Easily switch Office update channel with Intune

This blog post is a follow-up to the recent post that I made on the Office Update channel topic. But in there, I talked about the change of the Office update channel due to Cloud Policy getting enabled at the tenant level.

But here in this post, the situation is a bit different, as in consider,

• you have no cloud update policy in the tenant, and
• you only deploy the Office package using the built-in Intune application package, in which, you have the update channel set to Semi-Annual channel, and
• you have no existing policy configuration in Intune to set the Office update channel on managed devices
• the devices are purely cloud-managed, so no ConfigManger or interfering GPO is in place.

Yet you notice the issue of Office installation on your corporate Windows fleet deviating from the initial Update channel (semi-annual for our case) with which it was deployed and instead reverting to using the Current channel.

Thus, the question of this blog post

How to remediate Office update changes when deviation is detected and bring them back to their desired update channel?

Remediate and switch the Office update channel with Intune

Detect Office Update channel deviation:

As you can already guess, I will be going the Intune remediation way.

Below is a sample detection script that can detect if the current instance of the Office application on a managed device is using the update channel with which it was installed.

try
{
    $Path = "HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration"
    $CDNBaseUrl = Get-ItemPropertyValue -Path $Path -Name "CDNBaseURL"
    $UpdateChannel = Get-ItemPropertyValue -Path $Path -Name "UpdateChannel"
    If ($CDNBaseUrl -ne $UpdateChannel) {
   
       # Remediation needed on exit code 1
         Write-Output "Remediation needed"
         Exit 1
    }
    else
    {
       # Remediation not needed on exit code 0
         Write-Output "Remediation not needed"
         Exit 0
    }
}
catch
{
    $errMsg = $_.Exception.Message
    Write-Output $errMsg
    Exit 1
}

A quick explanation of the logic behind the script:

You can find the configuration details for the current Office instance from the registry path HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration

The registry key CDNBaseURL points to a unique update channel GUID URL. This gets set when Office is installed on the device and the value of this cannot be changed.

But the update channel that the Office installation is using actively is shown by the value of the registry key UpdateChannel, which is a dynamic key, the value of which changes depending on the winning configuration provider settings value.

For an ideal scenario, the values of the CDNBaseURL key and UpdateChannel key should match, pointing to the same channel GUID URL, meaning the Office instance is using the same update channel configuration with which it was installed.

However, if the value doesn’t match, means there is a problem that needs remediation.

Remediate Office Update channel deviation:

To remediate the deviation, we will need two things as followed:

• A policy from Intune to set the correct update channel for Office on the managed devices, and
• A remediation script to trigger the Update channel switch.

Step 1: Create an Intune policy to set Update channel for Office apps

Create the policy following the guide here Update Microsoft 365 using administrative templates in Microsoft Intune | Microsoft Learn

• Enable Automatic Updates for Microsoft Office 2016 (Machine) set to Enabled
• Update Channel (2.0) set to Enabled and configured to Semi-Annual Channel

Once the policy is created, deploy it to the required group that targets the devices on which you want to remediate the Office Update channel issue.

You can confirm the policy application state on the device using the registry.

Looking at reg path HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\<Provider ID>\default\Device\office16~Policy~L_MicrosoftOfficemachine~L_Updates, as per the guide, since we see L_UpdateBranch has value <enabled /><data id="L_UpdateBranchID" value="Deferred" /> that means the Intune policy is applied and it’s set to Semi-Annual Channel.

The same can also be seen from the below registry on the device.

Step 2: Use remediation script from Intune to trigger the update channel change for Office apps.

Below is the sample remediation script that you can use to trigger the Office update channel change.

try
{
    $Path = "HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Updates"
    Set-ItemProperty -Path $Path -Name "UpdateDetectionLastRunTime" -Value "0"
}
catch
{
    $errMsg = $_.Exception.Message
    Write-Output $errMsg
}

### Triger Office C2R client to initiate an update

$processArgs = @{
    'FilePath'     = "$env:ProgramFiles\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe"
    'ArgumentList' = "/update user"
    'Wait'         = $true
}
if (-not (Test-Path $processArgs['FilePath'])) { throw "OfficeC2RClient.exe not found!" }
Start-Process @processArgs

Note: The detection as shown earlier and the remediation as shown above is part of the same remediation package deployment.

Once the remediation finishes, you will have Office revert to the desired update channel on the targeted device(s).

How to implement the same?

Ending

That was all for today. Will be back with some other topic soon. But before we end for today…

Another use-case for this remediation approach

If you are restricting office installation to follow the Semi-Annual update channel, and need to rollout copilot, and for the same, deploying another instance of the Office365 package from Intune set with the Current update channel, this same approach can be utilized to trigger Office update channel change on such managed devices from semi-annual to current channel without requiring uninstallation of the existing office instance.