Problem
If Microsoft 365 Apps are managed by a mix of deployment XML, Intune Administrative Templates, and Cloud Update profiles, update behavior can become hard to predict.
This guide documents a transition from mixed control to one clear model: Cloud Update as the single authority with Monthly Enterprise Channel as target.
Constraints
- Intune-managed Windows 11 devices (Entra-joined, Autopilot-provisioned)
- Microsoft 365 E3 and A5 licenses
- M365 Apps for Enterprise (64-bit, Norwegian language pack)
- config.office.com Cloud Update with two active profiles (Monthly Enterprise Channel and Current Channel)
- Intune Administrative Template policy targeting All Devices with update settings enabled
Decision
Three layers can overlap and create control conflicts:
Layer 1: The Deployment XML
M365 Apps were deployed via Intune using an ODT configuration XML with Channel="Current". That means new devices start on Current Channel unless changed later.
<!-- Original — wrong channel -->
<Add OfficeClientEdition="64" Channel="Current" MigrateArch="TRUE">
Layer 2: Intune Administrative Template
A legacy Office updates Administrative Template policy was assigned broadly with these settings enabled:
- Target Version: Enabled
- Enable Automatic Updates: Enabled
- Update Channel: Enabled
- Hide option to enable or disable updates: Enabled
- Update Deadline: Enabled
These settings write to the registry under HKLM:\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate. When these GPO-style registry keys exist, Cloud Update (config.office.com) cannot take management control of the device. Microsoft documents that Cloud Update defers to GPO/Intune policy registry keys when they are present.
If the Target Version was pinned to an older build, devices would never update beyond it. If it was empty but Enabled, it could still cause unpredictable behavior alongside Cloud Update.
Layer 3: Cloud Update (config.office.com)
Two servicing profiles were active: one for Monthly Enterprise Channel and one for Current Channel, both broadly targeting devices. When these overlap with Admin Template registry keys, channel control becomes inconsistent.
Outcome
Typical result in this mixed-control setup: devices stay on unintended channels and Cloud Update cannot consistently apply the expected policy.
Implementation
The fix is to consolidate to one management authority — Cloud Update via config.office.com — and remove everything that conflicts with it.
Step 1: Fix the Deployment XML
Update the M365 Apps Intune deployment configuration to use Monthly Enterprise Channel for all new device installations:
<!-- Configuration ID is generated by config.office.com — generate your own at https://config.office.com -->
<Configuration ID="xxx-xxxx-xxx-xxx">
<Add OfficeClientEdition="64" Channel="MonthlyEnterprise" MigrateArch="TRUE">
<Product ID="O365ProPlusRetail">
<Language ID="nb-no" />
<!-- Exclude apps not needed in your org -->
<ExcludeApp ID="Access" />
<ExcludeApp ID="Groove" /> <!-- OneDrive for Business legacy sync client -->
<ExcludeApp ID="Lync" /> <!-- Skype for Business — deprecated -->
<ExcludeApp ID="MSTeams" /> <!-- Old bundled Teams — New Teams installs separately -->
</Product>
</Add>
<!-- Licensing — all disabled for standard user-based licensing -->
<Property Name="SharedComputerLicensing" Value="0" />
<Property Name="SCLCacheOverride" Value="0" />
<Property Name="AUTOACTIVATE" Value="0" />
<Property Name="DeviceBasedLicensing" Value="0" />
<!-- FORCEAPPSHUTDOWN=false: running Office apps are not force-closed during install -->
<Property Name="FORCEAPPSHUTDOWN" Value="false" />
<!-- No <Updates> element — Cloud Update (config.office.com) manages updates.
Adding update settings here would conflict with Cloud Update. -->
<AppSettings>
<Setup Name="Company" Value="Org name" />
<!-- Default save formats: Excel=.xlsx (51), PowerPoint=.pptx (27), Word=.docx (default) -->
<User Key="software\microsoft\office\16.0\excel\options"
Name="defaultformat" Value="51" Type="REG_DWORD"
App="excel16" Id="L_SaveExcelfilesas" />
<User Key="software\microsoft\office\16.0\powerpoint\options"
Name="defaultformat" Value="27" Type="REG_DWORD"
App="ppt16" Id="L_SavePowerPointfilesas" />
<User Key="software\microsoft\office\16.0\word\options"
Name="defaultformat" Value="" Type="REG_SZ"
App="word16" Id="L_SaveWordfilesas" />
</AppSettings>
<!-- Full install UI with automatic EULA acceptance -->
<Display Level="Full" AcceptEULA="TRUE" />
</Configuration>
This only affects new installations. Existing devices need the proactive remediation below.
Step 2: Delete the Intune Administrative Template
Remove the legacy Office updates Administrative Template policy from Intune entirely. This is the highest-impact step in this fix. As long as this policy exists, it keeps writing blocking registry keys on every policy sync and overrides remediation scripts.
Navigate to: Intune Admin Center → Devices → Configuration → [legacy Office updates policy] → Delete
If you need to keep the “Hide option to enable or disable updates” setting, create a new minimal policy with only that setting and set everything else to Not Configured.
Step 3: Configure Cloud Update as the Single Authority
In config.office.com → Cloud Update:
- Confirm the Monthly Enterprise profile is Active
- Set a reasonable Update Deadline (e.g., 48 or 72 hours for security updates)
- Optionally enable Rollout waves to stagger updates across pilot and production rings
- Review the Current Channel profile — once all devices migrate to MEC, this profile will have zero devices
Step 4: Deploy Proactive Remediation to Switch Existing Devices
Existing devices still on Current Channel with blocking registry keys need active remediation. Deploy this as a Proactive Remediation script pair in Intune.
Detection script — checks CDNBaseUrl, UpdateChannel, and blocking GPO registry keys:
# Monthly Enterprise Channel CDNBaseUrl
$targetCDNBaseUrl = "http://officecdn.microsoft.com/pr/55336b82-a18d-4dd6-b5f6-9e5095c314a6"
$c2rRegPath = "HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration"
$policiesRegPath = "HKLM:\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate"
# Start from compliant; any failed check below flips this
$nonCompliant = $false
# Check CDNBaseUrl (effective channel)
$currentCDN = (Get-ItemProperty -Path $c2rRegPath -Name "CDNBaseUrl" -ErrorAction SilentlyContinue).CDNBaseUrl
if ($currentCDN -ne $targetCDNBaseUrl) { $nonCompliant = $true }
# Check for blocking policy keys that prevent Cloud Update
foreach ($key in @("updatebranch", "updatepath", "updatetargetversion")) {
    $value = (Get-ItemProperty -Path $policiesRegPath -Name $key -ErrorAction SilentlyContinue).$key
    if ($null -ne $value -and $value -ne "") { $nonCompliant = $true }
}
# Intune Remediations: exit 1 = issue detected (remediation runs), exit 0 = compliant
if ($nonCompliant) { Write-Output "Non-compliant"; exit 1 }
Write-Output "Compliant"; exit 0
# Full script: https://github.com/Thugney/eriteach-scripts/blob/main/intune/remediations/m365apps-channel-switch-detection.ps1
Remediation script — removes blocking keys, sets the correct channel, triggers update check, and verifies:
# Same target and paths as the detection script (the remediation script runs on its own)
$targetCDNBaseUrl = "http://officecdn.microsoft.com/pr/55336b82-a18d-4dd6-b5f6-9e5095c314a6"
$c2rRegPath = "HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration"
$policiesRegPath = "HKLM:\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate"
# Remove blocking policy keys
foreach ($key in @("updatebranch", "updatepath", "updatetargetversion",
                   "enableautomaticupdates", "updatedeadline")) {
    Remove-ItemProperty -Path $policiesRegPath -Name $key -Force -ErrorAction SilentlyContinue
}
# Set CDNBaseUrl and UpdateChannel to Monthly Enterprise Channel
Set-ItemProperty -Path $c2rRegPath -Name "CDNBaseUrl" -Value $targetCDNBaseUrl -Force
Set-ItemProperty -Path $c2rRegPath -Name "UpdateChannel" -Value $targetCDNBaseUrl -Force
# Trigger Office update check (skipped if the Click-to-Run client is not present)
$c2rExe = Join-Path $env:CommonProgramFiles "Microsoft Shared\ClickToRun\OfficeC2RClient.exe"
if (Test-Path $c2rExe) {
    Start-Process -FilePath $c2rExe -ArgumentList "/update user displaylevel=false forceappshutdown=false" -Wait -NoNewWindow
}
# Full script: https://github.com/Thugney/eriteach-scripts/blob/main/intune/remediations/m365apps-channel-switch-remediation.ps1
Deploy in Intune: Devices → Remediations → Create script package, schedule Daily, run as System (64-bit).
Step 5: Monitor
After deployment, monitor from two places:
- config.office.com → Cloud Update → Monthly Enterprise → Overview — watch devices appear under MEC management
- Intune Admin Center → Reports → Microsoft 365 Apps updates — watch the risk trend move down
Allow 48–72 hours for the full fleet to switch channels and pull the latest MEC build.
Outcome
Practical rule: avoid running more than one management authority for M365 Apps updates at the same time.
Pick one of these and use it exclusively:
| Authority | Best For | How It Controls Updates |
|---|---|---|
| Cloud Update (config.office.com) | Most organizations | Service-side management, rollout waves, deadline enforcement |
| Intune Admin Template | Orgs needing granular GPO-style control | Registry-based policy, pinned versions, channel control |
| Servicing profile via Intune | Integrated Intune-first management | M365 Apps update policies in Intune portal |
If you use Cloud Update, do not set Update Channel, Target Version, or Update Path via Intune Administrative Templates or GPO. These registry keys block Cloud Update from managing the device.
The deployment XML channel should also match your intended servicing channel so new devices don’t need a post-deployment channel switch. And critically — don’t include an <Updates> element in the XML if Cloud Update is your authority.
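The two XML rules above (Step 1 and this closing rule) can be checked before a configuration is uploaded to Intune. The following is an added example, not part of the original guide or its linked scripts; the function name `Test-OdtUpdateAuthority`, its `IntendedChannel` parameter, and both sample documents are constructed for illustration.

```powershell
# Added example: lint an ODT configuration for conflicts with Cloud Update.
# Function name, parameter names and the sample XML below are constructed.
function Test-OdtUpdateAuthority {
    param(
        [Parameter(Mandatory)][string]$XmlText,
        [string]$IntendedChannel = 'MonthlyEnterprise'
    )
    try { $doc = [xml]$XmlText }
    catch { return "Configuration XML does not parse: $($_.Exception.Message)" }

    # Rule 1: the install channel must match the intended servicing channel.
    $addNodes = @($doc.SelectNodes('/Configuration/Add'))
    if ($addNodes.Count -eq 0) { "No <Add> element: nothing sets the install channel." }
    foreach ($add in $addNodes) {
        $channel = $add.GetAttribute('Channel')
        if (-not $channel) {
            "<Add> has no Channel attribute, so this file does not pin the install channel."
        } elseif ($channel -ne $IntendedChannel) {
            "<Add Channel=`"$channel`"> differs from intended channel '$IntendedChannel'."
        }
    }
    # Rule 2: an <Updates> element is a second source of update settings.
    foreach ($upd in @($doc.SelectNodes('/Configuration/Updates'))) {
        $attrs = ($upd.Attributes | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ', '
        "<Updates> element present ($attrs): remove it when Cloud Update is the authority."
    }
}

# Constructed sample input: the mixed-control pattern and the corrected form.
$before = @'
<Configuration>
  <Add OfficeClientEdition="64" Channel="Current" MigrateArch="TRUE">
    <Product ID="O365ProPlusRetail"><Language ID="nb-no" /></Product>
  </Add>
  <Updates Enabled="TRUE" Channel="Current" />
</Configuration>
'@
$after = @'
<Configuration>
  <Add OfficeClientEdition="64" Channel="MonthlyEnterprise" MigrateArch="TRUE">
    <Product ID="O365ProPlusRetail"><Language ID="nb-no" /></Product>
  </Add>
</Configuration>
'@
foreach ($case in @{ Name = 'before'; Xml = $before }, @{ Name = 'after'; Xml = $after }) {
    $findings = @(Test-OdtUpdateAuthority -XmlText $case.Xml)
    if ($findings.Count) { $findings | ForEach-Object { "[$($case.Name)] FAIL: $_" } }
    else { "[$($case.Name)] OK: channel matches and no <Updates> element" }
}
```

To lint a real file, pass its content with `Get-Content -Raw`.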