Close Menu
    Monday, October 13

    Migrate Microsoft 365 Updates from SCCM/MECM to Intune for Co-Managed Devices

    Eswar KonetiBy 3 Mins Read configmgr 1,068 Views

     

    In this blog post, we’ll walk through the steps to migrate Microsoft 365 (Office) updates from SCCM/MECM to Intune for devices that are co-managed or fully managed by Intune. This process is part of a broader cloud migration strategy, enabling organizations to manage Office updates via Intune for a subset of devices or all devices.

    This guide is applicable to both co-managed and fully Intune-managed devices. Let’s dive in!

    Requirements
    • Scenario: You have hundreds of Windows devices that are co-managed, with Microsoft 365 updates currently managed by SCCM. As part of your cloud migration to Intune, you want to transition Office updates to Intune for a subset of devices, monitor the results, and eventually move all devices to Intune.

    • Prerequisites: Ensure the devices are co-managed and that the Office Click-to-Run apps workload is ready to be moved to Intune. If you have devices that are purely Intune managed and no co-managed, the following steps still works.

    Step 1: Move the Office Click-to-Run Workload to Intune

    1. Adjust Co-Management Settings in SCCM:

      • Navigate to the co-management settings in SCCM.

      • Move the Office Click-to-Run apps workload slider from Configuration Manager to Pilot Intune.

      • image

      • In the staging section, select the collection (e.g., Collection ABC) that contains the devices you want to pilot.

      • image

    Initiate the Workload Transition:

    • Once the slider is adjusted and saved, the client devices will refresh their machine policy cycle.

    • This will begin the transition of the Office Click-to-Run workload to Intune for the selected pilot devices.

    For a detailed list of co-management workload values and their descriptions, refer to this guide.

    Step 2: Configure Microsoft 365 Update Settings in Intune

    Before creating the policy in Intune, ensure the device collection is synced to Intune using Tenant Attach/Cloud Attach. Alternatively, export the device list from SCCM, create an Entra ID group, and add the devices to it for Intune management.

    1. Create a New Policy in Intune:

      • Log in to the Microsoft Intune Admin Center.

      • Navigate to Devices > Windows > Configuration Profiles.

      • Click Create New Policy.

      • Select Platform: Windows 10 and later and Profile Type: Settings Catalog.

      • image

    1. Configure Policy Settings:

      • Name the policy (e.g. Microsoft 365 updates - Semi-Annual Enterprise Channel).

      • image

      • Under Add Settings, search for Microsoft Office 2016 (Machine) (Yes, Office 2016 is still referred for Microsoft 365 updates).

      • Select Microsoft Office 2016 (Machine)\Updates.

      • image

    2. Configure Update Controls:

      • Set the following settings (adjust as needed):

        • Deadline (Device): 2 days

        • Enable Automatic Updates: Enabled

        • Hide option to enable or disable updates: Enabled

        • Hide Update Notifications: Disabled

        • Office 365 Client Management: Disabled

        • Update Channel: Enabled

        • Channel Name (Device): Semi-Annual Enterprise Channel

        • Update Deadline: Enabled

      • image

    3. Assign the Policy:

      • Assign the policy to the Entra ID group or synced collection.

      • Review and create the policy.

    Step 3: Validate the Configuration

    Once the policy is applied, devices in the assigned group will receive the settings and begin processing updates according to the configured policy.

    1. Registry Validation:

      • On the endpoint, navigate to the following registry key to confirm the settings:

        Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration

      • image

    2. Office Application Validation:

      • Open any Office application and verify that the Disable updates option is blocked, and only Update now allowed.

      • image

       

    3. End-User Experience:

    Step 4: Scale to All Devices

    Once the pilot results are validated, you can move the Office Click-to-Run workload to Intune for all devices. Add the remaining devices to the policy group in Intune.

    Note: Be cautious when applying this policy to AVD multi-session devices, as this scenario may require additional testing and configuration which i have not tested the user experience.

    Hope you find this blogpost useful!

     

    Share.

    Related Posts

    2 Comments

    1. Nawaz Kazi on

      The same settings might have been implemented, but what I see on the screen is that it prompts me to close all Office applications before starting the updates. However, when updating via SCCM, the update runs silently in the background, and the changes apply only when the Office applications are closed later.

      Can we apply the same behavior when deploying Via Intune?

      Reply
      • Eswar Koneti on

        Hi Nawaz,
        The behavior what you are seeing with MECM/SCCM is correct and the updates applied background offline by the C2R agent but wont be effective until the Office applications are restarted/closed/opened till next time.
        While with Intune (though it doesn't have capability to apply updates offline except the control of settings) and the updates are controlled through the defined schedule tasks C2R and this behavior what you are seeing is expected and i am not sure (AFAIK) if there is a way to get similar functionality for C2R updates without MECM/SCCM. I cannot find anything that does the same behavior but with intune, it offers better user experience.

        Thanks,
        Eswar

        Reply

    Leave a Reply

    This site uses Akismet to reduce spam. Learn how your comment data is processed.