How to troubleshoot Office Setup, Deployment and Activation issues | Microsoft

How to troubleshoot Office Setup, Deployment and Activation issues | Microsoft

Show Video

Hello everyone, my name is Krishna and I'm partnering with my peer Anvita for this session. Today we're going to discuss about office downloads, activation and few troubleshooting scenarios on same discussion encompasses of office as a client protocol covering a broad spectrum of how it intercepts with layers of authentication, OS, network prerequisites and isolation of different scenarios. will also see few troubleshooting steps based on cases for office installation. Activation sign in, updates and other relevant information and logs to be collected. Let's get started. These the topics we will be covering today. Brief overview

of office flavors and versions, different modes of insulation. and how to utilize office customization tool to create configuration XML files per business needs. The basic concept behind activation prerequisites use cases like which depicts the approach and multiple scenarios based troubleshooting and isolation for sign in issues and so on. Please note this session is being recorded. To start with our agenda today, let us see two office installation technologies. MSI and C2R are the two common installation technologies used to install office. You can also get office installed from Microsoft

Store, the other way to install office, Click to run. Click to run uses Microsoft virtualization and streaming technologies. It can also be pushed via SCCM and applies to all subscription based office products and few perpetual versions. Example Microsoft Apps for Enterprise which was formerly known as Office 365 Pro Plus and other perpetual versions like Office 2019 etc. It can be customized using office customization tool and the main advantage over MSI is that office applications are ready to use while the setup is running behind. That makes it a good approach to start installing

with C2R based versions of office. Now coming to MSI, it is a traditional installation technology that most of us would have come across before, which typically comes when you purchase Microsoft Office through volume licensing, example Office professional or standard versions that we have seen so far. It can be pushed via SCCM as well and it applies to perpetual versions of office. To know which installation technology is used? The user can go to file office account and then click about outlook and you'll see the product information in any office apps like Outlook, Excel, Word.

etc. and another tip to quickly identify the installation technology used is that, in MSI version there is no such option named office updates. You can see that on the screen shot here the left the screenshot on the left side shows the C2R version. The Microsoft 365 apps for

Enterprise that comes with any of the office subscription that I use for purchase and you can see the office updates the highlighted option which is available and it is not available on the screenshot, that is to the right, which is basically an MSI based installation. So let's move to the next slide, which talks about the office versions. So here are two examples of perpetual and subscription based office clients. Microsoft 365

apps, which is formerly again, which is formerly called Office 365 Pro. Plus, It's a subscription based client that ensures you always have the most up to date modern Productivity Tools from Microsoft. With the subscription you always have the latest features, fixes and security updates. This can be installed on all the devices and sign into like you know you can, the user can sign into five different devices at the same time. Also to note that Microsoft 365 apps need connection to Internet at least every 30 days to avoid applications getting into reduced functionality more now just to overview reduced functionality mode.

The users can only view, print their documents and some of the other features like editing or creating a new document are disabled in reduced functionality mode, and this can be avoided when the user has Internet connection and just by simply reconnecting to Internet and just signing into the Microsoft 365 account. Now coming to office 2019. We have put 2019 here because 2019 is the latest version of perpetual versions of. Version of Office client. Office 2019 is a perpetual client sold as one time purchase from Microsoft, which basically means you pay a single upfront cost to get office apps on one computer whereas C2R gives you option of five devices. Now one time purchase are available for both PC's and MACs however there are no upgrade options which means if you plan to upgrade to the next major release, we will have to buy it separately. Security updates are still included with Office

2019 or any perpetual version based on their support lifecycle. But user won't get any new features as you get on C2R versions of office clients. So upgrades two major releases are also not included with perpetual versions. To move before we move on, the scenarios we cover today will focus mainly on Microsoft 365 apps. than the perpetual apps.

Good, the next slide talks about the support life cycle for office for Mac. Because we see there are certain environment still having Office 2016 for Mac and we get cases on those. So we just want to, you know update on this part that it is good time or it is required to move to office 2019 for Mac or Microsoft 365 for apps for Mac.

to be on the supported life cycle. The slide talks about some of the details on the life cycle and  the end of support from Microsoft. We will. We will share with you some of the resources at end of this delivery and you can go through it later. Good. Next, we'll move onto office installation. So, um. These are the common installation methods used for office. We can make users install office on their client

devices directly from the portal, that is and you can go to install office which will take to the users account and the user can self install office directly from there. This method gives less control over deployment but there is less administrative overhead needed.

So this would be good for users if you feel the users can install the office by themselves on their PCs. Office deployment tool the office deployment command line tool that can be used to download and deploy Microsoft 365 apps to the client computers deploying office from the cloud which is CDN, which is basically the content delivery network. Deploying it from there will minimize the the task needed for the administrators. However, if the network capacity doesn't allow office to be installed from the cloud, then. You know, then office can be deployed with ODT from a local source as well. We will go through some of the

configurations in the upcoming slides or how to make that possible. And continuing ODT which is the office deployment tool can be used as a standalone tool or you know it can be used with any third party software deployment tools that that if an existing environment has to distribute and manage software. Next, this can also be, you know,  network deployment or a GPU based deployment as well and the SCCM is talking about SCCM or the recently called as Microsoft Endpoint configuration manager. The configuration

manager basically scales for a large environment. It enables extensive control over insulation update and settings, especially when it comes to office. And the last option will be Intune based installation. Intune can also be used in office

deployment to MDM managed devices. You have a policy or you have a template to do it easily with respect to office. Moving on to the next slide is office customization tool. OCT, which is office customization tool plays a vital role in office deployment workflow. This web tool can be accessed from which

creates the configuration files that are used to deploy office in larger organizations. We will walk you through the customization tool and how we can leverage to create the XML file with customized deployment settings. Now this configuration files give you more control over an office installation like we can define which applications and languages are installed or how those applications should be updated, and some of the other application preferences that normally and a larger organization or any organization would would be in need. Now in this, in this shown section on the screenshot the You see the architecture and the product that need to be deployed must be chosen. The first highlighted box shows the architecture, the bitness of 32 bit or 40 to 64 bit. Sorry.

