Microsoft 365 Apps: Setup, Policies, and Admin Configuration Guide 2026
Why Microsoft 365 Apps Configuration Goes Wrong
I've spent years watching IT admins walk into Microsoft 365 Apps deployments with the best intentions , and walk out with activation errors, broken update channels, and users calling the helpdesk at 9 AM on a Monday because Word just stopped working. It's not because they're bad at their jobs. It's because Microsoft 365 Apps looks familiar on the surface (it's still Excel, still Outlook, still the apps you've always known) but behaves in fundamentally different ways under the hood compared to every version of Office that came before it.
The first thing that trips people up is the installation technology. Microsoft 365 Apps uses Click-to-Run , not the old Windows Installer (MSI) engine that admins managed for over a decade. That one change ripples out into how you deploy, how you patch, how you push updates, and how activation is verified. If you're still thinking in MSI terms, you're going to hit walls constantly.
The second big source of pain is licensing. Microsoft 365 Apps is subscription-based, which means the apps will enter reduced functionality mode if a user's license is removed, if their Microsoft 365 account is deleted, or, and this catches people off guard, if their device can't connect to the internet to verify the subscription for more than 30 consecutive days. I've seen this bite companies with air-gapped machines and employees on extended leave. The apps don't crash. They just quietly stop letting users edit files, which generates a wave of confused tickets that say things like "Word is broken and I can't type."
The third issue is update channels. Unlike traditional Office, Microsoft 365 Apps is updated regularly, sometimes as often as monthly, with new features. Out of the box it will try to pull those updates directly from Microsoft's Office Content Delivery Network on the internet. In a managed enterprise environment, that's often not what you want. Without deliberate configuration, you end up with some machines on one version, some on another, and troubleshooting becomes a nightmare.
And then there's the 64-bit vs. 32-bit decision, Arm-device compatibility, Group Policy scope, language packs, and the question of whether you're excluding apps like Access or Publisher from the installation package. Every one of these is a decision point where a misconfiguration creates real user pain.
I know this is a lot to absorb, especially when the error messages you get back, things like activation dialogs or vague "something went wrong" prompts, give you almost no useful direction. That's why this guide exists. Let's fix it, step by step. Browse all Microsoft fix guides →
The Quick Fix, Try This First
If users are already deployed and hitting activation or "reduced functionality mode" problems right now, here's what to try before anything else.
Step 1: Confirm the license is actually assigned. Open the Microsoft 365 admin center at admin.microsoft.com, go to Users > Active users, click the affected user, and check the Licenses and apps tab. If no Microsoft 365 Apps license is shown as assigned, that's your entire problem. Assign the correct license and give it 15–30 minutes to propagate.
Step 2: Force an activation check on the client machine. Open any Microsoft 365 app, Word, Excel, Outlook, anything. Go to File > Account. Under Product Information you'll see the subscription status. If it shows "Subscription Product" with the user's account, activation is fine. If it shows "Microsoft 365 Apps, Unlicensed Product" or a banner saying features are limited, click Sign In or Reactivate and have the user sign in with their Microsoft 365 credentials.
Step 3: If sign-in fails or loops, run the Office Sign-in Fix. Open an elevated Command Prompt and run:
cd "C:\Program Files\Common Files\Microsoft Shared\ClickToRun"
OfficeC2RClient.exe /update user updatepromptuser=false forceappshutdown=true displaylevel=falseThis forces a Click-to-Run update check and re-validates the activation state. After it completes, reopen any Office app and check File > Account again.
Step 4: Run a Quick Repair if the above doesn't resolve it. Go to Settings > Apps > Installed apps, find Microsoft 365 Apps, click the three dots, select Modify, then choose Quick Repair. This takes 5–10 minutes and fixes most corrupted Click-to-Run states without requiring an internet connection.
If none of these restore functionality, the problem is deeper, likely a deployment configuration issue or a Group Policy conflict. Keep reading.
account.microsoft.com/devices and sign out of unused devices.
The single biggest mistake I see IT admins make with Microsoft 365 Apps is skipping the assessment phase. You'll save yourself enormous pain by answering a handful of questions before you download the Office Deployment Tool (ODT) or open the Office Customization Tool.
