Managing Office 365 Updates with SCCM

Jonathan LefebvreOFFICE, SCCM55 Comments

SCCM Office 365 updates management is finally integrated to the standard software update process (since the release of SCCM 1602). Prior to this release it was announced as a new features, but it was not completely managed. It was necessary to add Office 365 updates to WSUS manually in order to manage them trough SCCM software update afterward. It’s now manageable natively with the release of SCCM 1602.

The integration of Office 365 Updates to SCCM will ease overall management of updates with these key features :

  • Centralized management
  • Standard Software Update
  • Ability to use Automatic Deployment Rules
  • Easier distribution to branch offices with Software Update packages
  • Applications can run while updating

Before this integration, Office 365 Updates needed to :

  • Manually downloaded
  • Manually distributed or to create a package than distribution on Distribution Point
  • Application need to be shut down before the update

This post will explain how to natively manage Office 365 desktop client update with SCCM 1602 and later. Refer to our post on how to deploy Office 2016 using SCCM if you’re looking at a complete Office 365 installation guide.

 

[su_box title=”Update : 2016-09-26″ style=”glass” title_color=”#F0F0F0″]

Following recent modification to the documentation on Technet (link https://technet.microsoft.com/en-us/library/mt628083.aspx )

 Here’s what’s new :

.[/su_box]

SCCM Office 365 Updates Configurations

There are two ways to configure Office 365 to get updates from SCCM :

  • Using the Configuration.xml at installation time of the Click-to-run package
  • Using Office 2016 latest GPO

Prerequisites

  • SCCM 1602 or later
  • Windows Server Update Services (WSUS) 4.0
  • Office 365 Client – First Release for Deferred Channel version 16.0.6741.2014 or later

Determine which Office 365 Channel to use

[su_box title=”Office Channel” style=”glass” title_color=”#F0F0F0″]The Office team has recently changed terminology from Branch to Channel.[/su_box]

Before we go on to the configurations details, choosing your management Channel is key for managing updates.

With standard software updates, you probably used different Software Update Group / Deployment to manage test, pilots and production groups to validate updates.

For Office 365, similar process can be done. There’s 4 different Channels :

  • First Release for Current Channel
    • This is basically an Insider build for Office
  • Current Channel
    • Provide users with the newest features of Office as soon as they’re available
  • First Release for Deferred Channel
    • Provide pilot users and application compatibility testers the opportunity to test the next Deferred Channel
  • Deferred Channel
    • Provide users with new Office features a few times a year

The best example on how to use this comes from Technet :

  • Provide a group of pilot users with Current Channel, so they can try out the new features of Office as they become available
  • Provide your application compatibility testers with First Release for Deferred Channel so that they can test that the finance applications will work with the next Deferred Channel release
  • Provide your finance department, which has several key line-of-business applications, with Defered Channel

As of now, only First Release for Current Channel and First Release for Deferred Channel are available in SCCM. Current Channel and Deferred Channel should be available in the next months.

[su_box title=”Important” style=”glass” title_color=”#F0F0F0″]Configuration.xml and GPO haven’t been updated to match the terminology of Channels. They both still use Branch.[/su_box]

Configure Office 365 Click-to-Run Package

sccm 2012 Office 2016 deployment

  • Extract the files to a drive on your computer

sccm 2012 Office 2016 deployment

  • You’ll end up with 2 files – Setup.exe and Configuration.xml

sccm 2012 Office 2016 deployment

  • Edit the Configuration.xml file using a text editor
  • Change the Branch and OfficeMgmtCOM value to Validation and True respectively
[su_box title=”Update : 2016-09-26″ style=”glass” title_color=”#F0F0F0″]New screen shot to reflect the new naming convention of Channel in the configuration.xml.[/su_box]

954862

 

  • Editing the Configuration.xml this way will :
    • Download and install Office 365 First Release for Deferred Channel
      • Branch = Validation
      • Channel=”FirstReleaseDeferred”
    • Enable Office to be managed by SCCM
      • OfficeMgmtCOM = True
[su_box title=”Update : 2016-09-26″ style=”glass” title_color=”#F0F0F0″]

With the change to Channel, the latest OCT needs to have the new values for Channel instead of Branch.