64 bit will be the default one unless it is, you know changed here or even install from the portal. And the second option under product section talks about the office suites. You have different flavors of like more Microsoft 365 apps for Enterprise, Business. And you can

also use this customization customization tool for the deployment of perpetual version. You can see office Professional plus 2019 volume volume license based. The enterprise and business can be chosen based on the license assigned to the users in the Organization. Good, so the next part of this tool. Here we can choose the the product that need to be installed along with the office suite. Please note that you know in many cases we can install office Project, Visio on the same computer, but there are some combinations that can't be installed together on the same computer. The reason we

highlight this point is that we get some of these scenarios. Uh, where you know office installation fail and upon checking will come to conclusion, or we will be identifying that there are some versions of Visio, Project that is being installed, which is, you know incompatible to be installed on the same machine, so will share the details on the supported scenarios for installing different versions of office Project and Visio on the same computer. Here you can also choose the language pack and the language pack that can be added additionally, along with this installation.

The next would be the update channel. Update channel like it determines how frequently the user client devices are updated with new features. Now there are multiple factors that will determine which update channel needs to be selected for deployement of Microsoft 365 apps. Say like network bandwidth utilization and other

organizational requirements like space, the resources, the storage space available, and other resources available and the highlighted first highlighted text box shows the some of the update channels that are currently available with Microsoft apps 365 apps. So the current channel will be the latest as it provides the users with newest office features as soon as they are ready. This can be, you know, you can select the pilot of users to deploy the current channel or the most common will be semi annual enterprise channel which will be a six months six months once release. Anvita will be talking more brief on it at the end of the session. Also please note that group policy and ODT are the only supported methods to change update channels. There are some scenarios where we would be in need to change the supported channels. Sorry

the update channels because some of the applications or the addins that organization use might not be supported on the current channel and you might want to backport to the monthly channel or the semiannual enterprise channel which is the last stable version of release for office. So so please be aware of that and the apps section here at the defines which Microsoft 365 apps product should not be installed. you can see one drive for business so its turned off, so the apps turned off here own get installed when you use this XML file for the deployment of office. OK. So. Here we have an option to include multiple languages and can use, there is a attribute name match operating system attribute that helps to automatically install the same languages that are in use on the client device like. Uh, the the operating the language that you have it on your operating system. The default primary language

installed along with office, so I would I just want to let you know that this is not mandatory, that you know this XML has to be generated from here, but it is an easy tool or recommended tool to generate. But you also have certain other attributes and elements that can be added manually. If you're proficient with XML customization. So some of the attributes that. like match operating system that I said is the attributes like you can see when the XML file is the XML is getting exported as a file. We will share that as well for your reference in future what are the the supported attributes that can be added to XML. It's something like what you have parameters in PowerShell in Exchange Online or SharePoint Online which cannot be found in UI.

OK. So, um and yeah, the highlighted proofing tools. So what proofing tools is that? So we would have come across some of the grammatical mistakes that word can help or any office application can help us to auto correct. And if the user you know is business, needs to use a different language and just want that language to be used for proofing purposes for auto correction or other thing for dictionary. You know that languages can be added here as a proofing tool. So. Next slide.

be on the installation options. This section, like it, allows to choose whether office files directly can be installed file directly from the cloud or from a local source on the network. So as discussed earlier, this can be chosen based just like based on various requirements and resources availability. These are the different methods that

you could opt in from this tool. And the other option that you see are like, you know, pin icons to taskbar. Show installation to user so that the as we said, C2R or like the apps users streaming technology. The installation happens in behind and users can start to use office on the go but you can still show the installation to the user if it is required and you can also pin all the icons by default to the taskbar like all Word Excel and all of his applications icons will be pinned to taskbar by default. Yeah.

So. This upgrade options like we see here, basically it removes any existing office, Visio and Project that were installed using Windows Installer MSI from the computer prior to the installation of Microsoft 365 apps. So the option highlighted here. Just enabling it ensures, it removes the non essential MSI versions on the machine. Basically all MSI versions of office installed on the machine, so you could also opt in to remove Visio and Project along with this deployment. It is highly

important to note that before installing Microsoft 365 apps for enterprise or business. We highly recommend removing any existing MSI versions of office on that PC. Because both installation technology are not You know, supported to be running on same PC.

OK. The next would be on product key. Basically the product key section helps deploying volume license version of Office. The option that you see here:  The volume activation like provides two different models.

Key management service KMS and which you know, which is like a very one option to activate Windows and other clients. Now it allows organization to activate systems within their own network and the other option of multiple activation key, MAK. It's a one time basis like it uses using the Microsoft shared Services or the activation services. In our case it is. We focus on Microsoft 365 apps and it is not a volume license version and it does not require KMS or MAK activation. What is then How is Microsoft 365 apps get activated? We have the highlighted option so you'll see the highlighted check box there that shows user based and shared computer. These are the two common methods of activation of

Office. Now the user based is the default licensing mode for Microsoft 365 apps. In this mode, the license is carried within the user's profile. So user based licensing requires an user level activation and it uses it, requires user to sign into their Azure Active Directory account.