What OS are your client machines running? Microsoft 365 Apps requires a supported operating system. Arm-based devices, increasingly common as organizations pick up Surface Pro X, Surface Pro 9 with 5G, or Apple Silicon running Windows via virtualization, require Windows 11 or later. The 32-bit version of Microsoft 365 Apps is not supported on Arm architecture at all. If you push a 32-bit package to an Arm machine, you'll get installation errors that look confusing until you know the root cause.
Do you still have MSI versions of Office on any machines? If users are on Office 2016, 2019, or any volume-licensed MSI edition, you need to remove those before deploying Microsoft 365 Apps. Click-to-Run and MSI Office cannot coexist on the same machine. Microsoft provides a RemoveMSI setting in the ODT configuration file specifically for this, which I'll cover in Step 2. Don't skip it.
Which apps do your users actually need? Microsoft 365 Apps installs as a single package by default, Access, Excel, OneDrive, OneNote, Outlook, PowerPoint, Publisher, Skype for Business, Teams, and Word all come along. But you can and should exclude applications your organization doesn't need. Access in particular is a common one to exclude in organizations that don't use it, since it adds installation size with no benefit.
What's your network situation? If you have a fast, reliable internet connection to all client machines, deploying directly from Microsoft's cloud CDN is the simplest path. If you have branch offices with slow WAN links, you'll want to deploy from a local network share to prevent a massive CDN download from saturating your uplink. Make this call before you configure anything.
Once you have answers to these, you're ready to move to the actual deployment configuration. You should see a clear picture of your target environment before writing a single line of configuration XML.
Microsoft provides the Office Customization Tool (OCT) at config.office.com, use it. Don't hand-write your configuration XML from scratch unless you genuinely enjoy debugging angle brackets. The OCT gives you a visual interface that generates a validated configuration.xml file you can feed directly to the Office Deployment Tool.
In the OCT, the decisions that matter most are:
Architecture: Choose 64-bit unless you have a specific reason for 32-bit. Legacy COM add-ins and some older third-party software still require 32-bit Office, but if you don't have that constraint, 64-bit handles large Excel files and memory-intensive workloads better. On Arm-based devices, only select 64-bit, the 64-bit installer automatically includes Arm-optimized components on those machines.
Update channel: This is where most enterprise admins should deviate from the default. The default channel pulls updates frequently. For a managed environment, consider Monthly Enterprise Channel, which delivers updates once a month on the second Tuesday, predictable, testable, and aligned with Patch Tuesday. If you want even more stability, Semi-Annual Enterprise Channel delivers updates in January and July (also on the second Tuesday). Pick one deliberately. Don't let it default.
Excluding apps: In the OCT under Products and releases > Apps, uncheck any applications your org doesn't need. Common exclusions include Access, Publisher, and Skype for Business.
Removing existing MSI Office: In the OCT under Installation, enable Remove all MSI versions of Office, including Visio and Project. This maps to the RemoveMSI attribute in the XML and handles cleanup automatically during deployment.
Export your configuration XML, drop it in the same folder as your ODT executable (setup.exe), and you're ready to run the download and install phases. If it worked correctly, you'll see Microsoft 365 Apps appear in Settings > Apps with the version number matching your selected channel.
Update channel management is where a lot of organizations hit friction, not during the initial deployment, but three months later when machines are running different builds and you can't reproduce a bug because two users on "the same setup" are actually running different versions.
Microsoft 365 Apps supports several update channels. Here's how I think about them for different org types:
Current Channel: Users get new features as soon as they're ready, potentially multiple times a month. Good for small teams that want the latest capabilities and can tolerate occasional feature surprises. Not ideal for regulated industries or environments with extensive add-in testing requirements.
Monthly Enterprise Channel: Updates ship once per month on the second Tuesday. This is the sweet spot for most mid-size enterprises. Predictable, still relatively current, and gives your IT team a consistent window for validation before users get new features.
Semi-Annual Enterprise Channel: Feature updates arrive twice a year, January and July, always on the second Tuesday. Security updates still come monthly. This is the right call for organizations in finance, healthcare, legal, or any sector where software changes need formal change management approval cycles.
