User Activity based Expiration Policy for Office 365 groups is now generally available!

User Activity based Expiration Policy for Office 365 groups is now generally available!

O365 Groups power collaboration across Office 365 

Collaboration is a key ingredient for the success of any organization. Office 365 groups, of the most used collaboration features in Microsoft 365 today, power the collaboration features across apps, including Outlook, Teams, Yammer, and SharePoint. Employees can create groups quickly and start collaborating with co-workers by sharing group documents, emails, and calendars.


The twin problems of Groups Life cycle Management 

As the number of Office 365 groups increases, an organization needs to strike a balance between cleaning up unused groups and ensuring any valuable groups do not get deleted unintentionally, causing data loss. Many of you have shared feedback about these challenges in groups lifecycle management.


You say, we listen and act

We heard your feedback, and we’ve made some changes! We are excited to announce the new version of expiration policy which ensures any group being actively used continues to be available, circumventing expiration. This feature makes life easier for users, including admins, group owners and members, by automating the expiration and renewal process by tracking groups for user activity across different apps, like Teams, SharePoint, Outlook, tied to the group.


The new expiration policy puts group life cycle management on autopilot 

The current Expiration policy allows you to set an expiration time frame for selected or all Office 365 groups . After the defined group lifetime, owners are asked to renew them if they are still needed. With this newly added intelligence, groups which are being actively used will be automagically renewed. This preempts the need for any manual action on the part of the group owners. This is based on user activity in groups across Office 365 apps like Outlook, SharePoint, Teams, Yammer, and others.


Example:  At Contoso, the administrator has configured the Group lifetime to be 180 days. Megan is the owner of the Contoso Marketing O365 Group, with Enrico and Alex as its members. Her group is set to expire in 45 days. If an owner or a member performs actions like uploading a document in SharePoint, visiting Teams channel or sending an email to the group in Outlook, the group is automatically renewed for another 180 days, and she does not get any expiry notifications.

Image 1.png


Manual Controls: Group owners will continue to have the manual “delete”, “renew” option for granular control.


Soft Delete: Like before, groups which aren’t renewed (either automatically based on activity or manually) will be soft deleted. Groups in “Soft-delete” state can still be restored within 30 days, after which the content is deleted permanently.


Image 2.png


User actions for group auto-renewal: The following user actions will lead to automatic renewal of groups

  • SharePoint – View, Edit, Download, Move, Share, Upload Files
  • Outlook – Join group, Read/write group message from group space, Like a message (OWA)
  • Teams – Visit a Teams channels

We will continue to update this list to fine tune group auto-renewal experience.


Auditing and reporting: Administrators can get a list of auto-renewed groups from audit logs on the azure portal.

Image 3_2.png



Here are some quick steps to get you started.


Getting started

Office 365 groups expiration policy can be configured from the Azure Active Directory portal, as well as programmatically via Azure Active Directory PowerShell. Please note you need an Azure AD Premium license. Below is a quick tutorial on how to get started with the functionality in the new Azure portal experience.


1. Create Expiration Policy: Sign into the Azure portal, select Azure Active Directory, go to the Groups tab and select Expiration under Settings. (More details here) .Image 4.png


2. Set Group Life cycle: Specify the group lifetime in days and select which groups you want the expiration settings to apply to.

Group owners will receive a renewal notification 30 days before the expiration date, and from that notification they can renew their group with a single click!


If there is no user activity in the group (and the owners don’t manually renew their group) within the required time frame, their group will expire. Upon expiry it will stay in a “soft deleted” state for 30 days. Owners of deleted groups will receive a notification letting them know their group has been deleted and giving them the opportunity to restore their group within 30 days after its deletion date. The Group will be permanently deleted after 30 days.


3. Auto-renewal based on user activity: No explicit action is required to enable activity-based auto-renewal. If an the expiration policy is set for Office 365 groups, auto-renewal will be enabled by default.

Learn more about how you can restore you group to recover all its content, including SharePoint, Planner, and Outlook – how to restore deleted Office 365 groups.


Note: The new version of Office 365 groups expiration feature is available in private preview today for select Azure AD Premium customers. Please reach out to your TAMs/CSMs regarding enrollment in private preview.


