SCCM Office 365 dashboard Unmanaged clients

If you’ve always been managing your Office 365 (Now Microsoft 365 Apps) clients with SCCM, and suddenly realize you have Unmanaged devices in your dashboard, you’re not alone. Don’t worry, it’s not a bug, it’s a feature! And I’ll explain all about it in this post so you can regain full control over your managed 365 Clients.

What happened?

As Microsoft is pushing very hard for the Cloud, they added a new way to manage Office 365 clients other than SCCM. Unfortunately, the cloud management console also relies on the same “OfficeMgmtCOM” registry value as SCCM’s client management.

Your Clients are not “Unmanaged” as SCCM’s dashboard says, they are now managed by the Cloud console instead.

How did this happen?

Since the beginning of Office 365, Microsoft has been recommending enterprises to use the Semi-Annual channel for better reliability. In recent years, they changed this recommendation and now ask Enterprises to move to either Monthly or Current channels.

If someone went to the 365 Cloud Management console and enabled cloud management, this is where the fun begins.

After Cloud update has been enabled, once you move to either Current or Monthly channels, it also changes the management console to the Cloud console automatically.

Why does this happen when changing channels?

There are 2 reasons for this:

1. The Cloud Management policies have higher priority than anything else, including:
   • SCCM’s client settings (local policies)
   • Group Policies
   • Intune Configuration Profiles
2. The Cloud Management console only supports the Monthly and Current channels currently, so devices on Semi-Annual are not being switched to Cloud Management and remain managed by SCCM.

What is this Cloud Management Console?

https://config.office.com

Microsoft’s description : Cloud update provides advanced management capabilities, offers more comprehensive insights, and gives you better control over your Semi-Annual Channel (coming soon), Monthly Channel, and Current Channel updates.

The Cloud management portal does offer much better management capabilities than SCCM has, but it only works with “Cloud Updates”, meaning your updates are downloaded directly from Microsoft’s servers, or from peers using Delivery Optimization. You cannot use SCCM Distribution Points to deploy Office updates for computers managed by the Cloud.

How can SCCM regain control of the Cloud-Managed devices?

The best way to regain control over your now Cloud-Managed devices in SCCM is to create an Entra ID (Azure AD) group containing all the devices that you want to manage using SCCM, and add it to the Exclusions in the Cloud portal.

1. Go to https://config.office.com
2. Click the Sign in button and login with your account that has one of the following roles assigned:
   • Global Administrator
   • Security Administrator
   • Office Apps Administrator
3. Expand Cloud Update
4. Click on Overview
5. Click on Tenant Settings

6. Click on Exclude Groups
7. Select “Exclude specific groups of devices”
8. click “Add group to list”

9. Search for your previously created exclusion group, select it and click Add to list

Not seeing “Cloud Update” and instead seeing “Servicing”?

The Cloud Update pane is currently only available in public preview. If you don’t have access to the preview and still only see the Servicing pane, the procedure is a little different. The principle is the same, but the exclusions are applied at the servicing profile level instead of at the tenant level like above.

1. Go to https://config.office.com
2. Click the Sign in button and login with your account that has one of the following roles assigned:
   • Global Administrator
   • Security Administrator
   • Office Apps Administrator
3. Expand Servicing
4. Click on Monthly Enterprise (repeat steps below for all channels listed under Servicing)

5. Go to Settings

6. Scroll down to the section Exclude Devices
7. Select “Exclude specific groups of devices”

8. click “Add group to list”
9. Search for your previously created exclusion group, select it and click Add to list

SCCM Office 365 dashboard Unmanaged Clients – Troubleshooting Hints

If you do not see the Cloud Update section, make sure you have one of the 3 following rules assigned and active on your account :

• Global Administrator
• Security Administrator
• Office Apps Administrator

If you had the Cloud console opened before enabling the role with PIM, a refresh is not enough. You’ll need to sign out, and sign back in.

Unmanaged clients do not appear in Cloud Console, but OfficeMgmtCOM is set to true in registry

If you realize that your clients are no longer managed by SCCM, and also not managed by the Cloud console, then it may be because they are managed by Intune.

To validate this theory, open your SCCM Console, go to Administration -> Cloud Services -> Cloud Attach and open the Properties of CoMgmtSettingsProd

Check the Co-management settings under the Enablement Tab to confirm if you have devices that are co-managed

Next, go to Workloads, and see the status of the Office Click-to-Run apps slider:

If the slider is switched to Pilot Intune or Intune, then you’ll need to change it back to Configuration Manager to have it manage those devices again.

Office 365 Client Inventory Report

If the built-in Office 365 Dashboard is too limited for you, we have developed a free Office 365 Inventory report. You can use this report to identify everything related to Office 365. You can download it for free on our store.