To change the update channel for devices already deployed, you have three options. The cleanest for enterprise environments is Group Policy. Navigate to:
Computer Configuration > Administrative Templates > Microsoft Office 2016 (Machine)
> Updates > Update ChannelSet it to the channel you want using the channel branch name. Alternatively, you can change it via the registry at:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate
Value name: updatebranch
Value data: MonthlyEnterprise (or SemiAnnual, or Current)Or use the ODT with a configuration XML that specifies Channel="MonthlyEnterprise" in the Add element and run setup.exe /configure configuration.xml against existing installations. The channel change takes effect at the next update check. You can force it immediately with the OfficeC2RClient command shown in the Quick Fix section.
Licensing in Microsoft 365 Apps is the area where the difference from traditional Office is most felt in day-to-day support. Traditional perpetual Office: activate once, done forever. Microsoft 365 Apps: it checks in with Microsoft's licensing servers periodically, and if it can't reach them for 30 consecutive days, it drops into reduced functionality mode.
In reduced functionality mode, users can open and view existing Office files, but they can't create new documents, edit existing ones, or use the bulk of the apps' features. It looks broken. Users panic. The fix is usually just getting the device back online and letting it verify the subscription, after that, full functionality is restored automatically.
For devices that are intentionally air-gapped or that travel with users into low-connectivity environments, plan ahead. Users who take laptops off the corporate network for extended periods should connect through VPN periodically to ensure the 30-day clock doesn't run out. Document this in your user onboarding materials, don't let it be a surprise.
For shared computers, kiosk machines, training lab workstations, shared terminals, standard per-user licensing doesn't fit well. Microsoft 365 Apps supports Shared Computer Activation for these scenarios. With Shared Computer Activation enabled, each user's license is verified when they sign in to the machine, and a temporary activation token is cached. This is the right model for any device used by more than one person. You enable it via Group Policy:
Computer Configuration > Administrative Templates > Microsoft Office 2016 (Machine)
> Licensing Settings > Use shared computer activationOr via registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration
Value name: SharedComputerLicensing
Value data: 1If this is set correctly on a kiosk machine, each user who signs into Windows and opens an Office app will be prompted to sign in with their Microsoft 365 credentials, and their personal license is applied for that session only.
One of the genuine advantages of Microsoft 365 Apps in enterprise environments is that you can manage it with the same Group Policy infrastructure you've been using for years. The same ADMX-based policy templates work here, and you have access to thousands of settings covering everything from macro security to update behavior to privacy controls.
First, get the latest administrative templates. Download the Microsoft 365 Apps Group Policy Administrative Template files (ADMX/ADML) from the Microsoft Download Center. Extract them and copy the ADMX files to C:\Windows\PolicyDefinitions\ on your domain controller (or your central store at \\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions\). Copy the ADML language files to the appropriate language subfolder (e.g., en-US\).
After that, open the Group Policy Management Console and create or edit a GPO linked to your target OU. The Microsoft 365 Apps settings live under:
User Configuration > Administrative Templates > Microsoft Office 2016
Computer Configuration > Administrative Templates > Microsoft Office 2016 (Machine)Key policies to configure in most enterprise environments:
/* Block self-service installs from Office.com */
User Configuration > Microsoft Office 2016 > Miscellaneous
> "Block signing in to Office", set to Org ID only
/* Prevent users from changing update channels */
Computer Configuration > Microsoft Office 2016 (Machine) > Updates
> "Hide option to enable or disable updates", Enabled
> "Update channel", set to your chosen channel
/* Control macro security */
User Configuration > Microsoft Office 2016 > Security Settings
> "VBA Macro Notification Settings", Enabled, set to "Disable all with notification"
/* Disable optional connected experiences */
User Configuration > Microsoft Office 2016 > Privacy > Trust Center
> "Allow the use of connected experiences in Office", Disabled (if required by policy)After applying the GPO, run gpupdate /force on a test machine and then open an Office app and check File > Options > Trust Center to confirm the settings are applied. If a policy is applied correctly, the corresponding UI option is usually grayed out, that's your visual confirmation it's being enforced.
Advanced Troubleshooting for Microsoft 365 Apps
Once you've handled the standard deployment and licensing path, you'll eventually run into edge cases. Here's how I approach the ones that come up most often in enterprise environments.
