Control Office365 Pro-Plus version/channels with Intune

Standard

With Microsoft Intune we can control the Windows 10 Update rings by using the Software Updates policies. For the Office365 Pro-Plus installations this is a different story, at this moment we are not able to configure this through a GUI policy within Intune. In my current project it’s one of the requirements to control and enforce the update channels of the Office365 Pro-Plus installations. I was discussing this requirement with my colleague Peter van der Woude and he challenged me to check if this was possible through ingesting a Office ADMX policy file. My answer was: Challenge Accepted! Smile

This blogpost covers the steps needed to configure Intune so you’re able to control and enforce the Office365 Pro-Plus update channels. I will not explain the technology in detail since this is documented very well here and here. Also my colleague Peter has written some great posts about this, you can find them here and here. With these links you should have enough background information for this solution. Now let’s dive into the steps and configuration needed to control the Office365 Pro-Plus update channels. I started with searching for the Office 2016/Pro-Plus ADMX files, I found them here. In this package of ADMX files the office2016.admx is the file you need when you want to control and configure the update channels of your Office365 Pro-Plus installation.

My first try was to ingest the office2016.admx with Intune but this failed with an error that there was a catastrophic failure during the ingestion of the ADMX file. Since this ADMX file is large my second try was to just cut and paste the ‘update’ section from this file in a new ADMX file and try to upload this file with Intune, but this ended in the same error on the client. After testing some other solutions I found out that when I remove the following text (‘noSort=”true” required=”false”’) from the Enum entry L_UpdateBranchID I was able to ingest the ADMX file through Intune on the clients. When I resolved this issue I was able to configure the update channels. I configured the following within Intune to control the Office365 Pro-Plus channels:

Office365 ADMX Ingest Policy:

  1. Create 3 groups for each Office365 Pro-Plus update channel: Monthly Channel, Semi-Annual (Targeted) channel and Semi-Annual channel.
  2. Go to the Intune section in the Azure portal (https://portal.azure.com)
  3. Go to Device Configuration –> Profiles and click on Create Profile.
  4. Give the profile a Name, select Windows 10 and later as platform and select Custom as Profile type.
    image
  5. Now click on Add to add the OMA-URI setting. Enter a Name for the setting. Enter the following OMA-URI setting: ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Office365ProPlus/Policy/Office365ProPlusUpdateADMX
  6. Select String as data type and add the following XML to the value section:
  7. Now Save the policy and assign the policy to all groups created in step 1.

The above policy will ingest the ADMX file to the Windows 10 client so we can configure the update channels through another policy. The following steps can be used to create the policy for each update channel you want to configure:

    1. Go to the Intune section in the Azure portal (https://portal.azure.com)
    2. Go to Device Configuration –> Profiles and click on Create
      Profile
      .
    3. Give the profile a Name, select Windows 10 and
      later
      as platform and select Custom as Profile
      type.
    4. Now we need to add the OMA-URI settings for enabling automatic updates, configure the update channel and hide the option to disable updates. For each of these settings we need to add an OMA-URI setting with a value (type –> String):

      Enable Automatic Updates
      OMA-URI:
      ./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_EnableAutomaticUpdates
      Value: <enabled/>

      Configure Update Channel
      OMA-URI:
      ./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateBranch
      Value: <enabled/><data id=”L_UpdateBranchID” value=”Current”/>

      Hide Disable Updates Option
      OMA-URI:
      ./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_HideEnableDisableUpdates
      Value: <enabled/>

    5. Click on Save to add the policy to Intune
    6. Assign the policy to the corresponding group created in the first step of this blogpost.

Note that the values in Step 4 of data_id L_UpdateBranchID are the following:

Update Channel Channel Setting
Insider Channel InsiderFast
Monthly Channel Current
Semi-Annual (Targeted) Channel FirstReleaseDeferred
Semi-Annual Channel Deferred

When you’ve configured above policies you will see the following in the registry of the Windows 10 clients:

Ingestion of the ADMX file results in the Registry:
image

Results of the Update Channel policy settings in the registry:
image

and:
image

When the above settings are set in the registry the next time the Office365 update task runs the Office365 Pro-Plus will change to the configured channel and the Office365 Pro-Plus installation will be upgraded or degraded to the right version. During my testing the policy from Intune was only applied after a login of the user. With above configuration you will be able to configure and enforce the version and update channel of the Office365 Pro-Plus installations. This solution is tested on Windows 10 1709.

6 thoughts on “Control Office365 Pro-Plus version/channels with Intune

  1. Mickael

    Hello,

    Thanks for this great article. I have a problem when i try to ingest the part of the admx that you give.
    When i deploy it, i have this error message:
    MDM ConfigurationManager: Command failure status. Configuration Source ID: (0D784085-89B4-4960-8184-F3DE75A9D34C), Enrollment Name: (MDMDeviceWithAAD), Provider Name: (Policy), Command Type: (Add: from Replace or Add), CSP URI: (./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Office/Policy/Office.admx), Result: (Invalid data format for the specific protocol operation.).

    So i have tried to put only the “EnableAutomaticsUpdate” part and it’s working.
    Do you know what could be my problem?

    Thanks

    • Arjan Vroege

      Hi Mickael,

      You’re right. I replaced the ADMX with a working one and uploaded the ADMX to GitHub.
      I’ve tested this one and it’s working on my clients.

      Let me know if this solves your issue,

      Regards, Arjan

  2. Mickael

    Hi,

    Thanks for this update, it’s working fine now. Could you tell me what was the problem? It could help me if i have the same problem with another ADMX file.

    Regards,
    Mickael

  3. RKast

    Can you do a write-up how to ‘minimize’ the admx file, you did not use the whole admx content. So how did you ‘trim’ down the admx content to what you have 🙂

Leave a Reply