With Microsoft Intune we can control the Windows 10 update rings by using the Software Updates policies. For Office365 Pro-Plus installations this is a different story: at this moment we are not able to configure this through a GUI policy within Intune. In my current project, one of the requirements is to control and enforce the update channels of the Office365 Pro-Plus installations. I was discussing this requirement with my colleague Peter van der Woude and he challenged me to check whether this was possible by ingesting an Office ADMX policy file. My answer was: Challenge Accepted!
This blogpost covers the steps needed to configure Intune so you’re able to control and enforce the Office365 Pro-Plus update channels. I will not explain the technology in detail since this is documented very well here and here. My colleague Peter has also written some great posts about this; you can find them here and here. With these links you should have enough background information for this solution. Now let’s dive into the steps and configuration needed to control the Office365 Pro-Plus update channels. I started by searching for the Office 2016/Pro-Plus ADMX files; I found them here. In this package of ADMX files, office2016.admx is the file you need when you want to control and configure the update channels of your Office365 Pro-Plus installation.
My first try was to ingest the office2016.admx with Intune, but this failed with an error that there was a catastrophic failure during the ingestion of the ADMX file. Since this ADMX file is large, my second try was to cut and paste just the ‘update’ section from this file into a new ADMX file and upload that file with Intune, but this ended in the same error on the client. After testing some other solutions I found out that when I removed the following text (noSort="true" required="false") from the Enum entry L_UpdateBranchID, I was able to ingest the ADMX file through Intune on the clients. Once I had resolved this issue I was able to configure the update channels. I configured the following within Intune to control the Office365 Pro-Plus channels:
Office365 ADMX Ingest Policy:
- Create 3 groups, one for each Office365 Pro-Plus update channel: Monthly Channel, Semi-Annual (Targeted) channel and Semi-Annual channel.
- Go to the Intune section in the Azure portal (https://portal.azure.com)
- Go to Device Configuration –> Profiles and click on Create Profile.
- Give the profile a Name, select Windows 10 and later as platform and select Custom as Profile type.
- Now click on Add to add the OMA-URI setting. Enter a Name for the setting. Enter the following OMA-URI setting: ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Office365ProPlus/Policy/Office365ProPlusUpdateADMX
- Select String as data type and add the following XML to the value section:
- Now Save the policy and assign the policy to all groups created in step 1.
The above policy will ingest the ADMX file to the Windows 10 client so we can configure the update channels through another policy. The following steps can be used to create the policy for each update channel you want to configure:
- Go to the Intune section in the Azure portal (https://portal.azure.com)
- Go to Device Configuration –> Profiles and click on Create Profile.
- Give the profile a Name, select Windows 10 and later as platform and select Custom as Profile type.
- Now we need to add the OMA-URI settings for enabling automatic updates, configuring the update channel and hiding the option to disable updates. For each of these settings we need to add an OMA-URI setting with a value (type –> String):
Enable Automatic Updates
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_EnableAutomaticUpdates
Value: <enabled/>
Configure Update Channel
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateBranch
Value: <enabled/><data id="L_UpdateBranchID" value="Current"/>
Hide Disable Updates Option
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_HideEnableDisableUpdates
Value: <enabled/>
- Click on Save to add the policy to Intune.
- Assign the policy to the corresponding group created in the first step of this blogpost.
Note that the possible values for the data id L_UpdateBranchID in step 4 are the following:
| Update Channel | Channel Setting |
| --- | --- |
| Insider Channel | InsiderFast |
| Monthly Channel | Current |
| Semi-Annual (Targeted) Channel | FirstReleaseDeferred |
| Semi-Annual Channel | Deferred |
When you’ve configured above policies you will see the following in the registry of the Windows 10 clients:
Ingestion of the ADMX file results in the Registry:
Results of the Update Channel policy settings in the registry:
When the above settings are set in the registry, the next time the Office365 update task runs, Office365 Pro-Plus will change to the configured channel and the installation will be upgraded or downgraded to the right version. During my testing the policy from Intune was only applied after a login of the user. With the above configuration you will be able to configure and enforce the version and update channel of the Office365 Pro-Plus installations. This solution is tested on Windows 10 1709.
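A pre-paste check for the OMA-URI values of the channel policy above, as an added example that is not part of the original post: it flags typographic quotes picked up when copying from a web page (they make the value malformed XML) and checks the channel setting against the table. The function name `check_value` and the sample strings are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Channel settings taken from the table in this post.
CHANNELS = {"InsiderFast", "Current", "FirstReleaseDeferred", "Deferred"}
# Typographic quotes that web pages and editors substitute for " and '.
SMART_QUOTES = "\u201c\u201d\u201e\u2018\u2019"


def check_value(value):
    """Return a list of problems in an ADMX-backed OMA-URI string value."""
    problems = []
    bad = sorted({c for c in value if c in SMART_QUOTES})
    if bad:
        codes = " ".join(f"U+{ord(c):04X}" for c in bad)
        problems.append(f"typographic quotes: {codes}")
    try:
        # The value is a sequence of sibling elements; wrap it in one root.
        root = ET.fromstring(f"<v>{value}</v>")
    except ET.ParseError as exc:
        problems.append(f"not well-formed XML: {exc}")
        return problems
    tags = [el.tag for el in root]
    if not tags or tags[0] not in ("enabled", "disabled"):
        problems.append("value must start with <enabled/> or <disabled/>")
    for data in root.iter("data"):
        if data.get("id") == "L_UpdateBranchID" and data.get("value") not in CHANNELS:
            problems.append(f"unknown channel setting: {data.get('value')!r}")
    return problems


if __name__ == "__main__":
    # Constructed samples: the same value with typographic and with plain quotes.
    samples = [
        "<enabled/><data id=\u201dL_UpdateBranchID\u201d value=\u201dCurrent\u201d/>",
        '<enabled/><data id="L_UpdateBranchID" value="Current"/>',
        '<enabled/><data id="L_UpdateBranchID" value="Monthly"/>',
    ]
    for s in samples:
        print(s, "->", check_value(s) or "OK")
```

An empty list means the value is well-formed and uses a channel setting from the table; it does not prove the ADMX itself was ingested on the client.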
Hello,
Thanks for this great article. I have a problem when I try to ingest the part of the ADMX that you give.
When I deploy it, I have this error message:
MDM ConfigurationManager: Command failure status. Configuration Source ID: (0D784085-89B4-4960-8184-F3DE75A9D34C), Enrollment Name: (MDMDeviceWithAAD), Provider Name: (Policy), Command Type: (Add: from Replace or Add), CSP URI: (./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Office/Policy/Office.admx), Result: (Invalid data format for the specific protocol operation.).
So I have tried to put only the “EnableAutomaticsUpdate” part and it’s working.
Do you know what could be my problem?
Thanks
Hi Mickael,
You’re right. I replaced the ADMX with a working one and uploaded the ADMX to GitHub.
I’ve tested this one and it’s working on my clients.
Let me know if this solves your issue,
Regards, Arjan
Hi,
Thanks for this update, it’s working fine now. Could you tell me what was the problem? It could help me if I have the same problem with another ADMX file.
Regards,
Mickael
It was a copy/paste error from my side. ☹️
Regards, Arjan
Ah ok 😀
Thanks!
Mickael
Can you do a write-up how to ‘minimize’ the admx file, you did not use the whole admx content. So how did you ‘trim’ down the admx content to what you have 🙂
Great post, Arjan! Peter van der Woude sent me your way in hopes of resolving an issue that I am having with ADMX policies in Intune. Well, not really an issue but a lack of knowledge on how to correctly configure one.
I am trying to disable the Outlook 2016 signatures. Here is the original ADMX for Office 2016. For Outlook 2016 there are options to disable signatures and I was not sure if I was pulling the correct information based on your example in this article.
https://www.microsoft.com/en-us/download/details.aspx?id=49030
Intune reports that the Per-setting status has succeeded for the outlk12.admx, but failed for disabling the signature.
Here is my OMA-URI:
./Device/Vendor/MSFT/Policy/Config/Outlook2016~Policy~L_OutlookOptions/disablesignatures
Data Type: String
Value:
Any thoughts?
Thank you in advance
Based on the downloaded Outlook ADMX file the OMA-URI should be:
./Device/Vendor/MSFT/Policy/Config/Outlook2016~Policy~L_MicrosoftOfficeOutlook~L_OutlookOptions~L_MailFormat/L_DisableSignatures
The Value type is: String with a value of < e n a b l e d / > (remove spaces) 🙂
You will also need to ingest the Outlook ADMX as I described in the blogpost.
Let me know if you need additional help with this. 🙂
Ah, makes sense. After reviewing the Excel file containing all the options I see this one. I will let you know the results in the next few days.
Thank you.
Hi Arjan,
That did not seem to work. I have applied to both user and device ( first device then user). The ADMX is successful. The error reported by Intune is “-2016281112 Remediation failed”
Any thoughts?
Thank you,
Niles
Hi Arjan,
I noticed that there is a String (XML file) option and have read in other posts that this was used and not just String.
Thoughts?
Both should work. Can you drop me an email through the contact form of my blog. Then we can try to solve this offline. 🙂
Regards, Arjan
Hello Arjan
Did you manage to resolve this, as I would like to do the same thing?
Kind Regards
Nick
I’ve added the policy within my environment and will try to get it working. Will report back with my results.
Regards, Arjan
Hi Nick,
I’ve got this working. I will write a short blogpost on this in the coming weeks.
Regards, Arjan
Hi Arjan,
thanks for this great post.
We really need this kind of control for O365 channels via Intune and have configured and deployed this for ‘L_EnableAutomaticUpdates’ and ‘L_HideEnableDisableUpdates’ successfully.
The OMA-Uri ‘…\L_UpdateBranch’ with ‘’ is unfortunately NOT working – even after double-checking everything twice.
But this setting is based on ENUM… are there any special remarks for this type besides this post?
We notice that there is no key written under ‘…\PolicyManager\Providers...\Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates’.
Any idea how to fix that for this (for us) most important key?
Thanks in advance.
David
Hi David,
I’ve checked the new ADMX file and this setting is still the same as in my blogpost. So the good news is that it’s not changed, the bad news is that this is not your issue. Could you please drop me an email through the contact form of my blog. We can try to fix this offline and report back the solution.
Thanks,
Arjan
Arjan,
I have the same issue as David. The OMA-Uri ‘…\L_UpdateBranch’ does not seem to work. Intune reports error:
-2016281112 (Remediation failed)
There is no value written to registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\NodeCache\CSP\Device\MS DM Server\Nodes\568
Did you find the reason?
Arjan,
I have the exact same issue as David, The OMA-Uri ‘…\L_UpdateBranch’ with ‘’ is NOT working. Did you figure out why?
Arjan/David,
Were you ever able to find a resolution to this problem? I have been going over this config but getting the same results on my devices (1803). The L_UpdateBranch key is not written. Event Viewer on the client gives the following, not very helpful, error:
(Add: from Replace or Add), CSP URI: (./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateBranch), Result: (Unspecified Error).
Intune;
L_UpdateBranch [root\ccm\cimodels:CustomConfiguration.Key=’./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateBranch]
Error
-2016281112 (Remediation failed)
Thanks in advance,
Peter
Hi David,
I cannot find the documentation to get the right OMA-URI to use for configuring Office. Where can I find it?
Thanks
Hi Arjan,
I’ve got an issue as well with the Update Channel setting; it does not seem to apply:
./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateBranch
Best regards,
Oscar
Arjan,
I have the same question as David. ENUM based policy is not recognized. In your example, the L_UpdateBranch. Did you figure out why?
thanks
yining
Based on all comments I’ve tested the instructions in this blogpost again and it’s still working as expected. I used the ‘raw’ button to retrieve the raw XML lines and added this to Intune. I’ve tested this on Windows 10 1709 and Insider Builds. I will test the 1709 version later this week.
Regards, Arjan
The problem is ” ”
The first one is wrong and the second one is right
Hi Arjan,
I tried to copy using “Raw” but it is not working; Intune reported the following error: -2016281112 (Remediation failed). Could you please help me solve it?
Thank you in advance.
We solved this issue. When you copy and paste in Intune, ” are wrong, you must change the quotes and write it again with your keyboard
Hi Guys,
The problem with update channel everyone is having is related to the ” character:
when you copy the setting from Arjan, you get the wrongly formatted version
–> wrong
–> correct
Try this and it will definitely work.
Good find, thanks!
To all people with problems check quotes. I solved it changing ” by “.
Hi Marc!
can you please help me with this ?
please contact me on varisprunte@gmail.com.
Thanks