Diagnosing Activation Failures with Event Viewer
When activation silently fails and the File > Account screen gives you nothing useful, Event Viewer is your first stop. Open Event Viewer (eventvwr.msc) and navigate to:
Applications and Services Logs > Microsoft Office AlertsThis log captures Office-specific errors with Event IDs that actually tell you something. Event ID 2011 typically indicates a license checkout failure. Event ID 2013 points to an account authentication problem. Event ID 5023 shows up when the Click-to-Run service itself has failed to start. Cross-reference these with the Application log for any ClickToRun entries.
Fixing Click-to-Run Service Failures
The Click-to-Run service (ClickToRunSvc) is the engine behind Microsoft 365 Apps updates and activation. If it's stopped or stuck, everything breaks. Check its status:
Get-Service -Name ClickToRunSvc | Select-Object Status, StartTypeIt should be Running with StartType Automatic. If it's stopped, start it:
Start-Service -Name ClickToRunSvcIf it fails to start, check the service dependencies and look for errors under Event ID 7000 or 7001 in the System event log.
Registry Conflicts from Old Group Policy or Third-Party Management Tools
I've seen this multiple times: an organization migrates from a third-party software management platform to Microsoft Configuration Manager, but the old platform left registry keys behind that now conflict with ODT-managed settings. If your update channel policy isn't taking effect even after a gpupdate /force, check for competing values at:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdatePolicy values under the Policies hive take precedence. If you see conflicting values in the Configuration hive from a previous management tool, clean them out.
Deploying to Remote Desktop Services Environments
If your organization uses Remote Desktop Services (RDS), Terminal Server, Remote App, VDI, you need Shared Computer Activation enabled as described in Step 4, and you need to deploy Microsoft 365 Apps specifically for RDS use. When running the ODT against an RDS host, include the SharedComputerLicensing="1" attribute in your configuration XML. Without it, the RDS deployment will either fail to activate or consume individual per-seat licenses incorrectly.
Managing Updates with Microsoft Configuration Manager
For organizations already running Microsoft Configuration Manager (current branch), you can offload Microsoft 365 Apps update management entirely to ConfigMgr. Enable the Office 365 Client Management Dashboard in ConfigMgr and use Software Update Point to serve Microsoft 365 Apps updates from your internal WSUS infrastructure. This keeps update traffic internal and gives you full deployment ring control, test group first, then broad production rollout. The key setting in your ODT XML to redirect updates away from the CDN is OfficeMgmtCOM="True" in the Updates element, which tells Click-to-Run to defer to ConfigMgr.
If you've worked through this entire guide and you're still seeing activation failures, if your Click-to-Run service crashes repeatedly with no recoverable error in the logs, or if you're dealing with a large-scale deployment failure affecting hundreds of machines, it's time to escalate. Collect the %temp%\OfficeC2RClient.log and %windir%\Temp\OfficeLogs\ folder contents before you call, as support will ask for these immediately. Reach out to Microsoft Support with your tenant ID, affected build numbers, and Event Viewer exports ready to go.
Prevention & Best Practices for Microsoft 365 Apps
The vast majority of Microsoft 365 Apps problems I see are preventable. Not through luck, but through disciplined process at deployment time and a few ongoing habits that keep the environment healthy.
Standardize on one update channel per user segment, and document it. The moment you have machines on different channels without a deliberate reason, you lose the ability to reproduce issues, test fixes, or make meaningful comparisons between builds. Decide before you deploy: which channel maps to which group of users. Write it down. Enforce it via Group Policy so users and other admins can't accidentally change it.
Test your add-ins against the new channel before you roll it out broadly. Third-party COM add-ins and in-house Excel or Outlook add-ins are the single most common source of post-update breakage. Set up a small pilot group, 5 to 10 power users across different departments, on Current Channel, and give them 2 to 4 weeks before you push any update to the wider organization. Issues surface fast when real users are actually working.
Plan for the 30-day connectivity requirement explicitly. Don't let users discover reduced functionality mode by accident. For field workers, executives who travel extensively, or anyone who regularly disconnects from the corporate network, document the requirement and set a reminder. A quick VPN connection once a month is all it takes to reset the clock.
Keep your ODT configuration XML in version control. Your configuration.xml file is an infrastructure artifact. Treat it like code. Store it in Git or whatever version control system your team uses. When something breaks after a deployment, you want to be able to diff today's config against last month's config and immediately see what changed.
