SCCM Office 365 updates management is finally integrated to the standard software update process (since the release of SCCM 1602). Prior to this release it was announced as a new features, but it was not completely managed. It was necessary to add Office 365 updates to WSUS manually in order to manage them trough SCCM software update afterward. It’s now manageable natively with the release of SCCM 1602.

The integration of Office 365 Updates to SCCM will ease overall management of updates with these key features :

  • Centralized management
  • Standard Software Update
  • Ability to use Automatic Deployment Rules
  • Easier distribution to branch offices with Software Update packages
  • Applications can run while updating

Before this integration, Office 365 Updates needed to :

  • Manually downloaded
  • Manually distributed or to create a package than distribution on Distribution Point
  • Application need to be shut down before the update

This post will explain how to natively manage Office 365 desktop client update with SCCM 1602 and later. Refer to our post on how to deploy Office 2016 using SCCM if you’re looking at a complete Office 365 installation guide.


[su_box title=”Update : 2016-09-26″ style=”glass” title_color=”#F0F0F0″]

Following recent modification to the documentation on Technet (link )

 Here’s what’s new :


SCCM Office 365 Updates Configurations

There are two ways to configure Office 365 to get updates from SCCM :

  • Using the Configuration.xml at installation time of the Click-to-run package
  • Using Office 2016 latest GPO


  • SCCM 1602 or later
  • Windows Server Update Services (WSUS) 4.0
  • Office 365 Client – First Release for Deferred Channel version 16.0.6741.2014 or later

Determine which Office 365 Channel to use

[su_box title=”Office Channel” style=”glass” title_color=”#F0F0F0″]The Office team has recently changed terminology from Branch to Channel.[/su_box]

Before we go on to the configurations details, choosing your management Channel is key for managing updates.

With standard software updates, you probably used different Software Update Group / Deployment to manage test, pilots and production groups to validate updates.

For Office 365, similar process can be done. There’s 4 different Channels :

  • First Release for Current Channel
    • This is basically an Insider build for Office
  • Current Channel
    • Provide users with the newest features of Office as soon as they’re available
  • First Release for Deferred Channel
    • Provide pilot users and application compatibility testers the opportunity to test the next Deferred Channel
  • Deferred Channel
    • Provide users with new Office features a few times a year

The best example on how to use this comes from Technet :

  • Provide a group of pilot users with Current Channel, so they can try out the new features of Office as they become available
  • Provide your application compatibility testers with First Release for Deferred Channel so that they can test that the finance applications will work with the next Deferred Channel release
  • Provide your finance department, which has several key line-of-business applications, with Defered Channel

As of now, only First Release for Current Channel and First Release for Deferred Channel are available in SCCM. Current Channel and Deferred Channel should be available in the next months.

[su_box title=”Important” style=”glass” title_color=”#F0F0F0″]Configuration.xml and GPO haven’t been updated to match the terminology of Channels. They both still use Branch.[/su_box]

Configure Office 365 Click-to-Run Package

sccm 2012 Office 2016 deployment

  • Extract the files to a drive on your computer

sccm 2012 Office 2016 deployment

  • You’ll end up with 2 files – Setup.exe and Configuration.xml

sccm 2012 Office 2016 deployment

  • Edit the Configuration.xml file using a text editor
  • Change the Branch and OfficeMgmtCOM value to Validation and True respectively

[su_box title=”Update : 2016-09-26″ style=”glass” title_color=”#F0F0F0″]New screen shot to reflect the new naming convention of Channel in the configuration.xml.[/su_box]



  • Editing the Configuration.xml this way will :
    • Download and install Office 365 First Release for Deferred Channel
      • Branch = Validation
      • Channel=”FirstReleaseDeferred”
    • Enable Office to be managed by SCCM
      • OfficeMgmtCOM = True

[su_box title=”Update : 2016-09-26″ style=”glass” title_color=”#F0F0F0″]

With the change to Channel, the latest OCT needs to have the new values for Channel instead of Branch.

