Deploy Office 365 Updates Using SCCM
This post is a step-by-step guide to deploying Office 365 updates using SCCM. SCCM makes it easy not only to deploy Office 365 but also to manage Office 365 software updates. In my previous posts, I covered deploying Office 365 using SCCM. I also posted Office 365 client management dashboard details.
After you deploy Office 365, deploying software updates is the next major task. SCCM has the ability to manage Office 365 client updates by using the Software Update management workflow.
When Office 365 updates are deployed to client computers, they are first downloaded to the local client cache. Since Office 365 client updates are huge, ensure that you configure the cache settings prior to deployment. Starting with SCCM 1606, you can specify the cache folder size using client settings in the Configuration Manager console.
Step-by-Step Guide to Deploy Office 365 Updates Using SCCM
To deploy Office 365 updates using SCCM, you need to complete a few basic configuration steps. Once these are done, you can quickly deploy Office 365 updates using Configuration Manager.
Step 1 – Verify the Requirements
To deploy Office 365 updates, ensure you meet the requirements below.
- Your setup must be running SCCM 1606 or a later version.
- An Office 365 client on a supported channel version.
- Windows Server Update Services (WSUS) 4.0
If you have met all the above requirements, you can proceed to step 2.
Step 2 – Configure Software Update Points
I am sure you have already configured a software update point, because that is required to deploy updates. However, if you have not configured your software update point, you can follow this post.
Under Software Update Point component properties, click the Classifications tab. Ensure that the Updates classification is checked. In addition to this, if you make any other changes, remember to synchronize software updates once.
Go to the software update point properties and click the Products tab. Under the Office product, select Office 365 client. Click OK and close the SUP properties window.
Synchronize the software updates again and open the wsyncmgr.log file. You should now see some synchronization entries related to Office 365. Wait for the synchronization to complete.
Once the sync is complete, look for Office 365 updates. Click Software Library > Overview > Office 365 client management. Click Office 365 updates and you will see all the Office 365 updates. Proceed to Step 3 now.
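To confirm the Office 365 synchronization from wsyncmgr.log without scrolling through the whole file, the log can be filtered with a short script. This is an added example, not part of the original post: the sample log lines (update GUIDs and message wording included) are constructed for illustration, and `ConvertFrom-CMTraceLine` and `Get-Office365SyncEntry` are hypothetical helper names. It assumes one log entry per line.

```powershell
# Added example: filter CMTrace-format wsyncmgr.log lines for Office 365 activity.
# The lines in $sampleLog are CONSTRUCTED for illustration, not real site output.
$sampleLog = @(
    '<![LOG[Synchronizing update 00000000-0000-0000-0000-000000000001 - Office 365 Client Update - Semi-annual Channel Version 1803 for x64 based Edition (Build 9126.2282)]LOG]!><time="10:15:32.123+330" date="08-20-2018" component="SMS_WSUS_SYNC_MANAGER" context="" type="1" thread="4312" file="sample.cpp:1">'
    '<![LOG[Synchronizing update 00000000-0000-0000-0000-000000000002 - Office 365 Client Update - Semi-annual Channel Version 1803 for x86 based Edition (Build 9126.2282)]LOG]!><time="10:15:33.456+330" date="08-20-2018" component="SMS_WSUS_SYNC_MANAGER" context="" type="1" thread="4312" file="sample.cpp:1">'
    '<![LOG[Synchronizing update 00000000-0000-0000-0000-000000000003 - Sample Windows cumulative update]LOG]!><time="10:15:34.001+330" date="08-20-2018" component="SMS_WSUS_SYNC_MANAGER" context="" type="1" thread="4312" file="sample.cpp:1">'
    '<![LOG[Sample warning: sync will be retried]LOG]!><time="10:16:02.000+330" date="08-20-2018" component="SMS_WSUS_SYNC_MANAGER" context="" type="2" thread="4312" file="sample.cpp:2">'
    'this line is not in CMTrace format and is skipped'
)

function ConvertFrom-CMTraceLine {
    # Split one CMTrace-format line into message, timestamp, component and severity.
    param([string]$Line)
    $pattern = '^<!\[LOG\[(?<msg>.*)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)" ' +
               'component="(?<comp>[^"]*)" context="[^"]*" type="(?<type>[123])"'
    if ($Line -notmatch $pattern) { return }        # blank, continuation or malformed line
    $severityNames = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }
    [pscustomobject]@{
        Date      = $Matches['date']
        Time      = $Matches['time']
        Component = $Matches['comp']
        Severity  = $severityNames[$Matches['type']]
        Message   = $Matches['msg']
    }
}

function Get-Office365SyncEntry {
    # Keep Office 365 messages, plus every warning/error so a failed sync is not hidden.
    param([string[]]$Line)
    foreach ($l in $Line) {
        $entry = ConvertFrom-CMTraceLine -Line $l
        if ($null -eq $entry) { continue }
        if ($entry.Message -match 'Office 365' -or $entry.Severity -ne 'Info') { $entry }
    }
}

Get-Office365SyncEntry -Line $sampleLog | Format-Table Date, Time, Severity, Message -Wrap

# Against a real site server, pass the actual log instead of the sample:
# Get-Office365SyncEntry -Line (Get-Content '<ConfigMgr install path>\Logs\wsyncmgr.log')
```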
Step 3 – Enable Office 365 clients to receive updates from SCCM
With Configuration Manager version 1606 and above, you can easily manage the Office 365 client agent. This setting is part of the Configuration Manager client settings. Once you configure this setting, the SCCM client agent talks to the Office 365 client agent to download the updates from a distribution point and install them.
In the SCCM console, navigate to Administration > Overview > Client Settings. Right click default client settings and click Software Updates. Look for the option “Enable management of the Office 365 client agent”. Click the drop-down and click Yes. Click OK. By enabling this option, you can now manage Office 365 client agents using SCCM.
Step 4 – Deploy Office 365 updates to clients
To deploy Office 365 updates to clients using SCCM, you need to perform some more steps. There are two ways to deploy Office 365 updates.
- Manually deploy software updates – We will use this method in this post.
- Automatically deploy software updates – Using automatic deployment rule (ADR).
In step 2 we configured SUP to include Office 365 updates. We will now go through the steps to deploy Office 365 updates using SCCM.
After running the software updates sync, I have got some more Office 365 updates. Not all of these updates will be deployed. Looking at my Office 365 client edition, the current build is 9126.2275. Out of all the updates, I use search criteria to filter the ones I want. In the below screenshot, I have set the filter to show updates that aren’t expired and were released within about the last 10 days. The basic idea is to deploy updates that were released recently.
Step 4.1 – Download Office 365 Updates
In some organizations you will find both x64 and x86 versions of Office 365 client deployed. If you have got only Office 365 x86 client deployed, you can select only x86 client based edition updates and proceed. In this example, I am selecting both x64 and x86 edition Office 365 client update – Semi-Annual channel version 1803 updates. Select the updates, right click and click Download.
Create a new deployment package. Specify name and path to store the updates. Click Next.
Select the distribution points to which you want to distribute the updates. Click Next on the Distribution Point settings page.
Select Download software updates from the internet. Click Next.
On the progress page you will find the updates being downloaded.
The Office 365 updates are downloaded. On completion page click Close.
Step 4.2 – Deploy Office 365 Updates
We will now deploy Office 365 updates using SCCM. In the above steps, we downloaded the 2 updates. Select those updates, right click and click Deploy.
Specify deployment name. Click Browse and select the device collection to which you want to deploy the updates.
Under deployment settings, you can either choose to deploy updates as required or make it available to client machines. Choose the option based on your requirement. Click Next.
Schedule the deployment appropriately and click Next.
Click Next.
Click Next.
On completion page, click Close.
On one of the client machines, I got this Software Center notification.
The Office client update is installing. Nice to see that.
I also want to show you that the build number changes once the update is installed. The current Office 365 client build number is 9126.2275.
Notice that build number is now 9126.2282.
You can also get the Office 365 client version right from Office 365 client management dashboard.
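The build number change shown above can also be checked on the client itself, together with whether the Office 365 client agent is under Configuration Manager management (Step 3). This is an added example, not from the original post: `Get-RegistryValueTable` and `Test-OfficeUpdateState` are hypothetical helpers, the hashtables are constructed sample data, and the registry locations and value names (`VersionToReport` with a `16.0.` prefix, `CDNBaseUrl`, `OfficeMgmtCOM`) are assumptions based on common Click-to-Run installs that you should confirm on your build.

```powershell
# Added example: check a Click-to-Run client's build and update-management state.
# Registry paths and value names are ASSUMPTIONS based on common Click-to-Run installs.
$C2RConfigKey = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
$PolicyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Office\16.0\Common\OfficeUpdate'

function Get-RegistryValueTable {
    # Return all values under a registry key as a hashtable (empty if the key is absent).
    param([string]$Path)
    $table = @{}
    if (Test-Path -LiteralPath $Path) {
        $key = Get-Item -LiteralPath $Path
        foreach ($name in $key.GetValueNames()) { $table[$name] = $key.GetValue($name) }
    }
    $table
}

function Test-OfficeUpdateState {
    # Compare the installed build with the deployed one and report who manages updates.
    param(
        [hashtable]$Config = @{},
        [hashtable]$Policy = @{},
        [Parameter(Mandatory)][version]$ExpectedVersion
    )
    $installed = $null
    if ($Config['VersionToReport']) { $installed = [version]$Config['VersionToReport'] }
    # Management counts as enabled if the policy DWORD is 1 or the Click-to-Run value is 'True'.
    $managed = ($Policy['OfficeMgmtCOM'] -eq 1) -or ("$($Config['OfficeMgmtCOM'])" -eq 'True')
    [pscustomobject]@{
        InstalledVersion   = $installed
        ExpectedVersion    = $ExpectedVersion
        UpToDate           = ($null -ne $installed) -and ($installed -ge $ExpectedVersion)
        ManagedByConfigMgr = $managed
        CDNBaseUrl         = $Config['CDNBaseUrl']   # where the client fetches updates if unmanaged
    }
}

# CONSTRUCTED sample data using the build numbers from the walkthrough above.
$before = @{ VersionToReport = '16.0.9126.2275'; CDNBaseUrl = '<channel CDN URL>' }
$after  = @{ VersionToReport = '16.0.9126.2282'; CDNBaseUrl = '<channel CDN URL>' }
$policy = @{ OfficeMgmtCOM = 1 }

Test-OfficeUpdateState -Config $before -Policy $policy -ExpectedVersion '16.0.9126.2282'  # before the update
Test-OfficeUpdateState -Config $after  -Policy $policy -ExpectedVersion '16.0.9126.2282'  # after the update
Test-OfficeUpdateState -Config $after  -ExpectedVersion '16.0.9126.2282'                  # management flag missing

# Live check on a Windows client (reads the local registry):
Test-OfficeUpdateState -Config (Get-RegistryValueTable $C2RConfigKey) `
    -Policy (Get-RegistryValueTable $PolicyKey) -ExpectedVersion '16.0.9126.2282'
```

A client that reports the expected build but has `ManagedByConfigMgr` false is worth a second look, since it is not taking its updates from the deployment described in this post.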
Hi,
I followed the exact same procedure, but the update is not showing up in Software Centre. Tried both required and available mode.
What could I be missing, as all the other applications show up immediately once I deploy them?
Please advise.
Is anyone else seeing this setting being ignored since July 2022? We have our updates set to Semi-Annual Channel and managed by SCCM. Since July 2022, the clients are all getting updated from the cloud and going to the Current Channel. No one at Microsoft seems to know why :/
Hi there,
We’ve been experiencing a lot of issues with the Monthly Channel updates and ‘new features’, so we’d like some assistance in finding the easiest and least intrusive rollback path to the Semi-Annual Channel.
Ideally we’d like to avoid having to do a full uninstall and re-install (we’ve had to do this in the past, for example removing Skype for Business). We need a least intrusive resolution to bring us back to the semi-annual cadence as well as including the preventive measures to avoid us getting to this point again in the future.
Note that we have all the policies in place to prevent/block the current channel updates, but they are being ignored, and the updates are getting pushed through to our environment.
On a few servers, the error shows as access denied with error code 0X80070005. Please help.
Hi Prajwal, first of all, thank you for your tutorials.
I am trying to resolve a problem (more or less cosmetic) with the language in Software Center. We deploy the Czech version of Office 2019, but in Software Center I see the Office 2019 updates written in German. Updates are installed correctly and Office stays in Czech. Do you know why, please? In the ADR I selected the cz and en languages. Thank you 🙂
Have an interesting scenario going on with our Office365 Apps updates and SCCM. Inherited an SCCM environment (ver.2103) with clients running an out-of-date Office build (version 1705) and attempting to update them via SCCM. Able to download SemiAnnual Channel Update version 2008 (Build 13127.21736) and deploy to test clients (over 50). Had to halt testing and deployment for a period of time due to other issues in the environment. Came back to resume deployment of Office365 build 2008 and all updates now show as no longer downloaded. All previous deployments removed. Deployment package shows having no members. Package source for deployment package has even been removed from local server. Basically, any and all traces of that update have been completely removed from the environment. This is the second time this has happened and I don’t want it to happen again right in the middle of trying to update our clients. If the update had been superseded it still should not have deleted the download from all sources entirely to prevent rollout. I can re-download and recreate everything but I should not have to. Any ideas?
Hi There,
We are currently patching our Windows 10 machines running Office 2019 with SCCM and everything is working perfectly.
We are also patching our Windows Servers (2012 R2, 2016 and 2019) including domain controllers and servers running SQL with SCCM perfectly.
However, a single SharePoint 2019 server has been installed in our environment. All of the Windows Server patches are being installed but none of the “SharePoint” patches are being detected or installed.
I have investigated this problem and have verified the following:
a) The “SharePoint Server 2019/Office Online Server” product is configured for download in the Software Update Point.
b) All classifications are configured for download in Software Update Point.
c) The “Enable management of the Office 365 Client Agent” setting is turned on in the Client settings being applied to the server.
d) The WSUS database associated with SCCM does contain the updates I am expecting to detect and install but the SCCM console does not show them.
From the understanding I have, Office 2019 installs the “Microsoft Office Click-to-Run Service” and the SCCM client interacts with this to provide the updates. I don’t see an equivalent service on the Windows SharePoint server. Note: Office 2019 is not installed on this server only SharePoint 2019.
Are you able to provide a link to an article explaining how to configure a SharePoint server to be patched via SCCM? Any assistance would be greatly appreciated.
How can we rollback updates?
Try this – https://www.prajwaldesai.com/how-to-rollback-a-patch-using-configuration-manager/
I am deploying O365 updates from SCCM. The behaviour is that it fails if I keep it as required, and when I try to retry from Software Center it asks to close the Office files.
For O365 updates as well, the Office apps need to close.
Great guide. Thanks!
Before I set about it, can you tell me if the client needs to be installed with a particular update branch in the XML, i.e. if I choose to install semi-annual updates on a client that was installed with the Monthly branch – will it still work?
Hi,
I’m facing an issue downloading the Semi-Annual updates; as per your article, all the settings are already in place. While downloading, we are getting the error below. All other updates are working fine, and we don’t see any errors in the patch download logs.
Software updates that will be downloaded from the internet
Error: Microsoft 365 Apps Update – Semi-Annual Enterprise Channel Version 2002 for x86 based Edition (Build 12527.21330)
Errors
Failed to download content id 17138252. Error: Invalid certificate signature
Microsoft 365 Apps Update – Semi-Annual Enterprise Channel Version 2002 for x64 based Edition (Build 12527.21330)
Download and install the Configurator Endpoint Manager 2006 Hotfix. Administration > Updates and Servicing.
Hi Prajwal,
I too get the same error while creating deployment package for the new SUG group.
Error: Failed to download content id 17017653. Error: Invalid certificate signature
Kindly help us to solve the same.
Thanks,
Abdul Rahman AR
What’s the ConfigMgr version?
Hi,
I have successfully followed your guide – everything looks fine – except that I have a LOT (around 90%) of clients with status “unknown” instead of required, not required or compliant. Why does this happen?
same here
Do we have to Enable Management of the O365 client in the Client Settings? I just don’t want these computers automatically updating O365 (M365) applications on their own. I still want to be able to push out the updates on a schedule within SCCM.
Enabling them from client setting would not allow them to automatically download it from internet. SCCM client will take control of it and the updates would still go on the basis of policies client machine is receiving from SCCM.
Hi Prajwal Desai, can I deploy O365 deployment to any specific client?
Yes, while deploying the deployment package, you just have to select the collection that contains the device or devices you want to target.
Can we install the Click-to-Run update silently with commands like /s?
Great work!
Great walk through. Thanks Prajwal!
Hello everyone.
I have different builds of Office 365 in our environment, and I am a newbie in the update process.
We have Semi-Annual Channel clients on builds 1803 and 1808.
Can I make a single Software Update Group with the different updates for the builds and deploy this update group to all clients? Or must I create a different Software Update Group and different collections for each build?
Best regards
Prajwal,
So, if my O365 build is the monthly one, then I’d want to download the monthly updates, correct?
I am having trouble downloading the updates using the wizard. It fails with “Error: failed to download content id 16872757. Error: Incorrect function”
Hi, can you give a tip on this?
My client has the version 1803 9126.2259 and I am trying to update to 9126.2382 without success (client already compliant).
Interesting is that any update under Office 365 Updates is required, I get a lot of installed, compliant, but any are required…..
What am I missing here?
Note: management of the Office 365 client agent is enabled.
BR
Mela
I have an issue with the update: SCCM is not pushing the updates if 1) you have both installation and update in the same SCCM package, or if I created a separate package.
Hello together, is it possible to reject individual security updates as before by SCCM or to uninstall after an installation because of problems (e.g. Outlook archive cannot be searched anymore)?
I’m not interested in the assignment of feature updates that has been well explained, I really want to know if I have a system that every 6 months a new feature update may receive if I still monthly allow the individual security updates or reject?
With Office 2016 or older, it is possible to allow or reject individual KBs, is this also possible in Office 365?
Have a nice evening and thank you
Hi. Has anyone come across an issue where the base version doesn’t update? i.e. User has 1705 installed so only updates to 1705 are deployed. We need to update to 1808 and keep on latest versions as they are released. Has anyone figured out how to do this?
Yes, with my SCCM I’ve got the same thing: the version does not upgrade. My clients are stuck at 1708; their build gets updated but the clients don’t see the 1902 update in Software Center through ADR.
In your O365 Automatic Deployment Rule, on the “Software Updates” tab, make sure you add “Title” in your search criteria. In the “Search Text” of the title criteria add the following:
The channel you require e.g. Semi-annual enterprise channel version
The version you require e.g. 1902
The version you require e.g. 1908
If you want to stop clients from going to a certain version, also include that with a “-” symbol in front e.g. -2002 (this will ignore any update for the 2002 version)
Using my example above, you should then see the following text next to “Title” in the search criteria box:
Semi-annual enterprise channel version OR 1902 OR 1908 OR -2002
Also, one other tip, when manually looking for the update you want your machines to get (via the “Office 365 Updates” node), make sure that you see some numbers in the “Required” column. If you see 500 there, that means that 500 of your machines require this update.
To see what updates are applicable to your fleet, simply sort by the “Required” column and you’ll see which ones are relevant. If you don’t see any numbers against any updates, then you need to look at what channel you are running. Take a look at the XML file you created with the office deployment tool and make sure everything you selected is correct for your requirements.
If your O365 Automatic Deployment Rule (ADR) is configured correctly, and the update you want makes it in to the software update group which is created by the ADR, then any machines which require it will install it.
Which links need to be allowed in the firewall to get the updates?
For Office 365 Click-to-Run, the below 3 URLs are needed:
cdn.office.net
officecdn.microsoft.com
officecdn.microsoft.com.edgesuite.net
Hi, you’ve deployed them manually, but can you automate this? I’ve tried to deploy (available) multiple builds (even previous ones) to a PC and it showed all the updates instead of just showing the newer ones for that channel, which I think should have been the behavior.
Thks
Hi , great article. Would have been good if there was an article How to Troubleshoot Office365 Software Updates and how the files download from the cloud. 😉
Hi There,
I need to deploy the O365 Semi-Annual Channel Update to all PCs (2500) via SCCM for our clients.
Currently most of them are on 16.0.8431.2236 and I tried to upgrade to 16.0.9126.2259. I tried it on a few test machines and I am facing a weird issue. It shows compliant in SCCM but the Office version still remains the same (old version). I have rebooted and run the machine policies, but no luck. Any leads, please?