So it's basically attached to one user who has an Azure Active Directory account? Now, if the organization, let's say the organization has a virtual desktop infrastructure VDI implementation or have users that share workstations connecting to RDS servers like terminal service. Then shared computer activation can be enabled for those devices when you deploy Microsoft 365 apps, This mode is typically used in scenarios with multiple licensed users connecting to the same devices. So we come across multiple organizations where users have to connect to a RDS.

They connect from the same PC, but but still they want their own office experience and you know can fix to work. So this can be achieved using shared computer activation and shared computer activation has certain customization to be done and we will see that on the upcoming slides you know which Anvita will be highlighting on some of the best practice to do so. And the next would be the application preferences.

So in this section you can choose what preferences to apply when deploying office. So we can define application preferences for supported product like you know you can see the default file locations are the default file format, etc. And a more details of the settings can be learned by clicking the appropriate setting and and you know the details will be shown on the portal itself. The next would be the sample config XML file. This XML file is is a sample from the Office customization tool. The OCT tool. You have an option to import and export. We have exported the customization what we have seen on the previous slides and so these are the some of the common values. So we can now use this configuration file with the

office deployment tool or another software distribution solution. Now the deployment tool is run from the command line as we have discussed before and it uses this configuration file to determine what settings to apply when deploying office. Uh, so like like the highlighted box  you can see the shared computer licensing. This is one of the settings or the property that tells you know if SCA is enabled. SCA is shared computer activation is to be enable.  SCL cache override is also related to the same. So once offices you know once the deployment tool uses configuration, it knows whether it need to enable shared computer licensing. So it's

nothing but. For example, if this is set to one, you would see a registry key enabled on an office registry hive under Click to run Microsoft Software, Microsoft Office 16 and Click to run so that hive will have shared computer licensing set to one and the cache override is another value that tells the storage path for the licensing token files, and yeah, others are pins icons to taskbar, which you have seen before. And the auto activates just to highlight on that because we have seen some of the cases recently. Microsoft 365 apps is set to activate automatically. Right, and this part activate property is not needed and to be set for Microsoft 365 apps product. So

basically it is needed for the perpetual versions like 2019 and it is not required here because the M365 apps are said to be automatically activated by default. And yes, you see this device based licensing, this is another licensing method which is like it's a new licensing model, so we'll just give a overview of, like you know, how is it like. This licensing model will apply to the machines and have no link to user like whatever. In a sense

It's like a volume license with subscription features so. Uh. Like currently, the license is Microsoft 365 apps for Enterprise device and is available only through enterprise agreement or enterprise agreement subscription, EAS.  For education customers, it was introduced with education customers and it licenses Microsoft 365 apps for education device and that is also available only through the enrollment for education solutions EES. That's about it. And if you see on the right,

we have the steps to deploy using office deployments, you have to download the Office deployment tool from the link highlighted and you can create a folder, any folder like let let's take it ODT and you save the config dot XML file that we have exported from the Office customization tool. OCT tool And then open the elevated command prompt as administrator. Navigate to the ODT folder that we have created an which has the config file and start running the commands below. So the first commandsetup.exe/download configuration dot XML will actually download the office bits. Now the config dot XML. So let's take you have this file on a shared folder. It is. We need to ensure that.

the setup.exe path and the configuration dot XML path. The actual path should have the full UNC path of that shared folder and the file in it. The next command like setup.exe/configure  Configuration dot XML will actually begin the installation of office based on the settings what you see on the left screenshot screenshot to the left. And one tip to note is that, like once office, once downloading starts, the easiest way to know that or identify that if the download has already started, you could go to the same folder, the source folder and you will find a path. Sorry, a folder name office and if you click on it

you will see the office bits getting downloaded to that folder. So that's one easiest way to identify that you know the office has been downloaded. Because this is just a command line tool and doesn't tell you if it is actually being downloaded, just you will see just a blink on the screen unless the command completes.

Good. So, uh. The next option would be troubleshooting office installation issues. The first thing we would recommend to understand the customer environment. As you have seen before, that I'm certain multiple environments like this could be a user base activation or a shared computer activation, where in the office is installed on remote desktop servers like hosted services and you know the customer might have. Uh, the other other tools like FS logic. So FS logic is basically a profile management tool. We have to check some of those things that like if if

if the office is installed or deployed in such a environment and the second thing would be the isolation based on domain joined versus non domain join, we will be sharing a little more about this on the upcoming scenarios and the modes of installation. The very common issues that comes is like a very basic thing that we missed. That's some of the issues that miss out is C2R or an MSI, so we will see tool in the next slide which will help us to identify if we have any other versions of office installed on that machine and we could, you know, identify if those are compatible to be installed on that on the same PC and the next will be user specific. Isolation likes permission issues. For example, let's say that you allow the users to install it themselves, the user should have at least a read permission over the folders that are that have the office bits downloaded. So this is very that scenario, but it could rarely users would deploy, but it is good to know. And yeah, this previous instances is same what we discussed. We'll see on the next slide about ROI scan.