The possible values are  :

  • Current
  • Deferred
  • FirstReleaseDeferred
  • FirstReleaseCurrent[/su_box]
  • Launch the Office 365 installation using a command line :
    • Setup.exe /configure Configuration.xml

All details about Office Deployment tool can be found on Technet.

Configure Office 365 Update using Group Policy (GPO)

Using this method will override configurations made by Configuration.xml at install time.

You could use both if you want in order to support already installed Office 365 as well as new installations.

  • Download the Office 365 ADML/ADMX
  • Import ADML/ADMX in your GPO repository
  • Create an Office 365 GPO and edit it
  • Go to Computer Configuration / Policies / Administrative Templates / Microsoft Office 2016 / Updates
  • 2 settings must be configured :
    • Office 365 Client Managment
      • Set this setting to Enabled  – This allow SCCM to manage update for Office 365

SCCM Office 365

  • Update Channel
    • Set this setting to Enabled
    • In the Channel Identifier field, enter Validation for First Release for Deferred Channel  (Refer to Technet documentation for Branch Configuration Names – Current, Business, Validation)

[su_box title=”Update : 2016-09-26″ style=”glass” title_color=”#F0F0F0″]

As per our testing, the GPO as no impact to change the Channel for Office 365 when managed by SCCM.

When SCCM manage the updates, it will support only the Channel specified at the installation time.

Example : You install Office 365 with  Current Channel. You have a GPO setting Channel to Deferred. You deploy release updates with SCCM for Current and Deferred Channel, the client will only see the update for Current as necessary. Deferred will never be applied.[/su_box]

SCCM Office 365


  • Configure Hide option to enable or disable updates to ensure user don’t disable updates

SCCM Office 365

  • Here’s the results in Office when setting is set to Not Configured or Disabled                             

SCCM Office 365

  • Here’s the result in Office when setting is set to Enabled

SCCM Office 365

[su_box title=”Update 2016-09-26″ style=”glass” title_color=”#F0F0F0″]

The Update Enabled element in the configuration.xml or in the GPO should be set to TRUE/Enabled

Quote technet : “Also, we recommend that you set the value of the Enabled attribute to True in the Updates element. If you set the value of the Enabled attribute to False, Office 365 clients can still receive updates from Configuration Manager. But, users won’t see any notifications when updates are pending”

NOTE: even with this from the TechNet Documentation, we can’t say the real impact with SCCM managing the update.. We have tested with True and False. Both times, updates were available within the Software Center as excepted.

It might only affect this warning, when updates comes straight from the web without SCCM involved.



  • Configuring Enable Automatic Updates, is also a good idea to prevent clients from updating automatically

SCCM Office 365

  • Here’s the results in Office if setting is Not Configured or Enabled

SCCM Office 365

  • Here’s the results in Office if setting is Disabled

SCCM Office 365

Configure SCCM 1602 and Later

Software Update Point

  • Ensure that you are running SCCM 1602 and later (How to verify)
  • Go to Administration / Site Configuration, select Configure Site Components / Software Update Point on the top ribbon
  • On the Products tab, select Office 365 Client
SCCM Office 365

[su_box title=”Update : 2016-09-26″ style=”glass” title_color=”#F0F0F0″]Warning :  Microsoft as gone crazy with the numbers of release for each Channel. You might want to reconsider the way you manage Superseded updates. For example, Current Channel had 4 releases within a month!

  • Initiate a synchronization by clicking Synchronize Software Updates on the top ribbon

SCCM Office 365

  • Once the synchronization is completed, Office 365 client updates will be available in Software Library / Software Updates / All Software Update
  • They can be managed just as any other updates

SCCM Office 365

Software Update Group

  • Go to Software Library / Software Updates / Software Update Groups
  • Create a new Software Update Group

SCCM Office 365

  • Download the update to a new Deployment Package

SCCM Office 365

  • Be sure to select the needed languages for your environment

SCCM Office 365

  • Each updates will take more than 1GB of disk space. Take that in consideration when downloading your updates

SCCM Office 365

Client Side

  • Before updating, the Office 365 version is 16.0.6741.2014 which is the minimum requirement for updating from SCCM

