SCCM Office 365 updates management is finally integrated to the standard software update process (since the release of SCCM 1602). Prior to this release it was announced as a new features, but it was not completely managed. It was necessary to add Office 365 updates to WSUS manually in order to manage them trough SCCM software update afterward. It’s now manageable natively with the release of SCCM 1602.
The integration of Office 365 Updates to SCCM will ease overall management of updates with these key features :
- Centralized management
- Standard Software Update
- Ability to use Automatic Deployment Rules
- Easier distribution to branch offices with Software Update packages
- Applications can run while updating
Before this integration, Office 365 Updates needed to :
- Manually downloaded
- Manually distributed or to create a package than distribution on Distribution Point
- Application need to be shut down before the update
This post will explain how to natively manage Office 365 desktop client update with SCCM 1602 and later. Refer to our post on how to deploy Office 2016 using SCCM if you’re looking at a complete Office 365 installation guide.
[su_box title=”Update : 2016-09-26″ style=”glass” title_color=”#F0F0F0″]
Following recent modification to the documentation on Technet (link https://technet.microsoft.com/en-us/library/mt628083.aspx )
Here’s what’s new :
- Minimum versions per channel :
- Current Channel, Version 1602
- Build 6741.2017
- First Release for Deferred Channel, Version 1602
- Build 6741.2014 (same as before)
- Deferred Channel, Version 1602
- Build 6741.2048
- Current Channel, Version 1602
- Because the version numbers are not the same for each Channel, here how to validate what Channel is installed. You can also refer to our free Office 365 inventory report to display your versions.
- Under the registry key HKLM/Software/Microsoft/Office/ the value of CDNBaseURL should match one of the following.
- For Insider Preview / First Release for Current Channel:
- For Current Channel :
- For First Release for Deferred Channel :
- For Deferred Channel:
- Look our post about Office 365 inventory to help out (link https://systemcenterdudes.com/sccm-office-365-inventory-report/ )
- Office 365 client supported products :
- Office 365 ProPlus
- Visio Pro for Office 365
- Project Online Desktop client
- Office 365 Business
- Use the latest Office 2016 deployment tool to create the original installation package
- Updated : 9/9/2016
- Use the latest Office 2016 ADMX
- Updated 9/2/2016
SCCM Office 365 Updates Configurations
There are two ways to configure Office 365 to get updates from SCCM :
- Using the Configuration.xml at installation time of the Click-to-run package
- Using Office 2016 latest GPO
- SCCM 1602 or later
- Windows Server Update Services (WSUS) 4.0
- Office 365 Client – First Release for Deferred Channel version 16.0.6741.2014 or later
Determine which Office 365 Channel to use[su_box title=”Office Channel” style=”glass” title_color=”#F0F0F0″]The Office team has recently changed terminology from Branch to Channel.[/su_box]
Before we go on to the configurations details, choosing your management Channel is key for managing updates.
With standard software updates, you probably used different Software Update Group / Deployment to manage test, pilots and production groups to validate updates.
For Office 365, similar process can be done. There’s 4 different Channels :
- First Release for Current Channel
- This is basically an Insider build for Office
- Current Channel
- Provide users with the newest features of Office as soon as they’re available
- First Release for Deferred Channel
- Provide pilot users and application compatibility testers the opportunity to test the next Deferred Channel
- Deferred Channel
- Provide users with new Office features a few times a year
The best example on how to use this comes from Technet :
- Provide a group of pilot users with Current Channel, so they can try out the new features of Office as they become available
- Provide your application compatibility testers with First Release for Deferred Channel so that they can test that the finance applications will work with the next Deferred Channel release
- Provide your finance department, which has several key line-of-business applications, with Defered Channel
As of now, only First Release for Current Channel and First Release for Deferred Channel are available in SCCM. Current Channel and Deferred Channel should be available in the next months.[su_box title=”Important” style=”glass” title_color=”#F0F0F0″]Configuration.xml and GPO haven’t been updated to match the terminology of Channels. They both still use Branch.[/su_box]
Configure Office 365 Click-to-Run Package
- Download the Office Deployment Tools
- After downloading the tool, run OfficeDeploymentTool.exe
- Extract the files to a drive on your computer
- You’ll end up with 2 files – Setup.exe and Configuration.xml
- Edit the Configuration.xml file using a text editor
- Change the Branch and OfficeMgmtCOM value to Validation and True respectively
- Editing the Configuration.xml this way will :
- Download and install Office 365 First Release for Deferred Channel
Branch = Validation
- Enable Office to be managed by SCCM
- OfficeMgmtCOM = True
- Download and install Office 365 First Release for Deferred Channel
With the change to Channel, the latest OCT needs to have the new values for Channel instead of Branch.