Antivirus filtering software on machines, that would also be one of the cause where it would stop you from installing or activating office. So there are certain you orders that need to be allowed. If we are have allowed all the Office 365 URL's and IP addresses recommended by Microsoft. We are well and

good to go, but there are certain specific activation URLs that also need to be allowed on your proxy servers or firewall. or any filtering services that comes in between the office activation service and the client. Check for office bitness is 64 bit or 32 bit. You know that sometimes cause issues. It would be clearly shown on the error code and yeah then again the same or on MSI or C2R compatibility. We

highlight this because these are the most common things that comes with the when it comes to the compatibility issues. OK, so there are certain points that would help us to narrow down the issue and we will cover up some of these scenarios and that would give us you know more light on those steps to isolate this issue. So the next would be ROI scan, The ROI scan is is basically it's robust office inventory scan and it is a Vbscript which performs the environmental checks on the machine where office is installed. You just have the user have to just double click on it. It executes the script and provides an original provides result in the notepad file. So what we see on ROI scan is so basically these can

this script assist with the installed Office configuration on the the computer that we executed, so we'll get the details like shown in this screenshot. So you see the computer name and you see the OS detail like what version or the build, number of OS and the languages that is installed along with OS that comes like what we discussed before match operating system if it comes to a language pack issue. And the logged in user and and it also contains some of the the product details like what version of the OR what version of the product is being installed is installed on that machine. So if you see the next slide you will see

some of the details of CDN based URL and the update to version. So these are the. So this basically this machine. had a CDN based deployment of office. This get installed directly from Office cloud, it doesn't have any local source path to get the office package to be installed and you also have updates link, so this is one way to find you know if the CDN is CDN is what the office on that machine is looking for updates and features. So so yeah, this is some of the details that you could see on registry hive as well. You could go to, you know the user hive. So Microsoft Office 16 and correct Click to

run and you will see the same details which would which would cover most of the details that you have customized office customization tool like what version to be installed like what channel is being configured on this machine and and some of the other settings that we have given from office customization tool. OK. And the next would be ULS verbose logging. When you troubleshoot office issues,

like traditional log settings sometimes. You know, don't collect enough information. So when we come across certain environments that has a complex deployment, it makes it difficult to troubleshoot with the default logging. So and

that's when the ULS verbose logging that would help. So you have a default logging enabled, but still it is not verbose enabled. So these logging might include. You know, this might help in like certain sign in issues like installation, and update issues etc. To collect more verbose logging details, these registry keys must be added so you see the log level. The first registry key and you have to run it as command prompt as administrator on the machine which is affected and the first two registry keys will help us to enable the verbose logging and you could begin the installation process or we can. Basically we

have to reproduce the issue and the logs will be captured. The logs once captured can be copied from Temp folder within Directory, just system directory temp folder or the user temp folder. The local appdata temp folder and so how to collect our how to? You know identify the log file is by the filename so the format of the file name would be machine name, hyphen, date hyphen time dot log so you can see the example here like PC name. Let's say you have a PC name as my PC one. And then you have the date and time and followed by time and you have a dot log extension added to it, so that's how we that because this is one of the logs we get more often when it comes to office installation, activation or sign in issues. So we just

want to stress on this slide and how to enable or be aware of this log that Microsoft support would need to proceed on any complex environment. So another thing is that it is recommend or we recommend to disable the verbose logging post troubleshooting. We can use the command shown here at the end to delete the registry key, reg delete command or you could also the manually disable it to avoid taking the excess storage spaces when it when it is keep turned on.

OK, so good now I'll hand it over to Anvita who will help us with some of the best practices, troubleshooting and isolation tips on various office installation, activation and signin scenarios that we most common commonly come across. Thanks and Anvita you can proceed. Thank you Krishna. Thanks for walking us through the flavors of office and about ODT and troubleshooting installation issues and helping us with the isolation steps. So the reason we want this stress on the

best practices is because we know that Microsoft Partners do not just work on the support incidents, but they are also customers advisors and they also help the customers with deployment. So we have curated some of the scenarios based on the top call generators and we have identified some of the issues where customers face issues and how we can mitigate those. So some of the best practices here would be that. If you are helping the customers with deployment and they might have had a previous product of office, either Click to run or MSI then it would be good to ensure that even if they have deleted it, it would be good to ensure that you double check it before deployment in order to avoid any challenges that might occur later. And one of the best ways to do that would be there is a publicly available script, script called Off Crop. Will

will share those details is well with you. And you can run the script on the machines so that any previous instances of office has been removed from that machine. Because so, if there are any instances of previous versions already present, then it might not cause issues so directly while deployment, but it might cause the issues later after activating office and they might see some of these errors are popping up when they are using the office product. OK, so running through some of these scenarios which most of the customers get and the first scenario here would be office installation stops at 56%.

So this is again a generic error, and it necessarily does not have to be perfect. It could be at any given point during the course of installation, and you will be able to see that it stops at a specific percentage. So, uh, since though its a generic error and  Krishna already stressed on the fact that office being client based product there is lot of, uh, impact based on the customer's environment. So understanding the customers environment plays a pivotal role here. So first thing would be to isolate based on what kind of environment they have and second of all, for especially for installation issues, we need to check that Click to run service is running in the background.

