Troubleshooting Office Cloud Policy Service (OCPS)

Troubleshooting Office Cloud Policy Service (OCPS)

The Office cloud policy service (OCPS) is a cloud-based service that enables you to apply policy settings for Office 365 ProPlus on a user’s device.  The policy settings roam to whichever device the user signs into and uses Office 365 ProPlus.  As end users become increasingly mobile, IT Pros need a single approach to secure Office 365 ProPlus for traditional on-premises domain devices, Azure AD registered devices, Azure AD Joined, and Hybrid Azure AD joined devices.  OCPS applies to all scenarios above without the need to download and replicate any content such as Administrative Template files (ADMX/ADML) on-premises.  The goal of this blog is to provide some transparency of how the service works to help IT Pros during their validation phase and to encourage transition from classic domain-based policy to OCPS service for Office 365 ProPlus.

 

Requirements of OCPS

1. At least Version 1808 (August 2018) of Office 365 ProPlus
2. User accounts created in or synchronized to Azure Active Directory (AAD). The user must be signed into Office 365 ProPlus with an AAD based account.
3. Security groups created in or synchronized to Azure Active Directory (AAD), with the appropriate users added to those groups.
4. To create a policy configuration, you must be assigned one of the following roles in Azure Active Directory (AAD): Global Administrator, Security Administrator, or Office Apps Admin.
5. Connectivity to addresses below. Microsoft recommends proxy bypasswhitelist for these URLs
*.manage.microsoft.com, *.officeconfig.msocdn.com, config.office.com over 443

 

Steps to perform proof of concept and validation
1. Create a test user, ours will be “Kasper Graf”, kgraf@contoso.com.
2. Create security group “OCPS Service Validation” and add user to group within Active Directory Users and Computers.
3. Allow AAD Connect to synchronize user and group to Azure AD. (lunch break 🙂 or force synchronization via commands below)

(optional) From AAD Connect Server and elevated PowerShell, run the following commands:
PS C:WINDOWSsystem32>import-module adsync
PS C:WINDOWSsystem32>Set-ADSyncScheduler -NextSyncCyclePolicyType Delta
PS C:WINDOWSsystem32>Start-ADSyncSyncCycle

Browse Azure AD portal and explore Users – All Users, select Kasper Graf and then Groups. Verify that group “OCPS Service Validation” has been assigned and source says, “Windows Server AD”. This confirms user and group were synced into Azure AD successfully and we can proceed to next steps.
4.  Create your first OCPS policy and select “Create” button:

Create1.png

5. Complete input fields, when selecting assigned security group input “OCPS” and service should filter results to “OCPS Service Validation” group.  Next, define a policy.  For the demo, I chose policy “VBA Macro Notification Settings”, “Enabled” where VBA Macro Notification Settings are set to “Disable all with notification”.   Once selections have been made “Create” or “Save”.

Create4.png

Create3.png

6. From Policy Management, we can now see our policy exists.

Create2.png

So, we’ve got a policy, we’ve assigned it to a security group containing our test user, our next step is to validate. My test machine happens to be classic on-premises domain joined machine. My user, Kasper Graf, is signed in with his normal Active Directory credentials which is displayed in upper right hand corner of Word.

signin.png

Traditional Group Policy uses Client-Side Extensions in Windows to apply policy every 90 minutes.  IT Pros can force policy by using command line “gpupdate /force” and inspectverify registry as well as application behavior prior to broad deployment.  OCPS checks for policy upon initial Office application launch, calls into cloud service endpoints listed above, determines policy applicability based on group membership and priority assignment and registry keys are populated. 

 

Specifically, there are two locations of interest in registry.

1. HKEY_CURRENT_USERSoftwareMicrosoftOffice16.0CommonCloudPolicy
This will contain information about FetchInterval, 90 minutes is default, as well as record of Last Fetch Time and Last Payload Hash.

2. HKEY_CURRENT_USERSoftwarePoliciesMicrosoftCloud. This key will contain path to registry keys representing the policy assignment. For example, ours will be HKEY_CURRENT_USERSoftwarePoliciesMicrosoftCloudOffice16.0wordsecurity
Vbawarnings = 2 (DWORD)

 

IT Pros can achieve the same behavior of gpupdate by simply deleting the key HKEY_CURRENT_USERSoftwareMicrosoftOffice16.0CommonCloudPolicy, close Office application and relaunch to fetch policy.  I typically use tools like Process Monitor to help trustverify operations of this type with filters such as “Path” contains “CloudPolicy” or where Operation is “RegSetValue” etc.  Opening a Word document containing a Macro displaying warning with notification as expected.

Warning.png

FAQ:
How does conflict resolution work if the same policy is set via traditional domain-based policy as well as OCPS?
OCPS takes priority if there are any conflicts with traditional domain-based policies.

 

Currently policies are limited to user settings. Are there plans on adding machine settings?
Yes. This has been accepted and currently is in our backlog. We hope to have this available next year.

 

Group Policy provides a view of all policies on the device or for the specified user. Does OCPS support this?
Currently OCPS does not provide a list of all Office policies applied to a specific user or device. This is on our backlog and we hope to have this available next year.

 

Will OCPS support other platforms such as MacOS, Android and iOS?
Yes, OCPS in the future will also support additional platforms such as MacOS, Android and iOS. We will create additional blog postings per platform once features are generally available.

 

Are there any environments where OCPS is not available?

The Office cloud policy service isn’t available to customers who have the following plans: Office 365 operated by 21Vianet, Office 365 Germany, Office 365 GCC, or Office 365 GCC High and DoD.

 

The Author

This blog post is brought to you by Dave Guenthner, a Senior Premier Field Engineer and “ProPlus Ranger” at Microsoft. Feel free to share your questions and feedback in the comments below.

Introducing – and Managing – Microsoft Search in Bing through Office 365 ProPlus

Introducing – and Managing – Microsoft Search in Bing through Office 365 ProPlus

Customers tell us they want easier ways to manage their environments while delivering more productivity value to their employees. This includes helping people quickly find the information they need, a potentially frustrating prospect given the sheer and constantly growing volume of content within an organization. To help IT solve this — and to do so in a way that is easy for you to manage — we are offering the Microsoft Search in Bing extension to Office 365 ProPlus customers starting at the end of February.1,2 To help you prepare, we want to share guidance on how you can configure Office 365 ProPlus updates to best meet your organization’s search needs.  

