Mar 03 2021 02:25 PM - edited Mar 22 2021 03:01 PM
Mar 03 2021 02:25 PM - edited Mar 22 2021 03:01 PM
Hi everyone, the Microsoft 365 Apps Rangers would like to share some tips & tricks with you on our latest set of features released to the Apps Admin Center. No idea what we’re talking about? Take a minute and review the Road map to modern management for Microsoft 365 Apps. This article will highlight how you can benefit from these new features (Apps health, Inventory, Servicing Profiles and Monthly Enterprise Channel). Takes just 5 minutes!
When you enable the new inventory feature (preview) and start getting insights across all the Microsoft 365 Apps installed and connected to your tenant, you might run into scenarios where some devices do not appear in the portal. Below you will find the two most common root causes for devices not showing up in inventory and steps on how you can resolve them:
This post will walk you through the steps to identify and fix these issues. We will do our best to update and expand this post as issues are identified.
Step 1 - Identify devices that are running an outdated build of the Microsoft 365 Apps
First things first: we need to check if your devices are running a version of the Microsoft 365 Apps that supports the new features in Apps Admin Center. This is a prerequisite for onboarding devices to the new service. The Microsoft 365 Apps need to be running version 2008 (16.0.13127.21064) or higher. Here are the steps:
When this step is completed, all devices should be running on version 2008 or newer. Within a few hours they should start registering with the new service and appearing in inventory.
Step 2 - Identify devices that have not onboarded with Apps Admin Center
The next step is to identify devices that meet the minimum app version requirement, but failed at one of the following stages:
The net result of both issues is that the devices are not visible in the Apps Admin Center.
The Ranger team has crafted a configuration baseline for Microsoft Endpoint Configuration Manager to help automate the detection and remediation of these issues. The content is provided AS-IS and is hosted on GitHub for your reference. To leverage the baseline, proceed as follows:
The remediation script will stamp the Tenant Association Key into the registry, which acts as a token to make the connection to your tenant. This will mitigate any issues which are rooted in the device’s inability to fetch the key for itself.
With the next launch of an Office application, the onboarding process should kick off and the device should become visible in inventory within the next few hours.
We value your feedback as you use the Apps Admin Center and if you wish, you can use the feedback tool in Apps Admin Center to provide feedback directly to the team working on the different features. Optionally you can also add your email address to the feedback, so the team can get in contact with you.
At the time of writing this post, the Apps Admin Center features (Apps health, inventory, and Servicing Profiles) are in Public Preview, so things might change over time. We will try to keep this post as current as possible. We are happy to answer any questions or take your feedback in the comments below.
The Ranger team is a small team of die-hard experts when it comes to deploying, servicing and managing Microsoft 365 Apps. The above guidance is based on our experience working during the Preview phase with the new products and is provided as-is.
In addition to this information, we have an Ignite session available for viewing that walks through the device onboarding process in greater detail. For more information about this session and our other content check out aka.ms/IgniteAACLinks.
Mar 16 2021 09:30 AM
Mar 16 2021 03:40 PMSolution
Great question and attention to detail. This behavior is intended. The TAK should exist under the cloud key. If Serviceability Manager is unable to pull the TAK and write it to this location we fallback to the GPO key. This is why the script remediation writes to the GPO location. If you attempt to manually write the TAK to the cloud key it will be overwritten during the next checkin. TAK delivery will be receiving some fixes in a future release to address this.
In addition, the baseline has been updated to address the TAK CI. The detection logic now properly checks both registry keys for the TAK. Previously it was only looking at the cloud key, resulting in the CI remaining non-compliant.
Mar 16 2021 05:22 PM
Mar 16 2021 05:54 PM
There is a decimal point towards the end of the string with another set of characters following. Do the keys match up to this point?
We are currently using TechCommunity to discuss the new preview features, so feel free to continue the discussion here.
Mar 17 2021 07:14 AM
Mar 17 2021 09:46 AM
With regards to onboarding, the TAK is only used to identify the tenant. If you are in a scenario where the TAK is not being pulled down automatically the recommendation is to use the one from the portal (and corresponding appid). Devices that do automatically retrieve the TAK will end up with a unique appid, but it does not affect the onboarding process.
Jun 15 2021 08:15 AM
Hello and thank you for all this documentation and guides.
Is there anything else we can do if our devices are not shown in the Inventory?
We followed the process from your video clip 'How to onboard devices to the Microsoft 365 Apps admin center' and used all the information from here.
The device has the TAK properly sitting in the registry, all tasks from the scheduler are running etc. but I can't find any check-ins in the logs in Temp folder and ProgramData -> Office is also empty, no sign of Inventory text file/log.
Is there anything you guys need to do from the Cloud side, I understand the device will be deleted from the cloud after 180 days but it's a long time to find out... Anything we can do more?
I can see another device will disappear as well as it's not changed for two days, just the same as it was with the first one. Will update about the progress.
@Opti365 a change was introduced recently that disabled logging for Serviceability Manager by default. This might be why you are not seeing the check-in messages, along with any other pertinent information. To re-enable logging add the following registry value:
Once added, logging will resume during the next scheduled task execution. I will PM you if there is more investigation necessary.
Sep 07 2021 07:28 AM
Sep 09 2021 07:54 AM
@Marco Mangiante deployment using the ODT is supported and should not impact onboarding.
First I would confirm the missing devices meet the following requirements:
If the requirements look good, you can manually stamp the TAK in the registry using the following steps:
If there are no additional blockers, I would expect to see the device appear in Inventory within 5 minutes.
Sep 12 2021 08:47 AM
Sep 13 2021 07:25 AM
@LegalAlien the inventory feature isn't designed for auditing account termination and access. For that I would recommend the following: Remove a former employee - Overview - Microsoft 365 admin | Microsoft Docs