SCCM Office 365

  • Initiate a Software Update Scan Cycle and Software Update Deployment Evaluation cycle on your client. The update will be available to the client

SCCM Office 365

  • Compared to standard Software Update, the Office 365 Update is not downloaded in your SCCM Cache folder (By default – C:\Windows\CCMCache)
  • Instead, the update will be downloaded in C:\Program Files (x86)\Microsoft Office\Updates\Download
  • The update will automatically clean itself after rebooting

SCCM Office 365

  • Interaction in Software Center is exactly the same as any other Software Update
  • Even with all Office products opened during updating, we encounter no problem for the installation, without user interaction

SCCM Office 365

  • Once computer is restarted, Office as been updated

SCCM Office 365

SCCM Office 365 Software Update Reports

Related SCCM reports that give you detailed information about Office 365 Software Updates.

Comments (59)


02.26.2019 AT 08:11 PM
My question is related to deploying Office 365 updates via SCCM 1806 using ADR we seem to be having issues with the updates installing outside the collection defined maintenance window. The ADR rule runs on Tuesday but starts installing the updates the next day on Wednesday, our collection is setup with a Maintenance window for Friday. Our clients try to postpone the update for 2 hrs but get the next alert 30 minutes later that that they have 30 min before the office application closes and update installed. Is there a way to control the install of the O365 updates to follow the collection defined maintenance window. I found in your blog that it's recommended to set the following GPO setting OfficeMgmtCOM=”TRUE” does this setting allow SCCM to manage the maintenance window, is this also the same setting configured in the client device settings in SCCM


10.24.2018 AT 02:30 PM
Anyone have an idea how to force Office 365 to check for and retrieve an update AFTER changing the update channel when using SCCM as the delivery mechanism? We that the channel is controlled by the CDNBaseUrl value, but after changing that, how do you force it to then get an update on that channel? Thanks for any assistance.


11.09.2018 AT 11:36 PM
To change the channel using the built-in mechanism, run this: OfficeC2RClient.exe /changesetting branch= To force an update check, run this: OfficeC2RClient.exe /update user Otherwise it can be updated via SCCM as usual.

Jeremy Dorst

09.18.2018 AT 03:52 PM
hey all, Can't seem to find an easy answer to this, but is there a way to 'update' the deploy package for O365 without just having to create another one? I created it from inside ConfigMan and that is 8431.2215. I created this over 6 months ago and we are now into a pretty large roll out and it is putting an older version and then requiring the updates to come down to bring it to latest version. Seems like a waste in my mind. thoughts or ideas? thanks! jeremy


06.15.2018 AT 06:40 AM
I have to say I'm not impressed by the message the user gets when you disable Enable Automatic Updates. Office is still updated, but pushed from SCCM rather than pulled by the computer. The user, if they see that, is likely to contact support.

Ryan Engstrom

02.08.2018 AT 05:20 PM
Jonathan, Thanks for the nice guide. I am following Mikael Nystrom's blog to put Office 365 into my reference image. During OSD, I run an OPPTransition command to activate following the guide from Garrett at That works fine, but when deploying to machines, the channel is always the "Semi-Annual Channel" and I would like to change to "Monthly". There are command line options for changing the channel at Would that be something that can be run after the OPPTransistion step during OSD? Would this need to be done in a wrapper to prevent the task sequence from moving on to the next step?


02.04.2018 AT 01:06 AM
Hi Jonathan, After a long time of trying to figure out why I couldn't update any of my o365 client for a long time, I finally found the culprit. Inside of Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration "UpdateChannel" and CDNBaseUrl MUST match or else the o365 update will never show up. Would be nice if you could post this, I'm sure there a lot of other people out there also trying to figure this one out.