The possible values are :
- Launch the Office 365 installation using a command line :
- Setup.exe /configure Configuration.xml
All details about Office Deployment tool can be found on Technet.
Configure Office 365 Update using Group Policy (GPO)
Using this method will override configurations made by Configuration.xml at install time.
You could use both if you want in order to support already installed Office 365 as well as new installations.
- Download the Office 365 ADML/ADMX
- Import ADML/ADMX in your GPO repository
- Create an Office 365 GPO and edit it
- Go to Computer Configuration / Policies / Administrative Templates / Microsoft Office 2016 / Updates
- 2 settings must be configured :
- Office 365 Client Managment
- Set this setting to Enabled – This allow SCCM to manage update for Office 365
- Office 365 Client Managment
- Update Channel
- Set this setting to Enabled
- In the Channel Identifier field, enter Validation for First Release for Deferred Channel – (Refer to Technet documentation for Branch Configuration Names – Current, Business, Validation)
As per our testing, the GPO as no impact to change the Channel for Office 365 when managed by SCCM.
When SCCM manage the updates, it will support only the Channel specified at the installation time.
Example : You install Office 365 with Current Channel. You have a GPO setting Channel to Deferred. You deploy release updates with SCCM for Current and Deferred Channel, the client will only see the update for Current as necessary. Deferred will never be applied.[/su_box]
- Configure Hide option to enable or disable updates to ensure user don’t disable updates
- Here’s the results in Office when setting is set to Not Configured or Disabled
- Here’s the result in Office when setting is set to Enabled
[su_box title=”Update 2016-09-26″ style=”glass” title_color=”#F0F0F0″]
The Update Enabled element in the configuration.xml or in the GPO should be set to TRUE/Enabled
Quote technet : “Also, we recommend that you set the value of the Enabled attribute to True in the Updates element. If you set the value of the Enabled attribute to False, Office 365 clients can still receive updates from Configuration Manager. But, users won’t see any notifications when updates are pending”
NOTE: even with this from the TechNet Documentation, we can’t say the real impact with SCCM managing the update.. We have tested with True and False. Both times, updates were available within the Software Center as excepted.
It might only affect this warning, when updates comes straight from the web without SCCM involved.
- Configuring Enable Automatic Updates, is also a good idea to prevent clients from updating automatically
- Here’s the results in Office if setting is Not Configured or Enabled
- Here’s the results in Office if setting is Disabled
Configure SCCM 1602 and Later
Software Update Point
- Ensure that you are running SCCM 1602 and later (How to verify)
- Go to Administration / Site Configuration, select Configure Site Components / Software Update Point on the top ribbon
- On the Products tab, select Office 365 Client
- Initiate a synchronization by clicking Synchronize Software Updates on the top ribbon
- Once the synchronization is completed, Office 365 client updates will be available in Software Library / Software Updates / All Software Update
- They can be managed just as any other updates
Software Update Group
- Go to Software Library / Software Updates / Software Update Groups
- Create a new Software Update Group
- Download the update to a new Deployment Package
- Be sure to select the needed languages for your environment
- Each updates will take more than 1GB of disk space. Take that in consideration when downloading your updates
- Before updating, the Office 365 version is 16.0.6741.2014 which is the minimum requirement for updating from SCCM
- Initiate a Software Update Scan Cycle and Software Update Deployment Evaluation cycle on your client. The update will be available to the client
- Compared to standard Software Update, the Office 365 Update is not downloaded in your SCCM Cache folder (By default – C:\Windows\CCMCache)
- Instead, the update will be downloaded in C:\Program Files (x86)\Microsoft Office\Updates\Download
- The update will automatically clean itself after rebooting
- Interaction in Software Center is exactly the same as any other Software Update
- Even with all Office products opened during updating, we encounter no problem for the installation, without user interaction
- Once computer is restarted, Office as been updated
SCCM Office 365 Software Update Reports
Related SCCM reports that give you detailed information about Office 365 Software Updates.