The possible values are  :

  • Current
  • Deferred
  • FirstReleaseDeferred
  • FirstReleaseCurrent[/su_box]
  • Launch the Office 365 installation using a command line :
    • Setup.exe /configure Configuration.xml

All details about Office Deployment tool can be found on Technet.

Configure Office 365 Update using Group Policy (GPO)

Using this method will override configurations made by Configuration.xml at install time.

You could use both if you want in order to support already installed Office 365 as well as new installations.

  • Download the Office 365 ADML/ADMX
  • Import ADML/ADMX in your GPO repository
  • Create an Office 365 GPO and edit it
  • Go to Computer Configuration / Policies / Administrative Templates / Microsoft Office 2016 / Updates
  • 2 settings must be configured :
    • Office 365 Client Managment
      • Set this setting to Enabled  – This allow SCCM to manage update for Office 365

SCCM Office 365

  • Update Channel
    • Set this setting to Enabled
    • In the Channel Identifier field, enter Validation for First Release for Deferred Channel  (Refer to Technet documentation for Branch Configuration Names – Current, Business, Validation)
[su_box title=”Update : 2016-09-26″ style=”glass” title_color=”#F0F0F0″]

As per our testing, the GPO as no impact to change the Channel for Office 365 when managed by SCCM.

When SCCM manage the updates, it will support only the Channel specified at the installation time.

Example : You install Office 365 with  Current Channel. You have a GPO setting Channel to Deferred. You deploy release updates with SCCM for Current and Deferred Channel, the client will only see the update for Current as necessary. Deferred will never be applied.[/su_box]

SCCM Office 365

 

  • Configure Hide option to enable or disable updates to ensure user don’t disable updates

SCCM Office 365

  • Here’s the results in Office when setting is set to Not Configured or Disabled                             

SCCM Office 365

  • Here’s the result in Office when setting is set to Enabled

SCCM Office 365

[su_box title=”Update 2016-09-26″ style=”glass” title_color=”#F0F0F0″]

The Update Enabled element in the configuration.xml or in the GPO should be set to TRUE/Enabled

Quote technet : “Also, we recommend that you set the value of the Enabled attribute to True in the Updates element. If you set the value of the Enabled attribute to False, Office 365 clients can still receive updates from Configuration Manager. But, users won’t see any notifications when updates are pending”

NOTE: even with this from the TechNet Documentation, we can’t say the real impact with SCCM managing the update.. We have tested with True and False. Both times, updates were available within the Software Center as excepted.

It might only affect this warning, when updates comes straight from the web without SCCM involved.

954860

[/su_box]
  • Configuring Enable Automatic Updates, is also a good idea to prevent clients from updating automatically

SCCM Office 365

  • Here’s the results in Office if setting is Not Configured or Enabled

SCCM Office 365

  • Here’s the results in Office if setting is Disabled

SCCM Office 365

Configure SCCM 1602 and Later

Software Update Point

  • Ensure that you are running SCCM 1602 and later (How to verify)
  • Go to Administration / Site Configuration, select Configure Site Components / Software Update Point on the top ribbon
  • On the Products tab, select Office 365 Client
SCCM Office 365
[su_box title=”Update : 2016-09-26″ style=”glass” title_color=”#F0F0F0″]Warning :  Microsoft as gone crazy with the numbers of release for each Channel. You might want to reconsider the way you manage Superseded updates. For example, Current Channel had 4 releases within a month!