Let us know what you think!

We would love to hear your feedback! If you have any suggestions for us, questions, or issues to report, please leave a comment below. We’re always looking for ways to improve.


User Voice: Add security groups to Office 365 groups

Support & feedback:



Best regards,


Salil Kakkar                                                               Yuan Karppanen

Program Manager                                                    Program Manager

Office 365 Groups                                                    Azure Active Directory

twitter-3.png  @salil_kakkar


Microsoft Ignite 2019 Guide to Office 365 ProPlus Deployment

If you’re an Office IT Admin, get ready to learn the latest and greatest about Microsoft Office 365 ProPlus deployment at Ignite starting November 4. We’re very excited to announce the following sessions, workshops, speakers, and other learning opportunities to help you make your Office 365 ProPlus deployment and management success. Here is what we have lined up for you:

Best practices for deploying and managing Microsoft Office 365 ProPlus (BRK3087). Amesh Mansukhani, a Principal Program Manager focused on helping enterprise organizations efficiently manage Office 365 ProPlus deployments, shares what’s new from the Office engineering team on how to best deploy and manage Office 365 ProPlus within your environment. He’ll also walk through the deployment tools and discuss the best options to suit your environment.

What’s new in the Office Customization Tool (THR 30309). Learn what’s new in the Office Customization Tool for Office 365 ProPlus from Chris Hopkins, a Senior Program Manager on the Office Enterprise Lifecycle team responsible for the deployment and management experience for Office across Office 365, System Center Configuration Manager, and Microsoft Intune.

Best practices for compatibility assessment and Office 365 ProPlus upgrades using Office Readiness in Configuration Manager (BRK3090). In this session, Tara Hanratty, a Senior Program Manager in Microsoft Ireland who focuses on helping enterprises address compatibility concerns, will discuss best practices for upgrading to Office 365 ProPlus, including:

  • Evaluating Office readiness
  • Using the Readiness Toolkit for advanced VBA readiness
  • Discovering and remediating issues
  • Deploying to “ready devices” with the right settings
  • Identifying optimal pilots to unblock more devices
  • Viewing health on deployed devices
  • Viewing unblocked devices
  • Advanced plug-in reports (accessibility)

Get to know the new Office Cloud Policy Service (THR3038)
. If you are still managing Office policies using Group Policy Manager, but you want to move the cloud, come learn about the new Office Cloud Policy Service. Chris Hopkins will explain how you can use the Office Cloud Policy Service to manage policies for Microsoft Office 365 ProPlus on Windows, Mac, and Office on the web. He’ll also show you how to use built-in intelligence to provide security policy recommendations and baselines for simplifying management and compliance.

Deploying and managing Microsoft Office 365 ProPlus (WRK3019). In this workshop, Matt Philipenko, Senior Premier Field Engineer for Office Deployment, Servicing, and Activation and ProPlus Ranger, will cover deploying and managing Office 365 ProPlus using Configuration Manager and Intune. He will walk through creating an Office 365 ProPlus deployment, managing updates, configuring cloud policies, and monitoring your current deployment status, and also share Microsoft best practices and common customer implementations.

Microsoft Office privacy controls and Diagnostic Data (BRK3088). Office uses the power of the Microsoft Cloud to deliver exciting new capabilities to individuals and organizations. Diagnostic data helps Microsoft keep Office and these experiences secure, up to date, and performing as customers expect. Some organizations have wondered what happens to this data, how it’s used, and how they might control the flow. Revolutionary change in product transparency over the past year means commercial customer IT departments can now control this data. In this session, you’ll gain a deep understanding about diagnostic data, identify the benefits of diagnostic data to your organization, learn about you can view and manage this data, and hear from a customer that has implemented the controls. This session is presented by Brian Albrecht and Steve Conn. Brian runs the Microsoft Office Data, Privacy, and Insights PM Team and is responsible for diagnostic data privacy and compliance with GDPR and next generation privacy regulations across the Office 365 client experiences. Steve has worked on Office and Windows in various marketing and engineering roles for 12 years.

