Troubleshoot Desktop Analytics
Use the details in this article to help you troubleshoot issues with Desktop Analytics integrated with Configuration Manager.
Many common issues are caused by missing prerequisites. First confirm the following configurations:
How to enable data sharing, which covers the following topics:
Internet endpoints to which clients need to connect
Proxy server authentication
Diagnostic data levels
Monitor connection health
Use the Connection Health dashboard in Configuration Manager to drill down into categories by device health. In the Configuration Manager console, go to the Software Library workspace, expand the Desktop Analytics Servicing node, and select the Connection Health dashboard.
For more information, see Monitor connection health.
The Configuration Manager connection to Desktop Analytics relies upon the service connection point. Any changes to this site system role may impact synchronization with the cloud service. For more information, see About the service connection point.
Starting in version 2002, if the Configuration Manager site fails to connect to required endpoints for a cloud service, it raises a critical status message ID 11488. When it can't connect to the service, the SMS_SERVICE_CONNECTOR component status changes to critical. View detailed status in the Component Status node of the Configuration Manager console.
For more information, see Log files for Desktop Analytics
To help troubleshoot Desktop Analytics, use the DesktopAnalyticsLogsCollector.ps1 tool from the Configuration Manager install directory. It runs some basic troubleshooting steps and collects the relevant logs into a single working directory. For more information, see Logs collector.
Enable verbose logging
- On the service connection point, go to the following registry key:
- Set the LoggingLevel value to
Microsoft Entra applications
Desktop Analytics adds the following applications to your Microsoft Entra ID:
Configuration Manager Microservice: Connects Configuration Manager with Desktop Analytics. This app has no access requirements.
MALogAnalyticsReader: Monitors your Azure Log Analytics workspace to ensure the daily snapshot has been copied successfully. For more information, see MALogAnalyticsReader application role.
Desktop Analytics: Enables Configuration Manager retrieval of deployment plan information and device readiness status from Desktop Analytics.
If you need to provision these apps after completing setup, go to the Connected services pane. Select Configure users and apps access, and provision the apps.
Microsoft Entra app for Configuration Manager. If you need to provision or troubleshoot connection issues after completing setup, see Create and import app for Configuration Manager. This app requires Write CM Collection Data and Read CM Collection Data on the Configuration Manager Service API.
Desktop Analytics supports multiple Configuration Manager hierarchies reporting to a single Microsoft Entra tenant. If you have multiple hierarchies in your environment configured with the same commercial ID, to share the Microsoft Entra tenant and Desktop Analytics instance use different apps for each hierarchy.
Create and import app for Configuration Manager
If you can't create the Microsoft Entra app for Configuration Manager from the Configure Azure Services wizard, or if you want to reuse an existing app, you need to manually create and import it. After completing the Initial onboarding on the Desktop Analytics portal, use the following steps:
Create app in Microsoft Entra ID
During this process, you'll need to note several values to use later. Open an app like Windows Notepad to paste in the values that you'll copy from the Azure Portal.
Open the Azure portal as a user with Global Admin permissions, go to Microsoft Entra ID, and select App registrations. Then select New registration.
In the Register an application pane, configure the following settings:
Name: A unique name that identifies the app, for example:
Supported account types: Leave this setting as the default option, Accounts in this organizational directory only
Redirect URI (optional): Leave this optional value blank.
Select Register to create the app.
In the properties of the new app, copy the Application (client) ID and Directory (tenant) ID. The values are GUIDs that are used to configure the Configuration Manager connection.
In the menu of the app properties, select Certificates & secrets, then select New client secret.
- Description: You can use any name for the secret or leave it blank.
- Expires: Specify an expiration duration that meets your business requirements.
Select Add. Immediately copy the client secret string Value and Expires. If you leave this pane, you can't retrieve the same secret again. You'll use these values later to configure the Configuration Manager connection.
Take note of the expiration date and make sure to Renew the secret key before its expiration. Secret key expiration can cause an interruption in access to the service.
In the menu of the app properties, select API permissions.
On the API permissions panel, select Add a permission.
In the Request API permissions panel, switch to APIs my organization uses.
Search for and select the Configuration Manager Microservice API.
Select the Application permissions type. Expand CmCollectionData, and select both of the following permissions: CMCollectionData.read and CMCollectionData.write.
Select Add permissions.
On the API permissions panel, select Grant admin consent for..., and then select Yes.
Import app in Configuration Manager
In the Configuration Manager console, go to the Administration workspace, expand Cloud Services, and select the Azure Services node. Select Configure Azure Services in the ribbon.
On the Azure Services page of the Azure Services Wizard, configure the following settings:
Specify a Name for the object in Configuration Manager.
Specify an optional Description to help you identify the service.
Select Desktop Analytics from the list of available services.
On the App page, select the appropriate Azure environment. Then select Import for the web app. Configure the following settings in the Import Apps window:
Microsoft Entra tenant Name: This name is how it's named in Configuration Manager
Microsoft Entra tenant ID: The Directory ID you copied from Microsoft Entra ID
Client ID: The Application ID you copied from the Microsoft Entra app
Secret Key: The key Value you copied from the Microsoft Entra app
Secret Key Expiry: The same expiration date of the key
App ID URI: This setting should automatically populate with the following value:
Select Verify, and then select OK to close the Import Apps window. Select Next on the App page of the Azure Services Wizard.
To continue the rest of the wizard on the Diagnostic Data page, see Connect to the service.
Troubleshoot app in Configuration Manager
If you're having problems creating or importing the app, first check SMSAdminUI.log for the specific error. Then check the following configurations:
You've successfully enrolled the tenant to the Desktop Analytics service. For more information, see How to set up Desktop Analytics.