Because as soon as you start installation, the service that starts running is the Click to run service an you will be able to see it. So you can go and check in the service section is this service is running. And one of the common things we check is we go to the task manager and check if there are any other long running processes which are running in parallel and if it is not important you can pause it so that installation takes precedence and then observe the behavior. And yeah, checking from network standpoint would be a good thing to start with, because there could be a possibility that there could be some specific component of office installation file that is not recognized by filtering devices like antivirus, firewall etc and that specific component of file could be blocked by these devices. So as isolation steps we can try to disable it. Oh sorry you don't have to disable it, you can just pause it and try to.

 continue the process. And we can perform a clean boot on the machine. We can check for previous instances like mention and another major thing the command lines that you can run which will help you, especially if it is a machine specific issue. Mostly installation issues are machine specific issues, unless if it is happening for bulk users then it is based on the delivery mechanism. For example if you have used intune as a delivery mechanism and have have been deploying for hundreds of users and the installation has paused. Then we have to isolate both from Intune and office standpoint, so if it is single user issue then this is these are some of the command lines that you can run. So first is on

a command prompt as an administrator, that is an elevated command prompt. You can run the  Dism.exe /Online /Cleanup- image/RestoreHealth, so when you run this command or dism uses Windows Update to provide the files that are required to fix corruption. So this is basically to ensure that if there are any system based corruption or any file corruption, these command lines will help you fix that and after you run that you can run SFC scan. Now there's a scan. Now Command will scan all the

protected system files and replace the corrupted files with a cached copy and that cache copy again is located in the compressed folder in Windows Directory. So these are two commands that you can use and most of the time if it is 1 machine specific, issue it using these commands you will be able to resolve the issues very quickly if it is just machine specific issues, and given that there could be any or corruptions in the file. So and you have also isolated based on network and other isolation that we're talking about. So our next step would be to collect ROI scan and ULS verbose logs In this specific scenario the fix that worked was once we collected the logs. We were able to identify that there was a specific registry and in that registry of current version which you see here in Hkey local machine there was a profile list which was missing.

Which is essential for installation to work. So as soon as they created this, the installation happened seamlessly. So again this is for this specific scenario. After we collected the logs after we isolated and collected, the logs were able to identify it might not be the same for every user.

It could be different for different users because this is again a generic error. But yeah, these are some of the things that you can check and some of these registries that you can go and check to see if this is already present or not. Moving on to the next scenario again, this screenshot shows that there could be a possible problem with the Internet connection or so there could be a possibility that there is no enough space. So in this scenario we checked the ULS verbose logs and in the logs we were able to see that prerequisite check has failed.

So these five pointers which are mentioned here in the slide are the prerequisites that we're talking about. That is, the bitness, like Krishna already mentioned that 32 and 64 bit cannot coexist in the same machine. So if there is a previous product, let's say a Visio or project product of 32 bit which was already installed on the machine, and you're trying to install office suite or again Click to run, but you are installing a 64 bit version, so because. The visual project could be 32 bit and you're

trying to install 64. This issue can happen, so it's best that if you have a previous product which is of a particular bitness, to install the other office suite also of the same bitness. Next would be this disk space. Yeah, because this might not always be the case most of the time this is not the case, but this is one of the prerequisites that we have to check. Next would be in network costs, which we discussed upon and admin context, If the user has  logged as standard user or as an admin and to check any previous version, either MSI is present before. So starting with the office activation, so this is also one of the top called generators, so when it comes to office issues we get a lot of office activation issues where users are either not able to activate office or they have been using office they have activated and they've been using office for quite some time and suddenly they start to get these error messages. That office is not activated and they're not able

to activate it. So before we start with this scenarios. I would just like to go through the workflow of how the activation works. So office activation and sign in go hand in hand, but are two different things and if if for some of you have already attended the session on Identity online, there were some of these aspects on authentication which could have been covered so. So when it comes to activation, first thing is that a user provides the office credentials. That is, as soon as the office

is installed and you open any of the office product, let's say word, it gives you a prompt which asks you to activate. So that is when the first time when you are trying to activate you give your username and password. So as soon as you enter these, these details are sent for authentication at the Office 365 Portal that is So when it goes to, these

details are again verified and the subscription service checks if this user has the correct license that this user claims to have, so the license entitlement check is done where the subscription service service confirm. If this user  so has the valid license, and once this this so subscription service confirms this, these users licensing details is sent to something called. Office licensing Server. Now because client being a standalone thing it will not be able to communicate directly, so office licensing server will give this information back to the client and telling that the license entitlement check is done. So now the office licensing server that is OLS authorizes and registers this request. And once this is done, the office activation is done and the user will be able to use the product seamlessly.

So these are some of the office activation scenarios that we come across. So, uh, activation in managed environment that is managed as the cloud only domain. When the customers  environment is cloud only domain, so when we're talking about understanding the customers environment, these were some of the aspects again that we can consider. That is understanding if they have a managed environment or if they have a Federated environnement that is Federated as in they use the ADFS Active Directory Federation services and next thing would be shared computer activation. Which will talk in detail about in the upcoming

slides. So this is another kind of activation. The workflow is similar to activation or the normal activation, but the purpose of SCA is little different from the normal activation and again SCA in persistent and non persistent VDI environment. So coming to the key factors of office activation issue. First thing would be Windows. We always check if the issue is

build specific, profile specific because we want to make sure that the Windows build or the operating system is not one of the things that are causing an hindrance with the activation and next would be network specific. Krishna was  talking about filtering the URLs and IPS. So for activation to work. Seamlessly, we need to ensure that all the Office 365 URL's and IP's are sure white listed on all the filtering devices that you might have. That the customers might have

and on firewalls etc. So that is something that plays a role and next is  identifying if the issue is user specific that is there any user specific. That is, we have to check if the issue is happening with one specific user on one specific machine. It would be a good isolation to ask the user to check to try to activate on another completely different machine, or if you're trying to activate on the same machine on another Windows profile so that we can isolate if the issue is really user specific or if the issue is machine specific.

And next would be browser. So it is important that the all the browsers are updated to the latest build. And it might not cause issues with the managed environment, but when it comes to Federated environment we need to ensure that the ADFS site is added to the trusted sites of Office sku and we have to also ensure that the installed SKU that is office licensing SKU matches with the assigned office license. Moving on to shared computer activation. So like I mentioned, the workflow remains the same as the normal activation, but the purpose for a shared computer activation is specifically for to ensure that multiple users will be able to use the office, and this is specifically again for remote desktop services when there is RDS server in place.