The future of Office: The insiders view and how we’re making it easier for IT admins and organizations to deploy and use Office 365 ProPlus (BRK3298). Are you interested in what’s being developed for Office 365 ProPlus deployment? In this panel, moderated by Amesh Mansukhani, Microsoft CVPs Aleš Holeček and Tara Roth dive deep into what we’re bringing in the coming year to IT Admins and organizations around Office 365 ProPlus deployment. We also talk about the Office Insider program and why it’s a necessary component to successful deployments. And, we’ll get some real-world feedback from several customers, including Thuy Mesina from Chevron and Jason Meyers from Mars, about their recent experiences with ProPlus deployment and the Office Insider program.

Moving to Windows 10 and Office 365 ProPlus? FastTrack is here to help! (BRK2177) Learn from the FastTrack experts Sean McLaren and Bryan Allen as they share deployment best practices and learnings from experience with customers moving to Windows 10 and Office 365 ProPlus. The clock is ticking on end of support for Windows 7, with the January 14, 2020 deadline quickly approaching. Learn how FastTrack can help you accelerate your upgrade to Windows 10 with Desktop Analytics and leverage your existing investments in System Center Configuration Manager. You’ll also learn how we can help you deploy Office 365 ProPlus, mitigate application compatibility issues with Desktop App Assure, and keep your devices up to date. FastTrack for Microsoft 365 is your advisor to help deploy Windows 10 and Office 365 ProPlus, and leverage the value of Office in the cloud at no additional cost.

We look forward to seeing you at Ignite in Orlando, Florida starting November 4! Come talk with us at the Hubb. Our experts are easiest to find in the following booths: Office 365 ProPlus Deployment, Office Insiders Program, and FastTrack. For those not joining Ignite in person, you can watch livestream keynotes and some select sessions on-demand. As always, visit out Docs page to see what’s new in Office 365 ProPlus, watch our YouTube Deployment channel, and join the Office Insider program.

You may also find the following additional resources useful:

Understanding Office 365 ProPlus Updates for IT Pros (CDN vs SCCM)

Understanding Office 365 ProPlus Updates for IT Pros (CDN vs SCCM)

In supporting customers in the field, we receive many questions about Office 365 ProPlus update process. The objective of this blog is to provide context around end user behavior during update scenario and clarify when and how Office updates are applied. 


Office ProPlus was designed to be a cloud first product…. What does that mean?  It means that by default, Microsoft recommends you update Office 365 ProPlus directly from Microsoft Content Delivery Network (CDN).  While IT Pros are always in control,  Office 365 ProPlus is automatically kept up-to-date via evergreen model.  IT Pros can offload servicing aspect of Office 365 ProPlus to Microsoft so they can focus on other duties removing repetitive tasks.  At present, while we lead with CDN as our recommendation, the vast majority of Enterprise customers I work with prefer to manage updates from System Center Configuration Manager (SCCM) for a variety of reasons. (too many to list here such as network, governing process or political etc.)

Let’s compare and contrast both scenarios below to see which approach is best to address your business requirements.  Regardless, the goal is to ensure Office 365 ProPlus is serviced every month to address security and deliver features based on cadence suitable for our customers.


Quick refresher of Office ProPlus channel cadence –Simplified 


Monthly: Provide users with the newest features of Office as soon as they’re available.  This could be three or four builds per Month. (Updates should be delivered by CDN)

Semi-Annual Channel (Targeted): Provide pilot users and application compatibility testers the opportunity to test the next Semi-Annual Channel.  Featuresfixes delivered every six months, in March and September (Updates can use CDN or SCCM)

Semi-Annual Channel: Provide users with new features of Office only a few times a year. Featuresfixes delivered every six months, in January and July (Updates can use CDN or SCCM)


(Official Link is here Overview of update channels)


note.pngNote about PREVIEW feature using Delivery Optimization for Office 365 ProPlus installupdates


The point of the channels is to define the timing when those cumulative builds include features and fixes in addition to security. If you would like more information about channel management please see my other posting for more information called How to manage Office 365 ProPlus Channels for IT Pros


*This blog will focus primarily on update process.  Deployment of Office 365 ProPlus is out of scope and will assume Office 365 ProPlus is already installed on the machine.


