In this blog post, we’ll walk through the steps to migrate Microsoft 365 (Office) updates from SCCM/MECM to Intune for devices that are co-managed or fully managed by Intune. This process is part of a broader cloud migration strategy, enabling organizations to manage Office updates via Intune for a subset of devices or all devices.
This guide is applicable to both co-managed and fully Intune-managed devices. Let’s dive in!
Requirements
- Scenario: You have hundreds of Windows devices that are co-managed, with Microsoft 365 updates currently managed by SCCM. As part of your cloud migration to Intune, you want to transition Office updates to Intune for a subset of devices, monitor the results, and eventually move all devices to Intune.
-
Prerequisites: Ensure the devices are co-managed and that the Office Click-to-Run apps workload is ready to be moved to Intune. If you have devices that are purely Intune managed and no co-managed, the following steps still works.
Step 1: Move the Office Click-to-Run Workload to Intune
- Adjust Co-Management Settings in SCCM:
-
Navigate to the co-management settings in SCCM.
-
Move the Office Click-to-Run apps workload slider from Configuration Manager to Pilot Intune.
-
-
In the staging section, select the collection (e.g., Collection ABC) that contains the devices you want to pilot.
-
-
Initiate the Workload Transition:
- Once the slider is adjusted and saved, the client devices will refresh their machine policy cycle.
-
This will begin the transition of the Office Click-to-Run workload to Intune for the selected pilot devices.
For a detailed list of co-management workload values and their descriptions, refer to this guide.
Step 2: Configure Microsoft 365 Update Settings in Intune
Before creating the policy in Intune, ensure the device collection is synced to Intune using Tenant Attach/Cloud Attach. Alternatively, export the device list from SCCM, create an Entra ID group, and add the devices to it for Intune management.
- Create a New Policy in Intune:
-
Log in to the Microsoft Intune Admin Center.
-
Navigate to Devices > Windows > Configuration Profiles.
-
Click Create New Policy.
-
Select Platform: Windows 10 and later and Profile Type: Settings Catalog.
-
-
-
Configure Policy Settings:
-
Name the policy (e.g. Microsoft 365 updates - Semi-Annual Enterprise Channel).
-
-
Under Add Settings, search for Microsoft Office 2016 (Machine) (Yes, Office 2016 is still referred for Microsoft 365 updates).
-
Select Microsoft Office 2016 (Machine)\Updates.
-
-
-
Configure Update Controls:
-
Set the following settings (adjust as needed):
-
Deadline (Device): 2 days
-
Enable Automatic Updates: Enabled
-
Hide option to enable or disable updates: Enabled
-
Hide Update Notifications: Disabled
-
Office 365 Client Management: Disabled
-
Update Channel: Enabled
-
Channel Name (Device): Semi-Annual Enterprise Channel
-
Update Deadline: Enabled
-
-
-
-
Assign the Policy:
-
Assign the policy to the Entra ID group or synced collection.
-
Review and create the policy.
-
Step 3: Validate the Configuration
Once the policy is applied, devices in the assigned group will receive the settings and begin processing updates according to the configured policy.
- Registry Validation:
-
On the endpoint, navigate to the following registry key to confirm the settings:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration
-
-
-
Office Application Validation:
-
Open any Office application and verify that the Disable updates option is blocked, and only Update now allowed.
-
-
-
End-User Experience:
-
For details on end-user update notifications, refer to Microsoft’s documentation.
-
Step 4: Scale to All Devices
Once the pilot results are validated, you can move the Office Click-to-Run workload to Intune for all devices. Add the remaining devices to the policy group in Intune.
Note: Be cautious when applying this policy to AVD multi-session devices, as this scenario may require additional testing and configuration which i have not tested the user experience.
Hope you find this blogpost useful!