So one best thing is that when Microsoft Partners interact with the customers, they also help the customers with the deployment. So you will be working closely with the customers and you will have a better understanding of their infrastructure, their operational requirements, that organizational l requirements. So if you have any specific customers who are looking for options and now being the pandemic situation SCA is the best option. Because more and more users are trying to use

their office workspace remotely, so we see that more and more users are trying to on board on this method for the activation. So you can. You can be the best judge if understanding their infrastructure. If this is something that would suit their

requirement. So, uh, SCA let's you deploy M365 apps  to a computer, and this can be accessed by multiple users. So talking about some of the scenarios. First thing would be - Let's say there are three workers who are working at the factory and they share the same physical computers and all three of them. Work 8 hour shift, but their timings do not overlap, so they can use the same physical computer and they can use SCA Shared computer activation and as soon as they log into their profile. They will be able to see their workspace.

So one good thing major aspect about shared computer activation is that let's say that user A. Lets say Let's say there are two or three RDS. Servers  in place and user A logs into RDS server 1 during morning hours of the day.

And he logs in to his workspace to his profile and he works on a specific files. Or save the Word document and then he logs out. And during the afternoon the RDS1 is not available. Somebody or multiple other users are using it so he uses RDS 2 and he again logs in with this profile seamlessly. He will be able to access his workspace and access all the work that he was.

He was doing without having to save it separately on a network drive or having to send it etc. So that is one major  advantage of using shared computer activation, so there are some of the other listed scenarios. Like 15 nurses at a hospital. Use office on 10 different computers throughout the day so the permutations and combinations can be multiple. And it can. It can be used in any scenario, and it can also be used. Let's say there's a conference room or some public

space in the in the company and multiple users can use office on that computer that's located over there. Oh OK, so another major advantage of shared computer activation is that when it comes to normal activation, if you have the license or for Microsoft 365 apps, it will let you deploy office only on five different PC's and five different mobile devices. But when it comes to a shared computer activation, there is no limit as such for deployment you can use shared computers activation to unlimited number of devices, though there is no limit that has been declared. We see that sometimes the users says issues where the error message clearly shows that they have exhausted the number of connections and in those scenarios. You can open the support ticket with Microsoft and we can verify with our engineering team as to why is this happening.

So some of the prerequisites for shared computer activation would be that in order to use shared computer activation. You would need an Office 365 plan that includes Microsoft 365 apps. So when it comes to normal activation, there is no such criteria on what kind of license, but when it comes to shared computer activation, only Microsoft 365 apps for enterprise and only E3 and E5 supported, and in Microsoft 365 business premium plan which includes the Microsoft365  apps for business, this is the only business plan that is supported. There are other business plans like Microsoft 365 Business Standard which also include Microsoft 365 apps for Business, but this plan is not supported for shared computer activation, so this is also one thing that we need to suggest to customers preemptively if they are looking for options and they haven't bought the licenses yet, then it would be best to guide them that if this is something that they would be looking out for  so they can buy the licenses accordingly. And also one more thing that I forgot to

mention was that shared computer activation will save you a lot of costs and it's very efficient and on operational level also it's very efficient. And the next thing is that shared computer activation is not available for office for Mac yet, so if the the the organization have a lot of users who are using office for Mac specifically, then this would not be beneficial for them. Uh, then, The activation in SCA. Like I said, it's

similar to normal activation, but when I said that user A's logging into RDS 1 at morning hours of the day and then logs in in the afternoon to another workspace as into another server. So how is this seamlessly happening is because each of this user has a unique licensing token which is stored in the specific location of local appdata, Microsoft Office licensing folder. So every user, whoever creates the whoever, creates a profile and has activated for them there is a unique licensing token which gets saved in this licensing folder and this is the same token that is being roamed, so when it is being roamed, we initialize these attributes in the either in the registry hive while deploying office. Or what you can do is you can also initialize it on the group policy. There's a very nice article called overview

of Shared Computer Activation which explains all these methods very clearly. All the details of that also would be included in our hand out that we will share later. So  again just like normal activation. These tokens also

needs to be renewed every 30 days and it needs a Internet connection for that to happen. If that fails, that is when the SCA breaks that is the activation breaks, the flow breaks and the users will start getting prompts that either they see a  reduced functionality mode screen or it simply ask for username and password. To be able to use office again. And I see the main advantages I see is that it's seamless, so that we need to ensure that you know the token is getting renewed every 30 days, and there is active Internet connection. OK, so moving on towards the office activation troubleshooting. Again, isolation plays a very key role

when it comes to troubleshooting these, and the first thing that we have to check is that users assigned with the right office license and best thing would be to always collect ROI scan and when you collect the ROI  scan it will show you all the product keys that are installed and if you see that there are multiple different product keys reinstalled and which might be from their previous versions that they were using, there is again a command line command called UNPKey which you can use to be able to delete these previous product key. You do not have. I also wanted to mention that you do not have to. Make a note of these things because we will ensure that all these details are consolidated, for you to refer later And then yeah, we always check if the issue is based on a specific user or specific machine and check from network specific standpoint and when it comes to network, one of the logs that is always helpful is fiddler logs. So Fiddler logs

will help us to understand what is going on when the when you when you start this activation process or any of the. other sign in related tasks which are going on. This fiddler will capture all the requests that are coming and also will give you the results based on what is happening in the background so that you can check and you can check based on the error codes and the status as in how the requests are coming and how is it responding and when it comes to activation. The other logs that we have to collect would be NULS logs, for installation it is ULS but for activation it is NULS log. And the next thing would be to browse through this URL - and to check if you are able to

see the metadata response and if it is passing through successfully. And if you see that there are any specific error messages that are  published on the metadata, then you can capture that and you can relay to the Microsoft support team to investigate. And one of the major thing that we have to always check is that office updates and Windows updates are always on the latest and the there could be some of the updates which might have already fixed the issues. If the customer facing and if it is a known issue that has been going on. So it would be best to have the office updated to the latest build and if the issue has impacted multiple users and everybody is on semi annual channel then you can try to check them or change the channel to the monthly channel to see if that is making an impact.