 

Microsoft Search in Bing

 

Bing is a gateway to Microsoft Search, a unified enterprise search solution that provides contextual work-related information using data sources in Office 365 including SharePoint, Microsoft OneDrive for Business, and Exchange. Microsoft Search delivers personalized results surfaced by the Microsoft Graph to make search in your organization more effective, increase productivity, and save everyone time.

 

Employees can search for colleagues by typing the title, team name, or even office location into the address bar. They can also search for office location and get answers that show floor plans for directions. They can even get definitions for company acronyms.

 

As part of Microsoft 365, Microsoft Search is on by default for all Microsoft apps that support it.  This update is designed to enable an accessible and familiar entry point for your users: a search engine.

 

 

Deploy Microsoft Search through Office 365 ProPlus

You have told us that you want a single tool to deploy all desktop components of Office 365. To simplify the process of deploying Microsoft Search, we’re making the Microsoft Search in Bing extension available through Office 365 ProPlus with version 2002, alongside Word, Excel, PowerPoint, Outlook, OneDrive, and Teams. This extension will be installed with new installations of Office 365 ProPlus and when existing installations are updated. If Bing is already the default search engine, the extension will not get installed. 

If you don’t want to deploy the extension to your users, you can exclude it by using the Office Deployment Tool or Group Policy. There are also ways to exclude it if you’re using Microsoft Endpoint Configuration Manager (current branch) or Microsoft Intune. For more information about how to manage the extension, read this article. 

 

Honor your users’ search preferences

Even if you deploy the Microsoft Search in Bing extension with Office 365 ProPlus, users will still have an opportunity to choose their search engine. The first time your users open Google Chrome after the extension for Microsoft Search in Bing is installed, they will have an option to change back their search preferences by taking a few simple steps.

 

Mockup.pngMockup of the search toggle in Chrome browsers (subject to change).

 

Learn more about the user benefits of this change by downloading the Microsoft Search in Bing Adoption Kit (zip file) and this user adoption guide. As always, please visit our Tech Community page to learn more about Office 365 ProPlus, and share your feedback and insights

 

Footnotes

  1. This change is enabled for new and existing Office 365 ProPlus installations in Australia, Canada, France, Germany, India, the United Kingdom, and the United States. As we add locations, we will notify admins through the Message Center.
  2. The extension will be released to the Monthly Channel in late February 2020. Release for the Semi-Annual Channel (Targeted) and Semi-Annual Channel are coming soon.

 

Streamline deployment and management of Microsoft Teams with Office 365 ProPlus

As more and more Office 365 customers adopt Microsoft Teams, we’ve heard from many of you that you want to deploy and manage Teams the same way you deploy and manage other Office 365 apps. To streamline that process, we made Teams available through Office 365 ProPlus alongside Word, Excel, PowerPoint, Outlook, and OneDrive. We first provided this option to customers on the monthly channel several months ago. Starting on January 14, 2020, customers on the semi-annual channel will start to receive Teams through Office 365 ProPlus as well. With that date approaching, we want to remind you how to configure Office 365 ProPlus and Teams updates to meet the needs of your organization.   

Deploy and manage Teams through Office 365 ProPlus 

If you are an existing Office 365 ProPlus (or Office 365 Business) customer on the semi-annual channel, Teams will be included in your organization’s next update starting on January 14, 2020, as a part of the normal update process. 

If you’re ready for Teams to be deployed on your users’ machines, you don’t need to take any action. You can learn more how to adopt Teams in this article. If Teams is already installed on a user’s machine, there will be no impact when the semi-annual update rolls out.  

Learn more about how Teams updates, after it is installed.  

Customize Teams deployment as a part of Office 365 ProPlus 

While the number of customers using Teams continues to grow, we recognize that not all customers are ready for Teams to be automatically deployed on their users’ machines. You can manage your preferences and configure each Office 365 ProPlus app using the Group Policy or the Office Deployment Tool. Learn more about how to deploy and manage or exclude Teams in your Office 365 ProPlus updates in this articleDeploy Microsoft Teams with Office 365 ProPlus 

Send us your feedback 

Every innovation we make with Microsoft 365, the world’s productivity cloud, is designed to help you and your organization unlock new forms of productivity to achieve more. Thank you for being our customers and we look forward to your feedback and insights. 

Visit our Tech Community page to learn more about Office 365 ProPlus.

Troubleshooting Office Client Policy Service (OCPS)

Troubleshooting Office Client Policy Service (OCPS)

The Office cloud policy service (OCPS) is a cloud-based service that enables you to apply policy settings for Office 365 ProPlus on a user’s device.  The policy settings roam to whichever device the user signs into and uses Office 365 ProPlus.  As end users become increasingly mobile, IT Pros need a single approach to secure Office 365 ProPlus for traditional on-premises domain devices, Azure AD registered devices, Azure AD Joined, and Hybrid Azure AD joined devices.  OCPS applies to all scenarios above without the need to download and replicate any content such as Administrative Template files (ADMX/ADML) on-premises.  The goal of this blog is to provide some transparency of how the service works to help IT Pros during their validation phase and to encourage transition from classic domain-based policy to OCPS service for Office 365 ProPlus.

