
⚙️🪟💻CP - Reporting & Updates - Diagnostic Data

What this policy is about 📊

Sets the diagnostic data floor. The minimum telemetry level Microsoft needs to feed the rest of the update / reporting / driver story.

Not about "letting Microsoft collect more data". About making sure the things you've already chosen to use (Update Ring rollout signals, Driver Update profiles, WUfB Reports, Endpoint Analytics) actually function. Each of those requires at least Required diagnostic data. Configure this once, correctly, and stop fighting the floor. 🪜


Why this matters 🎭

Microsoft has slowly moved every interesting Intune update / reporting feature behind the diagnostic data wall. As of late 2025 the gate is:

  • Off / Security: WUfB Reports won't onboard. Driver Update profiles won't show inventory. Endpoint Analytics shows nothing useful. Defender for Endpoint gives you partial signal. Basically: you've built a beautiful dashboard out of empty cells. 🪨
  • Required: Everything in the Intune update + driver + endpoint analytics surface works. This is the floor.
  • Enhanced / Optional: Adds richer telemetry that mostly helps Microsoft, not you.

Setting telemetry below Required on a managed fleet means you've explicitly chosen not to have working update reporting. That's a defensible choice in privacy-sensitive contexts, but it should be a deliberate one, not a default. For MKB on Business Premium with managed devices, the trade-off favors Required. The data leaves the tenant in aggregate. The operational visibility comes back in concrete reporting. 🤝


🛠️ Configuration Settings

Applied via Settings Catalog → System category. Device scope.

| Setting | Value | Why |
| --- | --- | --- |
| Allow Diagnostic Data (System/AllowTelemetry) | Send required diagnostic data (value 1) | The floor for WUfB Reports, Driver Update inventory, Endpoint Analytics, and the modern update / hardware health surface in Intune. Below this and those features go dark. |
| Configure Telemetry Opt In Change Notification (System/ConfigureTelemetryOptInChangeNotification) | Disable telemetry opt-in change notifications (value 1) | Stops Windows from prompting the user to change the diagnostic level when a feature update lands. The policy value should be the value, not a starting suggestion the user can override. |
| Configure Telemetry Opt In Settings UX (System/ConfigureTelemetryOptInSettingsUx) | Disable Telemetry opt-in Settings (value 1) | Removes the diagnostic data toggle from the Settings UI. Same reasoning. Policy-set values shouldn't be silently downgradable by end users. |
| Allow Device Name in Diagnostic Data (System/AllowDeviceNameInDiagnosticData) | Allowed (value 1) | Without this, WUfB Reports shows anonymous device IDs in dashboards. With it, the same dashboards show real device names. Operationally critical for "which laptop is stuck on KB5048667?" type questions. |
| Limit Enhanced Diagnostic Data to Minimum Required by Analytics (System/LimitEnhancedDiagnosticDataWindowsAnalytics) | Enabled (value 1) | Belt-and-suspenders. If something on the device asks for Enhanced telemetry, this caps it at "only what Analytics needs." Prevents accidental verbose telemetry from third-party tooling. |

These five settings together produce the minimum diagnostic configuration where every Microsoft-side reporting and update feature works, the user can't accidentally turn it down, and device names appear in dashboards.


Caveats ⚠️

License fit. Standard Settings Catalog System namespace settings on Windows 11 Pro/Business with M365 Business Premium. No tier-up needed.

Edition floor. Windows 11 Pro/Business cannot be configured below Required via policy. The Security-only level (value 0) is reserved for Enterprise/Education editions. Setting 0 on Pro/Business results in Windows silently using Required (1) anyway. So Required is the realistic floor regardless of policy intent. 🤷

Privacy framing for end users. If a tenant asks "what is being sent?", the straight answer for Required is: hardware identifiers (device name with this policy), Windows version, app crash reports, basic feature usage. No file contents, no keystrokes, no clipboard, no browsing data. The Microsoft Privacy Statement lists the categories precisely. Cite the source rather than paraphrasing from memory in customer-facing comms. 📄

Reversibility. These settings write to the System/* CSP under ./Device/Vendor/MSFT/Policy/Config/System/… and they tattoo. Removing a device from this profile does not roll the values back to "not configured." That's fine in practice because there's no operational scenario where you'd want to un-set diagnostic data on a managed device. It does mean a device leaving MDM keeps these values until something explicitly rewrites them.

Off is gone. As of Windows 11 24H2, the Off (value 0) diagnostic data setting on consumer editions has been removed entirely. The floor in current Windows is Required. If you have a tenant still trying to send Off from a stale GPO, that GPO is doing absolutely nothing. Chef's kiss 👨‍🍳💋 for Microsoft for finally killing it.


💡 SuperVision tip

Baseline policy. Golden Master → Windows → Configuration Profiles → Reporting & Updates → Diagnostic Data. Assigned to All Devices. No device-class carve-outs. The Required telemetry floor is the prerequisite for every downstream update / reporting feature, so excluding kiosks/IoT/W365 Boot just breaks their update visibility too. Self-own.

Tag candidates: none. This is infrastructure, not a tenant preference. Customers who want lower telemetry want it for an actual privacy reason, which is a contractual / written conversation, not a tag.

Drift detection. Worth checking quarterly. The most common drift cause is a previous-MDM GPO or a third-party "privacy" tool flipping AllowTelemetry back to 0. Easy to catch in WUfB Reports. Devices that suddenly stop reporting inventory are usually devices where someone re-disabled telemetry.
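One way to run that drift check on a single device, as an added example that is not part of the original policy documentation. It assumes MDM-delivered values are mirrored in the registry under HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\System and that a leftover GPO writes AllowTelemetry under HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection; the function names are hypothetical.

```powershell
# Added example: local drift check for the five System/* values in this baseline.
# Assumption: MDM-delivered values are mirrored under the PolicyManager key and
# Group Policy writes AllowTelemetry under the DataCollection key.
$MdmKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\System'
$GpoKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'

# Expected values, taken from the settings table (every setting is value 1).
$Baseline = [ordered]@{
    AllowTelemetry                              = 1
    ConfigureTelemetryOptInChangeNotification   = 1
    ConfigureTelemetryOptInSettingsUx           = 1
    AllowDeviceNameInDiagnosticData             = 1
    LimitEnhancedDiagnosticDataWindowsAnalytics = 1
}

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-DiagnosticDataBaseline {
    $results = foreach ($name in $Baseline.Keys) {
        $actual = Get-RegistryValueOrNull -Path $MdmKey -Name $name
        [pscustomobject]@{
            Source    = 'MDM'
            Setting   = $name
            Expected  = $Baseline[$name]
            Actual    = if ($null -eq $actual) { 'not set' } else { $actual }
            Compliant = ($actual -eq $Baseline[$name])
        }
    }
    # A leftover GPO or third-party tool setting AllowTelemetry to 0 is the
    # drift cause named above; report it separately so the conflict is visible.
    $gpo = Get-RegistryValueOrNull -Path $GpoKey -Name 'AllowTelemetry'
    $results += [pscustomobject]@{
        Source    = 'GPO'
        Setting   = 'AllowTelemetry'
        Expected  = 'not set or >= 1'
        Actual    = if ($null -eq $gpo) { 'not set' } else { $gpo }
        Compliant = ($null -eq $gpo -or $gpo -ge 1)
    }
    return $results
}

Test-DiagnosticDataBaseline | Format-Table -AutoSize
```

Any row with Compliant = False points at the setting to investigate; a non-compliant GPO row alongside a compliant MDM row is the signature of a stale policy source fighting the Intune profile.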

Prerequisite for several other docs. This policy is a hard prerequisite for:

Deploy this before the rings produce reportable signal. Otherwise the reports stay empty and you spend an afternoon wondering why. 🕵️

Multi-tenant scaling. Identical across every customer.


👥 Group Assignments

✅ Included groups:

  • All Devices

❌ Excluded groups:

None. Required diagnostic data is the floor for WUfB Reports, Driver Update inventory, and Endpoint Analytics on every device class. Excluding kiosks or IoT here just makes them invisible in the same reports that need to surface their update state. If a customer contract genuinely requires lower telemetry on a specific device class, configure that per tenant. Not as a Golden Master blanket exclusion.


Standardize like a pro. Configure with intent. And remember: the choice is not "telemetry on or off". It's "operational visibility on, or operational visibility off." 🔭