Update from CDN


  • Automatic Updates is by default Enabled (equivalent GPO is “Enabled Automatic Updates”). If disabled, Office 365 ProPlus will never update.


  • Admins don’t have to spend time developing processes to duplicate CDN content on-premises.
  • Admins don’t have to build processes to target software updates to collections. Each machine will pull updates on it’s own.
  • Aligns with “Modern Desktop” motion where machines are increasingly managed by Mobile device management (MDM) rather than on-premises solutions without requirement for any infrastructure.
  • CDN supports a variety of advanced policies to control updates at granular level such as “delay downloading and installing updates for Office”, “prioritize BITS”, “Target Version”, “Update Channel”, “Update Deadline”. IT Pros can control updates effectively without the need for on-premises software.
  • Leverages inbox task scheduler MicrosoftOfficeOffice Automatic Updates 2.0 to perform updates based on trigger mechanism (Weekly, At log on, On idle)

Note: On idle is very interesting trigger condition in that it can check for criteria such as user absence and lack of resource consumption to determine opportunistic time to retry updates (no reboots required when Office applications are closed).


Reference Links for next section: Update history for Office 365 ProPlus (listed by date) and Download sizes for updates to Office 365 ProPlus


User Experience when updating from CDN

Let’s imagine Office 365 ProPlus has June 2019 build installed which is Version 1808 (Build 10730.20348).  “Patch Tuesday” rolls around and on July 9th 2019 July build is released which is Version 1902 (Build 11328.20368).  Based on the trigger assigned the scheduled task “Office Automatic Updates 2.0” will detect a newer build applicable.  Upon initial release to CDN, a new build is temporary throttled until signals are received ensuring highest quality release have been verified.  As a result, IT Pros may observe updates may not occur on Day 0 to all machines but rather over a period of days.  Alternatively, IT Pros can intervene and enable policy “delay downloading and installing updates for Office” and simply define installing update based on number of days.   This mirrors servicing plans feature in SCCM for delivering Windows Feature Updates and makes it easy to build rings.


Since the build installed is most recent version we can leverage a feature called binary delta compression to help reduce the size of the files further.  Therefore, keeping Office ProPlus up-to-date is friendlier on network.  Office will download deltas and will stage in C:Program FilesMicrosoft OfficeUpdatesDownload.  After download Office Automatic Updates 2.0 will attempt to update Office 365 ProPlus.  If no Office applications are open, it will update.  If Office applications were open at the time of update request a series of notifications will occur of period of days. (Officially documented here)


Specifically, If, after four days, the updates still aren’t applied, a message appears in the notification area in Windows, telling the user that updates are available.


If, after six days, the updates still aren’t applied, a message appears in any newly opened Office document, reminding the user that updates are available.  We refer to this as the “BusBar” which allows user to drive change when convenient. 


Clicking “Update now” when Office applications are open will result in sample dialogue below.  Clicking continue will save work, update and reopen applications.


The Office backstage also offers a “Update now” selection driven by the user which will check for updates and download build resulting in same prompt above.



IT Pros can also configure policy “Update Deadline” to set a deadline by when updates for Office must be applied.  Users are given notifications leading up to the deadline. For example, within seventy-two hours of the deadline, users see a message, in any newly opened Office document, that updates are blocked.


Additional reminders will appear leading up to deadline notifying user update is mandatory.  This message appears every two hours. It’ll also be shown 60 minutes, 30 minutes, 15 minutes, and 5 minutes before the deadline.


If the deadline arrives and the updates still aren’t applied, users see a dialog box that warns them that they have 15 minutes before the updates are applied.