 

Requirements of OCPS

1. At least Version 1808 (August 2018) of Office 365 ProPlus
2. User accounts created in or synchronized to Azure Active Directory (AAD). The user must be signed into Office 365 ProPlus with an AAD based account.
3. Security groups created in or synchronized to Azure Active Directory (AAD), with the appropriate users added to those groups.
4. To create a policy configuration, you must be assigned one of the following roles in Azure Active Directory (AAD): Global Administrator, Security Administrator, or Office Apps Admin.
5. Connectivity to addresses below. Microsoft recommends proxy bypasswhitelist for these URLs
*.manage.microsoft.com, *.officeconfig.msocdn.com, config.office.com over 443

 

Steps to perform proof of concept and validation
1. Create a test user, ours will be “Gottlieb Daimler”, gdaimler@contoso.com.
2. Create security group “OCPS Service Validation” and add user to group within Active Directory Users and Computers.
3. Allow AAD Connect to synchronize user and group to Azure AD. (lunch break 🙂 or force synchronization via commands below)

(optional) From AAD Connect Server and elevated PowerShell, run the following commands:
PS C:WINDOWSsystem32>import-module adsync
PS C:WINDOWSsystem32>Set-ADSyncScheduler -NextSyncCyclePolicyType Delta
PS C:WINDOWSsystem32>Start-ADSyncSyncCycle

Browse Azure AD portal and explore Users – All Users, select Gottlieb Daimler and then Groups. Verify that group “OCPS Service Validation” has been assigned and source says, “Windows Server AD”. This confirms user and group were synced into Azure AD successfully and we can proceed to next steps.
4.  Create your first OCPS policy and select “Create” button:

Create1.png

5. Complete input fields, when selecting assigned security group input “OCPS” and service should filter results to “OCPS Service Validation” group.  Next, define a policy.  For the demo, I chose policy “VBA Macro Notification Settings”, “Enabled” where VBA Macro Notification Settings are set to “Disable all with notification”.   Once selections have been made “Create” or “Save”.

Create4.png

Create3.png

6. From Policy Management, we can now see our policy exists.

Create2.png

So, we’ve got a policy, we’ve assigned it to a security group containing our test user, our next step is to validate. My test machine happens to be classic on-premises domain joined machine. My user, Gottlieb Daimler, is signed in with his normal Active Directory credentials which is displayed in upper right hand corner of Word.

Create5.png

Traditional Group Policy uses Client-Side Extensions in Windows to apply policy every 90 minutes.  IT Pros can force policy by using command line “gpupdate /force” and inspectverify registry as well as application behavior prior to broad deployment.  OCPS checks for policy upon initial Office application launch, calls into cloud service endpoints listed above, determines policy applicability based on group membership and priority assignment and registry keys are populated. 

 

Specifically, there are two locations of interest in registry.

1. HKEY_CURRENT_USERSoftwareMicrosoftOffice16.0CommonCloudPolicy
This will contain information about FetchInterval, 90 minutes is default, as well as record of Last Fetch Time and Last Payload Hash.

2. HKEY_CURRENT_USERSoftwarePoliciesMicrosoftCloud. This key will contain path to registry keys representing the policy assignment. For example, ours will be HKEY_CURRENT_USERSoftwarePoliciesMicrosoftCloudOffice16.0wordsecurity
Vbawarnings = 2 (DWORD)

 

IT Pros can achieve the same behavior of gpupdate by simply deleting the key HKEY_CURRENT_USERSoftwareMicrosoftOffice16.0CommonCloudPolicy, close Office application and relaunch to fetch policy.  I typically use tools like Process Monitor to help trustverify operations of this type with filters such as “Path” contains “CloudPolicy” or where Operation is “RegSetValue” etc.  Opening a Word document containing a Macro displaying warning with notification as expected.

Proof.png

FAQ:
How does conflict resolution work if the same policy is set via traditional domain-based policy as well as OCPS?
OCPS takes priority if there are any conflicts with traditional domain-based policies.

 

Currently policies are limited to user settings. Are there plans on adding machine settings?
Yes. This has been accepted and currently is in our backlog. We hope to have this available next year.

 

Group Policy provides a view of all policies on the device or for the specified user. Does OCPS support this?
Currently OCPS does not provide a list of all Office policies applied to a specific user or device. This is on our backlog and we hope to have this available next year.

 

Will OCPS support other platforms such as MacOS, Android and iOS?
Yes, OCPS in the future will also support additional platforms such as MacOS, Android and iOS. We will create additional blog postings per platform once features are generally available.

 

The Author

This blog post is brought to you by Dave Guenthner, a Senior Premier Field Engineer and “ProPlus Ranger” at Microsoft. Feel free to share your questions and feedback in the comments below.

Building dynamic, lean & universal packages for Office 365 ProPlus

Building dynamic, lean & universal packages for Office 365 ProPlus

As an admin, you might have been tasked with the deployment of Office 365 ProPlus to your organization. But such a deployment is more than just Office. After the initial migration to ProPlus, you might have to provide ways for your users to acquire automated installs of additional Language Packs, Proofing Tools, products like Visio and Project or other components.
This blog post will walk your through a concept of building dynamic, lean & universal packages for Office 365 ProPlus, greatly reducing long-term maintenance costs and effort needed in managed environments.
Grab a coffee, it’s a long post. Let’s roll.
 

The challenge

When you plan your upgrade to Office 365 ProPlus, the actual upgrade from a legacy version to the always-current Office 365 ProPlus is front and center. But looking beyond the initial deployment, there are other scenarios you’ll need to cover as an admin. After you upgraded your users, they might need one of the following components going forward:
 
  • Additional Language Packs
  • Proofing Tools
  • Visio
  • Project

So in managed environments each of the above would require a dedicated installation package in order to allow an automated and controlled way to e.g. install additional languages for a user. Usually, for each of the above components, an admin would combine the necessary source files (~2.5 gigabyte), a copy of the Office Deployment Tool (ODT) together with a configuration file into a package.

But, especially in larger organizations, you often do not run a single installation of Office 365 ProPlus. You might have a mix of update channels (often SAC and SAC-T) and maybe you are currently transitioning from 32 bit to 64 bit, and for quite some time you will have to support both architectures.

So at the end, we would not have one package per component, but rather four, covering each possible permutation of SAC/SAC-T and x86/x64.
The end result would be:

 

  • High number of packages, the four listed components would result in 16 or more packages.
  • High bandwidth consumption, as a client might get the full 2.5 GB package pushed down before install
  • High maintenance costs to keep embedded source files current.
  • High user impact, if you haven’t kept the source files current and installing a component will perform a downgrade, just to perform an update to the current version soon after.
  • Low user satisfaction when having to pick the matching package out of a bunch of options.