954861[/su_box]
  • Initiate a synchronization by clicking Synchronize Software Updates on the top ribbon

SCCM Office 365

  • Once the synchronization is completed, Office 365 client updates will be available in Software Library / Software Updates / All Software Update
  • They can be managed just as any other updates

SCCM Office 365

Software Update Group

  • Go to Software Library / Software Updates / Software Update Groups
  • Create a new Software Update Group

SCCM Office 365

  • Download the update to a new Deployment Package

SCCM Office 365

  • Be sure to select the needed languages for your environment

SCCM Office 365

  • Each updates will take more than 1GB of disk space. Take that in consideration when downloading your updates

SCCM Office 365

Client Side

  • Before updating, the Office 365 version is 16.0.6741.2014 which is the minimum requirement for updating from SCCM

SCCM Office 365

  • Initiate a Software Update Scan Cycle and Software Update Deployment Evaluation cycle on your client. The update will be available to the client

SCCM Office 365

  • Compared to standard Software Update, the Office 365 Update is not downloaded in your SCCM Cache folder (By default – C:\Windows\CCMCache)
  • Instead, the update will be downloaded in C:\Program Files (x86)\Microsoft Office\Updates\Download
  • The update will automatically clean itself after rebooting

SCCM Office 365

  • Interaction in Software Center is exactly the same as any other Software Update
  • Even with all Office products opened during updating, we encounter no problem for the installation, without user interaction

SCCM Office 365

  • Once computer is restarted, Office as been updated

SCCM Office 365

SCCM Office 365 Software Update Reports

Related SCCM reports that give you detailed information about Office 365 Software Updates.

Contributor of System Center Dudes. Based in Montreal, Canada, Senior Microsoft SCCM consultant, working in the industry for more than 10 years. He developed a strong knowledge of SCCM and MDT to build automated OS deployment solution for clients, managed large and complexe environment, including Point of Sale (POS) related projects.

55 Comments on “Managing Office 365 Updates with SCCM”

  1. I have to say I’m not impressed by the message the user gets when you disable Enable Automatic Updates. Office is still updated, but pushed from SCCM rather than pulled by the computer. The user, if they see that, is likely to contact support.

  2. Jonathan,

    Thanks for the nice guide. I am following Mikael Nystrom’s blog https://deploymentbunny.com/2013/12/08/nice-to-know-put-office365-click-to-run-in-the-ref-image-using-mdt-2013/ to put Office 365 into my reference image. During OSD, I run an OPPTransition command to activate following the guide from Garrett at https://sysadminedu.wordpress.com/2017/01/07/step-by-step-guide-to-deploying-office-365-pro-plus-with-device-based-activation-with-sccm/. That works fine, but when deploying to machines, the channel is always the “Semi-Annual Channel” and I would like to change to “Monthly”. There are command line options for changing the channel at https://blogs.technet.microsoft.com/odsupport/2017/05/10/how-to-switch-channels-for-office-2016-proplus/. Would that be something that can be run after the OPPTransistion step during OSD? Would this need to be done in a wrapper to prevent the task sequence from moving on to the next step?

  3. Hi Jonathan,

    After a long time of trying to figure out why I couldn’t update any of my o365 client for a long time, I finally found the culprit.

    Inside of Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration

    “UpdateChannel” and CDNBaseUrl MUST match or else the o365 update will never show up.

    Would be nice if you could post this, I’m sure there a lot of other people out there also trying to figure this one out.

    1. Hi Bruce,

      thanks for sharing this information. One of my client provided the exact same information.
      I’m looking for more details on this, if you can provide more, it my be enough for a post about this…

      I’m wondering about, was this an upgrade from 2013 C2R?
      – Were you trying to update from a network share prior to SCCM?
      – What was in the UpdateChannel?
      – What was in the Config.xml?
      – any Office 2016 GPO settings?
      – Office COM Management enabled in SCCM clients?

      You can email me at info@systemcenterdudes.com

      thanks
      Jonathan
      Thanks
      Jonathan

  4. Hey Johnathan,

    Steps worked like clockwork, great article ! I However do have a couple of questions.