My question is related to deploying Office 365 updates via SCCM 1806 using ADR we seem to be having issues with the updates installing outside the collection defined maintenance window. The ADR rule runs on Tuesday but starts installing the updates the next day on Wednesday, our collection is setup with a Maintenance window for Friday. Our clients try to postpone the update for 2 hrs but get the next alert 30 minutes later that that they have 30 min before the office application closes and update installed. Is there a way to control the install of the O365 updates to follow the collection defined maintenance window. I found in your blog that it’s recommended to set the following GPO setting OfficeMgmtCOM=”TRUE” does this setting allow SCCM to manage the maintenance window, is this also the same setting configured in the client device settings in SCCM
Anyone have an idea how to force Office 365 to check for and retrieve an update AFTER changing the update channel when using SCCM as the delivery mechanism? We that the channel is controlled by the CDNBaseUrl value, but after changing that, how do you force it to then get an update on that channel? Thanks for any assistance.
To change the channel using the built-in mechanism, run this:
OfficeC2RClient.exe /changesetting branch=
To force an update check, run this:
OfficeC2RClient.exe /update user
Otherwise it can be updated via SCCM as usual.
Can’t seem to find an easy answer to this, but is there a way to ‘update’ the deploy package for O365 without just having to create another one? I created it from inside ConfigMan and that is 8431.2215. I created this over 6 months ago and we are now into a pretty large roll out and it is putting an older version and then requiring the updates to come down to bring it to latest version. Seems like a waste in my mind.
thoughts or ideas?
I have to say I’m not impressed by the message the user gets when you disable Enable Automatic Updates. Office is still updated, but pushed from SCCM rather than pulled by the computer. The user, if they see that, is likely to contact support.
Thanks for the nice guide. I am following Mikael Nystrom’s blog https://deploymentbunny.com/2013/12/08/nice-to-know-put-office365-click-to-run-in-the-ref-image-using-mdt-2013/ to put Office 365 into my reference image. During OSD, I run an OPPTransition command to activate following the guide from Garrett at https://sysadminedu.wordpress.com/2017/01/07/step-by-step-guide-to-deploying-office-365-pro-plus-with-device-based-activation-with-sccm/. That works fine, but when deploying to machines, the channel is always the “Semi-Annual Channel” and I would like to change to “Monthly”. There are command line options for changing the channel at https://blogs.technet.microsoft.com/odsupport/2017/05/10/how-to-switch-channels-for-office-2016-proplus/. Would that be something that can be run after the OPPTransistion step during OSD? Would this need to be done in a wrapper to prevent the task sequence from moving on to the next step?
After a long time of trying to figure out why I couldn’t update any of my o365 client for a long time, I finally found the culprit.
Inside of Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration
“UpdateChannel” and CDNBaseUrl MUST match or else the o365 update will never show up.
Would be nice if you could post this, I’m sure there a lot of other people out there also trying to figure this one out.
thanks for sharing this information. One of my client provided the exact same information.
I’m looking for more details on this, if you can provide more, it my be enough for a post about this…
I’m wondering about, was this an upgrade from 2013 C2R?
– Were you trying to update from a network share prior to SCCM?
– What was in the UpdateChannel?
– What was in the Config.xml?
– any Office 2016 GPO settings?
