Introduction

Welcome! Since I’ve been working with a number of clients using Windows Analytics, I thought I would share some tips on getting up and running and make sense of all the ways it can be configured. This blog series reviews the strategy and steps I have used to configure device telemetry for Windows Analytics with various organizations. And to add a twist, I’ve decided to break with my tradition of making mega blog articles and break this one up into the following posts.

Before we get into the technical weeds I’d like to take a moment to say that I have been busy helping organizations implement and assess their environment using this toolset for a variety of initiatives. This tool has been great in getting insights for organizations making the journey to Windows 10 but it also lives on as a tool to help you navigate the world of Windows as a Service.

No tool I have found for assessing application compatibility, software inventory and hardware inventory is perfect, but considering that the base product is included with your Windows license, you get a fair bit of information about your environment for a free solution. I find that once I get the solution deployed across the organization there is something of value for every customer, so try to approach this with an open mind.

To sum it up, Windows Analytics is a collection of Azure Log Analytics solutions that process and analyze telemetry from Windows clients. The high-level architecture can be envisioned as follows:

  1. Client computers with the correct compatibility KB are configured to report data to Windows Analytics
  2. The Microsoft Data Management Service runs in secure data centers and collects the telemetry data sent to this service
  3. The Upgrade Readiness service processes the telemetry data
  4. On a nightly basis, the Azure Log Analytics workspace receives data from the Upgrade Readiness Service
  5. Using solutions provisioned to the Azure Log Analytics workspace the administrators can view various aspects of the telemetry to help with activities such as Windows Servicing

Prerequisites

Azure Log Analytics

Usually, I avoid using an existing Azure Log Analytics workspace for Windows Analytics. What I find is that most workspaces are being used for server management, DevOps or application-specific logging. I find that it is worthwhile to give some thought to how you envision the usage of Azure Log Analytics in your organization. I could go down a rabbit hole with this one because you can add other data sources to the workspace, but I suggest keeping it simple and only having one workspace for Windows Analytics in your tenant.

I’ll illustrate what is needed to deploy Azure Log Analytics in the next blog article and I would suggest reading that to help visualize the overall implementation before you start making design decisions.

Group Policy

In some environments, I’ve had conflicts with Group Policy settings, so before going down the path of implementing anything I highly recommend that you check for and are aware of what has been set in your environment. Under Computer Configuration, open Administrative Templates, Windows Components, then Data Collection and Preview Builds.

Note anything that is enabled especially the following settings:

  • Allow device name to be sent in diagnostic data
  • Allow Telemetry
  • Configure the Commercial ID
  • Configure collection of browsing data for Microsoft 365 Analytics
  • Configure Microsoft 365 Update Readiness upload endpoint
  • Configure Authenticated Proxy usage for Connected User Experience and Telemetry Service

SCCM Policy

Next, if you are using SCCM, check whether a client policy is configuring Windows Analytics.

Outbound Firewall/Proxy Configuration

Use the following guide to determine which endpoints need to be whitelisted in your organization.

Purpose: Windows Analytics

| Endpoint | Function |
| --- | --- |
| https://v10c.events.data.microsoft.com | Connected User Experience and Diagnostic component endpoint for use with devices running Windows 10, version 1803 or later that also have the 2018-09 Cumulative Update (KB4458469, KB4457136, KB4457141) or later installed |
| https://v10.events.data.microsoft.com | Connected User Experience and Diagnostic component endpoint for use with Windows 10, version 1803 without the 2018-09 Cumulative Update installed |
| https://v10.vortex-win.data.microsoft.com | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1709 or earlier |
| https://vortex-win.data.microsoft.com | Connected User Experience and Diagnostic component endpoint for operating systems older than Windows 10 |
| https://settings-win.data.microsoft.com | Enables the compatibility update to send data to Microsoft. |
| http://adl.windows.com | Allows the compatibility update to receive the latest compatibility data from Microsoft. |

Purpose: Device Health

| Endpoint | Function |
| --- | --- |
| https://oca.telemetry.microsoft.com | Online Crash Analysis; required for Device Health reports. Not used by Upgrade Readiness or Update Compliance AV reports. |
| https://login.live.com | This endpoint is required by Device Health to ensure data integrity and provides a more reliable device identity for all of the Windows Analytics solutions on Windows 10. If you want to disable end-user managed service account (MSA) access, you should apply the appropriate policy instead of blocking this endpoint. |

Purpose: Device Health and Windows Error Reporting

| Endpoint | Function |
| --- | --- |
| https://www.msftncsi.com | Windows Error Reporting (WER); required for Device Health to check connectivity |
| https://www.msftconnecttest.com | Windows Error Reporting (WER); required for Device Health to check connectivity |
| https://watson.telemetry.microsoft.com | Windows Error Reporting (WER); required for Device Health reports. Not used by Upgrade Readiness or Update Compliance AV reports. |
| https://ceuswatcab01.blob.core.windows.net | Windows Error Reporting (WER); required for Device Health reports in Windows 10, version 1809 or later. Not used by Upgrade Readiness or Update Compliance AV reports. |
| https://ceuswatcab02.blob.core.windows.net | Windows Error Reporting (WER); required for Device Health reports in Windows 10, version 1809 or later. Not used by Upgrade Readiness or Update Compliance AV reports. |
| https://eaus2watcab01.blob.core.windows.net | Windows Error Reporting (WER); required for Device Health reports in Windows 10, version 1809 or later. Not used by Upgrade Readiness or Update Compliance AV reports. |
| https://eaus2watcab02.blob.core.windows.net | Windows Error Reporting (WER); required for Device Health reports in Windows 10, version 1809 or later. Not used by Upgrade Readiness or Update Compliance AV reports. |
| https://weus2watcab01.blob.core.windows.net | Windows Error Reporting (WER); required for Device Health reports in Windows 10, version 1809 or later. Not used by Upgrade Readiness or Update Compliance AV reports. |
| https://weus2watcab02.blob.core.windows.net | Windows Error Reporting (WER); required for Device Health reports in Windows 10, version 1809 or later. Not used by Upgrade Readiness or Update Compliance AV reports. |
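
The Group Policy and firewall checks described above can be run as a pre-flight script on a pilot client. This is an added example, not part of the original post: the function names are hypothetical, the registry key is the location where the Data Collection and Preview Builds policies are stored, and the endpoint list is a subset of the tables above.

```powershell
# Added example (not from the original post). Function names are hypothetical.
# Policies under "Data Collection and Preview Builds" are stored in this key.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'

# Subset of the endpoints listed in the tables above.
$Endpoints = @(
    'https://v10c.events.data.microsoft.com'
    'https://v10.events.data.microsoft.com'
    'https://v10.vortex-win.data.microsoft.com'
    'https://vortex-win.data.microsoft.com'
    'https://settings-win.data.microsoft.com'
    'http://adl.windows.com'
    'https://oca.telemetry.microsoft.com'
    'https://login.live.com'
    'https://watson.telemetry.microsoft.com'
)

function Get-DataCollectionPolicy {
    param([string]$Path = $PolicyKey)
    # No key means no Data Collection policy has been applied to this device.
    if (-not (Test-Path -Path $Path)) { return }
    $key = Get-Item -Path $Path
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{
            Name  = $name
            Kind  = $key.GetValueKind($name)
            Value = $key.GetValue($name)
        }
    }
}

function Test-AnalyticsEndpoint {
    param([string[]]$Url = $Endpoints)
    foreach ($u in $Url) {
        $uri = [uri]$u   # Port defaults to 443 for https and 80 for http
        $result = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Host      = $uri.Host
            Port      = $uri.Port
            Resolved  = [bool]$result.RemoteAddress
            Reachable = $result.TcpTestSucceeded
        }
    }
}

Get-DataCollectionPolicy | Format-Table -AutoSize
Test-AnalyticsEndpoint | Format-Table -AutoSize
```

Test-NetConnection opens a direct TCP connection, so it confirms DNS resolution and outbound firewall rules but does not exercise an authenticated proxy. The cmdlet requires Windows 8.1 or later.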

Windows Client Requirements

Each endpoint will need to meet the following requirements in order to support the collection and transmission of telemetry data for Windows Analytics.

| OS | Requirements |
| --- | --- |
| Windows 10 | No action needed, Windows 10 comes with the necessary sensors to deliver the required telemetry data. |
| Windows 8.1 | The following KB must be deployed. Compatibility update for keeping Windows up-to-date in Windows 8.1 https://support.microsoft.com/kb/2976978. |
| Windows 7 SP1 | The following KB must be deployed. Compatibility update for keeping Windows up-to-date in Windows 7 https://support.microsoft.com/kb/2952664. |

Licensing

For Upgrade Readiness, the solution is covered under your standard Windows license; however, not everything I am about to configure is covered by this license.

Device Health

  • Windows 10 Enterprise or Windows 10 Education per-device with active Software Assurance
  • Windows 10 Enterprise E3 or E5 per-device or per-user subscription (including Microsoft 365 F1, E3, or E5)
  • Windows 10 Education A3 or A5 (including Microsoft 365 Education A3 or A5)
  • Windows VDA E3 or E5 per-device or per-user subscription

Update Compliance

  • Windows Defender
    • Windows E3 license
    • Cloud protection must be enabled

Organizations with a Windows E5 license should have Windows Defender ATP deployed and be looking for similar data in the Windows Defender ATP portal.

Part 1 Conclusion

As you can see there is a fair bit of work to do before you begin but I recommend going through the motions before proceeding to any of the implementation steps. Next, I’ll go into Azure Log Analytics in more detail and show you the steps necessary to get the backend up and running.