M365 Apps Deployment via ODT

Why Not the Built-In M365 Apps Policy?

Intune includes a pre-built Microsoft 365 Apps for Windows app type that appears to be the obvious choice. In practice, it is the most common source of deployment failures in Intune environments. Its limitations:

Limitation	Impact
Cloud-streamed install	Requires uninterrupted connectivity to the Office CDN for the full install duration. Any interruption fails the deployment silently.
No app exclusions	Installs the full suite including Access, Publisher, and Skype for Business — apps most organizations do not want.
No update channel control	Cannot reliably target Monthly Enterprise Channel or Semi-Annual Enterprise Channel at deploy time.
Weak detection logic	Uses a simple file-presence check; does not validate version, channel, or activation state.
No retry granularity	Failures surface as generic 0x80070005 errors with no actionable log path for the end user or helpdesk.
Conflicts with existing Office	Does not handle the uninstall of prior Office versions; installs on top and produces licensing conflicts.

The Office Deployment Tool (ODT) approach packages the install as a Win32 app, giving full control over app selection, update channel, architecture, and detection — and leverages the Intune Management Extension's retry and logging engine.

---

ODT Prerequisites

Tool	Source
Office Deployment Tool (setup.exe)	Microsoft Download Center — Office Deployment Tool
IntuneWinAppUtil.exe	GitHub — microsoft/Microsoft-Win32-Content-Prep-Tool — download the "Source code" zip from the latest release; despite the label, it contains the compiled binary
Office Customization Tool (web)	config.office.com — generates the configuration.xml

A workstation with internet access and local administrator rights is sufficient. No SCCM infrastructure is required.

---

Step 1: Create the Configuration XML

Use the Office Customization Tool at config.office.com to generate a configuration.xml tailored to the organization. Key decisions:

Suite and Apps

• Select only the apps the organization needs. For most organizations: Word, Excel, PowerPoint, Outlook, Teams, OneNote. Explicitly exclude Access, Publisher, Groove, Lync, and Skype for Business.

Update Channel

• Monthly Enterprise Channel — updates once per month on a predictable schedule. Recommended for most organizations requiring stability without a 6-month lag.
• Semi-Annual Enterprise Channel — maximum stability, updates in January and July. Required by some compliance programs.
• Avoid "Current Channel" for managed corporate devices; it updates multiple times per month with no predictability.

Architecture

• Always select 64-bit. 32-bit Office is only warranted for legacy COM add-ins; new deployments have no reason to use it.

Language

• Set a primary language matching the OS locale. Include MatchPreviousMatch as a fallback if re-deploying to existing machines with mixed language installs.

Remove existing versions

• Enable Remove all MSI versions of Office if any users have Office 2016/2019 MSI still installed. This runs an automated uninstall before the new install begins.

Shared Computer Activation

• Enable for AVD session hosts and any shared workstation scenario. Do not enable for personal assigned devices.

A minimal example targeting Monthly Enterprise Channel, 64-bit, core apps only:

<Configuration>
  <Add OfficeClientEdition="64" Channel="MonthlyEnterprise" AllowCdnFallback="TRUE">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us" />
      <ExcludeApp ID="Access" />
      <ExcludeApp ID="Groove" />
      <ExcludeApp ID="Lync" />
      <ExcludeApp ID="Publisher" />
      <ExcludeApp ID="Bing" />
    </Product>
  </Add>
  <Updates Enabled="TRUE" Channel="MonthlyEnterprise" />
  <RemoveMSI />
  <Display Level="None" AcceptEULA="TRUE" />
  <Property Name="FORCEAPPSHUTDOWN" Value="TRUE" />
</Configuration>

AllowCdnFallback

AllowCdnFallback="TRUE" allows the installer to pull from the Office CDN if a local source is not available. This is appropriate for cloud-native deployments. Remove it only if you are sourcing from an on-premises file share.

Save the file as configuration.xml.

---

Step 2: Build the Package Folder

Create a clean working folder — for example, C:\ODT-Package\ — and place the following inside it:

C:\ODT-Package\
├── setup.exe          ← the Office Deployment Tool binary
└── configuration.xml  ← your config from Step 1

Do not pre-download the Office source files into this folder. The installer will stream from the CDN at install time on each target device. Pre-downloading (~4 GB) is only necessary for fully air-gapped environments.

