Office CSP vs Win32App: Dawn of Justice

This blog will show you how to make sure the Microsoft 365 apps are installed during Autopilot by converting the Microsoft 365 Apps setup to a Win32App instead of using the built-in Office 365 CSP option.

I will divide this blog into multiple parts, describing all the options you have!

  1. Introduction
  2. The “Built-in/CSP” option
  3. Important knowledge about the CSP Option
  4. The “Win32App” option
  5. The “PowerShell Script” option
  6. What the Win32app of the Office 365 apps setup doesn’t fix!

1. Introduction

I decided to update/rewrite this whole blog after reading the Tweet from Bruce

When you start using Intune and start deploying the Microsoft 365 apps to your devices you will probably be using the built-in option in Intune. With this built-in option, you could easily make sure the Microsoft 365 Apps are deployed to your devices.

Some time ago I wrote a blog about how you could make sure you can make sure each group who needs the x64 version will get it and who needs the x86 would also get it installed.

In the blog I mentioned above, I showed you which options you have to deploy the Microsoft 365 apps. One of these options was using the built-in Microsoft 365 Apps in Intune. It looks great because you only need to configure some basic stuff as shown below and you are good to go

Graphical user interface  Description automatically generated

Let’s take a closer look at this built-in option!

2. The “Built-in/CSP Option”

Before I am going to show you the “New way” let’s take a look at how the Microsoft 365 Apps are deployed when using the built-in option in Intune.

This Built-in Microsoft 365 application is using the Office *CSP. “The Office configuration service provider (CSP) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool (ODT)”

*A configuration service provider (CSP) is an interface to read, set, modify, or delete configuration settings on the device

A picture containing table  Description automatically generated

The CSP will download the Office 365 Click2Run setup.exe, the configure.xml. With these 2 files, it will start downloading the necessary Microsoft Installations files from the Office CDN (Content Delivery Network) with the Office CDNBaseUrl

When using Firewall rules, please make sure you are allowing traffic to this OfficeCDN Microsoft endpoint!

Of course, everyone is using delivery optimization so these files will first be downloaded in the C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\cache folder

After Delivery optimization did its perfect job these files will be moved to the C:\Program Files\Microsoft Office\Updates\Download\PackageFiles folder.

After it finished downloading all the required installations files, it will start installing the Microsoft 365 apps on the device by triggering the OfficeClickToRun.exe

After a while, if the installation is finished successfully with the status code (70) you will end up with the Microsoft 365 Apps installed! Isn’t that nice?

3. Important knowledge about the Office CSP Option

I will try to point out some “fun” facts about the CSP option in this section

  • Normally a CSP is used to deploy an Intune configuration policy to your device but when deploying Microsoft 365 apps, a CSP is used to deploy the Microsoft 365 apps to your device. I guess that’s the main difference between a normal Win32app and the built-in/CSP option in Intune to deploy Microsoft 365 apps.
  • The built-in CSP option in Intune to deploy Microsoft 365 apps is just a POLICY, not an Application!
Break Policy GIFs - Get the best GIF on GIPHY
  • Looking at this picture below (added some stuff 🙂 ) because this option IS NOT AN Win32App some important configuration items are missing. Comparing the built-in option with a Win32 app, you will notice the CSP option is missing the possibility to configure some, Requirements, Dependencies, Detection rules, and supersedence. These wonderful options could really come in handy but unfortunately, they aren’t available when using the CSP option.
  • The Office CSP XML and the FinalStatus code are stored in this registry key: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OfficeCSP\a7226049-b2b4-4a1b-9b3d-50dc78f2e816



  • When the Microsoft 365 Apps are being installed with the CSP option, it will first check if the FinalStatus key exists. If it does it will make sure the FinalStatus key will be deleted first. When the installation exits with a specific status, this FinalStatus key will be created with the corresponding status code.
  • Status = 0: 70 (succeeded)
  • Status = 0: 60 (failed)
  • Status = 0: 997 (Installation in Progress)

Please Note: This exit code/status could give you some weird issues during Autopilot because sometimes it will give you a nice random status code or the status code 997. I guess we all know what happens when “the installer gets tired & then takes a nap” during Autopilot?

