In this post, I will show you the steps to configure Windows diagnostic data using Intune. Windows diagnostic data is used by Microsoft to keep Windows secure and up to date, troubleshoot reliability issues, and improve product quality. In enterprise scenarios, diagnostic data is also a dependency for several Microsoft services and reports. For example, Windows Update for Business (WUfB) reports require the diagnostic data level to be set to at least Required (Basic).
In Windows 10 versions 1903 and earlier, diagnostic data could be set to Basic, Enhanced, or Full. Microsoft simplified this in later versions of Windows and replaced it with Diagnostic data off, Required, and Optional.
It is important to note that managing Windows driver updates with Intune requires telemetry to be enabled with at least the Required diagnostic data level. In the following sections, we will explore different methods for configuring the telemetry or diagnostic data level on both Windows 10 and Windows 11 devices using Intune.
If diagnostic data is set too low, you can see gaps such as devices not appearing (or appearing anonymously) in Windows Update for Business reports, and reduced insight into update health and troubleshooting scenarios.
Diagnostic data levels and what they mean
The table below shows the current naming convention for the diagnostic data and its corresponding legacy name with the value you can set via the policy to configure it.
| Display name | Legacy name | Value |
|---|---|---|
| Diagnostic data off (Security) | Security | 0 |
| Required | Basic | 1 |
| Enhanced | Enhanced | 2 |
| Optional | Full | 3 |
Setting 0 (Security) is only supported on specific editions (Enterprise, Education, Server, and some IoT variants). If you attempt to set 0 on unsupported editions, Windows treats it as 1 (Required/Basic).
Best Practices
- Prefer Settings catalog over other templates: Intune Settings catalog is Microsoft’s preferred way to deploy most modern Windows policy settings. Use templates (like device restrictions) only when you specifically need them for legacy reasons or in line with an existing implementation approach.
- Set a portfolio baseline of Required (1): For most organizations, Required (1) is the best baseline. It meets common service dependencies while minimizing data compared to Optional (3). Microsoft’s recommendation for Windows Update for Business (WUfB) reports explicitly states that Required (1) is the minimum and can be safely set higher if required.
- Prevent users from lowering diagnostic data: On Windows 10 (1803+) users can potentially change diagnostic data to a more restrictive value unless you disable the opt-in UX. Use ConfigureTelemetryOptInSettingsUx = 1 (Disable Telemetry opt-in Settings).
- If you use Windows Update for Business reports, enable device naming: If device names are not allowed in diagnostic data, reports can show anonymized devices (for example, “#”) rather than actual device names. Microsoft recommends enabling device name transmission for report usability. Use AllowDeviceNameInDiagnosticData = 1 to allow the device name in diagnostic data.
- Align tenant-level “Windows data” configuration (Optional): Some Intune features and reporting that rely on Windows diagnostic data require tenant-level configuration and license attestation (Windows E3 or equivalent). This is managed under Tenant administration > Connectors and tokens > Windows data.
Prerequisites
- Devices are enrolled in Intune, and the OS is supported.
- Network allows required diagnostic endpoints such as *.events.data.microsoft.com and settings-win.data.microsoft.com.
Check Current Diagnostic Data Setting
Using Settings UI:
- On a Windows 10 device: Go to Settings > Privacy > Diagnostic & feedback.
- On a Windows 11 device: Go to Settings > Privacy & Security > Diagnostic & feedback.
Using registry:
- HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection.
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection.
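The registry check above, scripted as an added example (not part of the original post): it reads the AllowTelemetry value from both keys and compares it with a minimum level. The function name, the MinimumLevel parameter, and the output property names are assumptions made for this example.

```powershell
# Added example, not from the original post.
# Reads AllowTelemetry from the two registry keys listed above and reports
# whether each location meets a minimum diagnostic data level.
function Get-DiagnosticDataLevel {
    [CmdletBinding()]
    param(
        # Minimum acceptable level; 1 (Required) is the baseline the post recommends.
        [ValidateRange(0, 3)]
        [int]$MinimumLevel = 1
    )

    # Value -> "display name (legacy name)", taken from the table in this post.
    $levelNames = @{
        0 = 'Diagnostic data off (Security)'
        1 = 'Required (Basic)'
        2 = 'Enhanced (Enhanced)'
        3 = 'Optional (Full)'
    }

    $keys = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection'
    )

    # The edition matters because 0 is only honored on some editions.
    $edition = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID

    foreach ($key in $keys) {
        # A missing key or value means nothing is configured at that location.
        $value = (Get-ItemProperty -Path $key -Name AllowTelemetry -ErrorAction SilentlyContinue).AllowTelemetry

        $level = if ($null -eq $value) { 'Not configured' }
                 elseif ($levelNames.ContainsKey([int]$value)) { $levelNames[[int]$value] }
                 else { "Unknown ($value)" }

        [pscustomobject]@{
            RegistryKey    = $key
            AllowTelemetry = $value
            Level          = $level
            MeetsBaseline  = ($null -ne $value) -and ($value -ge $MinimumLevel)
            # Per the post, unsupported editions treat 0 as 1 (Required).
            Note           = if ($value -eq 0) { "EditionID is '$edition'; 0 is treated as 1 on unsupported editions" } else { $null }
        }
    }
}

Get-DiagnosticDataLevel | Format-List
```

Run it in an elevated or standard PowerShell session on the device; a row showing "Not configured" means no AllowTelemetry value exists at that key.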
Method 1: Configure Diagnostic Data via Settings Catalog
Settings catalog provides the cleanest, most maintainable approach and makes it easy to configure the diagnostic data settings for Windows devices.
- Sign in to the Intune Admin Center > Devices > Configuration > + Create > New Policy.
- Select Platform type as Windows 10 and later. Select Profile type as Settings Catalog.
- Click on Create.

- On the Basics tab, provide a name and description of the policy. Click Next.
- On the Configuration settings tab, click + Add settings. In the Settings picker, search for allow telemetry. Click on the System category and select Allow Telemetry.

- Set to Basic/Required (1) for baseline, or Full/Optional (3) if you have a justified requirement.

Apart from configuring the AllowTelemetry setting, you can optionally add controls to prevent user overrides and enable device naming, as outlined in best practices. Where applicable, use the following settings:
- Configure Telemetry Opt-In Change Notification: Set this to 1 to disable telemetry change notifications if you prefer not to display UX prompts to users.
- Configure Telemetry Opt-In Settings UX: Set this to 1 to prevent users from changing telemetry settings in the Windows Settings app.
- Allow device name to be sent in Windows diagnostic data: Set this to Allowed (1) if you use Windows Update for Business reports.
Method 2: Configure Diagnostic Data via Device Restrictions Template
Device restrictions can set diagnostic data, but it is less flexible than Settings catalog if you also want to control user override behavior and reporting-related settings in a single profile.
- Sign in to the Intune admin center > Devices > Configuration > + Create > New Policy.
- Select Platform as Windows 10 and later. Profile type: Templates
- Template Name: Device Restrictions
- Basics Tab: Provide a name and description of the policy.
- Configuration settings: Locate the Reporting and Telemetry section in the list of categories and select the Share usage data option as per your requirement. For demonstration, I will select Required.

Method 3: Configure Diagnostic Data via OMA-URI
OMA-URI is useful when you need explicit CSP targeting, you want to deploy a scriptable baseline, or you need settings not exposed in your current UI flow.
- Go to Intune admin center > Devices > Configuration > + Create > New policy.
- Platform: Windows 10 and later. Profile type: Templates > Custom.
- Add each OMA-URI setting (given below), assign, and monitor.
| Setting | OMA-URI | Data type | Recommended value |
|---|---|---|---|
| Diagnostic data level | ./Vendor/MSFT/Policy/Config/System/AllowTelemetry | Integer | 1 (baseline) |
| Disable user opt-in UX | ./Vendor/MSFT/Policy/Config/System/ConfigureTelemetryOptInSettingsUx | Integer | 1 |
| Allow device name in diagnostic data | ./Vendor/MSFT/Policy/Config/System/AllowDeviceNameInDiagnosticData | Integer | 1 |
OMA-URI setting (AllowTelemetry)
./Device/Vendor/MSFT/Policy/Config/System/AllowTelemetry
| Telemetry Level / Diagnostic Data Level (./Vendor/MSFT/Policy/Config/System/AllowTelemetry) | Value |
|---|---|
| Turn off Diagnostic data (Not Recommended) [Only supported on Enterprise, Education, and Server Editions] | 0 |
| Required (Default) [Minimum diagnostic data necessary to keep Windows secure and up to date] | 1 |
| Optional | 3 |

End User Experience
After the Intune policy is assigned to the target Entra group of users or devices, the diagnostic data level is set according to the policy configuration. I tested this by setting the diagnostic data level to Required, and it was applied successfully to the target devices.

Troubleshooting
- Policy applies but users can still change diagnostic settings: This usually means the diagnostic level was set but the opt-in UX was not disabled. Configure: ConfigureTelemetryOptInSettingsUx = 1.
- You set “Security (0)” but the device shows “Required”: That is expected on unsupported editions. Windows treats 0 as 1 unless the device edition supports Security level telemetry.
- Devices missing or anonymized in Windows Update for Business reports: Set AllowTelemetry to 1 or higher and AllowDeviceNameInDiagnosticData = 1. Also ensure users cannot lower diagnostic data below your configured setting by using ConfigureTelemetryOptInSettingsUx.
FAQs
How to disable telemetry in Windows 10 and Windows 11?
Microsoft does not recommend disabling diagnostic data completely. Even when you attempt to set “off (Security)”, it is only supported on specific editions, and many enterprise reporting and servicing scenarios require at least Required diagnostic data.
What should I deploy as a standard baseline?
For most environments:
- AllowTelemetry = 1 (Required)
- ConfigureTelemetryOptInSettingsUx = 1 (prevent user override)
- AllowDeviceNameInDiagnosticData = 1 (if using WUfB reports)
What’s the difference between telemetry levels?
Required: Required diagnostic data, formerly known as basic diagnostic data, collects a limited but essential set of information to understand the device and its configuration. This includes device attributes such as display type, camera information, battery details, processor specifications, memory architecture, and more. You can find additional details at the following link: Required diagnostic data.
Optional: Optional diagnostic data goes beyond the basic level and provides additional information about the device and its settings. This can include details such as device usage patterns, enhanced error reporting, and, in some cases, information related to browsing activity. For a more detailed explanation, refer to the link: Optional diagnostic data.
Diagnostic data off: Enabling this setting disables the sharing of diagnostic and telemetry data from the device to Microsoft.
Conclusion
Use Settings catalog to deploy a consistent diagnostic data baseline, and treat “diagnostic level” and “user override controls” as a single configuration objective. This approach keeps Windows compliant with enterprise reporting dependencies while avoiding common gaps caused by user overrides and incomplete report enrollment settings.