– Office COM Management enabled in SCCM clients?
You can email me at email@example.com
Steps worked like clockwork, great article ! I However do have a couple of questions.
Once users are migrated is the a report /query in SCCM than can display the following information.
1. All installations of Office 2016 (click to run version)
2. The account that was used to activate then installation.
We are trying to verify if the installation !
Pingback: Ms Office 2010 Error 1704
What is the recommneded option if Office clients are still on 16.0.4549.1000 or 16.0.4591.1000 ?
Fresh installs across the fleet? 🙂
My client is currently set to First Release for Deferred Channel and has the following link set in the registry
I have deployed out two FRDC updates but none has gone through on his machine.
This is the client’s MS Office Folder
https://i.imgur.com/GZdmiN6.png – with nothing in it that folder. Just detection.
Can you please advise?
Can you control which updates to deploy and what updates not too?
I can see all the updates in SCCM and deploy them successfully. Software Center shows them installed however the version doesn’t upgrade. Machine is on Current Channel and running 1703 (16.0.7927.1020). When I install the 1704 update via SCCM it says successful but after reboot it is still on the same version.
Hi @ all
In my environment with SCCM 1610CU2 the Office Update in deffered channel works fine.
Did someone else recognized, that the client transfers 1000 small .tmp file and not one big one ?
“When SCCM manage the updates, it will support only the Channel specified at the installation time.” So this means you can never change to a different channel?! This totally explains why my machines do not show updates as Required in SCCM. All machines are installed with the channel set to First Release Deferred. I have changed the channel on some machines via gpo to Current but the updates never show as Required in SCCM. I really hope this a bug and MS fixes it. Thanks so much for all your articles!
I am noticing the same thing as you. I have over 5000 clients world wide with Office 365 (2016) installed and “Required” is zero for all of them. We prevented them from updating from the CDN back in mid October 2016 via the suggested GPO. We’re just now looking into deploying updates internally via SCCM however this makes no sense whatsoever.
Office 365 clients are currently getting updates from the Microsoft CDN. Then we enable management of Office 365 Client Agent from the client settings within configuration manager or via group policy. Will the Office 365 clients still check for updates against the Microsoft CDN or setting Office 365 management from SCCM prevents this? Otherwise, we are forced to disable automatic updates to accomplish full control of O365 updates?
I was recently working on getting Deferred updates up and running for my company. I am able to see Updates in SCCM, I can see my test PC needs the update, I can download and deploy to my test PC but the job errors out
“The hash value is not correct” – 0x80091007
I have 16.0.6965.2092 installed
I verified regedit to have CDNBaseUrl to be http://officecdn.microsoft.com/pr/7ffbc6bf-bc32-4f92-8982-f9dd17fd3114
I verified UpdatesEnabled = True
I verified OfficeMgmtCOM = True
I could see some temp files in c:\windows\ccmcache but now they are gone. I did some reading on this page and see you said they will be in C:\Program Files (x86)\Microsoft Office\Updates\Download and I see a “PackageFiles” folder that was created around the time of the deployment and it has 16.0.7369.2055 folder inside of it, but that folder is empty.
So my guess is the files are not making it to the local update folder like they should. But I do not know why
XML config below
Clicked the “Update Now” inside of Office and it appears to be downloading…but from the internet. Which is what WE DO NOT WANT but this proves it is getting out to microsoft site. But in reality we never want our clients going to the internet to download updates…we want them to come from SCCM…just like normal MS updates(which those work fine btw)
I cannot seem to post my xml data…thus the duplicate posts…sorry
Most of the time you get an HASH value error, you need to Update Distribution Point on your package. Because of this error, the SCCM client is unable to download a valide version of the package.
The Hash value of a package is how SCCM validate that the package used as not be interfered with by any means. This can be caused by manually editing a downloaded package in the CCMCache, Antivirus can also cause that kind of issue.
As for the Update Now button, it will always look for Windows Update servers. It is not related to SCCM.
We are experiencing exactly same problem.