User Experience when updating from SCCM



  • SCCM Current Branch with Windows Server Update Services (WSUS) 4.0, you can’t use WSUS by itself to deploy these updates. You need to use WSUS in conjunction with Configuration Manager
  • The hierarchy’s top level WSUS server and the top level Configuration Manager site server must have access to the following URLs: *, *, *, *, *,,
  • Office 365 Client product must be selected from products tab under Software Update Point Component Properties and synchronize software updates after change. Once complete, you should see Office 365 Client Updates populate the Office 365 Updates node under Office 365 Client Management within Software Library tab in SCCM Console.
  • Office 365 Client Management must be enabled on the client. This can be configured in multiple ways such as adding OfficeMgmtCOM=”TRUE” in configuration.xml during installation, enable domain policy “Office 365 Client Management” and finally by toggling “Enable management of the Office 365 Client Agent” to Yes from within SCCM Client settings under Software Updates.  You can verify by launching dcomcnfg.exe on the client computer and confirming OfficeC2RCom application is registered.  Only one is required, where policy overrides and take priority over all other methods.  The purpose of the COM application is to allow Office 365 ProPlus to interop with SCCM to pull updates from distribution points rather than CDN

OfficeC2R.pngExample of running dcomcnfg.exe

note.pngNote about PREVIEW feature using Delivery Optimization for Office 365 ProPlus installupdates

Overwhelming majority of enterprise customers use SCCM to deliver Office 365 Client updates for compliance and distribute content from Distribution Points.  Microsoft is always working hard to provide customers additional options including the new feature Delivery Optimization and Office 365 ProPlus which is now in (Preview).  Please read article for full details but one-liner is customers will be able to install AND update Office 365 ProPlus sourcing content from peers without infrastructure requirements which we’re super excited about. (no more “thick packages” or distributing loads of content to support a simple language pack).  If you enabled OfficeMgmtCom for SCCM integration, this action must be reversed in order to use Delivery Optimization (DO). The Microsoft Office Click-to-Run Service is responsible for registering and unregistering OfficeC2RCom (OfficeMgmtCOM) application during service startup.  Changing domain policy or SCCM client settings for Office 365 Client Management from ‘Enabled’ to ‘Not configured’ is not enough.  Domain Policy or SCCM Client settings require explicit ‘Disable’ selection for OfficeC2RCom to be successfully deregistered and restore default configuration. Further, any custom update path configuration must also be removed.



  • Office 365 ProPlus updates can easily be included in the same software deployment as monthly Windows patch process. As a result, all existing business processes and change control can be aligned in the same manner as legacy MSI Office products.
  • Clients will only pull down what’s needed to update themselves from Distribution Point.
  • SCCM Administrators can download cumulative build one time from the internet and than deploy to all distribution points so clients pull updates from intranet sources.
  • Administrators can make deployment Available (optional where user is notified update)
  • Administrators can make deployment Available for a period of time prior to Installation Deadline. In this scenario, Office 365 Client using OfficeMgmtCOM will pull deltas from distribution point prior to Installation Deadline and give user a chance to “Update now” via BizBar discussed above at a time which is convenient for them.  This is especially important in a ever mobile world where machines are mobile and not powered on all the time.  Further, IT Pros can get some early production validation as some subset of their population will update prior to Installation Deadline giving them advanced notification of any problems prior to broad deployment.
  • Administrators can make deployment Available time and Installation Deadline the same time. SCCM will ensure update is downloaded and installed at Deadline. (additional details on user experience below)
  • Administrators can enable SCCM features such as Peer Cache so clients can share content among themselves further reducing network WAN traffic. (Peer cache for Configuration Manager clients)


User Experience when updating from SCCM

note.pngFrequency of toast notifications from SCCM are configurable within “Client Settings” under “Computer Agent”. This configuration is applicable to all software deployments not just Office 365 Client

Notifications.pngCan be found within SCCM console under client settings


SCCM Deployment Scenarios


Scenario 1 – Available only

If the deployment is Available only, the user will only see a toast notification in the system tray for a few seconds, Office update will never be deployed automatically.  The problem is this notification isn’t context sensitive so it simply takes end user to Software Center and it also doesn’t ensure security compliance.  Therefore, approach isn’t used often in my experience.


