Forum Discussion
Chip_12
Jul 19, 2022
Copper Contributor
Office bypassing Target Version set by Intune
Ok so I was managing my Microsoft patches through Intune. A while back Microsoft sent out this message…. https://docs.microsoft.com/en-us/DeployOffice/other/devices-updating-monthly-enterprise-chann...
Steven_Reid
Feb 08, 2023
Copper Contributor
Is there a simple way to determine which 'service' is applying to a single device, when both of the registry locations exist?
Is it as 'simple' as:
1. If the value "updatebranch" in key HKLM\SOFTWARE\Policies\Microsoft\cloud\office\16.0\Common\officeupdate exists, then config.office.com wins. "updatetargetversion" is set to "latest". (We were having problems with the install staying at 2207 with updatetargetversion set to 16.0.15427.20284.)
2. If the above key doesn't exist, then fall back to the "updatebranch" value in HKLM\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate
I have a situation where both of the above keys are set (updatebranch in 1 = Current, 2 = MonthlyEnterprise), yet the Apps are set to MonthlyEnterprise.
Very confusing!
manoth_msft
Microsoft
Feb 09, 2023
Hi Steve,
there is more to it. For troubleshooting I would check these locations in the following order:
1) HKLM\SOFTWARE\Policies\Microsoft\cloud\office\16.0\Common\officeupdate > IgnoreGPO
If this key is 1, then the values in the same location are the winning ones, set by Servicing Profile / config.office.com.
If this key is 0, Servicing Profiles / config.office.com is not controlling updates on this box and any potentially existing values in this key are ignored.
2) If No 1 is not the winner, Office checks these locations in the following order for the winning setting:
1st Priority : GPO "UpdatePath" - HKLM\software\policies\microsoft\office\16.0\common\officeupdate!updatepath
2nd Priority : GPO "UpdateChannel" - HKLM\software\policies\microsoft\office\16.0\common\officeupdate!updatebranch
3rd Priority : "UpdateURL" or UpdatePath="\\Server\Share" HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration
*4th Priority: UnmanagedUpdateURL - HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration\UnmanagedUpdateURL
5th Priority : CDNBaseURL - HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration\CDNBaseUrl
3) If No 1 & 2 yield an update channel different from the installed one, I would check if the Microsoft 365 Apps are deployed through Intune using the native app mode and have a different update channel set. In this case Intune will detect a configuration drift (e.g. after Profiles moved the device to channel A, but the Intune app is configured to be on Channel B) and trigger the setup engine to move back to the configured channel. Check this video for an explanation of how Intune can handle the Microsoft 365 Apps: https://youtu.be/fA8lcnRXmkI
Hope this helps!
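The lookup order from the reply above, as an added read-only PowerShell example (not code from the thread or from Microsoft). It assumes the registry value names are exactly as written in the reply, plus the `updatetargetversion` value mentioned in the question; the function names `Get-RegValue` and `Resolve-OfficeUpdateSource` are hypothetical.

```powershell
# Added example (read-only): evaluates the lookup order from the reply above.
$cloud = 'HKLM:\SOFTWARE\Policies\Microsoft\cloud\office\16.0\Common\officeupdate'
$gpo   = 'HKLM:\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate'
$c2r   = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'

function Get-RegValue {                 # hypothetical helper name
    param([string]$Path, [string]$Name)
    # Emits nothing ($null) when the key or the value is missing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Resolve-OfficeUpdateSource {   # hypothetical function name
    # Step 1: IgnoreGPO = 1 -> the values under the cloud policy key win.
    $ignoreGpo = Get-RegValue $cloud 'IgnoreGPO'
    if ($ignoreGpo -eq 1) {
        return [pscustomobject]@{
            Winner        = 'Servicing profile / config.office.com'
            Source        = "$cloud!updatebranch"
            Value         = Get-RegValue $cloud 'updatebranch'
            TargetVersion = Get-RegValue $cloud 'updatetargetversion'
        }
    }
    # Step 2: otherwise the first populated entry, in this order, wins.
    $order = @(
        @{ Label = '1st: GPO UpdatePath';     Path = $gpo; Name = 'updatepath' }
        @{ Label = '2nd: GPO UpdateChannel';  Path = $gpo; Name = 'updatebranch' }
        @{ Label = '3rd: UpdateUrl';          Path = $c2r; Name = 'UpdateUrl' }
        @{ Label = '3rd: UpdatePath';         Path = $c2r; Name = 'UpdatePath' }
        @{ Label = '4th: UnmanagedUpdateURL'; Path = $c2r; Name = 'UnmanagedUpdateURL' }
        @{ Label = '5th: CDNBaseUrl';         Path = $c2r; Name = 'CDNBaseUrl' }
    )
    foreach ($entry in $order) {
        $value = Get-RegValue $entry.Path $entry.Name
        if (-not [string]::IsNullOrWhiteSpace([string]$value)) {
            return [pscustomobject]@{
                Winner        = $entry.Label
                Source        = "$($entry.Path)!$($entry.Name)"
                Value         = $value
                # A left-over GPO target version can still pin the build.
                TargetVersion = Get-RegValue $gpo 'updatetargetversion'
            }
        }
    }
    [pscustomobject]@{ Winner = 'No update source found'; Source = $null; Value = $null; TargetVersion = $null }
}

Resolve-OfficeUpdateSource | Format-List
```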
- Steven_Reid
Feb 15, 2023
Copper Contributor
Thank you, Martin!
First off thanks for your patience! 🙂
We are using the Microsoft 365 Apps native install, and it looks like those settings are 'saved' to the HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration (which apps to install etc.)
We
Thanks for this information, it will help greatly in being able to manage our installs.
Looking at the inventory in config.office.com, we have a large number of different versions across different channels, so looking to tidy that up!
Thanks again!
- Andrew_Allston
Feb 15, 2023
Iron Contributor
This is SUPER useful information. I have been pulling my hair out for over a week with about 20 PCs that rolled back (or maybe never updated) from 2103 (?!?!) This just answered my question, seems that a super old GPO wrote that build to the registry of these PCs. But there is no GPO doing that now so this was hard to figure out.
Quick follow up, do you know if there is a setting that sets the IgnoreGPO key? Or just push the key itself?
- manoth_msft
Feb 16, 2023
Microsoft
The IgnoreGPO key is set by the servicing profile based on if a device is in scope of profiles or not (see https://learn.microsoft.com/en-us/deployoffice/fieldnotes/adopt-servicing-profiles#how-a-servicing-profile-is-applied-to-a-device; the sentence "These devices will also receive commands that instruct the local Office Update Engine to ignore commands that are coming from other management solutions" is referring to IgnoreGPO being set.)
We do not recommend setting IgnoreGPO manually. I would rather nuke the targetversion keys if those are left-overs from GPOs which are no longer applied.
- brenzphi
Sep 16, 2024
Copper Contributor
Thanks for the insights.
So how to disable Cloud Update and revert back to GPO Management, aka `IgnoreGPO = 0`?