In this blog post, we’ll walk through the steps to migrate Microsoft 365 (Office) updates from SCCM/MECM to Intune for devices that are co-managed or fully managed by Intune. This process is part of a broader cloud migration strategy, enabling organizations to manage Office updates via Intune for a subset of devices or all devices.
This guide is applicable to both co-managed and fully Intune-managed devices. Let’s dive in!
Requirements
- Scenario: You have hundreds of Windows devices that are co-managed, with Microsoft 365 updates currently managed by SCCM. As part of your cloud migration to Intune, you want to transition Office updates to Intune for a subset of devices, monitor the results, and eventually move all devices to Intune.
- Prerequisites: Ensure the devices are co-managed and that the Office Click-to-Run apps workload is ready to be moved to Intune. If you have devices that are purely Intune-managed and not co-managed, the following steps still work.
Step 1: Move the Office Click-to-Run Workload to Intune
- Adjust Co-Management Settings in SCCM:
- Initiate the Workload Transition:
  - Once the slider is adjusted and saved, the client devices will refresh their machine policy cycle.
  - This will begin the transition of the Office Click-to-Run workload to Intune for the selected pilot devices.
For a detailed list of co-management workload values and their descriptions, refer to this guide.
Step 2: Configure Microsoft 365 Update Settings in Intune
Before creating the policy in Intune, ensure the device collection is synced to Intune using Tenant Attach/Cloud Attach. Alternatively, export the device list from SCCM, create an Entra ID group, and add the devices to it for Intune management.
- Create a New Policy in Intune:
- Configure Policy Settings:
- Configure Update Controls:
  - Set the following settings (adjust as needed):
    - Deadline (Device): 2 days
    - Enable Automatic Updates: Enabled
    - Hide option to enable or disable updates: Enabled
    - Hide Update Notifications: Disabled
    - Office 365 Client Management: Disabled
    - Update Channel: Enabled
    - Channel Name (Device): Semi-Annual Enterprise Channel
    - Update Deadline: Enabled
- Assign the Policy:
  - Assign the policy to the Entra ID group or synced collection.
  - Review and create the policy.
Step 3: Validate the Configuration
Once the policy is applied, devices in the assigned group will receive the settings and begin processing updates according to the configured policy.
- Registry Validation:
- Office Application Validation:
  - Open any Office application and verify that the Disable updates option is blocked and only Update now is allowed.
- End-User Experience:
  - For details on end-user update notifications, refer to Microsoft’s documentation.
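One way to script the registry check in Step 3, as an added example that is not from the original post. It assumes the settings land in the standard Office ADMX policy key with the value names shown (the post does not list them), and that `Deferred` is the stored name for Semi-Annual Enterprise Channel.

```powershell
# Added example: compares Office update policy values on a device with Step 2.
# Assumption: the key path and value names below are the standard Office ADMX
# policy location; they are not taken from this post.
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate'

# Expected data per Step 2, compared as strings. '*' = must exist, any data
# (the stored format of the deadline is not asserted here).
$Expected = [ordered]@{
    enableautomaticupdates   = '1'         # Enable Automatic Updates: Enabled
    hideenabledisableupdates = '1'         # Hide option to enable or disable updates: Enabled
    hideupdatenotifications  = '0'         # Hide Update Notifications: Disabled
    officemgmtcom            = '0'         # Office 365 Client Management: Disabled
    updatebranch             = 'Deferred'  # Semi-Annual Enterprise Channel
    updatedeadline           = '*'         # Update Deadline: Enabled
}

# Read every value under the policy key; an absent key yields an empty table.
function Get-OfficeUpdatePolicy {
    param([string]$Path)
    $values = @{}
    if (Test-Path -Path $Path) {
        $key = Get-Item -Path $Path
        foreach ($n in $key.GetValueNames()) { $values[$n.ToLower()] = $key.GetValue($n) }
    }
    return $values
}

# Emit one row per expected setting so missing and mismatched values are visible.
function Test-OfficeUpdatePolicy {
    param([System.Collections.IDictionary]$Expected, [System.Collections.IDictionary]$Actual)
    foreach ($name in $Expected.Keys) {
        $present = $Actual.Contains($name)
        $data    = if ($present) { [string]$Actual[$name] } else { '<missing>' }
        [pscustomobject]@{
            Setting  = $name
            Expected = $Expected[$name]
            Actual   = $data
            Match    = $present -and ($data -like $Expected[$name])
        }
    }
}

$result = Test-OfficeUpdatePolicy -Expected $Expected -Actual (Get-OfficeUpdatePolicy -Path $PolicyPath)
$result | Format-Table -AutoSize
if ($result.Match -contains $false) { exit 1 }   # non-zero exit = drift from the policy
```

Run it from an elevated or standard PowerShell session on a pilot device after the policy has synced; adjust `$Expected` if you changed any of the Step 2 settings.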
Step 4: Scale to All Devices
Once the pilot results are validated, you can move the Office Click-to-Run workload to Intune for all devices. Add the remaining devices to the policy group in Intune.
Note: Be cautious when applying this policy to AVD multi-session devices, as this scenario may require additional testing and configuration; I have not tested the user experience there.
Hope you find this blogpost useful!
2 Comments
The same settings might have been implemented, but what I see on the screen is that it prompts me to close all Office applications before starting the updates. However, when updating via SCCM, the update runs silently in the background, and the changes apply only when the Office applications are closed later.
Can we apply the same behavior when deploying via Intune?
Hi Nawaz,
The behavior you are seeing with MECM/SCCM is correct: the updates are applied in the background, offline, by the C2R agent, but won't be effective until the Office applications are restarted/closed/opened the next time.
With Intune (though it doesn't have the capability to apply updates offline, only the control of settings), the updates are controlled through the defined C2R scheduled tasks, and the behavior you are seeing is expected. I am not sure (AFAIK) if there is a way to get similar functionality for C2R updates without MECM/SCCM. I cannot find anything that does the same behavior, but with Intune, it offers a better user experience.
Thanks,
Eswar