Scenario 2 – Available with future Installation Deadline

This scenario is a good fit for customers who desire faster compliance, no reboots for Office 365 ProPlus updates and are comfortable with additional Office 365 ProPlus end user toast notifications, also in app notifications as well as Office 365 ProPlus countdown dialog leading up to deadline.  If the SCCM deployment is Available with future Installation Deadline, Office 365 ProPlus working with OfficeC2RCom application will download the necessary Office build pieces (not the entire build) and stage for installation pulling content from Distribution Point.  When COM is enabled and new build is staged, restart of Windows will not result in installation of update.  Immediately after the newer build is staged, any Office 365 ProPlus application which is reopened will immediately see the “BusBar” with end user option to drive change through “Update now” button.  This is a subtle difference compared to CDN scenario where banner shows only after a number of days.  Clicking the button results in same workflow as defined in CDN section.  When content is prestaged, there are a number of potential notifications, please review bullet items in blue from page Manage Office 365 ProPlus with Configuration Manager to review all details as there are many.

For example:


bizbar.pngBusiness Bar

Once build is staged, a toast notification might not display until the user clicks the icon in the notification area which is easy to miss. 

SystrayReminder.png“Basic notification” which sometimes be hidden under task bar chevron  SystrayReminder2.png


7.5 hours prior to deadline, Office will show ‘Enforced Toast’ which will present above “Office Updates Available” toast to foreground.  If user doesn’t click “Update now”, end user will potentially receive three additional notifications with countdown.  If no decision is made to postpone, Office applications will be forced closed and updates prior to deadline defined in SCCM.

minu.pngMinute countdown sec.pngSecond countdowninstalled.pngUpdates Installed

If user postponed update by clicking ‘Postpone’ and deadline is eventually reached, standard SCCM restart window will be displayed with countdown.  Additionally, Office may also raise additional notification with 30 minute countdown.  Important to note, countdown from SCCM and Office countdown are not synchronized in any way, they work on separate timers.


SCCMRestartWindow.png  prestage and deadline has passed.png

Scenario 3 – Available and Required Installation Deadline have same date

This scenario is best for IT Pros who want to minimize notifications to end user unless deadline has been reached.(Office content is not prestaged)  If the software deployment Available time and Installation Deadline have the same date, SCCM Client will determine that deadline has been missed and therefore make the deployment immediate.  Typical notification workflow will be presented to user.  


In this case since deadline has passed, download will begin automatically.


Once content has been downloaded, SCCM will immediately initiate Office update with following logic:  

  • If all Office applications are closed, update will occur with no reboot. 
  • If any Office application are open standard SCCM reboot workflow occurs.


The end user will begin to see SCCM “Restart Window” below which shows countdown until restart is forced.  The countdown frequency of notification are controlled solely by SCCM Client and can be configured within Client Settings node within SCCM Console.



Is there a simple way to hide all notifications in Office such as the “Biz Bar” with button “Update Now?”

Yes. Use “Hide Update Notifications” GPO or registry


Warning.pngThis registry setting doesn’t apply to deadline notifications such as the large white splash screen with countdown.



Is there an Microsoft official page which talks about this topic?

Yes. Manage Office 365 ProPlus with Configuration Manager


If the download is supposed to only contain deltas and stage to C:Program FilesMicrosoft OfficeUpdatesDownload, why in my environment is it staged in C:Windowsccmcache and full build? (~2GB)

This means SCCM “Peer Cache” feature is enabled and content is available to be shared with other peers.  Windows is leveraging a NTFS feature called “Sparse Files”.  Looking closely at size on disk details, you can compare the differences between the full data and the one on the right using peer cache. (Peer cache really only downloaded 80 MB.)


I’ve done everything I can think of and OfficeC2RCom application never shows within MMC console.  In fact, when I browse COM applications from within dcomconfg.exe, My Computer has a red down arrow?

This means COM, part of .NET may be corrupted on machine.  Office cannot register application as COM itself is broken.  Typically this is edge case and requires rebuild of Windows 🙁


You mentioned On idle update feature in CDN section but was omitted for SCCM, why?

“By design”, feature is enabled only for CDN scenario.


Users who launch Office immediately after logon receive message “Updating Office, please wait a moment”.  Why?


This means Office update was attempted while applications were open which cannot succeed.  Therefore, build was staged to retry update by Microsoft Office Click-to-Run Service on Windows startup.  In this edge case, the user was able to access desktop and launch a Office application while Office update process is in progress.  If easily reproducible, this is often a reflection of slow boot process and Windows startup performance.  Best to troubleshoot by removing 3rd party filter drivers and or startup items.