You don't have to do it at the same time for everybody, you can try to move one user to monthly and see if that is something that's resolving so that is something that you can use as a work around. If it seems to be a known issue. OK. Next thing would be to identify the machine state. So this is the command line that you can you use

dsregcmd forward slash status on command prompt as an administrator and this the screenshot that I have attached it shows only the device state as in the machine is just domain joined or if it is both domain join an Azure AD joined or if it is workplace joined etc. But apart from this you see a lot of other details as well. And that will also help us to identify. For example, let's say that the users have both domain joined as well as Azure AAD join and Azure Active Directory PRT that is refresh tokens Is something that is causing the issue. So when we run this command will be able to see those details as well. That

is, the PRT is getting refreshed. If that is being issued or not. So this is also something potentially that you can collect while working on customers or scenarios. OK, so moving on to some of the activation issues that we come across day in day out. So in this one of the really common issues that we see is the unlicensed product error. So you see either a pink ribbon or yellow ribbon where it shows that your office suite is going to expire in so and so days. So this is when

the office is running on reduced functionality mode where you can view and print, but. You are not able to edit etc. So in this specific scenario, we first went with the process. We checked if the user has the right license and the right sku which has been installed, and we identified that the user is able to activate the office in another machine. So this issue turned out to be specific to one machine, so after it was isolated to be machine specific, we collected the NULS and process monitor logs.

So some of the highlighters are shown in the screenshot at the right, where as to what we see in these logs. And yeah, we see that you know the error shows that there is a trial notification bar which shows that after so and so days, the office is going to expire. So after perusing through these logs, we found that there is one specific registry key called. Software protection platform and that specific registry key in the hkey current user was missing permissions and as soon as we gave, we created this specific key and we gave full permission to it. The issue was resolved instantly. For this user.

So, um. Coming to the next scenario. So here again, this is. This shows that something went wrong and then you are able to see the error code. So in this specific scenario is well. We identified that the issue was so specific to this machine. When we check the Fiddler, we see

that. So this is how it looks when we collect the fiddlers, and when you view the files so you will be able to see the request that is going and you will see the HTTP. Status error code, so here it shows 401 that is unauthorized and it also shows that you know the method requires client TLS but the client did not provide one. So, here again, this also was Identified to be machine specific, so we collected the Fiddler and there is another log called a AADWAM log that we collect when it comes to activation scenarios. We when it comes to activation scenarios,

we collect three logs simultaneously that is in tandem. We enable NULS logging. We enable AADWAM logging and we start the Fiddler and we reproduce the issue and then stop all three logging because we want to correlate based on the timestamp from all three logs when we're checking so that we can see what is happening at what instance, so that we can match the pattern to be able to understand the root cause. So, uh, I think due to the time constraint we're not able to show you the demo of how we enable this, so will include those details as well. So after we collected these logs we also found. That, first thing we found  there was a specific URL for office activation to run and that URL had to be added to the trusted site. We added that and we move the content from the specific yellow highlighted aspect you can see down here in the slide that is users XX XX appdata, Microsoft .AAD Broker plugin. So we found out that this specific thing was corrupted, so we move the content from this path and we moved it to desktop and we we before starting this we had also disconnected the device from Azure Active Directory. So after moving the

content from this specific location to the desktop, we rejoined the machine to the Azure Active Directory and the issue was resolved after that. So this is something that we took the route based on the log analysis for this specific scenario it could be different for different users for the same errors as in same screenshot of the error that you see. It might not be. The resolution might not be the same for all of them, so but these are some things that you can check. Some of the basic things like you know you can check some of the basic things in the registry. Like I

mentioned profile list for installation or scenarios, so those parts you can go and check if they are present Moving on to sign in issues. So, uh, sign in issues again of when it comes to sign in, it can be initiated using either the MSA account or or 365 organization ID. And we only support issues which are specific o365 org ID. And talk about different scenarios for sign in issues.

Some of the Generic errors Again, we get are - We are unable to connect right now. Please check network or  We get like a blank sign in window when you're trying to sign in to office. So, uh, when we're isolating. We can check if the issue is specifically with the either one drive for Business or SharePoint Online services, and then we can check if the admin has configured something called sign in options. So talking about sign in options, so this is specifically configured by the admin to restrict the users from  using multiple accounts to sign into or activate Office suite.

So some of the organizations  configure it so that they can restrict the users from using any guest account to sign in to as in to activate on their machine. May be due to some of the compliance reasons or organizational reasons they might have settled. So let's say that the user can multiple different accounts and their sign in options is set to an option such that only their O365 Org ID's are allowed to sign in then. They they will have to check with them with the customer with the administrator. If this is something that has been purposely done or if it is OK, then we can set the sign in options to zero when it is set to zero, that means both, org ID's and guest account etc are allowed. And next is, you always do ensure that Windows and office are up to date and we can also check if there are any specific conditional access policies or any tenant wide conditional access policies set on SharePoint Online.

