If you have ever used the Office Deployment Tool, chances are that you have also tried to create a custom XML file to control its behavior. Microsoft offers a website to assist with that at config.office.com. It now resembles a wizard and allows you to easily make a custom XML file without worrying about syntax.
You can create or import an existing XML file and update it.
Scroll down the page to work through each section, exclude apps, or set the update channel and a specific version to deploy.
However, this is not the only thing the Microsoft 365 admin center is good for. If you sign into the site using your Microsoft 365 Administrator credentials, a lot of additional functionality is available to you to customize and monitor your Office applications and device health.
Microsoft 365 Apps admin center setup
Any Office application that is signed into your tenant will report to this platform and can be controlled using policies. Below, we will walk through an overview of what each section allows you to do. The system does require setup, and several components, such as OneDrive monitoring, take a few days to start collating reports.
Once you're signed in, go to Setup in the left menu. If this is the first time you have signed in, you may be shown a screen saying setup is in progress. It says you may need to wait 10 minutes to 24 hours.
Once setup is completed, the setup section will show you a tenant association key and an inventory clean-up selector.
Tenant association key
The tenant association key was previously pushed out to devices along with a registry value (or GPO), 'SyncAdminReports'. This is being replaced by a new policy setting, as you will see later. The key is now automatically retrieved by a device if it meets the requirements. You can read more about those requirements here.
Inventory cleanup
Inventory cleanup is used to keep the device inventory fresh. Any device that has not reported for a set period will be removed. By default, this is 90 days. After 90 days, the inventory data will be removed; it won't do anything to the device itself.
Moving back to the top of the page, we can start going through the available options.
Servicing
Under Servicing, we have the option to configure update policies for the Microsoft 365 Apps in our tenant. These policies will apply to any application that a member of the tenant signs into, and take precedence over any policies set in other management tools. This may be something to consider if you are using Intune.
The servicing profile is split into several sections. The main one requiring attention during configuration is Settings.
This is where you will configure how to target devices in your environment, and any exclusions you need to apply. For example, recently, a senior manager wanted to move their devices to an insider build of Office, so we needed to exclude their devices from our servicing policy. By creating a group in Azure AD for their devices (dynamic group by device ownership), we were able to easily target and exclude them.
You can also configure rollout waves by group targeting and set exclusion dates where no updates will be deployed. Possibly useful during tax season?
Under Devices, when your devices have checked in, you will see the device name and the version number of Office applications. You can also configure rollback groups if you need to roll back to a previous version.
Office Deployment Tool XML files
Under Device Configuration, we can create XML files to store for various purposes or choose from preexisting ones provided by Microsoft. These are not pushed out to any clients and simply serve as a repository of XML files available for download. These XML files are useful for controlling which apps and which SKU are deployed to a device.
For example, you may have a team that needs to have Access deployed to its machines, but you do not want to install it on all machines. You can create two XML files: one that installs Access and one that excludes it.
Alternatively, you may have a team that needs Project or Visio deployed on its machines.
Storing these XML files centrally in this portal means that they are easily accessible to any of the technicians who need them.
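The Access example above can also be scripted. The following is an added example, not code from the original article: a PowerShell function that writes Office Deployment Tool configuration files for different teams. The function name, channel, edition, language, and file names are assumptions chosen for illustration.

```powershell
# Added example: generate ODT configuration files for different teams.
# Channel, edition, language and file names are assumptions, not values from the article.
function New-OdtConfiguration {
    param(
        [Parameter(Mandatory)][string]$Path,     # full path of the XML file to write
        [string[]]$ExcludeApp   = @(),           # suite apps to leave out, e.g. 'Access'
        [string[]]$ExtraProduct = @(),           # e.g. 'VisioProRetail', 'ProjectProRetail'
        [string]$Channel = 'MonthlyEnterprise',
        [ValidateSet('32', '64')][string]$Edition = '64'
    )

    $doc  = New-Object System.Xml.XmlDocument
    $root = $doc.AppendChild($doc.CreateElement('Configuration'))
    $add  = $root.AppendChild($doc.CreateElement('Add'))
    $add.SetAttribute('OfficeClientEdition', $Edition)
    $add.SetAttribute('Channel', $Channel)

    foreach ($id in @('O365ProPlusRetail') + $ExtraProduct) {
        $product = $add.AppendChild($doc.CreateElement('Product'))
        $product.SetAttribute('ID', $id)
        $language = $product.AppendChild($doc.CreateElement('Language'))
        $language.SetAttribute('ID', 'MatchOS')

        # Exclusions are applied to the suite product in this example
        if ($id -eq 'O365ProPlusRetail') {
            foreach ($app in $ExcludeApp) {
                $exclude = $product.AppendChild($doc.CreateElement('ExcludeApp'))
                $exclude.SetAttribute('ID', $app)
            }
        }
    }
    $doc.Save($Path)      # Save() needs a full path, not a PowerShell-relative one
    Get-Item -Path $Path  # return the written file so the caller can see what was produced
}

# One file per deployment profile, written to a scratch folder
$out = Join-Path $env:TEMP 'odt-configs'
New-Item -ItemType Directory -Path $out -Force | Out-Null
New-OdtConfiguration -Path (Join-Path $out 'with-access.xml')
New-OdtConfiguration -Path (Join-Path $out 'no-access.xml') -ExcludeApp 'Access'
New-OdtConfiguration -Path (Join-Path $out 'no-access-plus-visio.xml') -ExcludeApp 'Access' -ExtraProduct 'VisioProRetail'
```

Each generated file can be imported into config.office.com for review before it is stored in the portal.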
Policies
Under Policy Management, we can define settings for our Office applications.
Policies can be applied to specific users or to all users in the organization. I suggest testing with a small batch of users before rolling anything out to the whole organization. Policies are applied in priority order when conflicts arise.
There are over 2000 policy settings for all Office Apps that can be configured. Luckily, filters are available to narrow down what you may want to look at. I have to say that I found this section quite confusing.
In the Area column, notice that some settings say 'Security Baseline.' They also say 'Not configured,' so I didn't know if that meant the settings were configured to a baseline, or they were part of the baseline but not configured. I decided it was the latter. Where I wanted to copy the baseline policy, I copied what was visible. So in this example, I set the policy to Enabled, with Load only Outlook Controls.
There are 133 policy settings that have baseline tagged onto them, so grab yourself a flask of coffee and dive in.
Health
Under Health, you can see the health of your apps and how many errors have been logged per application. This is useful if you are monitoring the rollout of a new version of Office.
You can see information regarding security update status and monitor OneDrive sync health if your OneDrive clients are on the production or insiders ring. There is even a section to monitor the Office add-ins running in your organization and the impact they have on loading times.
Enabling inventory and health reporting
This leads us nicely to how to set this up on the client. As mentioned above, you previously used the tenant association key in your policy to tie your device to your organization.
It seems Microsoft has made changes to this functionality, and with the new builds of OneDrive, a new policy setting will be available.
| Old Setting | Value | Type |
| --- | --- | --- |
| SyncAdminReports | <tenant association key> | String |
| GPOSetUpdateRing | 0, 1, or 2 | DWORD |

| New Setting | Value | Type |
| --- | --- | --- |
| EnableSyncAdminReports | 1 | DWORD |
| GPOSetUpdateRing | 4, 5, or 0 | DWORD |
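
During the move from the old settings to the new ones, it helps to know which devices still carry the tenant association key. The following is an added example, not code from the original article: a PowerShell check that classifies a device by the values in the tables above. The function name and the registry path (the OneDrive machine policy key) are assumptions, since the article does not state where the values are stored.

```powershell
# Added example: classify a device by which sync-report settings it carries.
# Assumption: the settings are read from the OneDrive machine policy key.
function Get-SyncReportPolicyState {
    param([string]$Key = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive')

    # A missing key yields $null, so every lookup below falls through to "not set"
    $values = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue

    $hasLegacyKey = -not [string]::IsNullOrWhiteSpace($values.SyncAdminReports)
    $newEnabled   = $values.EnableSyncAdminReports -eq 1
    $ring         = $values.GPOSetUpdateRing

    if ($newEnabled -and $hasLegacyKey) {
        $state = 'NewAndLegacy'
    } elseif ($newEnabled) {
        $state = 'New'
    } elseif ($hasLegacyKey) {
        $state = 'LegacyOnly'
    } else {
        $state = 'NotConfigured'
    }

    if ($null -eq $ring) {
        $ringNote = 'not set'
    } elseif ($ring -in @(4, 5, 0)) {
        $ringNote = 'in the new value set (4, 5, 0)'
    } else {
        $ringNote = 'old-style value, not in 4, 5, 0'
    }

    # Only presence is reported; the tenant association key itself is never output
    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        State            = $state
        LegacyKeyPresent = $hasLegacyKey
        NewSettingOn     = $newEnabled
        UpdateRing       = $ring
        UpdateRingNote   = $ringNote
    }
}

Get-SyncReportPolicyState | Format-List
```

The function returns an object rather than text, so results from many devices can be collected and exported to CSV.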
Hi Robert,
Nice write up!
What roles grant or limit access to this portal?