Mar 03 2021 02:25 PM - edited Mar 22 2021 03:01 PM
Hi everyone, the Microsoft 365 Apps Rangers would like to share some tips & tricks with you on our latest set of features released to the Apps Admin Center. No idea what we’re talking about? Take a minute and review the Road map to modern management for Microsoft 365 Apps. This article will highlight how you can benefit from these new features (Apps health, Inventory, Servicing Profiles and Monthly Enterprise Channel). Takes just 5 minutes!
When you enable the new inventory feature (preview) and start getting insights across all the Microsoft 365 Apps installed and connected to your tenant, you might run into scenarios where some devices do not appear in the portal. Below you will find the two most common root causes for devices not showing up in inventory and steps on how you can resolve them:
This post will walk you through the steps to identify and fix these issues. We will do our best to update and expand this post as issues are identified.
Step 1 - Identify devices that are running an outdated build of the Microsoft 365 Apps
First things first: we need to check if your devices are running a version of the Microsoft 365 Apps that supports the new features in Apps Admin Center. This is a prerequisite for onboarding devices to the new service. The Microsoft 365 Apps need to be running version 2008 (16.0.13127.21064) or higher. Here are the steps:
When this step is completed, all devices should be running on version 2008 or newer. Within a few hours they should start registering with the new service and appearing in inventory.
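The minimum-build check from Step 1 can be scripted as shown here; this is an added example, not part of the original post or the Rangers' baseline. The registry key and the `VersionToReport` value name are assumptions about where Click-to-Run records the installed build, and the sample builds are constructed.

```powershell
# Minimum build required for Apps Admin Center onboarding (version 2008, from the post)
$MinimumBuild = [version]'16.0.13127.21064'

# Assumption: Click-to-Run stores the installed build in VersionToReport under this key
$C2RConfigKey = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'

function Test-AppsBuild {
    # Classifies a build string as Compliant, Outdated, NotInstalled or Unparseable
    param(
        [string]$InstalledBuild,
        [version]$Minimum = $MinimumBuild
    )
    if ([string]::IsNullOrWhiteSpace($InstalledBuild)) { return 'NotInstalled' }

    # Parse into [version] so each field is compared numerically.
    # A plain string comparison would rank 16.0.9126.x above 16.0.13127.x.
    $parsed = $null
    if (-not [version]::TryParse($InstalledBuild.Trim(), [ref]$parsed)) {
        return 'Unparseable'
    }
    if ($parsed -ge $Minimum) { return 'Compliant' }
    return 'Outdated'
}

function Get-InstalledAppsBuild {
    # Returns the build string from the local registry, or $null if the key/value is absent
    $props = Get-ItemProperty -Path $C2RConfigKey -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return $props.VersionToReport
}

# Constructed sample values covering the edge cases
$samples = '16.0.13127.21064', '16.0.13628.20448', '16.0.9126.2116', '', 'not-a-version'
foreach ($s in $samples) {
    '{0,-20} {1}' -f "[$s]", (Test-AppsBuild -InstalledBuild $s)
}

# Result for the device the script runs on
'Local device: {0}' -f (Test-AppsBuild -InstalledBuild (Get-InstalledAppsBuild))
```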
Step 2 - Identify devices that have not onboarded with Apps Admin Center
The next step is to identify devices that meet the minimum app version requirement, but failed at one of the following stages:
The net result of both issues is that the devices are not visible in the Apps Admin Center.
The Ranger team has crafted a configuration baseline for Microsoft Endpoint Configuration Manager to help automate the detection and remediation of these issues. The content is provided AS-IS and is hosted on GitHub for your reference. To leverage the baseline, proceed as follows:
The remediation script will stamp the Tenant Association Key into the registry, which acts as a token to make the connection to your tenant. This will mitigate any issues which are rooted in the device’s inability to fetch the key for itself.
With the next launch of an Office application, the onboarding process should kick off and the device should become visible in inventory within the next few hours.
We value your feedback as you use the Apps Admin Center and if you wish, you can use the feedback tool in Apps Admin Center to provide feedback directly to the team working on the different features. Optionally you can also add your email address to the feedback, so the team can get in contact with you.
At the time of writing this post, the Apps Admin Center features (Apps health, inventory, and Servicing Profiles) are in Public Preview, so things might change over time. We will try to keep this post as current as possible. We are happy to answer any questions or take your feedback in the comments below.
The Ranger team is a small team of die-hard experts when it comes to deploying, servicing and managing Microsoft 365 Apps. The above guidance is based on our experience working during the Preview phase with the new products and is provided as-is.
In addition to this information, we have an Ignite session available for viewing that walks through the device onboarding process in greater detail. For more information about this session and our other content check out aka.ms/IgniteAACLinks.
Mar 16 2021 09:30 AM
Mar 16 2021 03:40 PM (Solution)
Great question and attention to detail. This behavior is intended. The TAK should exist under the cloud key. If Serviceability Manager is unable to pull the TAK and write it to this location, we fall back to the GPO key. This is why the script remediation writes to the GPO location. If you attempt to manually write the TAK to the cloud key, it will be overwritten during the next check-in. TAK delivery will be receiving some fixes in a future release to address this.
In addition, the baseline has been updated to address the TAK CI. The detection logic now properly checks both registry keys for the TAK. Previously it was only looking at the cloud key, resulting in the CI remaining non-compliant.
Mar 16 2021 05:22 PM
Mar 16 2021 05:54 PM
There is a decimal point towards the end of the string with another set of characters following. Do the keys match up to this point?
We are currently using TechCommunity to discuss the new preview features, so feel free to continue the discussion here.
Mar 17 2021 07:14 AM
Mar 17 2021 09:46 AM
With regard to onboarding, the TAK is only used to identify the tenant. If you are in a scenario where the TAK is not being pulled down automatically, the recommendation is to use the one from the portal (and corresponding appid). Devices that do automatically retrieve the TAK will end up with a unique appid, but it does not affect the onboarding process.