Forum Discussion
Office bypassing Target Version set by Intune
Ok so I was managing my Microsoft patches through Intune. A while back Microsoft sent out this messageā¦. https://docs.microsoft.com/en-us/DeployOffice/other/devices-updating-monthly-enterprise-chann...
manoth_msft I am interested in this as well.
We have just started using Intune and targeting the Current Channel.
config.office.com had been set up and there is a Monthly Enterprise Channel servicing profile configured.
We are finding a lot of machines are reverting to the Monthly Channel.
Is it only possible to have the Monthly Enterprise Channel as the Servicing option in config.office.com?
Sorry can you please confirm what MEC and SAEC means?
Thanks in advance.
manoth_msft
Microsoft
MicrosoftHi Steven,
MEC = Monthly Enterprise Channel
SAEC = Semi-Annual Enterprise Channel
As mentioned above, if the same group of devices is targeted by Intune and Servicing Profiles, profiles will win and overrule the update channel assigned by Intune. If you want to have both update channels in your environment, you need to use the "group filtering" feature in Servicing Profile to restrict the scope or de-select "Current Channel" from the Selection Criteria page. Check out https://youtu.be/YO6a3iNVXXI for more details on how Profiles work.
And yes, as of now, the outcome of a device being targeted by Servicing Channel is always Microsoft 365 Apps on Monthly Enterprise Channel. Currently Profiles does not support keeping devices current on SAEC or CC (Current Channel).
MEC = Monthly Enterprise Channel
SAEC = Semi-Annual Enterprise Channel
As mentioned above, if the same group of devices is targeted by Intune and Servicing Profiles, profiles will win and overrule the update channel assigned by Intune. If you want to have both update channels in your environment, you need to use the "group filtering" feature in Servicing Profile to restrict the scope or de-select "Current Channel" from the Selection Criteria page. Check out https://youtu.be/YO6a3iNVXXI for more details on how Profiles work.
And yes, as of now, the outcome of a device being targeted by Servicing Channel is always Microsoft 365 Apps on Monthly Enterprise Channel. Currently Profiles does not support keeping devices current on SAEC or CC (Current Channel).
- Thank you for the confirmation. due to our business structure, we only have some users on Intune. We were pushing the Current Channel out via Intune, but were having issues with config.office.com pushing out the MEC.
As you say, we could exclude Intune users from the MEC, but probably easier to have both areas pushing the same version. We use Tenable for vulnerability scanning, and it was firing alarms when the new monthly version came out. which always kept us behind. no one wants to see lots of vulnerabilities every month!- Is there a simple way to determine which 'service' is applying to a single device, when both of the registry locations exist?
Is it as 'simple' as
1. if the value "updatebranch" key HKLM\SOFTWARE\Policies\Microsoft\cloud\office\16.0\Common\officeupdate exists then config.office.com wins. "updatetargetversion" is set to "latest". (we were having problems with the install staying at 2207 with updatetargetversion set to 16.0.15427.20284
2. if the above key doesn't exist then fall back to the "updatebranch" value in HKLM\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate
I have a situation where both of the above keys are set ( updatebranch in 1 = Current, 2 = MonthlyEnterprise)
yet the Apps are set to MonthlyEnterprise.
very confusing!- manoth_msftHi Steve,
there is more to it. For troubleshooting I would check these locations in the following order:
1) HKLM\SOFTWARE\Policies\Microsoft\cloud\office\16.0\Common\officeupdate > IgnoreGPO
If this key is 1, then the values in the same location are the winning ones, set by Servicing Profile / config.office.com.
If this key is 0, Servicing Profiles / config.office.com is not controlling updates on this box and any potentially existing values in this key are ignored.
2) If No 1 is not the winner, Office checks these locations in the following order for the winning setting:
1st Priority : GPO "UpdatePath" - HKLM\software\policies\microsoft\office\16.0\common\officeupdate!updatepath
2nd Priority : GPO "UpdateChannel" - HKLM\software\policies\microsoft\office\16.0\common\officeupdate!updatebranch
3rd Priority : "UpdateURL" or UpdatePath="\\Server\Share" HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration
*4th Priority: UnmanagedUpdateURL - HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration\UnmanagedUpdateURL
5th Priority : CDNBaseURL - HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration\CDNBaseUrl
3) If No 1 & 2 yield an update channel different from the installed one, I would check if the Microsoft 365 Apps are deployed through Intune using the native app mode and have a different update channel set. In this case Intune will detect a configuration drift (e.g. after Profiles moved the device to channel A, but the Intune app is configured to be on Channel B) and trigger the setup engine to move back to the configured channel. Check this video for an explanation of how Intune can handle the Microsoft 365 Apps: https://youtu.be/fA8lcnRXmkI
Hope this helps!