All required endpoints are accessible. For more information, see Endpoints.
Make sure the user who signs in has the correct permissions. For more information, see Prerequisites.
Make sure that the user can sign in to Azure in general. This action determines if there are any general Microsoft Entra authentication issues.
Check status messages for the SMS_SERVICE_CONNECTOR component regarding the Desktop Analytics worker.
MALogAnalyticsReader application role
When you set up Desktop Analytics, you consent on behalf of your organization. This consent is to assign the MALogAnalyticsReader application the Log Analytics Reader role for the workspace. This application role is required by Desktop Analytics.
If there's a problem with this process during setup, use the following process to manually add this permission:
Go to the Azure portal, and select All resources. Select the workspace of type Log Analytics.
In the workspace menu, select Access control (IAM), select Add, and then select Add role assignment.
In the Add role assignment panel, configure the following settings:
Assign access to: User, group, or service principal
The portal shows a notification that it added the role assignment.
When you first setup Desktop Analytics, enroll new clients, or configure new deployment plans, the reports in Configuration Manager and the Desktop Analytics portal may not show complete data right away. It can take 2-3 days for the following steps to occur:
- Active devices send diagnostic data to the Desktop Analytics service
- The service processes the data
- The service synchronizes with your Configuration Manager site
When syncing device collections from your Configuration Manager hierarchy to Desktop Analytics, it can take up to one hour for those collections to appear in the Desktop Analytics portal. Similarly, when you create a deployment plan in Desktop Analytics, it can take up to one hour for the new collections associated with the deployment plan to appear in your Configuration Manager hierarchy. The primary sites create the collections, and the central administration site synchronizes with Desktop Analytics. Configuration Manager can take up to 24 hours to evaluate and update collection membership. To speed up this process, manually update the collection membership.
For manual collection updates to reflect changes, the SMS_SERVICE_CONNECTOR_M365ADeploymentPlanWorker component first needs to synchronize. It can take up to one hour for this process to run. For more information, see the M365ADeploymentPlanWorker.log.
Within the Desktop Analytics portal, there are two types of data: Administrator data and diagnostic data:
Administrator data refers to any changes you make to your workspace configuration. For example, when you change an asset's Upgrade Decision or Importance you're changing administrator data. These changes often have a compounding effect, as they can alter the readiness state of a device with the asset in question installed.
Diagnostic data refers to the system metadata uploaded from client devices to Microsoft. This data powers Desktop Analytics. It includes attributes such as device inventory, and feature update status.
By default, all data in the Desktop Analytics portal is automatically refreshed daily. This refresh includes changes in diagnostics data from two days ago and any changes that you make to the configuration (administrator data). It should be visible in your Desktop Analytics portal by 08:00 AM UTC each day.
When you make changes to administrator data, you can trigger an on-demand refresh of the administrator data in your workspace. From any page in the Desktop Analytics portal, open the data currency flyout:
Then select Apply changes:
This process generally takes between 15-60 minutes. The timing depends on the size of your workspace and the scope of the changes that need processes. When you request an on-demand data refresh, it doesn't result in any changes to diagnostic data. This option isn't available during service deployments. For more information, see the Desktop Analytics FAQ.
If you aren't seeing changes updated within the time frames indicated above, wait another 24 hours for the next daily refresh. If you see longer delays, check the service health dashboard. If the service reports as healthy, contact Microsoft support.
The Desktop Analytics portal can display notification banners to administrators. These notifications allow Microsoft to communicate with you about important events and issues. The following sections detail the notifications that you might see.
See what's new this month in Desktop Analytics
This informational notification makes you aware of changes to the service. For more information, see What's new in Desktop Analytics (
There are new prerequisites. To continue using Desktop Analytics, review the new requirements
This informational notification makes you aware of changes to the prerequisites. For example, a new internet endpoint or software update. For more information, see Prerequisites (
We're investigating an issue that impacts Desktop Analytics
This warning notification indicates that Microsoft is aware of an issue that impacts the Desktop Analytics service. The issue is typically with generating snapshots. When you see this notification, Microsoft is investigating the issue to determine the scope and source of impact. You don't need to contact Microsoft Support. For more information, see Data flow.
We're investigating an issue with data latency. If you enrolled new devices or changed any assets in the last 24 hours, they may not appear right away
This warning notification indicates that Microsoft is aware of an issue that impacts the Desktop Analytics service. Microsoft continuously monitors the service to confirm that all components update snapshots at the correct times. During this monitoring, one of these components didn't complete as expected. When you see this notification, Microsoft is investigating the issue. You don't need to contact Microsoft Support. For more information, see Data flow.
We've resolved a temporary issue with data latency. Daily refresh of portal data is delayed
This notification lets you know that there was an issue with data latency. The service is still processing the snapshot, and the refresh of data is delayed. For more information, see Data latency.
We've resolved an issue with data latency. If you enrolled new devices or changed any assets in the last 24 hours, they may not appear right away
This notification lets you know that Microsoft resolved a previously reported issue with data latency. You may see stale data for tomorrow's snapshot. If you enrolled devices or made device configuration changes in the last 24 hours, you won't see them right away in the portal. You can continue to use Desktop Analytics to categorize assets and prepare deployment plans. These actions can use data from the previous snapshot.
We've resolved an issue with Desktop Analytics. Daily refresh of the portal data is on track
This notification lets you know that Microsoft identified a snapshot component that stopped working during processing. Microsoft restarted the component, which will take time to process the snapshot. Microsoft continuously monitors the service to confirm that all components update snapshots at the correct times.