Intune Automation: Disabling Office Online Repair with a PowerShell Script

How to Disable Office Online Repair Using Intune and PowerShell

In this blog post, I will walk you through the process of disabling Office Online Repair using a PowerShell script deployed via Microsoft Intune. Disabling this feature is crucial for organizations that need to prevent users from modifying or reinstalling Microsoft Office without IT approval.

By default, Office Online Repair can reset application settings and remove custom configurations, potentially causing disruptions in managed environments. Restricting access to this option allows IT administrators to maintain better control over Office deployments, ensuring consistency across all managed devices.

This configuration is implemented by modifying the Windows registry to disable the repair option, preventing end-users from initiating an online repair. Deploying this change via Microsoft Intune with a PowerShell script ensures that all managed devices receive the update automatically, eliminating the need for manual intervention.

With Intune, administrators can:

? Automate the deployment of the restriction policy across all enrolled devices.

? Enforce compliance by ensuring that users cannot bypass the restriction.

? Monitor script execution to verify successful implementation.

This approach streamlines IT management, minimizes troubleshooting caused by unauthorized Office repairs, and enhances overall security. If needed, IT teams can still perform repairs using approved methods, ensuring that Office remains fully functional while maintaining strict control over its configuration.

Reasons to Disable Office Online Repair

There are several key reasons why disabling the Office Online Repair option is beneficial in production environments. The table below provides a detailed overview of its impact and advantages.

Creating a PowerShell Script to Disable Office Online Repair via Intune

Follow the steps below to disable the Office Online Repair option using a PowerShell script deployed through Intune. This method ensures that the configuration is applied consistently across all managed devices.

1. Log in to the Microsoft Intune Admin Center using your administrator credentials.
2. Navigate to Devices > Windows Devices.
3. Select Scripts and Remediations > Platform Scripts > Add.
4. Proceed with configuring and deploying the PowerShell script to enforce the policy.

Configuring Basic Details for the PowerShell Script

In the Basics section, provide the necessary details for the PowerShell script:

1. Name: Enter a clear and descriptive name, such as "Disable Office Online Repair", to make it easily identifiable in the Intune portal.
2. Description (Optional): If needed, add a brief explanation of the script’s function. For example, "Adding Registry Key to Disable Office Repair Option."
3. Click Next to proceed to the script configuration settings.

Providing a clear name and description ensures better organization and easier management of scripts within Intune.

Creating a PowerShell Script to Disable Office Online Repair with Intune

To disable Office Online Repair via Intune, we need to create a PowerShell script that modifies the Windows Registry. This script will add a registry key to restrict users from accessing the Office Online Repair feature.

Step 1: Create the PowerShell Script

1. Open a text editor such as Notepad or VS Code.
2. Copy and paste the following command into the file:

This command adds a registry key to disable the Office Online Repair option:

New-ItemProperty -Path “HKLM:\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate” -Name “onlinerepair” -Value “0” -PropertyType DWord        

3. Save the file as Disable_OfficeOnlineRepair.ps1.

Configuring Script Settings in Intune

In the Script Settings pane, you can configure the deployment options according to your organization's requirements. The first step is mandatory: you must browse and select the saved PowerShell script.

Required Script Configuration:

• Script Location: Click Browse and select the saved script Disable_OfficeOnlineRepair.ps1.
• Run this script using the logged-on credentials: Select No (this ensures the script runs with system-level permissions).
• Enforce script signature check: Select No (unless your organization requires signed scripts).
• Run script in 64-bit PowerShell Host: Select Yes to ensure compatibility with 64-bit systems.

Once these settings are configured, proceed to the next step to finalize and deploy the script across managed devices.

On the next page,?leave the?scope tags?default; if any?custom scope?tag is available based on your requirement, you can also select it?for this script deployment.

Assigning the Script to Devices

After configuring the script settings, click Next to proceed with the assignment.

1. In the Assignments section, click Add groups.
2. Under Included groups, select the device group Test_ISOLTech_Policy to ensure the script is deployed to the intended managed devices.
3. Review your selections and click Next to finalize the assignment.

By assigning the script to the correct group, you ensure that only targeted devices receive the configuration, maintaining control over Office Online Repair restrictions.

Final Review and Deployment

In the Review + Add pane, take a moment to carefully review all the settings configured for the Disable Office Online Repair PowerShell script deployment. Verify that the script, assignments, and execution settings align with your intended deployment strategy.

Once you have confirmed that all details are correct:

1. Double-check the script selection, assignment groups, and execution parameters to ensure accuracy.
2. If any adjustments are needed, use the Previous button to modify the settings.
3. When everything is correctly configured, click Add to finalize and deploy the script across the selected devices.

This step ensures that the configuration is successfully applied, allowing IT administrators to maintain control over Office Online Repair while enforcing consistency across the organization.

Monitoring the Deployment of the "Disable Office Online Repair" PowerShell Script

Once the Disable Office Online Repair PowerShell script is deployed to the Test_ISOLTech_Policy device group in Microsoft Intune, the policy will take effect as soon as the targeted devices complete a sync with Intune.

To monitor the deployment status, follow these steps in the Intune Admin Center:

1. Navigate to Devices > Windows > Scripts and Remediations > Platform Scripts.
2. In the search bar, look for "Disable Office Online Repair".
3. Select the script to view its deployment details.
4. Under the Overview tab, check the Deployment Status to verify if the script has been successfully applied.

The Device Status and User Status sections will indicate whether the script has been executed successfully across assigned devices. If any failures occur, you can troubleshoot by checking logs and ensuring devices are properly syncing with Intune.

End-User Experience: Verifying Office Online Repair is Disabled

To confirm that the Intune PowerShell Script has successfully disabled the Office Online Repair option, follow these steps on a policy-targeted device:

1. Log in to a device where the policy has been applied.
2. Open the Registry Editor:Press Win + R, type regedit, and press Enter.
3. Navigate to the following registry path:Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common

Once inside this registry location, look for the newly created "onlinerepair" key. If it exists and its value is set to "0", this confirms that the script deployment was successful and Office Online Repair is now disabled.

This validation ensures that the policy is correctly applied across all targeted devices, maintaining the intended restriction.

More Information

For additional guidance on disabling the Office Online Repair option using Microsoft Intune and PowerShell, refer to the following resources on Microsoft Learn:

• Collect diagnostics from a managed device with Intune This article provides instructions on collecting logs and diagnostics from managed devices, which can be useful for monitoring script deployment. https://learn.microsoft.com/en-us/mem/intune/remote-actions/collect-diagnostics
• Windows Update settings you can manage with Intune update ring policies This article details the Windows Update settings that can be managed through Intune, helping IT administrators control updates and system maintenance. https://learn.microsoft.com/en-us/mem/intune/protect/windows-update-settings

These resources provide comprehensive instructions on configuring, managing, and optimizing device settings with Microsoft Intune, ensuring that Office repair options are properly controlled in your organizational environment.

?

Thank you!

??? Ricardo Barbosa

?? MCT Microsoft Certified Trainer | ?? Cloud Architect

?? Technology Director - https://altelix.com