Core Infrastructure and Security Blog

Co-Management of Office Click-to-Run apps Workload

arnabmitra
Sep 23, 2019

This post is about co-managing the Office click-to-run apps workload between Configuration Manager and Intune.

 

A co-managed device gives you the flexibility to use the solution that works best for your organization by allowing it to be managed concurrently with both Configuration Manager and Intune.

 

Learn more about co-management here: http://aka.ms/comanagement

 

Update 10/1 - Modified section 2.2 per guidance from engineering.

 

Scenarios

When we talk about co-managing Office click-to-run apps workload, there are primarily two scenarios:

  • Installation of O365 suite
  • Update Management of O365 suite

 

 

1.      Installation of O365 suite

For on-premises machines, you may prefer to deploy the O365 suite directly from ConfigMgr, leveraging distribution points (DPs) and cache mechanisms to save network bandwidth.

Refer to the instructions for deploying the O365 suite via ConfigMgr here: https://docs.microsoft.com/en-us/deployoffice/deploy-office-365-proplus-with-system-center-configuration-manager

 

Internet-facing devices are good candidates to receive the Intune O365 suite directly from the Office CDN (Content Delivery Network) over the internet. Autopilot deployments are a great example here.

Refer to the instructions for deploying the O365 suite installer via Intune here: https://docs.microsoft.com/en-us/intune/apps-add-office365

 

On a co-managed device that does not have the Office 365 suite, once you move the Office Click-to-Run Apps workload, you can no longer install the ConfigMgr version of the O365 installers.

Typically, the ConfigMgr Application Deployment Evaluation Cycle hides the Office 365 apps from Software Center, but you may catch it before the evaluation and see the error above.

This behavior is due to a Global Condition which blocks the installer on co-managed devices with the O365 workload moved to Intune/Pilot.

Now if you launch Company Portal to install the Intune O365 suite, it won’t be available either. You will see the message below.

This is expected behavior: on an Intune-managed device with the ConfigMgr agent, you additionally need to move the Client Apps workload to view the Intune apps via Company Portal.

The client apps workload is a pre-release feature. To enable it, see Pre-release features.

Now the Company Portal will list the available apps for install.

Starting with ConfigMgr 1906, you can configure different pilot collections for each of the co-management workloads. Using different pilot collections allows you to take a more granular approach when shifting workloads.

This ability works well for moving the O365 workload by scenario: clients originating from the Internet deploy the O365 workload from Intune, while the ones expected to remain on-premises can have it pushed via ConfigMgr.

                                              

 

 

 

2.      Update Management of O365 suite

Now that we have deployed the O365 suite, the next requirement is to ensure it is managed with the desired tool, meeting company requirements.

 

Typically, O365 suite deployed via ConfigMgr is managed and updated by ConfigMgr itself and the one deployed via Intune is managed and updated directly over the Internet via Office CDN (Content Delivery Network).

This is controlled by OfficeMgmtCOM which is configured and set to True for ConfigMgr installs.

 

There could be scenarios where you have pushed the O365 suite via ConfigMgr and would now like O365 updates to be managed via Intune over the Office CDN. Another scenario could be one where you deployed Office 365 via Autopilot in a Hybrid scenario, where the device is domain joined and your requirement is that update management is controlled on-premises via ConfigMgr.

 

Let’s see how to achieve the requirements from the two scenarios above:

 

2.1      Switching O365 Updates management from ConfigMgr to Intune (Office CDN over Internet)

In this scenario you deployed the Office 365 suite from ConfigMgr and would like the updates management to be handled by Intune which will leverage the Office CDN over Internet instead of using on-premises infrastructure.

While IT Pros are always in control, Office 365 ProPlus is automatically kept up to date via the evergreen model. IT Pros can offload the servicing aspect of Office 365 ProPlus to Microsoft, removing repetitive tasks so they can focus on other duties.

Benefits:

  • Admins don’t have to spend time developing processes to duplicate CDN content on-premises.
  • Admins don’t have to build processes to target software updates to collections. Each machine will pull updates on its own.
  • Aligns with “Modern Desktop” motion where machines are increasingly managed by Mobile device management (MDM) rather than on-premises solutions without requirement for any infrastructure.
  • CDN supports a variety of advanced policies to control updates at granular level such as “delay downloading and installing updates for Office”, “prioritize BITS”, “Target Version”, “Update Channel”, “Update Deadline”. IT Pros can control updates effectively without the need for on-premises software.
  • Leverages inbox task scheduler \Microsoft\Office\Office Automatic Updates 2.0 to perform updates based on trigger mechanism (Weekly, At log on, On idle)

Benefits reference: https://techcommunity.microsoft.com/t5/Office-365-Blog/Understanding-Office-365-ProPlus-Updates-for-IT-Pros-CDN-vs-SCCM/ba-p/795728

 

Configuration

All you need to do is move the co-management slider for Office Click-to-Run Apps. Starting with 1906, if you have scoped this behavior to a subset of devices through a collection, you need to add the device to the respective collection.

Once the policies are processed, you may need to restart the “Microsoft Office Click-to-Run Service” service. You will notice that Office is no longer managed by ConfigMgr, which clears the yellow background. It is now updated via the Office CDN.

On the device registry, it sets the OfficeMgmtCOM value to 0 in the following registry keys:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\office\16.0\Common\officeupdate

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\office\16.0\Common\officeupdate
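
A read-only check for the state described above, as an added example that is not part of the original post: it reads OfficeMgmtCOM from the two policy keys and compares it with the Office Click-to-Run workload bit (128, the workload number shown in the client log quoted in the comments on this post). The `HKLM:\SOFTWARE\Microsoft\CCM` location for `CoManagementFlags` and the function names are assumptions.

```powershell
# Added example (not from the original post). Key paths are the two listed above.
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\office\16.0\Common\officeupdate',
    'HKLM:\SOFTWARE\WOW6432Node\Policies\Microsoft\office\16.0\Common\officeupdate'
)
# Assumption: the ConfigMgr client stores CoManagementFlags under this key.
$ccmKey       = 'HKLM:\SOFTWARE\Microsoft\CCM'
$officeC2RBit = 128   # workload number checked in the UpdatesDeployment log in the comments

function Get-OfficeUpdateAuthority {
    param([string[]]$Path = $policyKeys)
    foreach ($key in $Path) {
        $raw = $null
        if (Test-Path -LiteralPath $key) {
            $raw = (Get-ItemProperty -LiteralPath $key -Name OfficeMgmtCOM -ErrorAction SilentlyContinue).OfficeMgmtCOM
        }
        # The value may be numeric (0/1) or text (True/False); normalise both.
        $authority = switch -Regex ("$raw") {
            '^(1|true)$'  { 'ConfigMgr'; break }
            '^(0|false)$' { 'Office CDN'; break }
            default       { 'Not set' }
        }
        [pscustomobject]@{ Key = $key; OfficeMgmtCOM = $raw; Authority = $authority }
    }
}

function Test-OfficeWorkloadMoved {
    # True when the Office Click-to-Run bit is set in the co-management flags.
    $flags = (Get-ItemProperty -LiteralPath $ccmKey -Name CoManagementFlags -ErrorAction SilentlyContinue).CoManagementFlags
    if ($null -eq $flags) { return $null }   # not co-managed, or value not present
    return (([int]$flags -band $officeC2RBit) -ne 0)
}

$authority = Get-OfficeUpdateAuthority
$moved     = Test-OfficeWorkloadMoved
$authority | Format-Table -AutoSize -Wrap | Out-Host
Write-Host "Office Click-to-Run workload moved to Intune: $moved"

# Flag the inconsistent state: workload moved, yet policy still points at ConfigMgr.
if ($moved -and ($authority.Authority -contains 'ConfigMgr')) {
    Write-Warning 'Workload is on Intune but OfficeMgmtCOM still selects ConfigMgr.'
}

# The post notes the Click-to-Run service may need a restart after the change.
Get-Service -Name ClickToRunSvc -ErrorAction SilentlyContinue | Select-Object Name, Status
```

Run it from an elevated PowerShell session on the co-managed device; it changes nothing and can be repeated after each policy cycle.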

 

 

 

 

2.2      Switching O365 Updates management from Intune (Office CDN over Internet) to ConfigMgr

The goal of co-management is to move the workloads to the cloud while honoring your investments in ConfigMgr. If you still decide to move the Office Updates workload back to on-premises from the CDN, take the following two steps (applicable only if the co-management slider is in Pilot).

 

  1. Exclude device from the pilot collection of the Co-Management workload “Office Click-to-Run apps”.
  2. Create a custom Device Settings to enable Office client management and target this device.

 

Validate it by launching any Office app and clicking File > Account, then checking for the yellow bar with the text “Updates are managed by your system administrator”.

 

 

Happy Co-Managing O365 Click-to-Run apps with Intune and ConfigMgr 🙂

 

 

 

Thanks,

Arnab Mitra

 

 

Updated Oct 02, 2021
Version 2.0
  • Yes, that is scenario 2.2 in this post. The key is the value of OfficeMgmtCOM, which needs to be True for MEMCM update authority. Depending on how Office was installed and the current value of OfficeMgmtCOM, you may need to tweak it.

  • Gbedeau85

    arnabmitra Hello, in our situation Microsoft 365 Apps is deployed during Autopilot with Microsoft 365 Apps of Intune. The OfficeMgmtCOM is not configured in the installation XML but we configure the configuration profile you mentioned before to enable the component OfficeMgmtCOM.

    I also tried to add the value OfficeMgmtCOM set to True in:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration

    and

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate
    But in the SCCM UpdatesDeployment logs I see:
     
    CEvalO365ManagementTask::Execute() UpdatesDeploymentAgent 11/01/2021 18:11:24 8976 (0x2310)
    Reading CoManagementFlags ccm registry key. UpdatesDeploymentAgent 11/01/2021 18:11:24 8976 (0x2310)
    Verifying if workload 128 is enabled in workloadFlags 239 UpdatesDeploymentAgent 11/01/2021 18:11:24 8976 (0x2310)
    Result of & operation is 128 UpdatesDeploymentAgent 11/01/2021 18:11:24 8976 (0x2310)
    Feature flag is ON, device should be managed by MDM. UpdatesDeploymentAgent 11/01/2021 18:11:24 8976 (0x2310)
    OnO365ManageOptionChange - Turning off to disable CCM to manage O365 client updates. UpdatesDeploymentAgent 11/01/2021 18:11:24 8976 (0x2310)
    SwitchO365Management - bIsManagedByCCM = [true], bIsTurnOn = [false], need to switch. UpdatesDeploymentAgent 11/01/2021 18:11:24 8976 (0x2310)
    Turning off to disable CCM to manage O365 updates... UpdatesDeploymentAgent 11/01/2021 18:11:24 8976 (0x2310)
    Stopped the service 'ClickToRunSvc' successfully UpdatesDeploymentAgent 11/01/2021 18:11:25 8976 (0x2310)
    EvaluateO365Management - SwitchO365Management (off) returned with 0x0 UpdatesDeploymentAgent 11/01/2021 18:11:25 8976 (0x2310)
     
    And it doesn't work, could you help?
  • Gbedeau85

    Hello,

     

    Thank you for the article, but something is confusing me in chapter 2.2. In the screenshot for Device configuration, it shows the workload Office Click To Run Apps on Intune Pilot.

    Is it possible to manage the Office updates with SCCM when the workload Office Click To Run App is set to Intune Pilot?

    I configured the Configuration Profile Office 365 Client Management to Enabled and the MEMCM Client settings to allow Microsoft 365 updates, but it doesn't work.

    I saw after the installation of MEMCM Client the value officemgmtcom in

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate 

    switched to 0, same behaviour when I move the workload Click To Run App to intune pilot

     

    Thank you

  • Hi Gbedeau85, moving the Office Click-to-Run apps slider does two things: it allows the installation of Office from Intune and resets the OfficeMgmtCOM value. In your case you may want to check if there is a conflicting Office GPO which is blocking the override.

  • Gbedeau85

    arnabmitra My device is AAD Join, not Hybrid AAD Join so there's no GPO conflicts possible.

     

    Could you confirm that it's possible to manage Microsoft 365 Apps updates with MEMCM with the Click To Run Apps workload set to Pilot Intune? Just to be sure I'm not on the wrong track.

  • Gbedeau85

    Hello rahuljindal-MVP, no sorry we didn't find the solution, we stopped co-management pilot for the moment. (not only for this reason)

  • CDeee

    Hmm, this is annoying to see...I was hoping we could use the Pilot Collection to allow updates to be picked up from both SCCM and Microsoft Updates (as the updates can be done) but having the Click-To-Run Apps workloads set to Pilot seems to fully make 365 Apps updates (and the installation of said app) go fully to InTune...With CoManagement and Click-To-Run Workloads set to Pilot we can no longer install 365 Apps from SCCM.

    I take it we can't have it so we can install Click-To-Run from SCCM AND allow updates for 365 Apps to come from both SCCM and InTune?