- Enable Shared Computer Activation on all shared or kiosk machines before deployment, not as a retrofit after activation errors start rolling in.
- Run the Office Readiness Toolkit on your environment before migrating from MSI Office, it scans for add-in compatibility issues and saves you from post-deployment surprises.
- Set up a Microsoft 365 Apps health dashboard in the Microsoft 365 admin center under Health > Product health so you get proactive alerts when Microsoft detects known issues affecting your tenant.
- Document which users have Microsoft 365 Apps installed on how many devices, review this quarterly, because users accumulate device activations over time and hit the 5-device limit without realizing it.
Frequently Asked Questions
What's actually different about Microsoft 365 Apps compared to regular Office?
The biggest practical differences are in how it's installed, updated, and licensed. Microsoft 365 Apps uses Click-to-Run instead of the Windows Installer engine, which changes how you deploy it and apply updates. It's subscription-based, so if the license is removed or the machine can't reach Microsoft's servers for 30 days, the apps drop into reduced functionality mode. And unlike traditional perpetual Office, it receives feature updates regularly, sometimes monthly, which means what your users have installed today looks slightly different six months from now. On the plus side, one license lets a user install it on up to 5 computers, 5 tablets, and 5 phones.
My users keep getting "Unlicensed Product" errors, what's causing it?
There are a few common culprits. First, check that the user's Microsoft 365 license is actually assigned in the admin center, it sounds obvious, but license assignments sometimes fall off after org-wide license changes. Second, check whether the user has hit the 5-device activation limit; if so, they need to sign out of an unused device at account.microsoft.com/devices. Third, if the machine has been offline for more than 30 days without connecting to verify the subscription, activation will have lapsed, get it online, open an Office app, and it will reactivate automatically. If none of those apply, run the Office Online Repair (Start > Settings > Apps, find Microsoft 365, Modify > Online Repair) to rebuild the activation state.
Can I still use Microsoft 365 Apps without an internet connection?
Yes, users do not need to be connected to the internet to use Microsoft 365 Apps day to day. It's a full, locally installed version of Office that runs entirely on the user's machine. The only internet requirement is a check-in every 30 days to verify the subscription status. After that 30-day window passes without a connection, the apps shift to reduced functionality mode. As long as your users connect at least once a month, even briefly through VPN, they'll have full access to all features regardless of connectivity the rest of the time.
Does Microsoft 365 Apps include Project and Visio?
No, it doesn't. Project and Visio are not part of Microsoft 365 Apps and are not included in standard Office 365 or Microsoft 365 subscription plans. They're available separately through their own subscription plans, Project Plan 1, 2, or 3 for Project; Visio Plan 1 or 2 for Visio. This is a common point of confusion when users expect a full Office suite and find those apps missing. You'll need to purchase and assign the appropriate separate licenses for any users who need them.
How do I stop Microsoft 365 Apps from updating automatically on user machines?
You have a couple of options. For organizations using Microsoft Configuration Manager, set the OfficeMgmtCOM="True" attribute in your ODT configuration XML, this hands update control entirely to ConfigMgr and prevents automatic CDN updates. If you're not using ConfigMgr, you can defer updates via Group Policy under Computer Configuration > Administrative Templates > Microsoft Office 2016 (Machine) > Updates > Enable Automatic Updates, set this to Disabled to pause automatic updates entirely, though note that this also pauses security patches, which is not something most organizations want long-term. The better approach for most environments is switching to Semi-Annual Enterprise Channel, which limits feature updates to twice a year while keeping security patching active.
What happens to Microsoft 365 Apps if we cancel our subscription?
When a Microsoft 365 subscription is cancelled or expires, Microsoft 365 Apps enters reduced functionality mode. In that state, users can still open and read existing Office documents, but they can't create new files, edit documents, or access most features. Think of it as a read-only viewer. The apps don't uninstall themselves, they just stop being fully functional. If you renew the subscription and the license is reassigned, full functionality comes back automatically the next time the machine verifies the subscription status online. If you're permanently moving off Microsoft 365, you'll want to plan a migration path for files and consider whether any users need a perpetual license version of Office instead.