How to configure Desktop Analytics and more…

The purpose of this article is not only to do a Step by Step guide on how to setup Desktop analytics but also to add extra information that can be used for troubleshooting. Have a look at the Config Confirmation areas that follow each section.

Configuration Manager Prerequisites

  • Configuration Manager, version 1902 with update rollup (4500571) or later to support integration with Desktop Analytics.
  • Full Administrator role in Configuration Manager
  • Configuration Manager client version 1902 with update rollup (4500571) or later
  • Devices running Windows 7, Windows 8.1, or Windows 10 with latest Compatibility updates and Connected User Experiences and Telemetry service
  • Network connectivity from Configuration Manager Server and devices to the Microsoft public cloud endpoints.

Azure Prerequisites

  • An Active Global Azure Subscription, with Global Admin permissions to configure Desktop Analytics. Microsoft Accounts aren’t supported.
  • To access the Desktop Analytics portal after onboarding, you need:
    • Desktop Analytics Administrator role and Owner, or Contributor permissions on the resource group on the workspace.
  • To Create a Workspace in a new Resource Group
    • Owner, or Contributor and User Access Administrator permissions on the subscription.
  • Create or Use a Workspace in an existing Resource Group
    • Log Analytics Contributor and User Access Administrator permissions on the resource Group.

Licensing and costs

  • An active Global Azure Subscription to deploy resources like LogAnalytics workspace and LogAnalytics Solution for Desktop Analytics.
  • Users of the Devices enrolled in Desktop Analytics need one of the following licenses:
    • Windows 10 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
    • Windows 10 Education A3 or A5 (included in Microsoft 365 A3 or A5)
    • Windows Virtual Desktop Access E3 or E5
  • Devices enrolled in Desktop Analytics need a valid Configuration Manager license 

Desktop Analytics Portal Onboarding

Use this procedure to sign in to Desktop Analytics and configure it in your subscription. This procedure is a one-time process to set up Desktop Analytics for your organization.

You can start with the option in the console or directly start from MEMAC portal  where the console redirects you

Setup Desktop Analytics Page:
On Desktop Analytics blade in Microsoft Endpoint Manager admin center, login as a user with Global Admin permissions. Select Start

Service Agreement Page:
On the Accept service agreement page, review the service agreement, and select Accept.

Licensing and Costs Page:

On the Confirm your subscription page, toggle Yes for the supported subscription after verifying the list of required qualifying licenses are available or enabled. Select Next to continue.

Give users and apps access page:

Allow Desktop Analytics to manage Directory roles on your behalf:

  • Desktop Analytics automatically assigns the Workspace Owners the Desktop Analytics Administrator role. If those groups are already a Global Admin, there’s no change. If you chose not to toggle Yes for this option, Desktop Analytics still adds users as members of the security group. However, a Global Admin needs to manually assign the Desktop Analytics Administrator role for the users later.
  • Desktop Analytics pre-configures the Workspace Owners security group in Azure Active Directory to create and manage workspaces and deployment plans.

To add a user to the group, type their name or e-mail address in the Search by name or email address section. When finished, select Next.


Set up your workspace Page:

  • Select Azure subscription from the drop-down.
  • Existing Log Analytics workspaces are auto-published, If you are planning to use an existing Workspace select it and Skip the Add workspace step below.

Add workspace Step:

  • Enter a Workspace name.
  • Select the drop-down list to Select the Azure subscription name for this workspace, and choose the Azure subscription for this workspace.
  • Create a new Resource group or Use an existing one.
  • Select the Region from the list, and then select Add.

Set up your workspace Page:

Select a new or existing workspace, and then select Set as Desktop Analytics workspace.

Then select Continue in the Confirm and grant access dialog.

In the new browser tab, pick an account to use to sign in. Select the option to Consent on behalf of your organization and select Accept.

Note: This consent is to assign the MALogAnalyticsReader application to publish the Log Analytics Reader role for the workspace. This application role is required by Desktop Analytic

Back on the page to Set up your workspace, select Next.

What’s next page:

Make a note of the Commercial ID because you will need it when connecting MEMCM(SCCM) to Desktop Analytics, select Go to Desktop Analytics.

DA Config Confirmation

Once Desktop Analytics portal onboarding is completed successfully we create some apps and groups in Azure Tenant and deploy resources to Azure Subscription.

Deployments for Azure Tenant

  • Groups
  • Group Members

AAD Applications

  • Configuration Manager Microservice: Connects Configuration Manager with Desktop Analytics. This app has no access requirements.
  • MALogAnalyticsReader: Monitors your Azure Log Analytics workspace to ensure the daily snapshot has been copied successfully.
  • Desktop Analytics: Enables the Configuration Manager console to retrieve information of the deployment plan and device readiness status from Desktop Analytics.