I Love Sleep GIFs | Tenor

When the installer is taking a nap when deploying the Microsoft 365 apps you could stumble upon some weird behavior during Autopilot and weird behavior during Autopilot is something we don’t want! I guess we don’t want to end up with the installation exceeding the time limit message!

If you are interested in all of the status codes, please visit this MS-Doc: Office CSP – Windows Client Management | Microsoft Docs

  • Because this option uses a CSP, the Enrollment Status Page (ESP) could have a hard time tracking this! I am also describing it in this blog below!

Please Note: I am not saying it can’t be tracked but only it could give you some issues when the Microsoft 365 apps are stuck in the Install in progress state. Support Tip: Office C2R installation is now tracked during ESP – Microsoft Tech Community

4. The Win32App Option

As told in the first part, the built-in option is using a CSP to deploy the Microsoft 365 apps. Let’s create our own Win32App with the ODT instead!

To do so we also need the Office Deployment Tool. This tool is nothing more than a command-like tool you could use to download and deploy Click-to-Run versions of the Microsoft 365 apps.

Please download it below

Text  Description automatically generated

When looking at the official Microsoft documentation about the Office Deployment Tool, you could be tempted to use the “sourcepath” to download the files first with the /download parameter.

After you have downloaded you could wrap the whole folder with the office files in it.

Graphical user interface, application  Description automatically generated with medium confidence

But when converting it to a Win32App you will stumble upon some red flags! So don’t use the SourcePath!.

Text  Description automatically generated

Even when this “stupid” idea would succeed, you will end up with a Win32App you need to update regularly to make sure a new device isn’t going to receive a very old Office build. Also, the ESP issue we could encounter is not as much about the download itself but as we read earlier, it’s more about “something” else triggering the installation instead of the Intune Management Extension (IME)

Let’s move on shall we? The only things we need to make sure we don’t run into issues during Autopilot are the Office Deployment tool itself and 2 XML Files as shown below.


In this example below, I am of course using the

*The Current 64 bits Channel version of the Microsoft Apps


“When installing languages, the ODT looks first for source files in the location specified in the SourcePath attribute. If the language pack isn’t available at that location and the AllowCdnFallback setting is set to True, then the ODT will use source files from the Office CDN.”


Migrate Office 365 Apps from 64 to 32 Bits with MigrateArch (

<Add OfficeClientEdition="64" Channel="Current" AllowCdnFallback="True" MigrateArch="TRUE">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us" />
      <ExcludeApp ID="Groove" />
      <ExcludeApp ID="Lync" />
    <Product ID="ProjectProRetail">
      <Language ID="en-us" />
      <ExcludeApp ID="Groove" />
      <ExcludeApp ID="Lync" />
    <Product ID="VisioProRetail">
      <Language ID="en-us" />
      <ExcludeApp ID="Groove" />
      <ExcludeApp ID="Lync" />
  <Updates Enabled="TRUE" />
  <Property Name="FORCEAPPSHUTDOWN" Value="TRUE" />
  <RemoveMSI />
    <User Key="software\microsoft\office\16.0\excel\options" Name="defaultformat" Value="51" Type="REG_DWORD" App="excel16" Id="L_SaveExcelfilesas" />
    <User Key="software\microsoft\office\16.0\powerpoint\options" Name="defaultformat" Value="27" Type="REG_DWORD" App="ppt16" Id="L_SavePowerPointfilesas" />
    <User Key="software\microsoft\office\16.0\word\options" Name="defaultformat" Value="" Type="REG_SZ" App="word16" Id="L_SaveWordfilesas" />
   <Display Level="None" AcceptEULA="TRUE" />


Of course, we also need an uninstall XML to make sure there is a possibility to remove the Microsoft 365 Apps

<Display Level="None" AcceptEULA="True" />
<Property Name="FORCEAPPSHUTDOWN" Value="True" />
<Product ID="O365ProPlusRetail">

When you don’t want to create the XML files yourself, here is the download link

Packaging the Files

After we have created the install and uninstall XML files, let’s proceed with packaging the app by running the IntuneWinApputil.exe

Text  Description automatically generated

When we have our own Intunewin file, let’s create a new Win32App in Intune and select this file. After choosing the IntuneWin file you just created, you will need to configure some additional parameters:

Install Parameters

Setup.exe /configure install.xml

Setup.exe /configure uninstall.xml

Graphical user interface, text, application, chat or text message  Description automatically generated

Detection Rules

Detection Rules are always important, to make sure you have the right registry path, open the register and choose your option!