---

Step 3: Package as a Win32 App (.intunewin)

Run IntuneWinAppUtil.exe to wrap the package folder into an .intunewin file:

IntuneWinAppUtil.exe -c "C:\ODT-Package" -s setup.exe -o "C:\Output"

Flag	Value
-c	Source folder containing all package files
-s	The setup file that Intune will execute (always setup.exe for ODT)
-o	Output folder for the resulting .intunewin file

This produces setup.intunewin in C:\Output\. The file is AES-256 encrypted and ready for upload.

---

Step 4: Upload to Intune

1. Navigate to Intune > Apps > Windows > Add
2. Select App type: Windows app (Win32)
3. Upload setup.intunewin

App Information

Field	Value
Name	Microsoft 365 Apps — Monthly Enterprise (or match your channel)
Publisher	Microsoft
Description	Brief description noting the channel and excluded apps
Logo	Download from Microsoft's brand portal

Program (Install / Uninstall Commands)

Install command:

setup.exe /configure configuration.xml

Uninstall command:

setup.exe /uninstall O365ProPlusRetail /config configuration.xml

• Install behavior: System
• Device restart behavior: App install may force restart — set to Determine behavior based on return codes
• Return codes: Accept defaults (0 = Success, 1707 = Success, 3010 = Soft reboot, 1641 = Hard reboot, 1618 = Retry)

Requirements

Setting	Value
Operating system architecture	64-bit
Minimum OS	Windows 10 21H2 or later

Detection Rule

Use a Registry detection rule — more reliable than a file-presence check.

Field	Value
Rule type	Registry
Key path	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration
Value name	VersionToReport
Detection method	Key exists

Why registry and not file detection?

The VersionToReport key is written by the Office Click-to-Run service only after a successful activation. A file-presence check (winword.exe) can return a false positive if a prior broken install left files on disk. The registry key confirms the Click-to-Run service is healthy.

Dependencies and Supersedence

• Dependencies: None required if Company Portal is deployed separately (see below).
• Supersedence: If replacing an older version of this same app, configure supersedence here rather than deploying alongside it. Set the older app to Uninstall under supersedence behavior.

---

Step 5: Assign and Monitor

Assign the app to a device group (not a user group) using Required intent. Using a device group ensures installation occurs during the Enrollment Status Page (ESP) before the first user signs in.

Do not use Available intent for M365 Apps

"Available" intent publishes the app in Company Portal for self-service install. M365 Apps should be treated as a required baseline, not an optional user-initiated install. Users who accidentally uninstall from Company Portal will have the app reinstalled automatically on the next Intune sync if Required intent is set.

Monitoring: Navigate to Intune > Apps > Windows > [App Name] > Device install status. Common failure codes and their meaning:

Code	Meaning	Resolution
0x87D1041C	App not detected after install — detection rule mismatch	Verify registry key path and value name
0x80070005	Access denied during install	Confirm Install behavior is set to System, not User
0x80073D02	In-use files blocked the install	Set FORCEAPPSHUTDOWN to TRUE in configuration.xml
0x800704C7	Install cancelled by user	Install behavior must be System; user cannot cancel a system-context install

For detailed logs, review %ProgramData%\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log and C:\Windows\Temp\ODT-*.log on the target device.

---

Company Portal Deployment

The Company Portal app should be deployed before M365 Apps as part of the Enrollment Status Page (ESP) device phase.

Add Company Portal via Intune > Apps > Windows > Add > Microsoft Store app (new) and search for Company Portal. This uses the WinGet-based Microsoft Store integration and does not require manual package management.

If the Store integration is unavailable, download the Company Portal .appxbundle offline and sideload it via a Win32 wrapper using Add-AppxPackage. Alternatively, sync Company Portal as a built-in app under Tenant Administration > Customization > Company Portal.

ESP ordering

In the Enrollment Status Page profile, set Company Portal as a tracking app in the Device Setup phase. This ensures the device is not handed to the user until Company Portal is installed and the user has a consistent self-service experience from first login.

---

Update Channel Management Post-Deployment

After deployment, the update channel is governed by the Office Update policy in Intune, not by re-deploying the package. To change or enforce the channel:

1. In Intune, navigate to Apps > App configuration policies > Add > Managed devices
2. Target Windows 10/11 and select Microsoft 365 Apps
3. Set Channel under the Update settings group

Alternatively, use an Administrative Template (ADMX) policy:

• Path: User Configuration > Administrative Templates > Microsoft Office 2016 > Updates
• Setting: Update Channel → set to MonthlyEnterprise (or the appropriate channel GUID)

Do not rely on the configuration.xml channel setting to enforce updates post-install; it only applies at install time. The Intune policy or ADMX setting is what governs ongoing update behavior.