Note: Office 365 client admin app in Azure AD is now the Desktop Analytics app and has the same function. For DA configuration is done after June 2020, you might not see this app at all in your Tenant and should not affect DA working and onboarding.

  • These apps are published or provisioned during the MEM portal onboarding of Desktop Analytics. If you need to provision these apps after completing setup, go to the Connected services pane. Select Configure users and apps access, and provision the apps from the drop-down.

Deployments for Azure Subscription

  • On Azure Portal, you can see the Log Analytics WorkSpace for Desktop Analytics and M365Analytics Solution created.
    • Microsoft365Analytics is a monitoring solution leveraged by Desktop Analytics services to typically collect log data in views. Desktop Analytics uses this solution to read and analyze collected data from the LogAnalytics workspace set for Desktop Analytics.
    • Log Analytics WorkSpace is an Azure resource and a container where data is collected, aggregated, and serves as an administrative boundary for Desktop Analytics.

The following Permission should be set on Workspace

Configuration Manager Onboarding

In the Configuration Manager console, go to the \Administration\Overview\Cloud Services\Azure Services. Select Configure Azure Services in the ribbon

On the Azure Services page of the Azure Services Wizard, configure the following settings:

  • Specify a Name for the object in Configuration Manager
  • Select Desktop Analytics from the list of available services
  • Select Next.

On the App page, select the appropriate Azure environment. Then select Browse for the web app.

Select Create to easily add an Azure AD app for the Desktop Analytics connection

Configure the following settings in the Create Server Application window:

  • Application Name: A friendly name for the app in Azure AD.
  • Home Page URL: This value isn’t used by Configuration Manager, but required by Azure AD. By default this value is: https://ConfigMgrService, this value should be unique so for the purpose of this article I have used https://ConfigMgrServiceDA
  • App ID URI: This value needs to be unique in your Azure AD tenant. It’s in the access token used by the Configuration Manager client to request access to the service. By default, this value is: https://ConfigMgrService, this value should be unique so for the purpose of this article I have used: https://ConfigMgrServiceDA
  • Secret Key validity period: Choose either 1 year or 2 years from the drop-down list. One year is the default value.

Select Sign in. After successfully authenticating to Azure, the page shows the Azure AD Tenant Name for reference.

Note: Complete this step as a Global Admin. These credentials aren’t saved by Configuration Manager. This person doesn’t require permissions in Configuration Manager.

Select OK to create the web app in Azure AD and close the Create Server Application dialog.

On the Server App dialog, Select WebApp with a Single click, select OK.

Then select Next on the App page of the Azure Services Wizard.

On the Diagnostic Data page, configure the following settings:

  • Commercial ID: This value should automatically populate with your organization’s ID
  • Windows 10 diagnostic data level: Select at least Optional
  • Allow Device Name in diagnostic data: Select Enable
  • Select Next.

The Available functionality page shows the Desktop Analytics functionality that’s available with the diagnostic data settings from the previous page in reference to the various Windows OS versions. Select Next.

On the Collections page, configure the following settings:

  • Display name: The Desktop Analytics portal displays this Configuration Manager connection using this name. For example, MEMCM Desktop Analytics.
  • Target collection: This collection includes all devices that Configuration Manager configures with your commercial ID and diagnostic data settings. It’s the full set of devices that Configuration Manager connects to the Desktop Analytics service.
  • Select specific collections to synchronize with Desktop Analytics: Select Add to include additional collections. These collections are available in the Desktop Analytics portal for grouping with deployment plans. Make sure to include pilot and pilot exclusion collections.
  • Devices in the target collection use a user-authenticated proxy for outbound communication: By default, this value is No. If needed in your environment, set to Yes.

These collections continue to sync as their membership changes. For example, your deployment plan uses a collection with a Windows 7 membership rule. As those devices upgrade to Windows 10, and Configuration Manager evaluates the collection membership, those devices drop out of the collection and deployment plan.

Click next and complete the wizard

CM Config Confirmation

  • Monitor the configuration of your devices for Desktop Analytics. In the Configuration Manager console, go to the Software Library workspace, expand the Desktop Analytics Servicing node, and select the Connection Health dashboard.

Web App Created during Configuration Manager Onboarding and it’s related permissions

Configuration Manager synchronizes your collections within 60 minutes of creating the connection. In the Desktop Analytics portal, go to Global Pilot, and see your Configuration Manager device collections. For manual collection updates to reflect changes, the SMS_SERVICE_CONNECTOR_M365AUploadWorker component first needs to synchronize.

Tenant Onboarding for Desktop Analytics in Configuration Manager can be tracked in M365ATenantUpdateInfoCloudSettingsWorker.log where M365ATenantUpdateInfoCloudSettingsWorker connects with Gateway Service endpoint location URL AccountOnboardingInfo and verifies Tenant ID and HierarchyId.

Authors