The writing style for this brief post will not be like the usual blog posts that I do, but more like a service ticket being handled. So let’s get started with it!
Table of Contents
Title: The case of wrong Office update channel on Intune-managed Windows devices.
Issue Description
- We run an M365 cloud-only environment with devices managed purely from the cloud with Intune.
- We deploy the built-in Microsoft 365 Enterprise App from Intune set to the Semi-Annual channel for our managed Windows corporate devices.
- We have no other specific configuration profile/policy in Intune to determine the Office update channel.
The expected behavior was to observe a single version of Office throughout the environment, all in the Semi-Annual channel. But the actual observed behavior was somehow different, as can be seen from the snap below.
We observe that on many of our Windows corporate Intune-managed devices, the Office app suite has jumped the update channel and moved to the Current channel.
What is the Desired Outcome?
To be able to move back Office to the intended Semi-Annual update channel on all the Intune-managed Windows devices.
Troubleshooting checks performed
As already mentioned,
- Our environment is purely cloud and thus the devices are fully cloud-managed, meaning Entra ID joined and managed from Intune, and as such, there is no GPO in the context.
- We also did not have any configuration policy created in Intune to interfere with the Office update channel on the devices.
We ended up opening a service request to Microsoft. The MS engineer assisting us, post doing his checks, also confirmed that he couldn’t identify any misconfiguration in our tenant either.
He advised us to create the policy as per the following guide – Update Microsoft 365 using administrative templates in Microsoft Intune | Microsoft Learn and let him know of the outcome from it.
We created the policy as described.
- Enable Automatic Updates for Microsoft Office 2016 (Machine) set to Enabled.
- Update Channel (2.0) set to Enabled and configured to Semi-Annual Channel.
Confirmed that the policy reported as succeeded on the affected devices. [I forgot to take the snapshot!]
But I did not forget to take a snapshot of the reg path HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\<Provider ID>\default\Device\office16~Policy~L_MicrosoftOfficemachine~L_Updates from an affected device with the above-created policy applied.
As per the guide, since we see L_UpdateBranch has value <enabled /><data id=”L_UpdateBranchID” value=”Deferred” /> means the Intune policy is applied and it’s set to Semi-Annual Channel.
The same can also be seen from the below registry on the device.
Snapshot of reg path Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration
Here the regKey CDNBaseURL points to the Semi-Annual channel.
It is to be noted that this key is set when Office is installed on the device, meaning Office correctly installed with the Semi-Annual channel set.
But regKey UpdateChannel points to the Current channel.
Now this is a dynamic key that changes depending on the winning configuration settings.
Thus, even though we see that the Intune policy is getting applied, but it is not taking effect, because there is somehow, another policy for the Current channel coming from somewhere, which is winning, and thus overriding the Intune configuration.
As such, even if we run the Office Automatic Update 2.0 task following the MS guide as above and the task runs successfully, it doesn’t make any changes to the Office update channel as we would have expected it to.
The question that comes to us is
What is this policy for the Current channel and where it is coming from?
As already mentioned, since the devices are purely cloud-managed, there is no context of GPO and Config Manager coming in here. There is no other policy configured in Intune also confirmed to be conflicting. Then from where else can we set Office update policies?
There can only be two other admin portals as below.
- Microsoft 365 Apps Admin Center (config.office.com)
- Microsoft 365 Admin Center (admin.microsoft.com)
However, the settings configured in Microsoft 365 Admin Center are only applicable to unmanaged installations and don’t affect managed installations.
Since we are dealing with managed installations on managed devices here, then the only place left to us is the Microsoft 365 Apps Admin Center, and surely, it turned out to be that somewhere from where the Current channel policy was being pushed to our managed devices.
It was found out that somehow, cloud update got enabled in the Microsoft 365 Apps Admin Center which resulted in many of our devices being targeted with the cloud update policy.
As MS states, if a device receives update channel related policy from multiple sources, as in our case, from Intune and Cloud Update, the Cloud update policy will always take priority and the Intune policy, even though getting applied, will not get enforced.
And finally, Getting to the Resolution
As in our case, since the requirement is to have all managed Office installations in the Semi-Annual channel and because Cloud update at this point has no support for the same, the way forward was to completely disable/deactivate Cloud update for the tenant.
Cloud update currently supports only Current and Monthly Enterprise channel with support for Semi-Annual channel listed as a coming soon feature.
If you wish to continue with cloud update, you may not need to deactivate it completely. But then use the exclusion in the cloud update configuration to scope out devices which you want to follow the settings from Intune or other management tool (Config Manager/GPO) that you have in your environment.
Post deactivating (excluding device from) cloud update, to get the Office app on an affected device to move back from the Current channel to the Semi-Annual channel, we need to do either of the following.
Possible Action #1
- Step 1: Delete the regPath HKLM:\SOFTWARE\Policies\Microsoft\cloud\office\16.0\Common\officeupdate which pertains to the Office cloud update policy hub.
- Step 2: Delete the present value of the regKey UpdateDetectionLastRunTime at regPath HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Updates and set it to value 0. This helps to reset the update detection last runtime clock for the Office C2R client.
- Step 3: Trigger Office update.
This can be done by running the Office Automatic Update 2.0 task from the Task Scheduler or initiating an update manually from any of the Office apps, or if you prefer the PS way, then by using the short code below.
$processArgs = @{
'FilePath' = "$env:ProgramFiles\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe"
'ArgumentList' = "/update user"
'Wait' = $true
}
if (-not (Test-Path $processArgs['FilePath'])) { throw "OfficeC2RClient.exe not found!" }
Start-Process @processArgs
Possible Action #2
- Step 1: Ensure regPath HKLM:\SOFTWARE\Policies\Microsoft\cloud\office\16.0\Common\officeupdate contains regKey ignoregpo with value set to 0. [This means the device is now excluded from the cloud update servicing profile and you can use other management tools to take control of office updates on the device]
- Step 2: Configure the policy as explained in the guide Update Microsoft 365 using administrative templates in Microsoft Intune | Microsoft Learn and have it pushed to the said group of devices.
- Enable Automatic Updates for Microsoft Office 2016 (Machine) set to Enabled
- Update Channel (2.0) set to Enabled and configured to Semi-Annual Channel
- Step 3: Delete the present value of the regKey UpdateDetectionLastRunTime at regPath HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Updates and set it to value 0. This helps to reset the update detection last runtime clock for the Office C2R client.
- Step 4: Trigger Office update.
This can be done by running the Office Automatic Update 2.0 task from the Task Scheduler or initiating an update manually from any of the Office apps, or if you prefer the PS way, then by using the short code as provided earlier.
Ending
Either way, once the update action is complete, you will notice that the Office apps have moved back to the Semi-Annual channel on those managed devices where the action is performed. You can verify the same from the registry as well.
1 Trackback / Pingback
Comments are closed.