Jonathan Lefebvre

02.05.2018 AT 08:03 PM
Hi Bruce, thanks for sharing this information. One of my client provided the exact same information. I'm looking for more details on this, if you can provide more, it my be enough for a post about this... I'm wondering about, was this an upgrade from 2013 C2R? - Were you trying to update from a network share prior to SCCM? - What was in the UpdateChannel? - What was in the Config.xml? - any Office 2016 GPO settings? - Office COM Management enabled in SCCM clients? You can email me at [email protected] thanks Jonathan Thanks Jonathan

James Howard

01.31.2018 AT 01:10 PM
Hey Johnathan, Steps worked like clockwork, great article ! I However do have a couple of questions. Once users are migrated is the a report /query in SCCM than can display the following information. 1. All installations of Office 2016 (click to run version) 2. The account that was used to activate then installation. We are trying to verify if the installation !

Nigel Wadsworth

12.06.2017 AT 09:18 PM
Hi all, What is the recommneded option if Office clients are still on 16.0.4549.1000 or 16.0.4591.1000 ? Fresh installs across the fleet? 🙂 Thanks, Nigel

Arshad Jugon

10.13.2017 AT 04:38 AM
Hi, My client is currently set to First Release for Deferred Channel and has the following link set in the registry I have deployed out two FRDC updates but none has gone through on his machine. This is the client's MS Office Folder - with nothing in it that folder. Just detection. Can you please advise? Many thanks,


10.12.2017 AT 12:44 PM
Can you control which updates to deploy and what updates not too?


05.25.2017 AT 01:04 PM
I can see all the updates in SCCM and deploy them successfully. Software Center shows them installed however the version doesn't upgrade. Machine is on Current Channel and running 1703 (16.0.7927.1020). When I install the 1704 update via SCCM it says successful but after reboot it is still on the same version.


03.12.2017 AT 01:07 PM
Hi @ all In my environment with SCCM 1610CU2 the Office Update in deffered channel works fine. Did someone else recognized, that the client transfers 1000 small .tmp file and not one big one ?

Stephanie Machicek

01.08.2017 AT 05:53 PM
"When SCCM manage the updates, it will support only the Channel specified at the installation time." So this means you can never change to a different channel?! This totally explains why my machines do not show updates as Required in SCCM. All machines are installed with the channel set to First Release Deferred. I have changed the channel on some machines via gpo to Current but the updates never show as Required in SCCM. I really hope this a bug and MS fixes it. Thanks so much for all your articles!


01.13.2017 AT 08:39 AM
Stephanie, I am noticing the same thing as you. I have over 5000 clients world wide with Office 365 (2016) installed and "Required" is zero for all of them. We prevented them from updating from the CDN back in mid October 2016 via the suggested GPO. We're just now looking into deploying updates internally via SCCM however this makes no sense whatsoever.


12.05.2016 AT 12:10 PM
Office 365 clients are currently getting updates from the Microsoft CDN. Then we enable management of Office 365 Client Agent from the client settings within configuration manager or via group policy. Will the Office 365 clients still check for updates against the Microsoft CDN or setting Office 365 management from SCCM prevents this? Otherwise, we are forced to disable automatic updates to accomplish full control of O365 updates?

Richard Keel

11.16.2016 AT 04:40 PM
I was recently working on getting Deferred updates up and running for my company. I am able to see Updates in SCCM, I can see my test PC needs the update, I can download and deploy to my test PC but the job errors out "The hash value is not correct" - 0x80091007 I have 16.0.6965.2092 installed I verified regedit to have CDNBaseUrl to be I verified UpdatesEnabled = True I verified OfficeMgmtCOM = True I could see some temp files in c:\windows\ccmcache but now they are gone. I did some reading on this page and see you said they will be in C:\Program Files (x86)\Microsoft Office\Updates\Download and I see a "PackageFiles" folder that was created around the time of the deployment and it has 16.0.7369.2055 folder inside of it, but that folder is empty. So my guess is the files are not making it to the local update folder like they should. But I do not know why XML config below any ideas?

Jonathan Lefebvre

11.18.2016 AT 09:42 AM
Hi Richard, Most of the time you get an HASH value error, you need to Update Distribution Point on your package. Because of this error, the SCCM client is unable to download a valide version of the package. The Hash value of a package is how SCCM validate that the package used as not be interfered with by any means. This can be caused by manually editing a downloaded package in the CCMCache, Antivirus can also cause that kind of issue. As for the Update Now button, it will always look for Windows Update servers. It is not related to SCCM.