 

While the initial upgrade to Office 365 ProPlus is a one-time activity, the above scenarios will be applicable over a longer period as users might need additional components days, weeks or even years after the initial deployment.
So, how do we build packages which are less costly to maintain over a long time frame and avoid the above downsides?

 

The solution: Dynamic, lean and universal packages

Good news: There is a way to resolve all of the above issues by implementing self-adjusting, small and universal package. I will give you the “meat and potatoes” of the concept before we dive into sample scenarios:
Build dynamic packages where you don’t hard-code anything. Leverage features of the Office Deployment Tool (ODT) to allow the packages to self-adjust to the requirements:
  • Use Version=MatchInstalled to prevent unexpected updates and stay in control of the version installed on a client. No hard-coding of a build number (which gets outdated quickly) required.
  • Use Language=MatchInstalled to instruct e.g. Visio or Project to install with the very same languages which are already installed for Office. No need to list them or build a script which injects the required languages.

 

Build lean packages by removing the source files from the packages. This has multiple benefits:

  • Package size is much smaller, from 2.5 GB down to less than 10 megabytes for the ODT and its configuration file.
  • Instead of pushing a 2.5 GB install package to clients, we allow clients to pull what it needs on demand from Office CDN which saves bandwidth:
    • When adding Project to an existing Office 365 ProPlus install, we need to download less than 50 megabytes as Office shared components are already installed.
    • Visio installs are typically between 100-200 megabytes, based and the number of languages as the templates/stencils are a substantial part of the download.
    • Installing Proofing Tools is typically between 30-50 megabytes versus a full Language Pack is somewhere between 200 to 300 megabyte.
  • A 2nd install scenario is often less frequent, which lowers the burden on the internet traffic ultimately reducing the impact.
  • You don’t have to update the source files every time when Microsoft releases new features, security and quality fixes.
 
Build universal packages by not hard-coding things like the architecture or update channel. ODT will dynamically match the existing install ; so your packages work across all update channels and architectures. Instead of having e.g. four packages to install Visio, you will have a single, universal package which will work across all permutations of update channels and architectures.
  • Leaving out OfficeClientEdition makes your package universal for mixed x86/x64 environments.
  • Leaving out Channel makes your package universal across update channels, even ones you don’t support :smile:.

 

How to and benefit of building dynamic, lean & universal packages

The idea behind this concept is to not hard-coding everything in the configuration file, but rather leverage the cleverness of the Office Deployment Tool (ODT) as much as possible. Let’s have a look at a “classic” package, built to add Project to an existing install of Office 365 ProPlus. We have the source files (~2.5 gigabyte in size) and a configuration file which explicitly states what we want to achieve:
Lean5-Pic1.jpg
<Configuration>
<Add OfficeClientEdition=”64″ Channel=”Broad”>
<Product ID=”ProjectProRetail”>
<Language ID=”en-us” />
</Product>
</Add>
<Display Level=”None” />
</Configuration>
 
When applying  the concepts of dynamic, lean, universal packages, the result would look like this:
 Lean5-Pic2.jpg<Configuration>
<Add Version=”MatchInstalled”>
<Product ID=”ProjectProRetail”>
<Language ID=”MatchInstalled” TargetProduct=”O365ProPlusRetail” />
</Product>
</Add>
<Display Level=”None” />
</Configuration>

 

So what have we changed and what are the benefits of doing so?

  • Removed OfficeClientEdition-attribute, as the ODT will automatically match the installed version.
    • Benefit: Configuration file now work for both x86 and x64 scenarios.
  • Remove Channel, same reason, ODT will automatically match the already assigned update channel.
    • Benefit I: Package works for all update channels (Monthly, Semi-Annual, SAC-T, you name it)
    • Benefit II: It will also work for update channels you don’t offer as central IT. Some users are running Monthly, some are on Insider builds? Don’t worry, it just works!
  • Added Version=MatchInstalled which will ensure that ODT will install the exact same version which is already installed.
    • Benefit: You are in control of versions deployed, no unexpected updates.
  • Added Language ID=”MatchInstalled”  and TargetProduct  designed to match the currently installed language(s), replacing a hard-coded list of languages to install.
    • Benefit I: User will have the same languages in Project as already installed for Office.
    • Benefit II: No need to re-request Language Pack installs.
    • Benefit III: Will also work for rarely used languages which you as central IT admin don’t offer, leading to happier users.
  • Removed the source files, the ODT will fetch the correct set of source files from the Office CDN just-in-time.
    • Benefit I: Package never gets old. No maintenance of source files needed.
    • Benefit II: Download is ~50 megabyte instead of pushing 2.5 GB around.

 

Another example: Adding Language Packs and Proofing Tools the dynamic, lean & universal way

Let’s have a brief look at other scenarios as well, like adding Language Packs and Proofing Tools. The classic configuration file to install the German Language Pack might look like this:
 
<Configuration>
<Add OfficeClientEdition=”64″ Channel=”Broad”>
<Product ID=”LanguagePack”>
<Language ID=”de-de” />
</Product>
</Add>
<Display Level=”None” />
</Configuration>
If you’re running SAC as well as SAC-T and have a x86/x64 mixed environment, you would need three additional files to cover the remaining permutations of configurations. Or you just go the dynamic, lean and universal way:
 
<Configuration>
<Add Version=”MatchInstalled”>
<Product ID=”LanguagePack”>
<Language ID=”de-de” />
</Product>
</Add>
<Display Level=”None” />
</Configuration>
 
This single configuration file will work across x86/x64 and all update channels (Insider Fast, Monthly Targeted, Monthly, SAC-T, SAC, and so on). So if you want to offer 5 additional languages in your environment, just build 5 of these “config file + ODT” packages and you’re good to go. For Proofing Tools you just change the ProductID to “ProofingTools”.
 

Prerequisites

I hope this new concept helps you to build dynamic, lean and universal packages and reduce the overall effort of managing Office 365 client Apps.
There are some prerequisites you must meet to make this concept work in your environment:
  • Use Office Deployment Tool 16.0.11615.33602 or newer to enable Version=MatchInstalled to work.
  • The ODT must be able to locate the matching source files on the Office CDN.
  • Ensure that the context your using for running the install can traverse the proxy. Check out our Office 365 ProPlus Deployment and Proxy Server Guidance  for a deep-dive on this.
  • Make sure, that the account (user or SYSTEM) used to install the apps is able to connect to the internet.

