Manage updates to Office 365 ProPlus with Microsoft Endpoint Configuration Manager

Microsoft Endpoint Configuration Manager has the ability to manage Office 365 client updates by using the Software Update management workflow. You can use Configuration Manager to update Office 365 ProPlus, Visio Online Plan 2 (previously named Visio Pro for Office 365), Project Online Desktop Client, and Office 365 Business.

When Microsoft publishes a new Office 365 client update to the Office Content Delivery Network (CDN), Microsoft simultaneously publishes an update package to Windows Server Update Services (WSUS). Then, Configuration Manager synchronizes the Office 365 client update from the WSUS catalog to the site server. Configuration Manager can then download the update and distribute it to distribution points selected by the administrator. The Configuration Manager desktop client then tells the Office client where to get the update and when to start the update installation process.

Here's an overview of the steps to enable Configuration Manager to manage Office 365 client updates:

  1. Review the requirements

  2. Enable Configuration Manager to receive Office 365 client package notifications

  3. Enable Office 365 clients to receive updates from Configuration Manager

After you perform these steps, you can use the software update management capabilities of Configuration Manager to deploy the updates. For more information, see Manage software updates in Microsoft Endpoint Configuration Manager.

Requirements for using Configuration Manager to manage Office 365 client updates

To enable Configuration Manager to manage Office 365 client updates, you need the following:

  • Microsoft Endpoint Configuration Manager (Current Branch)

  • An Office 365 client - Office 365 ProPlus, Visio Online Plan 2 (previously named Visio Pro for Office 365), Project Online Desktop Client, or Office 365 Business

  • Supported channel version for Office 365 client. For more details, see Release information for updates to Office 365 ProPlus

  • Windows Server Update Services (WSUS) 4.0

    You can't use WSUS by itself to deploy these updates. You need to use WSUS in conjunction with Configuration Manager

  • The hierarchy's top level WSUS server and the top level Configuration Manager site server must have access to the following URLs: *.microsoft.com, *.msocdn.com, *.office.com, *.office.net, *.onmicrosoft.com, officecdn.microsoft.com, officecdn.microsoft.com.edgesuite.net. For more details, see Office 365 URLs and IP address ranges.

  • On the computers that have the Office 365 client installed, the Office COM object is enabled.

Enable Configuration Manager to receive Office 365 client package notifications

To start, you need to configure Configuration Manager to receive notifications when Office 365 client update packages are available. To do that, use the following steps:

  1. In the Configuration Manager console, choose Site Configuration > Sites, and then select your site server.

  2. On the Home tab, in the Settings group, choose Configure Site Components, and then choose Software Update Point.

  3. In the Software Update Point Component Properties dialog box, do the following:

    • On the Products tab, under Office, select Office 365 Client.

    • On the Classifications tab, select Updates.

      You can have other check boxes selected in the Products and Classifications tabs. But, Office 365 Client and Updates need to be selected for Configuration Manager to receive notifications when Office 365 client update packages are available.

  4. Next, synchronize software updates. If you don't do that, you won't see the updates in the console and the updates won't be available to deploy. For more information about how to synchronize software updates, see Introduction to software updates in Microsoft Endpoint Configuration Manager.

Enable Office 365 clients to receive updates from Configuration Manager

For Configuration Manager to be able to manage Office 365 client updates, an Office COM object needs to be enabled on the computer where Office is installed. The Office COM object takes commands from Configuration Manager to download and install client updates.

You can enable the Office COM object by using client policy in Configuration Manager, Group Policy, or the Office Deployment Tool. If you use more than one method, the Group Policy setting determines the final configuration.

Method 1: Use client policy in Configuration Manager to enable updates from Configuration Manager

To enable Configuration Manager to manage Office 365 client updates on specific computers by using client policy, do the following:

  • In the Configuration Manager console, click Administration > Overview > Client Settings.
  • Open the client settings, click Software Updates and select Yes for the Enable management of the Office 365 Client Agent setting.

