhere scores.
You can compare your current score to other scores by setting a baseline.
- There's a built-in baseline for All organizations (median) to see how you compare to a typical enterprise. You can create new baselines based on your current metrics so you can track progress or view regressions over time. For more information, see baseline settings.
- Baseline markers are shown for your overall score and subscores. If any of the scores have regressed by more than the configurable threshold from the selected baseline, the score is displayed in red and the top-level score is flagged as needing attention.
- A status of insufficient data means you don't have enough devices reporting to provide a meaningful score. We currently require at least five devices.
Insights and recommendations is a prioritized list to improve your score. This list is filtered to the subnode's context when you navigate.