“Empty file algorithms are not supported. Hash validation failed” and 0x80091007 eror in CAS.log
All DPs are updated without issues, rest MS updates are distributed just fine except Office365 updates.
We have already verified that all necessary languages were selected for Office365 updates during download, this solved the problem for some workstations only.
Does anyone has a solution for this ?
Great article! But i have a strange problem:
SCCM 2012 1606 with hotfix
Update classification selected on the SUP
Office 365 Clients product selected on the SUP
After i run the synchronisation the Office 365 Client updates don’t show up. All other updates like Windows 10 and Office 2016 are showing up.
What could be wrong?
I suggest you have a look in the wsyncmgr.log on the server.
When Office 365 client updates are discovered, you should see lines like this one :
Synchronizing update d03a31c0-7548-4b53-8629-c140844f324a – Office 365 Client Update – First Release for Current Channel (1609-3) 64-bit Edition
Be sure to have the Update Classification : Update select in the SUP configuration.
Also, Office 365 Client updates have a Severity level : NONE
The lines you are refering to are not being showed in the wsyncmgr.log, but it does say:
Requested categories: Company=Local Publisher, Company=Adobe Systems, Inc., Product=Office 365 Client, Product=Windows 10, Product=Windows Server 2012 R2, Product=Windows Server 2008 R2, UpdateClassification=Security Updates, UpdateClassification=Update Rollups, UpdateClassification=Upgrades, UpdateClassification=Service Packs, UpdateClassification=Updates, UpdateClassification=Critical Updates SMS_WSUS_SYNC_MANAGER 4-10-2016 13:28:41 5168 (0x1430)
The update classificion is selected! What do you mean by: Office 365 Client updates have a Severity level : NONE?
the Severity Level is when the udpate is available under All Software Update. You can see a Severity level of a patch. In the case of the O365 client updates, the severity is None.
Which version of SCCM do you have?
That isn’t the problem, they are not being synct:
My SCCM version: https://s10.postimg.org/6fmwkkmqh/sccm.jpg
WSUS 4.0 on Server 2012R2
KB3159706 was installed on the SUP but not on the Primary Site Server.
Thanks for the update Daniel
I’ve updated the post as new information as been available from Technet, and also following more testing on our side.
Have you tested with Current channel ? Waiting for your post.
There as been numerous changes to the way O365 updates should be managed as per Microsoft Documentation. I will update this post shortly when I sort it all out.
Have you tested with Current channel ?
Yes I have enabled office 365 client management policy setting but have not done through office deployment toolkit.
This is not working for me. I have followed all the steps as mentioned above,
I am using group policy to configure O365 update. And I have selected “Current” in Channel Identifier field of GPO.
Current Version of office 365 ProPlus installed on machine is 16.0.7070.2036(Current Channel).
I have deployed(using SCCM) Current channel Build 7167.2040 to the machine. But the machine is showing compliant in deployment status. And the client update does not get installed on the machine. So can you please advise me how to proceed further.
As if I enable automatic update for the machine, it gets updated to the latest available Current channel version. Need help. 🙁
Have you enabled the Office COM to be managed by SCCM?
Yes I have enabled office 365 client management policy setting but have not done through office deployment toolkit.
Also I have updated the office Administrative Template, then deployed the current channel, made the deployment as available. But the office update does not appear in Software Center and in deployment status (on Sccm server) machine is shown as compliant. Any Suggestions.
Navneet I’m still having the exact same problem and I’m glad you are too so it’s not just me. I feel like there must be a step that I’m missing but I don’t know what it is. I’ve done all the settings listed in the referenced articles but my updates are not appearing in SWC and in SCCM the status shows compliant just like yours.
I suggest you have a look at the update section in the post. I’ve done further testing.
This isn’t working for me. I am using the deferred channel and clients are running version 16.0.6741.2056. I see the updates in SCCM software updates, I can approve them and deploy them. They show up on my workstations but they fail to install with error 0x80004005. Any ideas on what might be causing the issue? I have deployed my group policies exactly as you have shown.
quick search around the web suggest that could be firewall/malware/AV issues that prevent updating Office.
