Co-Management of Office Click-to-Run apps Workload

This post is about co-managing the Office click-to-run apps workload between Configuration Manager and Intune.

A co-managed device gives you the flexibility to use the solution that works best for your organization by allowing it to be managed concurrently with both Configuration Manager and Intune.

Lean more about co-management here:


When we talk about co-managing Office click-to-run apps workload, there are primarily two scenarios:

  • Installation of O365 suite
  • Update Management of O365 suite

1.      Installation of O365 suite

For on-premise machines, you may like to deploy O365 suite directly from ConfigMgr by leveraging DP and cache mechanisms to save the bandwidths.

Refer instructions for deploying O365 suite via ConfigMgr here:

Internet facing devices are a good candidate to receive the Intune O365 suite directly from Office CDN (Content Delivery Network) over the internet. Autopilot deployments is a great example here.

Refer instructions for deploying the O365 suite installer via Intune here:

On a Co-Managed device missing Office 365 suite, when you move the Office Click to Run Apps Workload, you can no longer install the ConfigMgr version of O365 installers.


Typically, the ConfigMgr Application Deployment Evaluation Cycle hides the Office 365 Apps from Software center, but you may catch it before the evaluation and see the error above.

This behavior is due to a Global Conditon which blocks the installer on Co-Managed devices with O365 workload moved to Intune/Pilot.


Now if you launch Company Portal to install the Intune O365 suite, it won't be available either. You will see the message below.


This is an expected behavior, on an Intune managed device with ConfigMgr agent, you need to additionally move the Client Apps workload to view the Intune Apps via Company Portal.

The client apps workload is a pre-release feature. To enable it, see Pre-release features.


Now the Company Portal will list the available apps for install.


Starting ConfigMgr 1906, you can now configure different pilot collections for each of the co-management workloads. Using different pilot collections allows you to take a more granular approach when shifting workloads.


This ability works great for moving the O365 workloads based on scenarios where client originating from Internet will deploy O365 workloads from Intune and the one's which are expected to remain on-premises can be pushed via ConfigMgr.

2.      Update Management of O365 suite

Now that we have deployed O365 suite, the next requirement is to ensure its managed with the desired tool meeting company requirements.

Typically, O365 suite deployed via ConfigMgr is managed and updated by ConfigMgr itself and the one deployed via Intune is managed and updated directly over the Internet via Office CDN (Content Delivery ).

This is controlled by OfficeMgmtCOM which is configured and set to True for ConfigMgr installs.

There could be scenario's where you may have pushed O365 suite via ConfigMgr and would now like the O365 update's management via Intune over Office CDN. Another scenario could be where you deployed Office 365 via Autopilot as a Hybrid scenario where the device is domain joined and your requirement is the updates management is controlled on-premises via ConfigMgr.

Let's see achieve the requirements from the two scenarios above:

2.1      Switching O365 Updates management from ConfigMgr to Intune (Office CDN over Internet)

In this scenario you deployed the Office 365 suite from ConfigMgr and would like the updates management to be handled by Intune which will leverage the Office CDN over Internet instead of using on-premises infrastructure.

While IT Pros are always in control, Office 365 ProPlus is automatically kept up-to-date via evergreen model.  IT Pros can offload servicing aspect of Office 365 ProPlus to Microsoft so they can focus on other duties removing repetitive tasks.


  • Admins don't have to spend time developing processes to duplicate CDN content on-premises.
  • Admins don't have to build processes to target software updates to collections. Each machine will pull updates on it's own.
  • Aligns with “Modern Desktop” motion where machines are increasingly managed by Mobile device management (MDM) rather than on-premises solutions without requirement for any infrastructure.
  • CDN supports a variety of advanced policies to control updates at granular level such as “delay downloading and installing updates for Office”, “prioritize BITS”, “Target Version”, “Update Channel”, “Update Deadline”. IT Pros can control updates effectively without the need for on-premises software.
  • Leverages inbox task scheduler MicrosoftOfficeOffice Automatic Updates 2.0 to perform updates based on trigger mechanism (Weekly, At log on, On idle)

Benefits reference:


All you need is to move the Co-Management slider for Office Click-to-Run Apps. Starting 1906, if you have controlled this behavior to a subset of collection, you need to add the device to the respective collection.


Once the policies are processed, you may need a restart of the “Microsoft Office Click-to-Run Service” service. You will notice Office is no longer managed by ConfigMgr which clears the yellow background.
It is now updated via Office CDN.


On the device registry, it sets the OfficeMgmtCOM value to 0 in the following registry keys:



2.2      Switching O365 Updates management from Intune (Office CDN over Internet) to ConfigMgr

In this scenario, you deployed the Office 365 suite from Intune and would now like the updates management to be handled by ConfigMgr.


  • Office 365 ProPlus updates can easily be included in the same software deployment as monthly Windows patch process. As a result, all existing business processes and change control can be aligned in the same manner as legacy MSI Office products.
  • Clients will only pull down what's needed to update themselves from Distribution Point.
  • SCCM Administrators can download cumulative build one time from the internet and then deploy to all distribution points so clients pull updates from intranet sources.
  • Administrators can make deployment Available (optional where user is notified update)
  • Administrators can make deployment Available for a period of time prior to Installation Deadline. In this scenario, Office 365 Client using OfficeMgmtCOM will pull deltas from distribution point prior to Installation Deadline and give user a chance to “Update now” via BizBar discussed above at a time which is convenient for them. This is especially important in a ever mobile world where machines are mobile and not powered on all the time.  Further, IT Pros can get some early production validation as some subset of their population will update prior to Installation Deadline giving them advanced notification of any problems prior to broad deployment.
  • Administrators can make deployment Available time and Installation Deadline the same time. SCCM will ensure update is downloaded and installed at Deadline. (additional details on user experience below)
  • Administrators can enable SCCM features such as Peer Cache so clients can share content among themselves further reducing WAN traffic. (Peer cache for Configuration Manager clients)

Benefits reference:


Create a Device Configuration Profile to configure Office 365 Client Management.

  • From the Intune console, go to Device Configuration > Profiles
  • image.png
  • Create a new profile
  • Give a Name and choose Windows 10 and Later under Platform
  • Choose Administrative Templates under Profile Type.image.png
  • Click Create
  • Under Settings > Search for “Office 365 Client Managementimage.png
  • Click to open Office 365 Client Management
  • Toggle the setting to Enabledimage.png
  • Click OK to save the changes.
  • image.png
  • Click Assignment Tab and deploy this to a Device Group matching the Setting Type above.

Note: To successfully apply this policy on a Co-Managed device, make sure you move the Device Configuration workload to Intune/Pilot.


  • From the Settings App you can verify the device received and applied the policy successfully.


The policy is written to this registry location: HKEY_LOCAL_MACHINESOFTWAREMicrosoftMDMWinsdevicesoftware/policies/microsoft/office/16.0/common/officeupdateofficemgmtcom

Additionally, you can validate it by launching any Office apps and by clicking File > Account the yellow bar with text “Updates are managed by your system administrator


Another alternative to this approach of switching from Intune to ConfigMgr for O365 updates management is while creating the O365 Suite from Intune. Instead of using the wizard you can use your own Configuration.XML which includes OfficeMgmtCOM=TRUE


Happy Co-Managing O365 Click-to-Run apps with Intune and ConfigMgr 🙂


Arnab Mitra


This article was originally published by Microsoft's Core Infrastructure and Security Blog. You can find the original article here.