 

The Author

This blog post is brought to you by , a ProPlus Ranger and senior ProPlus deployment expert at Microsoft. Feel free to share your questions and feedback in the comments below.
How to manage Office 365 ProPlus Channels for IT Pros

How to manage Office 365 ProPlus Channels for IT Pros

**12/5/2019 We’ve updated this guidance and published it as an article on docs.microsoft.com: Change the Office 365 ProPlus update channel for devices in your organization. We recommend that you follow the steps in that article to change channels.”

 

Microsoft recommends enterprise customers include validation as a part of their Office 365 ProPlus deployment processes. Microsoft provides “channels” which control the rate of change in terms of features and quality fixes. For most customer deployments this means a minimum of two channels such as Semi-Annual Channel and Semi-Annual Channel (Targeted). Many IT Pros broadly deploy a single channel (usually Semi-Annual Channel) and leverage group policy to assign validation computers to faster channel such as Semi-Annual Channel (Targeted). In this way, IT Pros can preview what’s coming four months prior to production release.

 

The goal of the blog is to provide clarification around the mechanics on how Office 365 ProPlus processes channel change requests.

 

note.pngTip: New Semi-Annual Channel versions are released in JanuaryJuly and Semi-Annual Channel (Targeted) versions are released in MarchSeptember. All channels will receive a minimum of one build per month which contain security and critical customer escalated fixes. (The latter has very high bar)

To read more about Channels please see Overview of update channels for Office 365 ProPlus

 

Ideally, minimizing the number of Office 365 ProPlus packages reduces overall cost of ownership. Therefore, the next step is to develop a process where machines receive standard package placing them on Semi-Annual Channel but dynamically move validation machines to faster channel such as Semi-Annual Channel (Targeted).

 

Step 1: Deploy your standard Office 365 ProPlus package based on Semi-Annual Channel

 

Step 2: Assign GPO to validation machine(s) or add policy registry key specifying Semi-Annual Channel (Targeted)

 

Using Office ADMX files, use Update Channel GPO to set Semi-Annual Channel (Targeted)

GPO.png

* Group Policy refreshes in the background every 90 minutes by default.  Use gpupdate /force to expedite.  Alternatively, add registry key manually to policy key

             HKLMSOFTWAREPoliciesMicrosoftoffice16.0commonofficeupdate “updatebranch”=”FirstReleaseDeferred”

Step 3: Allow MicrosoftOfficeOffice Automatic Updates 2.0 scheduled task to run

Group Policy will set registry keys, that’s all. Office 365 ProPlus uniquely leverages a scheduled task named Office Automatic Updates to maintain product configuration including channel management. The name itself “Automatic Updates” can cause confusion for IT Pros in enterprise environments where System Center Configuration (SCCM) is used to deploy updates. When OfficeMgmtCom (COM) is enabled, updates will be delivered only from SCCM. The Office Automatic Updates scheduled task will fire based on default set of triggers, regardless if COM is enabled or not, or by manually running task you can compress time frame to validate change.

 

Warning.pngMicrosoft recommends Automatic Updates remain Enabled (default configuration) in all update scenarios. This task does more than name implies. By disabling task, you may observe diminished experience in terms of channel management and disable feature to apply updates when SYSTEM is IDLE.

See 2:00 in Managing Office with SCCM (2019) video for more information, applicable for CDN update workflow.

 

note.pngTip: List of Channels and respective URL identifiers

CDNBaseUrl represents the channel where product was installed. If no channel was defined in unattend, Semi-Annual Channel is default selection.

Monthly Channel 
(formerly Current Channel):
CDNBaseUrl = http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60

Semi-Annual Channel 
(formerly Deferred Channel):
CDNBaseUrl = http://officecdn.microsoft.com/pr/7ffbc6bf-bc32-4f92-8982-f9dd17fd3114

Monthly Channel (Targeted)
(formerly First Release for Current Channel):
CDNBaseUrl = http://officecdn.microsoft.com/pr/64256afe-f5d9-4f86-8936-8840a6a4f5be

Semi-Annual Channel (Targeted) 
(formerly First Release for Deferred Channel):
CDNBaseUrl = http://officecdn.microsoft.com/pr/b8f9b850-328d-4355-9145-c59439a0c4cf

note.pngTip: IT Pros can monitor several registry keys to validate change has occurred after scheduled task has completed. Registry keys of interest when monitoring can be found under the following key: HKLMSOFTWAREMicrosoftOfficeClickToRunConfiguration. Editing key(s) should not be done directly and can lead to unintended consequences. Rather, monitor keys for desired outcome.                                                                                                         

UpdateChannel: This is the channel configuration “winner”.  This is dynamically managed by the Automatic Updates scheduled task and should not be edited directly.

 

In our example where we are using GPO to move Office 365 ProPlus to Semi-Annual Channel (Targeted), Office Automatic Updates scheduled task will discover policy key and then will flip UpdateChannel to new value, in this case from http://officecdn.microsoft.com/pr/7ffbc6bf-bc32-4f92-8982-f9dd17fd3114 (SAC) to http://officecdn.microsoft.com/pr/b8f9b850-328d-4355-9145-c59439a0c4cf (SAC-T). Additionally, UpdateChannelChanged will be set to True. Upon next successful Office 365 Client update, UpdateChannelChanged will reset to False. The product can only accept one channel change request at a time with successful update as a prerequisite prior to accepting another change.

 

If you have completed steps above and channel change is still not being reflected, you may be blocked by temporary “Discovery Period.” Generally, updates will not happen within the Discovery Period which can last up to 24 hours after initial installation. IT Pros may encounter this scenario during compressed time validation in lab scenarios.

 

After UpdateChannel has successfully changed, Office 365 Clients pointing to CDN will download latest build from faster channel. Office 365 Clients which have COM enabled for SCCM integration will download newer build next time Software Updates Deployment Evaluation cycle runs based on configuration of Software Deployment within SCCM. IT Pros can expedite testing channel migration by deploying desired build to validation collection (should be a build from Semi-Annual Channel (Targeted), use the Configuration Manager applet from control panel to perform Machine Policy Retrieval followed by Software Updates Deployment Evaluation Cycle.