12.15.2016 AT 10:01 AM
Hello, We are experiencing exactly same problem. "Empty file algorithms are not supported. Hash validation failed" and 0x80091007 eror in CAS.log All DPs are updated without issues, rest MS updates are distributed just fine except Office365 updates. We have already verified that all necessary languages were selected for Office365 updates during download, this solved the problem for some workstations only. Does anyone has a solution for this ?

Richard Keel

11.16.2016 AT 04:51 PM

Richard Keel

11.16.2016 AT 04:52 PM
I cannot seem to post my xml data...thus the duplicate posts...sorry

Richard Keel

11.16.2016 AT 04:50 PM
Clicked the "Update Now" inside of Office and it appears to be downloading...but from the internet. Which is what WE DO NOT WANT but this proves it is getting out to microsoft site. But in reality we never want our clients going to the internet to download updates...we want them to come from SCCM...just like normal MS updates(which those work fine btw)


10.03.2016 AT 11:45 AM
Hi, Great article! But i have a strange problem: SCCM 2012 1606 with hotfix Update classification selected on the SUP Office 365 Clients product selected on the SUP After i run the synchronisation the Office 365 Client updates don't show up. All other updates like Windows 10 and Office 2016 are showing up. What could be wrong?

Jonathan Lefebvre

10.04.2016 AT 07:01 AM
HI Daniel, I suggest you have a look in the wsyncmgr.log on the server. When Office 365 client updates are discovered, you should see lines like this one : Synchronizing update d03a31c0-7548-4b53-8629-c140844f324a - Office 365 Client Update - First Release for Current Channel (1609-3) 64-bit Edition Be sure to have the Update Classification : Update select in the SUP configuration. Also, Office 365 Client updates have a Severity level : NONE Jonathan


10.04.2016 AT 07:12 AM
Hi Jonathan, The lines you are refering to are not being showed in the wsyncmgr.log, but it does say: Requested categories: Company=Local Publisher, Company=Adobe Systems, Inc., Product=Office 365 Client, Product=Windows 10, Product=Windows Server 2012 R2, Product=Windows Server 2008 R2, UpdateClassification=Security Updates, UpdateClassification=Update Rollups, UpdateClassification=Upgrades, UpdateClassification=Service Packs, UpdateClassification=Updates, UpdateClassification=Critical Updates SMS_WSUS_SYNC_MANAGER 4-10-2016 13:28:41 5168 (0x1430) The update classificion is selected! What do you mean by: Office 365 Client updates have a Severity level : NONE?

Jonathan Lefebvre

10.04.2016 AT 07:50 AM
HI Daniel, the Severity Level is when the udpate is available under All Software Update. You can see a Severity level of a patch. In the case of the O365 client updates, the severity is None. Which version of SCCM do you have? WSUS version? Jonathan

Jonathan Lefebvre

10.04.2016 AT 11:07 AM
Thanks for the update Daniel


10.04.2016 AT 10:12 AM
Problem solved! KB3159706 was installed on the SUP but not on the Primary Site Server.


10.04.2016 AT 08:05 AM
Hi Jonathan, That isn't the problem, they are not being synct: My SCCM version: WSUS 4.0 on Server 2012R2

Jonathan Lefebvre

09.26.2016 AT 09:35 AM
Hi, I've updated the post as new information as been available from Technet, and also following more testing on our side. Thanks Jonathan

Navneet Singh Ghura

09.13.2016 AT 04:23 AM
Hi Jonathan Have you tested with Current channel ? Waiting for your post. Regards Navneet Singh

Jonathan Lefebvre

09.14.2016 AT 11:44 AM
HI NAvneet, There as been numerous changes to the way O365 updates should be managed as per Microsoft Documentation. I will update this post shortly when I sort it all out. Jonathan

Navneet Singh Ghura

09.13.2016 AT 04:22 AM
Hi Jonathan Have you tested with Current channel ? Regards Navneet Singh