Which might also, which might also impact office sign in. And just like for activation we collect a fiddler and NULS for the investigation for the sign in issues as well. OK. So we are going to some of the basic prerequisites for

activation scenarios. First thing would be Federated, uh, when it comes to Federated environment, we know that there is ADFS in place, so when there's ADFS in place or single sign-on should be enabled, it's mandatory and Office 365 portal sign on behavior also should be seamless. WIA that is Windows Integrated authentication should be enabled on the browser and we need to ensure that SMTP and UPN of the user should match. We sometimes see they have a different SMTP under different UPN, but when it comes to Federated or environment, both of these should match. Coming towards SCA persistent and non persistent, persistent and non persistent, specifically with regard to VDI that is virtual desktop infrastructures, so coming towards the differences between persistent and non persistent. To put it in a very simple manner, non persistent would be where there would be one parent image, and multiple clone images and persistent would be almost similar like owning a laptop but in non persistent VDI.

There could be some limitations. For example, let's say you have a persistent environment and you have some of the thick client applications like Adobe Illustrator, Photoshop, etc. And you've been using those and you have created certain layers etc and you have saved those settings. And if you log out and log back in, all these settings and cache and cookies will be saved. It will not get reset, but when it comes to non persistent, if you have such thick clients and you are making these changes, none of these changes will be saved. So all the cookies cache they get reset. Uh, the basic settings like bookmarks etc that

will be saved in non persistent but some of the other changes like I mentioned will not be set. But most of the most of the times we get a customers scenarios with non persistent VDI and environments itself. It's very rare that we get persistent and non persistent has a lot of advantages so as well over persistent when it comes to cost, and optimization etc. So most users use non persistent. And the SCA will not defer a lot for these two environments. It

is almost the same, and RDS is required regardless of the environment. And when it comes to persistent SCA key must be enabled while deploying office. It is not the mandate for non persistent. And but when I say SCA must be enabled, that is when Krishna was showing the and how to set the value so he spoke about shared computer activation as well and how to enable it so when you're using for president you have to ensure that it in the configuration file itself you have set it and the XML has the SCA value as one.

So, um again, SCA works with Office Pro Plus licensing model and for sure that is for M365 Apps for Enterprise and Under Business Plan It can be used for business premium So when it comes to non persistent shared computer activation, that is where we use the token roaming system that is, the licensing tokens are saved at a specific location and. In order to roam these tokens, there are two specific registries. That is a SCL  cache override which is set to 1. And SCL cache override directory. This is where you have to put the path where you are roaming the token. For example, I showed  in one of the previous slides there in local appdata - licensing folders we had saved is where we save the tokens so that path can be given, It has to be given in the SCL cache override directory. It can be different

as well. You can save it on some other locations, but any path where you  Save the token that is. That part should be initialized in SCL cache override directory. This can either be done in the registry or registry editor. Or it can be done in the group policy. So when it comes to troubleshooting these  scenarios so we have to ensure that the token stands valid for 30 days, sometimes we see issues where. After every 30 days or let's say after every 90 days,

shared computer activation breaks, as in they either get an error or it simply ask for username and password again, which it is not supposed to. So there could be many different reasons why it could happen. If the pattern is consistent, that is, it is happening every 60 days or every 90 days period, then one good thing to check would be based on their environment. That is, if they

had also, is there machine state is also that they have azure AD joined machines and domain joint. Then we can, there is one specific thing that we can check. If they have any Azure AD policies where they have configured token lifetime for you know for example. for password to get expired. So if something like the such policies have been configured on Azure AD level so that can impact the client. So we see a lot of issues where some of these policies play a factor when it comes to shared computer activation, so we can, it would be good to ask the customers if they have any such policies in place. And most times customers might also not be aware of what

kind of policies the admin has configured. So that in those scenarios we have to isolate and get to the root cause. And yeah, reduced functionality mode is went in office, so when it shows that you know user is not assigned with the office license though it has the right license. And some of the other common scenario is when it

comes to non persistent environment there could be a conflict due to roaming profiles as well as configuring SCL cache override. So roaming profiles is different from a roaming the token when we're roaming the tokens we are initializing these tokens to be saved at a particular path and we're roaming these tokens when we are using roaming profiles, that is when they are either using the standard method or they're using some other third party services the customer, in order to roam these profiles itself. Both of them are supported, but we need to ensure that when you are using, especially when you're going through the shared computer activation methods, what Microsoft has published based on that. If your environment has the infrastructure which will match to that, or you can explore different options based on how you want it to be implemented as well. And, uh. Next thing, the important thing is that this specific keys that I was talking about SCL cache override and SCL cache override directory. They have to be

either configured manually, that is while creating the XML or by GPO that is either manually or by registry editor or or by GPO It cannot be both because if you configure both then the client will get confused as to which is the one that it has to pick, and it won't be able to prioritize. And then it will just give errors so it can. It always has to be one of these and or it can never be both. And again with sca also the logs to collect would remain the same fiddler NULS and AADWAM. And yeah, that's it for shared computer activation. So coming to the office updates.

Talking about the mode of updates, it can either be automatic updates or  GPO based or SCCM. So when mostly in the large organizations we see that they either have a SCCM in place or they are using group policy for controlling the updates because they want to have more control on how the updates are done etc. So um, update channels. There are three different that is current channel we have monthly enterprise channel and we have semi annual enterprise channel So when it comes to current channel, it provides users with the newest office features as soon as they're ready, and current channel usually receives new feature

2021-01-26 15:30

Show Video

Other news