 

Applet.png

 

note.pngTip: Office 365 ProPlus behavior – slow to fast vs fast to slow

Slower -> Faster (Example: Semi-Annual Channel to Semi-Annual Channel Targeted)

  • Client will always gracefully move forward when now available build number is higher.  For example, a client on June 2019 Semi-Annual Channel with build version 1808 (Build 10730.20348) will move to Semi-Annual Channel Targeted with build Version 1902 (Build 11328.20318).  No other Administrative intervention is required, normal update processworkflow applies the change.

Faster -> Slower (Example: SAC-T to SAC)

  • In SCCM managed environment where COM is enabled, Office will not auto downgrade when channel is changed.  It will only move forward once build advertised is greater than what’s currently installed.  For example, Office ProPlus client on Semi-Annual Targeted build June 2019 Version 1902 (Build 11328.20318) will have to wait until Semi-Annual Channel build number is greater to move forward such as July 2019 Version 1902 (Build 11328.20368).  Supported downgrade method is to re-run Office Deployment Tool (ODT) with desired build and channel.  Keep in mind during waiting period, Office 365 Client will not receive any updates including security.
  • In non COM managed environment such as default configuration CDN, we will downgrade your new version to match the Group Policy assigned.  

*Since we can’t do binary delta compression (BDC) the download will be larger.  As a result, network considerations should be considered when downgrading from CDN.

 

FAQ:

How does channel management work when Office 2019 is installed and GPO “Upgrade Office 2019 to Office 365 ProPlus” is enabled?

Some customers may have a need to have one factory image of Windows which includes Office 2019 and later upgrade a subset of machines to Office 365 ProPlus.  The steps outlined above still apply in terms of mechanics and how channel chnages are processed.  The only difference is Office 2019 will initially have CDNBaseURL and UpdateChannel will reflect http://officecdn.microsoft.com/pr/f2e724c1-748f-4b47-8fb8-8e0d210e9208.  First, the GPO above will set policy key.  Second, The Office Automatic Updates 2.0 scheduled task will flip the UpdateChannel to Semi-Annual Channel (3114) by default and dynamically convert the product to Semi-Annual Channel.  In short, Office 2019 is just an older version of Office 365 ProPlus, so differences in content between the two products will download from CDN or from SCCM Distribution Point depending on your configuration. (Size will be significant for one-time conversion).  For CDN, this process is automatic.  For SCCM, IT Pro only needs to deploy latest Semi-Annual Channel build software update to collection, just like any monthly “Patch Tuesday” process.  SCCM will find build applicable and upgrade like any other Office update.  LicensingActivation will switch from volume activation (KMS) to subscription based (Office Licensing Service).

 

Why does this guidance differ from SCCM page Change the update channel after you enable Office 365 clients to receive updates from Configuration Manager?

Microsoft recommends customers leverage Group Policy to change Office 365 ProPlus channels because its easier for IT Pros. Group Policy sets registry key under policy hive and Office Automatic Updates scheduled task to processes channel change.  The link above references CDNBaseURL.  Notice from the list below this is the 4th item evaluated for priority by the scheduled task.  As a result, if the first three priorities listed are not configured and CDNBaseURL doesn’t match UpdateChannel, scheduled task will align them resulting in channel change.  This blog posting leads with Group Policy where link above requires a direct registry change through Group Policy Preferences or Compliance Item in SCCM.

 

1st Priority : GPO "UpdatePath" - HKLMsoftwarepoliciesmicrosoftoffice16.0commonofficeupdate!updatepath
2nd Priority : GPO "UpdateChannel" - HKLMsoftwarepoliciesmicrosoftoffice16.0commonofficeupdate!updatebranch
3rd Priority : "UpdateURL" or UpdatePath="ServerShare" HKLMSOFTWAREMicrosoftOfficeClickToRunConfiguration
4th Priority : CDNBaseURL - HKLMSOFTWAREMicrosoftOfficeClickToRunConfigurationCDNBaseUrl

I hope this blog post helps provide additional context for how Office ProPlus Channel Management works “under the hood”.

 

This blog post is brought to you by Dave Guenthner, a Senior Premier Field Engineer and “ProPlus Ranger” at Microsoft. Feel free to share your questions and feedback in the comments below.

Office 365 Groups @ Ignite – Recap

Office 365 Groups @ Ignite – Recap

Office 365 Groups is the membership service that drives teamwork and powers collaboration across Microsoft 365. With Office 365 Groups, a group of people can access and share a collection of collaboration resources, such as a shared Outlook inbox, calendar, SharePoint document library, a Planner, a Team, and more.

 

Recently, at Microsoft Ignite 2019 in Orlando, FL, the Office 365 Groups team delivered several session that included announcements of enhancements and new innovations for Office 365 Groups, such as new user activity-based expiration policy for Office 365 Groups, and the Groups Admin role, and best practices, such as creating a governance plan, enabling self-service, and leveraging analytics to understand usage.

 

The Office 365 Groups breakout sessions highlighted innovations across Outlook Mobile, Outlook Desktop, Outlook on the Web, Microsoft Teams, Microsoft 365 admin center, SharePoint Site URL Rename, Identity Governance, Yammer, and more. In case you missed it, you can view the Office 365 Groups sessions on-demand, and download the slide decks, as well.

 

Session Code Description
ADM20 Addressing top management issues with users and groups
BRK2052 What’s new and what’s next: SharePoint and OneDrive administration
BRK2056 Embrace Office 365 Groups: What’s new and what’s next
BRK2058 Deploy Office 365 groups at scale to power Microsoft Teams, Outlook, Yammer, and SharePoint
BRK2210 Finding your collaboration sweet spot with Office 365 Groups, SharePoint, Teams, and Yammer
BRK2233 The future of Yammer: Share knowledge, engage leaders, and build communities in Microsoft 365
BRK3264 Transform collaboration and fight shadow IT with Office 365 groups
THR2091 Master sharing and permissions of Office 365 in 20 minutes
THR2251 How Microsoft empowers employees through self-service collaboration while still protecting the company in Office 365
THR3043 Microsoft Teams and Office 365 Groups PowerShell MasterClass
THR3083 Office 365 Groups: Ask us anything

 

We’re also taking the learning path session for Office 365 Groups (Embrace Office 365 Groups: What’s new and what’s next) on the Microsoft Ignite The Tour, so if you would like to see it live, and interact with Office 365 Groups experts, register now for a city near you.

