Office bypassing Target Version set by Intune

Ok so I was managing my Microsoft patches through Intune. A while back Microsoft sent out this message….

https://docs.microsoft.com/en-us/DeployOffice/other/devices-updating-monthly-enterprise-channel

I believe I had opted out but recently our machines have started updating to the Monthly channel.

So if this is true that we are now moved to Monthly channel how do we control it moving forward?

I have done some of my own research and came across the following but still not sure what is what.

If you log in here - https://admin.microsoft.com

Go to settings, org settings, Office installation updates. You have some items here.

If you click on Organization profile in the same window you have "Release preferences"

If you log in here - https://config.office.com

Go to servicing, Monthly enterprise, settings. You can choose criteria, rollout, etc

Also I know in the past to troubleshoot a single device the reg keys you wanted to look at were:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate
Updatebranch
updatedeadline
updatetargetversion

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration
CDNBaseURL
ClientversionToReport
UpdateChannel

Though I think now that it is managed from https://config.office.com this is the new key to look @

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\cloud\office\16.0\Common\officeupdate

instead of the old one

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate

Any input on the above would be great.

10 Replies
First, settings from config.office.com or from Intune do overrule the preferences from admin.microsoft.com. Second, config.office.com overrules Intune in regards to Office updates.

So if a device is Intune managed and targeted by the Servicing Profile, Profile (from config.office.com) will overrule the Intune Office update settings.

In order to further help, what are you aiming to do? Keep Profiles active and devices on MEC, as profiles offer additional features (like rollback, Office-specific reports, easy waver controls)? Disable profiles and revert control to Intune? Do you want to stay on MEC or move back to SAEC?

@Martin Nothnagel I am interested in this as well.

We have just started using Intune and targeting the Current Channel.

config.office.com had been set up and there is a Monthly Enterprise Channel servicing profile configured.

We are finding a lot of machines are reverting to the Monthly Channel.


Is it only possible to have the Monthly Enterprise Channel as the Servicing option in config.office.com?


Sorry, can you please confirm what MEC and SAEC mean?

Thanks in advance.

Hi Steven,

MEC = Monthly Enterprise Channel
SAEC = Semi-Annual Enterprise Channel

As mentioned above, if the same group of devices is targeted by Intune and Servicing Profiles, profiles will win and overrule the update channel assigned by Intune. If you want to have both update channels in your environment, you need to use the "group filtering" feature in Servicing Profile to restrict the scope or de-select "Current Channel" from the Selection Criteria page. Check out https://youtu.be/YO6a3iNVXXI for more details on how Profiles work.

And yes, as of now, the outcome of a device being targeted by Servicing Channel is always Microsoft 365 Apps on Monthly Enterprise Channel. Currently Profiles does not support keeping devices current on SAEC or CC (Current Channel).

Thank you for the confirmation. Due to our business structure, we only have some users on Intune. We were pushing the Current Channel out via Intune, but were having issues with config.office.com pushing out the MEC.
As you say, we could exclude Intune users from the MEC, but probably easier to have both areas pushing the same version. We use Tenable for vulnerability scanning, and it was firing alarms when the new monthly version came out, which always kept us behind. No one wants to see lots of vulnerabilities every month!

Is there a simple way to determine which 'service' is applying to a single device, when both of the registry locations exist?

Is it as 'simple' as
1. if the value "updatebranch" key HKLM\SOFTWARE\Policies\Microsoft\cloud\office\16.0\Common\officeupdate exists then config.office.com wins. "updatetargetversion" is set to "latest". (we were having problems with the install staying at 2207 with updatetargetversion set to 16.0.15427.20284)
2. if the above key doesn't exist then fall back to the "updatebranch" value in HKLM\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate

I have a situation where both of the above keys are set ( updatebranch in 1 = Current, 2 = MonthlyEnterprise)
yet the Apps are set to MonthlyEnterprise.

Very confusing!

Hi Steve,

there is more to it. For troubleshooting I would check these locations in the following order:

1) HKLM\SOFTWARE\Policies\Microsoft\cloud\office\16.0\Common\officeupdate > IgnoreGPO
If this key is 1, then the values in the same location are the winning ones, set by Servicing Profile / config.office.com.
If this key is 0, Servicing Profiles / config.office.com is not controlling updates on this box and any potentially existing values in this key are ignored.

2) If No 1 is not the winner, Office checks these locations in the following order for the winning setting:
1st Priority : GPO "UpdatePath" - HKLM\software\policies\microsoft\office\16.0\common\officeupdate!updatepath
2nd Priority : GPO "UpdateChannel" - HKLM\software\policies\microsoft\office\16.0\common\officeupdate!updatebranch
3rd Priority : "UpdateURL" or UpdatePath="\\Server\Share" HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration
*4th Priority: UnmanagedUpdateURL - HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration\UnmanagedUpdateURL
5th Priority : CDNBaseURL - HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration\CDNBaseUrl

3) If No 1 & 2 yield an update channel different from the installed one, I would check if the Microsoft 365 Apps are deployed through Intune using the native app mode and have a different update channel set. In this case Intune will detect a configuration drift (e.g. after Profiles moved the device to channel A, but the Intune app is configured to be on Channel B) and trigger the setup engine to move back to the configured channel. Check this video for an explanation of how Intune can handle the Microsoft 365 Apps: https://youtu.be/fA8lcnRXmkI

Hope this helps!
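
The lookup order in the reply above can be checked on a single device with a short script. The PowerShell below is an added example, not part of the original thread and not a Microsoft tool; the function names `Read-RegValues` and `Resolve-OfficeUpdateSource` are hypothetical, the sample hashtables are constructed, and it only reads the registry locations named in the reply.

```powershell
# Added example (not from the thread): applies the lookup order described above. Read-only.
$CloudKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\cloud\office\16.0\Common\officeupdate'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate'
$C2RKey    = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'

function Read-RegValues([string]$Path) {
    # All values under a key as a case-insensitive hashtable; empty if the key is absent.
    $h = @{}
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($item) {
        $item.PSObject.Properties |
            Where-Object { $_.Name -notin 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider' } |
            ForEach-Object { $h[$_.Name] = $_.Value }
    }
    return $h
}

function Resolve-OfficeUpdateSource([hashtable]$Cloud, [hashtable]$Policy, [hashtable]$C2R) {
    # Step 1: IgnoreGPO = 1 means the servicing profile values in the cloud key win.
    if ($Cloud['IgnoreGPO'] -eq 1) {
        return [pscustomobject]@{ Winner = 'Servicing profile (config.office.com)'
            Value = $Cloud['updatebranch']; TargetVersion = $Cloud['updatetargetversion'] }
    }
    # Step 2: otherwise the first populated value in this priority order wins.
    $order = @(
        @('1: GPO UpdatePath',     $Policy, 'updatepath'),
        @('2: GPO UpdateChannel',  $Policy, 'updatebranch'),
        @('3: UpdateUrl',          $C2R,    'UpdateUrl'),
        @('3: UpdatePath',         $C2R,    'UpdatePath'),
        @('4: UnmanagedUpdateURL', $C2R,    'UnmanagedUpdateURL'),
        @('5: CDNBaseUrl',         $C2R,    'CDNBaseUrl')
    )
    foreach ($o in $order) {
        $value = $o[1][$o[2]]
        if (-not [string]::IsNullOrWhiteSpace([string]$value)) {
            # TargetVersion surfaces a version pin left in the policy key, e.g. by an old GPO.
            return [pscustomobject]@{ Winner = $o[0]; Value = $value
                TargetVersion = $Policy['updatetargetversion'] }
        }
    }
    return [pscustomobject]@{ Winner = 'none found'; Value = $null; TargetVersion = $null }
}
# Constructed sample (not a real device): both policy keys populated, IgnoreGPO = 0.
Resolve-OfficeUpdateSource `
    -Cloud  @{ IgnoreGPO = 0; updatebranch = 'Current' } `
    -Policy @{ updatebranch = 'MonthlyEnterprise'; updatetargetversion = '16.0.15427.20284' } `
    -C2R    @{ CDNBaseUrl = 'https://example.invalid/constructed' } | Format-List
# Live device: runs only where the Click-to-Run key exists.
if (Test-Path $C2RKey) {
    Resolve-OfficeUpdateSource -Cloud (Read-RegValues $CloudKey) -Policy (Read-RegValues $PolicyKey) -C2R (Read-RegValues $C2RKey) | Format-List
}
```

If the reported winner differs from the installed channel, step 3 of the reply (the Intune app assignment) is the next place to look; that setting is not visible in these registry keys.
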
This is SUPER useful information. I have been pulling my hair out for over a week with about 20 PCs that rolled back (or maybe never updated) from 2103 (?!?!) This just answered my question, seems that a super old GPO wrote that build to the registry of these PCs. But there is no GPO doing that now so this was hard to figure out.

Quick follow up, do you know if there is a setting that sets the IgnoreGPO key? Or just push the key itself?

Thank you, Martin!
First off thanks for your patience! :)
We are using the Microsoft 365 Apps native install, and it looks like those settings are 'saved' to the HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration (which apps to install etc.)
We
Thanks for this information, it will help greatly in being able to manage our installs.
Looking at the inventory in config.office.com, we have a large number of different versions across different channels, so looking to tidy that up!
Thanks again!

The IgnoreGPO key is set by the servicing profile based on if a device is in scope of profiles or not (see https://learn.microsoft.com/en-us/deployoffice/fieldnotes/adopt-servicing-profiles#how-a-servicing-p...; the sentence "These devices will also receive commands that instruct the local Office Update Engine to ignore commands that are coming from other management solutions" is referring to IgnoreGPO being set.)

We do not recommend to set the IgnoreGPO manually. I would rather nuke the targetversion keys if those are left-overs from GPOs which are no longer applied.

Martin, again this info is GREAT! But just to pick your brain a bit, I have a few PCs listed as managed in the config.office.com console but the ignoregpo key is set to 0. Any idea why this would be? We still have duplicate AD computers in our directory since we are in Hybrid, so I was thinking maybe config.office.com is adding the unused dupe computer account but the computers are actively communicating with Config.office.com. And it's only a subset of computers. I may try to update the key manually on a test machine, but I would love any insight you might have on this.