Option 1:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\O365ProPlusRetail – en-us

Graphical user interface, application  Description automatically generated

Option 2:

Another possibility would be to use the ClickToRun registry key itself instead of the uninstall key


When you have selected the option you want to use when configuring the detection rules. please make sure you configure the detection rule as shown below.

Graphical user interface, text, application  Description automatically generated

Please Note: When you have messed up the detection rule, you will be prompted with the 0x81036502 error during the ESP Device Phase

Graphical user interface, text, application  Description automatically generated

When you need to troubleshoot this 0x81036502 error, as always the IME will show you the stuff you need. As shown below: Exitcode is defined as success but it actually failed according to detection result

Graphical user interface  Description automatically generated with medium confidence

If you want to make sure this nice new Win32App will be installed during Autopilot, please don’t forget to add it to the required apps during ESP. When adding the custom-made Win32App or the built-in Microsoft 365 apps as required apps during ESP, you can be certain the device is ready to go when the user logs in!

Changing the ESP

Please! Make sure you assign the Microsoft 365 Apps as required in the Enrollment Status Page configuration.

Graphical user interface, application  Description automatically generated

Of course, you want the Microsoft 365 Apps deployed to your device before the user logs in but did you ever thought about the Windows 10 (NOT 11!!) start menu layout? (thanx Bruce for bringing it up!)

As shown above, when you are requiring the Microsoft 365 apps to be installed during the ESP, you will end up with a very nice Start Menu layout when using Windows 10!

Customize the Start layout | Microsoft Docs

5. The PowerShell Script Option

Besides using a Win32App with the ClicktoRun in it to download and configure the Microsoft 365 apps on the device, you could also choose the PowerShell option!

On this GitHub page above, you will find all the information required to start using this option

Why choose this option? Because this PowerShell script will first download the latest ODT before installing the Microsoft 365 Apps.

This nice PowerShell script could also be converted to a Win32App and just like with the Win32App option, you could assign it as required during the ESP.

6. What the Win32app version of the Office 365 setup doesn’t fix!

Of course, there are days when just everything breaks, even the Office 365 Apps Win32app version is going to give you errors. As shown below, when requiring the Office 365 apps during ESP (Intune built-in Option or the Office 365 apps) you could end up with the error: 0x81036502 Installation Timed Out

What could be causing this? We switched to a Win32App so we are all good right? I guess not because as mentioned earlier when running setup.exe /configure configuration.xml it will download the required files from the Office CDN. (

Determining on your Office 365 Click to Run configuration.xml it will fetch the right build

Normally this shouldn’t be an issue BUT sometimes there are issues with a specific Office 365 build. When there are issues with an Office 365 build, you need to switch to another channel/version(or wait until Microsoft fixed the issue with the Office 365 build) otherwise your Autopilot deployments will keep timing out!

When using the built-in option to deploy the Office 365 apps with Intune, you will also need to change some settings. As shown below, I switched from the latest version to be installed to a specific version. A version that is not giving you headaches!


If you ever run into weird app installation issues during ESP out of the blue, please have a reminder of this blog. Because maybe the Microsoft 365 apps CSP option or the Office CDN is giving you some headaches!

Tate finding dory mine 2 GIF on GIFER - by Karan

2 thoughts on “Office CSP vs Win32App: Dawn of Justice

  1. Loved the Article, and it is good to see a ‘formal’ write up of the approach we have been using for a while. We started using Win32 for the office deployment when we found that the ‘native’ Office install in Intune wasn’t updating the Office that shipped on the OEM preload for Dell and Microsoft devices.
    I just wanted to ask about the detection side of things. We have found that when using the registry keys to check the uninstall values as ‘evidence’ we get a very hit and miss experience. It’s almost like the IME is checking too soon. Using a PowerShell script to check for these values (and doing a greater than or equal to check on the version number) is returning a much more consistent experience.

    1. Hi .thanx!… I indeed noticed the same thing… and indeed not every time but after testing it multiple times it didn’t detect the installation at that time. A powershell script would be indeed a better option

Leave a Reply

Your email address will not be published. Required fields are marked *

  +  25  =  28