 

clipboard_image_0.png

 

–The Office 365 Groups Team

clipboard_image_1.jpeg

New functionality to make it easier to customize, manage, and secure Office 365 ProPlus

At Microsoft, we’re committed to protecting your data and helping your organization stay current and secure in today’s fast-moving, complex technology environment. And we’ve designed new innovations for Office 365 ProPlus to do just that. As announced at Microsoft Ignite 2019 last week, we introduced:

  • An update to the Office cloud policy service.
  • Deeper integration for managing Office 365 for Mac using Jamf Pro.
  • New tools for Configuration Manager to better plan Office deployment projects.
  • New security features for the Office client.
  • New Group Policy setting to enable users to install Insider builds.

Together, these new functionalities help you more efficiently adopt, deploy, and manage Office 365 ProPlus—regardless of the size of your organization and the platform you choose.

Cross-platform support* for the Office cloud policy service

The Office cloud policy service—initially announced for Windows earlier this year—is a cloud-based service that enables IT admins to enforce policy settings for Office 365 ProPlus users. The settings are enforced across devices, whether domain-joined, Azure Active Directory (AAD)-joined, or completely unmanaged. In short, the policy settings roam with the user.

Today, we’re introducing an update to add cross-platform support for Office on the web, Android, Mac*, and iOS* devices, giving administrators the ability to manage Office policies from a single portal for all their Office users. To learn more, read this article

 

Easier Office 365 for Mac management using Jamf Pro

Today, we’re announcing deeper integration for managing Office 365 using Jamf Pro. Our integration with the new Application and Custom Settings experience, which was demonstrated at the Jamf Nation User Conference (JNUC), allows IT admins to easily set Office 365 policies using a familiar forms-based interface. Mac administrators can centrally configure security, privacy, and update policies to deliver the very best Office 365 experience to their users, including:

  • Enabling friction-free sign-on to Office 365
  • Controlling privacy and telemetry options
  • Reducing the attack surface for sensitive devices
  • Increasing compliance levels through feature enablement
  • Lowering support costs by implementing desired update workflows

 

Pilot health and inventory tools to deploy faster

We’ve brought a pair of updates to the Microsoft System Center Configuration Manager—you probably know it as Config Manager—to help IT admins streamline parts of the device upgrade process. The first of these shows the health of pilot devices as it relates to a forthcoming upgrade. Pilots are a subset of devices you’ve selected to validate before deploying. With this update, that subset will also show the upgraded health of selected devices, including which are ready to upgrade right now. For those not ready, you can see what issues are blocking the upgrade and remediate those for faster deployment.

 

The second update, which enhances your existing inventory tools, leverages device telemetry to determine which devices running Office 365 ProPlus are ready to update to newer release. This update also provides insight into issues that are blocking an immediate upgrade, giving you the information needed to remediate problem areas.

 

Pilot health and enhanced inventory tools are just the beginning. With 80% of Office 365 ProPlus admins using Config Manager, we’re continuing to prioritize upgrades for the Config Manager console—including features like recommended configurations.

 

Safe Documents and Application Guard for enhanced file protection

On Tuesday, we shared Safe Documents, a new capability that brings the power of Microsoft Defender Advanced Threat Protection (ATP) to Office 365 ProPlus.  When a user has a document in Protected View and wants to consider that document “trusted”, the field will be automatically checked against the ATP threat cloud before release. Admins will have advanced visibility and response capabilities, including alerts, logs, and visibility into similar threats across the enterprise.

 

We also showed an early, live demo of Application Guard capabilities integrated with Office 365 ProPlus. When available in mid-2020, Microsoft 365 customers will be able to open an untrusted Word, Excel, or PowerPoint file in a virtualized container instead of Protected View. From there, users will be able to view, print, edit, and save changes to untrusted Office documents—all while benefiting from hardware-level security. If the untrusted file is malicious, the attack is confined to the isolated container and the host machine is untouched. Users will be able to leverage Safe Documents to “trust” a document securely, and full reporting and audit trails will be available through ATP.

 

Group Policy to allow users to experience Office Insider builds  

Enabling your users to self-select into the Office Insiders program is as simple as delivering a policy.  This can be done by using the Office Cloud Policy service which is available in config.office.com and via group policy. This policy makes it easy for you to enable which users can self-select their device to receive the Office Insider builds as they become available in order to try new features. Read more in this article.

Microsoft Teams deployed with Office 365 ProPlus

As a quick reminder, when you update to Version 1908 of Office 365 ProPlus in January, Microsoft Teams will be rolled out to existing installations on the Semi-Annual Channel. Learn more about deploying Teams as part of Office 365 ProPlus in this article.

Office 2010 End of Support

Finally, support for Office 2010 is ending in October 2020—but with Office 365 ProPlus, you can continue to stay current with the latest Office tools and security features, like the ones we described above. Read more in this blog.

 

Catch up on all other Office 365 ProPlus deployment content recorded at Ignite by following this guide. As always, learn what’s new in Office 365 ProPlus, watch our YouTube Deployment Insider channel, and join Office Insider Program.

You may also find the following additional resources useful:

*Office cloud policy service support for Mac and iOS devices is expected to roll out soon.

Your OneNote

From your flashes of inspiration at 2:00 AM to the list of funny things your children say, or that brilliant idea you had in the conference room, and your ever-growing list of household chores  OneNote holds the notes to your life to track all the things you need to keep in mind, but simply don’t have room for in your overworked brain. 

 

We enjoy the privilege of serving millions of customers like you, who each have unique needs and who use OneNote in unique waysOver the past year, we’ve been listening to your passionate feedback and are humbled by your consistent love for OneNote. We hear you loud and clear — you want to keep your notes your way! 