    Once users are migrated is the a report /query in SCCM than can display the following information.
    1. All installations of Office 2016 (click to run version)
    2. The account that was used to activate then installation.

    We are trying to verify if the installation !

  5. Pingback: Ms Office 2010 Error 1704

  6. Hi all,

    What is the recommneded option if Office clients are still on 16.0.4549.1000 or 16.0.4591.1000 ?

    Fresh installs across the fleet? 🙂

    Thanks,
    Nigel

  7. I can see all the updates in SCCM and deploy them successfully. Software Center shows them installed however the version doesn’t upgrade. Machine is on Current Channel and running 1703 (16.0.7927.1020). When I install the 1704 update via SCCM it says successful but after reboot it is still on the same version.

  8. Hi @ all
    In my environment with SCCM 1610CU2 the Office Update in deffered channel works fine.
    Did someone else recognized, that the client transfers 1000 small .tmp file and not one big one ?

  9. “When SCCM manage the updates, it will support only the Channel specified at the installation time.” So this means you can never change to a different channel?! This totally explains why my machines do not show updates as Required in SCCM. All machines are installed with the channel set to First Release Deferred. I have changed the channel on some machines via gpo to Current but the updates never show as Required in SCCM. I really hope this a bug and MS fixes it. Thanks so much for all your articles!

    1. Stephanie,

      I am noticing the same thing as you. I have over 5000 clients world wide with Office 365 (2016) installed and “Required” is zero for all of them. We prevented them from updating from the CDN back in mid October 2016 via the suggested GPO. We’re just now looking into deploying updates internally via SCCM however this makes no sense whatsoever.

  10. Office 365 clients are currently getting updates from the Microsoft CDN. Then we enable management of Office 365 Client Agent from the client settings within configuration manager or via group policy. Will the Office 365 clients still check for updates against the Microsoft CDN or setting Office 365 management from SCCM prevents this? Otherwise, we are forced to disable automatic updates to accomplish full control of O365 updates?

  11. I was recently working on getting Deferred updates up and running for my company. I am able to see Updates in SCCM, I can see my test PC needs the update, I can download and deploy to my test PC but the job errors out

    “The hash value is not correct” – 0x80091007

    I have 16.0.6965.2092 installed
    I verified regedit to have CDNBaseUrl to be http://officecdn.microsoft.com/pr/7ffbc6bf-bc32-4f92-8982-f9dd17fd3114
    I verified UpdatesEnabled = True
    I verified OfficeMgmtCOM = True
    I could see some temp files in c:\windows\ccmcache but now they are gone. I did some reading on this page and see you said they will be in C:\Program Files (x86)\Microsoft Office\Updates\Download and I see a “PackageFiles” folder that was created around the time of the deployment and it has 16.0.7369.2055 folder inside of it, but that folder is empty.

    So my guess is the files are not making it to the local update folder like they should. But I do not know why

    XML config below

    any ideas?

    1. Clicked the “Update Now” inside of Office and it appears to be downloading…but from the internet. Which is what WE DO NOT WANT but this proves it is getting out to microsoft site. But in reality we never want our clients going to the internet to download updates…we want them to come from SCCM…just like normal MS updates(which those work fine btw)

    2. Hi Richard,

      Most of the time you get an HASH value error, you need to Update Distribution Point on your package. Because of this error, the SCCM client is unable to download a valide version of the package.

      The Hash value of a package is how SCCM validate that the package used as not be interfered with by any means. This can be caused by manually editing a downloaded package in the CCMCache, Antivirus can also cause that kind of issue.

      As for the Update Now button, it will always look for Windows Update servers. It is not related to SCCM.

      1. Hello,

        We are experiencing exactly same problem.
        “Empty file algorithms are not supported. Hash validation failed” and 0x80091007 eror in CAS.log

        All DPs are updated without issues, rest MS updates are distributed just fine except Office365 updates.
        We have already verified that all necessary languages were selected for Office365 updates during download, this solved the problem for some workstations only.