For more information, see client policy.

Method 2: Use Group Policy to enable updates from Configuration Manager

You can enable Configuration Manager to manage Office 365 client updates on specific computers by using Group Policy. You can apply this setting to multiple computers, an organizational unit (OU), or a domain.

To use Group Policy, do the following:

  • Download and install the Administrative Template files (ADMX/ADML) for Office from the Microsoft Download Center.

  • Enable the Office 365 Client Management policy setting. You can find this policy setting under Computer Configuration\Policies\Administrative Templates\Microsoft Office 2016 (Machine)\Updates.

Method 3: Use the Office Deployment Tool to enable updates from Configuration Manager

You can use the latest version of the Office Deployment Tool to configure Office 365 clients to receive updates from Configuration Manager.

To configure this capability, use a text editor, such as Notepad, to modify the configuration file for the Office Deployment Tool. In the Add element, include the OfficeMgmtCOM attribute and set its value to True, as seen in the following example.

<Configuration>
  <Add OfficeClientEdition="32" Channel="Monthly" OfficeMgmtCOM="True" >
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us" />
    </Product>
  </Add>  
  <Updates Enabled="True"  /> 
 </Configuration>

We recommend that you also set the value of the Enabled attribute to True in the Updates element (note that this is the default setting). When OfficeMgmtCOM and Updates element are both set to true, updates are still delivered only by Configuration Manager. Note that the scheduled task Office Automatic Updates 2.0, which is registered during Office 365 ProPlus installation, must remain enabled. That task initiates product configuration tasks such as channel management.

Enable Office 365 clients to receive updates from the Office CDN instead of Configuration Manager

If it meets your business and technical requirements, we recommend updating your client devices automatically from the Office CDN. To enable a device to recieve updates from the Office CDN instead of from Configuration Manager, use one of the following methods:

Method 1: Use client policy in Configuration Manager to enable updates from the CDN

  • In the Configuration Manager console, click Administration > Overview > Client Settings.
  • Open the appropriate device settings to enable the client agent. For more information about default and custom client settings, see How to configure client settings in Microsoft Endpoint Configuration Manager.
  • Click Software Updates and select No for the Enable management of the Office 365 Client Agent setting.

For more information, see client policy.

Method 2: Use Group Policy to enable updates from the CDN

  • Download and install the Administrative Template files (ADMX/ADML) for Office from the Microsoft Download Center.

  • Disable the Office 365 Client Management policy setting. You can find this policy setting under Computer Configuration\Policies\Administrative Templates\Microsoft Office 2016 (Machine)\Updates.

Important

The Microsoft Office Click-to-Run Service is responsible for registering and unregistering Office COM application during service startup. Change domain policy or Configuration Manager client settings require explicit Disable selection for Office COM to be successfully deregistered and restore default configuration. Toggling Office 365 Client Management via Group Policy or Client Settings for Configuration Manager from Enabled to Not Configured is not sufficient.

Contents of the Office 365 client update package for WSUS

The update package that Microsoft publishes to WSUS only appears in the WSUS catalog. It doesn't contain a copy of the updated version of Office that's on the Office CDN. Instead, it contains information that Configuration Manager needs to be able to download and distribute the updated version of Office.

The package contains a file named noop.exe. But, that file doesn't contain any code and shouldn't be downloaded or run.

For each update release there are different packages for each architecture and for each update channel. For example, for the May update release, there is a package for the 32-bit edition of the Monthly Channel and a package for the 64-bit edition of the Monthly Channel. In June, there will be two new packages for Monthly Channel, one for each architecture. The packages contain information so that Configuration Manager knows which packages are more recent than other packages. For example, that the June package supersedes the May package.

There aren't separate packages for the different Office 365 clients. For example, an update package for the 32-bit edition of the Monthly Channel has information about the Office 365 ProPlus, Visio Online Plan 2 (previously named Visio Pro for Office 365), Project Online Desktop Client, and Office 365 Business clients.