 

With that in mind, we’re pleased to announce that we are continuing mainstream support for OneNote 2016 beyond October 2020, so that you can continue using the version of OneNote that works best for you. New support dates for OneNote 2016 now align with Office 2019 (October 10, 2023 for mainstream support and October 14, 2025 for extended support). We also want to make deployment and installation easier for organizations and individuals, so for Windows users, starting in March 2020, when you deploy or install Office 365 subscriptions that include the Office desktop apps or Office 2019, the OneNote desktop app will be installed by default alongside Word, Excel, and PowerPoint. If you’d like to install OneNote 2016 earlier, you can get it here: aka.ms/InstallOneNote. 

 

And, of course, OneNote should look the way you want it to. That’s why this week we are rolling out Dark Mode for OneNote 2016This will be available for Office 365 subscribers and non-volume licensing Office 2019 customers. Dark Mode changes the app’s interface elements from light to dark. Using OneNote in this mode can improve readability in low light environments, increase legibility of the user interface as well as your notes, provide better contrast, and reduce eye strain. You might also use OneNote in Dark Mode simply as a personal preference. The choice is yours! 

 

We’re excited about today’s announcements and we’ll keep listening to your feedback to make your OneNote better and better! Please continue requesting features and telling us what you think via the in-app feedback. 

 

For more information check out our OneNote FAQ! 

User Activity based Expiration Policy for Office 365 groups is now in Private Preview!

User Activity based Expiration Policy for Office 365 groups is now in Private Preview!

Update: This feature has new updates. Please see the blog for details.

O365 Groups power collaboration across Office 365 

Collaboration is a key ingredient for the success of any organization. Office 365 groups, of the most used collaboration features in Microsoft 365 today, power the collaboration features across apps, including Outlook, Teams, Yammer, and SharePoint. Employees can create groups quickly and start collaborating with co-workers by sharing group documents, emails, and calendars.

 

The twin problems of Groups Life cycle Management 

As the number of Office 365 groups increases, an organization needs to strike a balance between cleaning up unused groups and ensuring any valuable groups do not get deleted unintentionally, causing data loss. Many of you have shared feedback about these challenges in groups lifecycle management.

 

You say, we listen and act

We heard your feedback, and we’ve made some changes! We are excited to announce the new version of expiration policy which ensures any group being actively used continues to be available, circumventing expiration. This feature makes life easier for users, including admins, group owners and members, by automating the expiration and renewal process by tracking groups for user activity across different apps, like Teams, SharePoint, Outlook, tied to the group.

 

The new expiration policy puts group life cycle management on autopilot 

The current Expiration policy allows you to set an expiration time frame for selected or all Office 365 groups . After the defined group lifetime, owners are asked to renew them if they are still needed. With this newly added intelligence, groups which are being actively used will be automagically renewed. This preempts the need for any manual action on the part of the group owners. This is based on user activity in groups across Office 365 apps like Outlook, SharePoint, Teams, Yammer, and others.

 

Example:  At Contoso, the administrator has configured the Group lifetime to be 180 days. Megan is the owner of the Contoso Marketing O365 Group, with Enrico and Alex as its members. Her group is set to expire in 45 days. If an owner or a member performs actions like uploading a document in SharePoint, visiting Teams channel or sending an email to the group in Outlook, the group is automatically renewed for another 180 days, and she does not get any expiry notifications.

Image 1.png

 

Manual Controls: Group owners will continue to have the manual “delete”, “renew” option for granular control.

 

Soft Delete: Like before, groups which aren’t renewed (either automatically based on activity or manually) will be soft deleted. Groups in “Soft-delete” state can still be restored within 30 days, after which the content is deleted permanently.

 

Image 2.png

 

User actions for group auto-renewal: The following user actions will lead to automatic renewal of groups

  • SharePoint – View, Edit, Download, Move, Share, Upload Files
  • Outlook – Join group, Read/write group message from group space, Like a message (OWA)
  • Teams – Visit a Teams channels

We will continue to update this list to fine tune group auto-renewal experience.

 

Auditing and reporting: Administrators can get a list of auto-renewed groups from audit logs on the azure portal.

Image 3_2.png

 

 

Here are some quick steps to get you started.

 

Getting started

Office 365 groups expiration policy can be configured from the Azure Active Directory portal, as well as programmatically via Azure Active Directory PowerShell. Please note you need an Azure AD Premium license. Below is a quick tutorial on how to get started with the functionality in the new Azure portal experience.

 

1. Create Expiration Policy: Sign into the Azure portal, select Azure Active Directory, go to the Groups tab and select Expiration under Settings. (More details here) .Image 4.png

 

2. Set Group Life cycle: Specify the group lifetime in days and select which groups you want the expiration settings to apply to.

Group owners will receive a renewal notification 30 days before the expiration date, and from that notification they can renew their group with a single click!

 

If there is no user activity in the group (and the owners don’t manually renew their group) within the required time frame, their group will expire. Upon expiry it will stay in a “soft deleted” state for 30 days. Owners of deleted groups will receive a notification letting them know their group has been deleted and giving them the opportunity to restore their group within 30 days after its deletion date. The Group will be permanently deleted after 30 days.

 

3. Auto-renewal based on user activity: No explicit action is required to enable activity-based auto-renewal. If an the expiration policy is set for Office 365 groups, auto-renewal will be enabled by default.

Learn more about how you can restore you group to recover all its content, including SharePoint, Planner, and Outlook – how to restore deleted Office 365 groups.

 

Note: The new version of Office 365 groups expiration feature is available in private preview today for select Azure AD Premium customers. Please reach out to your TAMs/CSMs regarding enrollment in private preview.

 

Let us know what you think!

We would love to hear your feedback! If you have any suggestions for us, questions, or issues to report, please leave a comment below. We’re always looking for ways to improve.

 

User Voice: Add security groups to Office 365 groups

Support & feedback: groupsarfeedback@microsoft.com

 

 

Best regards,

 

Salil Kakkar                                                               Yuan Karppanen

Program Manager                                                    Program Manager

Office 365 Groups                                                    Azure Active Directory

twitter-3.png  @salil_kakkar