You could also try to repair office prior to update it.
I have a similar issue which Stephanie is experiencing, have you tested out with Current channel.
I haven’t had time to test with Current Channel… Have you tried Stephanie’s suggestion?
Update the Office Admin template.
The name change for branches is so confusing. Hard to follow what is what when configuring branches
It’s always a relief when someone with obvious expertise answers. Thanks!
(Wireless Phone Accessory) This does work! Wouldn’t even turn on. No instruction manual or anything to tell you how to operate let aline how long to charge the battery. This is such a waste of money.
I installed O365 16.0.6868.2060, applied the GPO, Channel I choosed “Current”. But SCCM software update Office 365 (16.0.7070.2022) shows required is 0. Have you tested it in Current Channel?
I’ve tried with the Current Channel at my client site last Friday without must success. I’ll give another try this week. Will update the comment or post accordingly.
It is working now with Current Channel, I am not sure what really happened. I updated the Office 2016 Administrative Template files. https://www.microsoft.com/en-us/download/details.aspx?id=49030.
I am happy to deploy now Office 365 updates from SCCM. Thank you!
Thanks Sandy, will try that on my side also
Just to let you know, it seems another version was released couple days ago.
Did you have to install a hotfix for SCCM or WSUS to be able to download the O365 updates? I’ve gotten to the point where I created my update group and package (which contain 10 updates with 1605 in the name) but when I attempt to download the updates it immediately fails with a “failed to download software updates” error.
I can download updates for Windows 7 and 10 and Office 2010 and 13 just fine, but O365 just doesn’t want to come down. I have no errors in the patch downloader log (and even see it communicating with officecdn.microsoft.com just fine) and the security team isn’t seeing any failed or denied transfers from our primary site server.
Am I missing something?
Never mind. To get around this issue I signed directly into my primary site server over RDP, as opposed to using the console installed on another server I use for admin purposes.
You are so brilliant at describing the sights and sounds around you, Kate. 🙂 Brilliant! I love this post. 🙂 I can feel the cold air and the pelting of confetti and I’m grinning at the descriptions of the people. I’m so glad you were able to help the man read. What a gift.KristaÂ´s last post ..
Hello Jonathan, thanks for the guid. Have you tested that for current channel? My test Workstation has deferred channel, is it possible use GPO order it update to current channel? SCCM said current channel update is not required in my test machine, GPO did set it “Current” in the test machine.
2 things here. First, Office 365 needs to be at minimum version 16.0.6741.2014 or later. this goes for all Channels.
If you have Deferred Channel now on your computer, you will NOT receive or see O365 updates from SCCM as available.
The minimum version was just released last week for Deferred Channel. Computers with Deferred Channel will require other patching/deployment methods than this one to reach the minimum requirement.
The next updates will be available from SCCM.
Second thing : if you change from Deferred to Current, you will not see the update from SCCM until you meet the minimum requirement for the version.
Side note : if you want to test it, use First Release for Deferred Channel or Current Channel. You can you the configuration.xml to download a specific version of O365 to then test updates from SCCM.
Hope this help!
That’s a crackerjack answer to an interesting question
I notice in your screenshot that the Required column shows 0 for all the updates. Is this normal? I’m trying to troubleshoot why my clients are not getting the update that I have deployed. I’ve went over the requirements several times and the update is still not installing. I have been referring to this article https://technet.microsoft.com/library/mt628083.aspx. My console is at 1602, clients are at version 16.0.6769.2015, gpos set according to article and verified on clients, WSUS 4.0. I must be missing something but I’m not sure what at this point. Anything you can suggest that I may be missing?
From what I understand, you use Current Channel for the version 16.0.6769.2015.
you can find all version numbers here. https://technet.microsoft.com/en-us/library/mt592918.aspx
I’ve done my test with First release for defered channel.
I’ll try to test it with Current channel and see how it goes.
I’ll keep you posted on my test.