        Does anyone has a solution for this ?

  12. Hi,

    Great article! But i have a strange problem:

    SCCM 2012 1606 with hotfix
    Update classification selected on the SUP
    Office 365 Clients product selected on the SUP

    After i run the synchronisation the Office 365 Client updates don’t show up. All other updates like Windows 10 and Office 2016 are showing up.

    What could be wrong?

    1. HI Daniel,
      I suggest you have a look in the wsyncmgr.log on the server.

      When Office 365 client updates are discovered, you should see lines like this one :
      Synchronizing update d03a31c0-7548-4b53-8629-c140844f324a – Office 365 Client Update – First Release for Current Channel (1609-3) 64-bit Edition

      Be sure to have the Update Classification : Update select in the SUP configuration.
      Also, Office 365 Client updates have a Severity level : NONE

      Jonathan

      1. Hi Jonathan,

        The lines you are refering to are not being showed in the wsyncmgr.log, but it does say:

        Requested categories: Company=Local Publisher, Company=Adobe Systems, Inc., Product=Office 365 Client, Product=Windows 10, Product=Windows Server 2012 R2, Product=Windows Server 2008 R2, UpdateClassification=Security Updates, UpdateClassification=Update Rollups, UpdateClassification=Upgrades, UpdateClassification=Service Packs, UpdateClassification=Updates, UpdateClassification=Critical Updates SMS_WSUS_SYNC_MANAGER 4-10-2016 13:28:41 5168 (0x1430)

        The update classificion is selected! What do you mean by: Office 365 Client updates have a Severity level : NONE?

        1. HI Daniel,
          the Severity Level is when the udpate is available under All Software Update. You can see a Severity level of a patch. In the case of the O365 client updates, the severity is None.

          Which version of SCCM do you have?
          WSUS version?

          Jonathan

          1. Problem solved!

            KB3159706 was installed on the SUP but not on the Primary Site Server.

  13. Hi,

    I’ve updated the post as new information as been available from Technet, and also following more testing on our side.

    Thanks
    Jonathan

  14. Hi Jonathan

    Have you tested with Current channel ? Waiting for your post.

    Regards
    Navneet Singh

    1. HI NAvneet,

      There as been numerous changes to the way O365 updates should be managed as per Microsoft Documentation. I will update this post shortly when I sort it all out.

      Jonathan

  15. Hi Jonathan

    Yes I have enabled office 365 client management policy setting but have not done through office deployment toolkit.

  16. This is not working for me. I have followed all the steps as mentioned above,

    I am using group policy to configure O365 update. And I have selected “Current” in Channel Identifier field of GPO.
    Current Version of office 365 ProPlus installed on machine is 16.0.7070.2036(Current Channel).
    I have deployed(using SCCM) Current channel Build 7167.2040 to the machine. But the machine is showing compliant in deployment status. And the client update does not get installed on the machine. So can you please advise me how to proceed further.

    As if I enable automatic update for the machine, it gets updated to the latest available Current channel version. Need help. 🙁

      1. Hi Jonathan

        Yes I have enabled office 365 client management policy setting but have not done through office deployment toolkit.

        Also I have updated the office Administrative Template, then deployed the current channel, made the deployment as available. But the office update does not appear in Software Center and in deployment status (on Sccm server) machine is shown as compliant. Any Suggestions.

        1. Navneet I’m still having the exact same problem and I’m glad you are too so it’s not just me. I feel like there must be a step that I’m missing but I don’t know what it is. I’ve done all the settings listed in the referenced articles but my updates are not appearing in SWC and in SCCM the status shows compliant just like yours.

          1. Hi Stephanie,
            I suggest you have a look at the update section in the post. I’ve done further testing.

            thanks
            Jonathan

  17. This isn’t working for me. I am using the deferred channel and clients are running version 16.0.6741.2056. I see the updates in SCCM software updates, I can approve them and deploy them. They show up on my workstations but they fail to install with error 0x80004005. Any ideas on what might be causing the issue? I have deployed my group policies exactly as you have shown.

    1. Hi Ari,

      quick search around the web suggest that could be firewall/malware/AV issues that prevent updating Office.

      You could also try to repair office prior to update it.

      Jonathan

  18. Hi Jonathan,

    I have a similar issue which Stephanie is experiencing, have you tested out with Current channel.

    Thanks Nikesh.

    1. Hi Nikesh,
      I haven’t had time to test with Current Channel… Have you tried Stephanie’s suggestion?
      Update the Office Admin template.

      The name change for branches is so confusing. Hard to follow what is what when configuring branches

      Jonathan

  19. I installed O365 16.0.6868.2060, applied the GPO, Channel I choosed “Current”. But SCCM software update Office 365 (16.0.7070.2022) shows required is 0. Have you tested it in Current Channel?

    thanks, Sandy

    1. HI Sandy,
      I’ve tried with the Current Channel at my client site last Friday without must success. I’ll give another try this week. Will update the comment or post accordingly.

      thanks
      Jonathan

        1. Thanks Sandy, will try that on my side also

          Just to let you know, it seems another version was released couple days ago.

          Jonathan

  20. Did you have to install a hotfix for SCCM or WSUS to be able to download the O365 updates? I’ve gotten to the point where I created my update group and package (which contain 10 updates with 1605 in the name) but when I attempt to download the updates it immediately fails with a “failed to download software updates” error.

    I can download updates for Windows 7 and 10 and Office 2010 and 13 just fine, but O365 just doesn’t want to come down. I have no errors in the patch downloader log (and even see it communicating with officecdn.microsoft.com just fine) and the security team isn’t seeing any failed or denied transfers from our primary site server.

    Am I missing something?

    1. Never mind. To get around this issue I signed directly into my primary site server over RDP, as opposed to using the console installed on another server I use for admin purposes.

    2. You are so brilliant at describing the sights and sounds around you, Kate. 🙂 Brilliant! I love this post. 🙂 I can feel the cold air and the pelting of confetti and I’m grinning at the descriptions of the people. I’m so glad you were able to help the man read. What a gift.Krista´s last post ..

  21. Hello Jonathan, thanks for the guid. Have you tested that for current channel? My test Workstation has deferred channel, is it possible use GPO order it update to current channel? SCCM said current channel update is not required in my test machine, GPO did set it “Current” in the test machine.

    Thanks, Sandy

    1. Hi Sandy,

      2 things here. First, Office 365 needs to be at minimum version 16.0.6741.2014 or later. this goes for all Channels.
      If you have Deferred Channel now on your computer, you will NOT receive or see O365 updates from SCCM as available.

      The minimum version was just released last week for Deferred Channel. Computers with Deferred Channel will require other patching/deployment methods than this one to reach the minimum requirement.
      The next updates will be available from SCCM.

      Second thing : if you change from Deferred to Current, you will not see the update from SCCM until you meet the minimum requirement for the version.

      Side note : if you want to test it, use First Release for Deferred Channel or Current Channel. You can you the configuration.xml to download a specific version of O365 to then test updates from SCCM.
      https://technet.microsoft.com/en-us/library/jj219426.aspx

      Hope this help!
      Jonathan

  22. I notice in your screenshot that the Required column shows 0 for all the updates. Is this normal? I’m trying to troubleshoot why my clients are not getting the update that I have deployed. I’ve went over the requirements several times and the update is still not installing. I have been referring to this article https://technet.microsoft.com/library/mt628083.aspx. My console is at 1602, clients are at version 16.0.6769.2015, gpos set according to article and verified on clients, WSUS 4.0. I must be missing something but I’m not sure what at this point. Anything you can suggest that I may be missing?

Leave a Reply

Your email address will not be published. Required fields are marked *