I’ve tried everything and Software Center never shows Office 365 Client build applicable to my machine?

Review how Office 365 ProPlus determines priority:


1st Priority : GPO "UpdatePath" - HKLMsoftwarepoliciesmicrosoftoffice16.0commonofficeupdate!updatepath
2nd Priority : GPO "UpdateChannel" - HKLMsoftwarepoliciesmicrosoftoffice16.0commonofficeupdate!updatebranch
3rd Priority : "UpdateURL" or UpdatePath="ServerShare" under HKLMSOFTWAREMicrosoftOfficeClickToRunConfiguration
4th Priority : "CDNBaseURL" - HKLMSOFTWAREMicrosoftOfficeClickToRunConfigurationCDNBaseUrl

Reflecting on priority list above, have you intentionally or unintentionally set a GPO “UpdatePath” – HKLMsoftwarepoliciesmicrosoftoffice16.0commonofficeupdate!updatepath or included an element inside configuration.xml during initial installation for UpdatePath HKLMSOFTWAREMicrosoftOfficeClickToRunConfigurationUpdatePath=”ServerShare”? This in effect breaks native updates via SCCM as they take precedence.  To resolve, remove these values and reset HKLMSOFTWAREMicrosoftOfficeClickToRunConfiguration UpdateChannelChanged to False, run Automatic Updates 2.0 scheduled task manually (or be patient and allow it to run) and then perform Software Updates Deployment Evaluation Cycle from SCCM Control Panel Applet.


You didn’t mention updating from on-premises file share, why?

Updating Office 365 ProPlus from File Shares has been deemphasized as a strategy.  Initially Office 365 ProPlus didn’t support update workflows such as SCCM or Delivery Optimization and therefore customers used this approach.  However, this is resolved with SCCM Current Branch and modern versions of Windows 10 this is no longer necessary. (still supported just less adopted)


The Author

This blog post is brought to you by Dave Guenthner, a Senior Premier Field Engineer and “ProPlus Ranger” at Microsoft. Feel free to share your questions and feedback in the comments below.

Office 365 ProPlus Deployment and Proxy Server Guidance

Office 365 ProPlus Deployment and Proxy Server Guidance

By far, the most important prerequisite for successful Office 365 ProPlus deployment is network configuration. 


Unlike older versions of Office, Office 365 ProPlus was designed from the ground up to work with cloud services such as Microsoft Content Delivery Network (CDN).  Microsoft recommends IT Pros “Bypass or white list endpoints on network devices and services that perform traffic interception, SSL decryption, deep packet inspection and content filtering” when accessing Microsoft Office 365 service endpoints.  


We often find customers apply “legacy” network configurations for on-premises only products to Office 365 ProPlus which can lead to slower product adoption, poor product performance, and higher cost of ownership.  The network requirements are documented in Office 365 URLs and IP address ranges document.


The goal of this blog is to clarify how IT Pros can optimize Office 365 ProPlus deployments with a proxy server in order to leverage a new concept called Hybrid or “Lean Installs”.


In terms of Office 365 ProPlus general deployment, we have several broad approaches. We’re going to focus on the 3rd option, “SCCM with Office CDN fallback” or “Lean Install”.


  • On-premises only – download and mirror all content from CDN on-premises. Enterprise customers have a variety of install packages (Base Office, Visio, Project, Visio + Project, second installs for languages).  All Office 365 ProPlus builds are cumulative and are updated monthly which can make this cumbersome and difficult to maintain as each permutation requires refreshed content.
  • Cloud only – installations from the Office portal and update workflow occur using CDN. End users in the enterprise are normally not Administrators so self-service installations from are blocked.  Further, installation from CDN doesn’t currently support custom configuration files to exclude applications and so forth.
  • SCCM with Office CDN fallback or “Lean Install” – IT Pros use SCCM (which has elevated permissions and allows custom configuration.xml files) to deploy Office 365 ProPlus but can either omit all or portions of the installation source and use CDN content.

note.pngSCCM is not a requirement to adopt “Lean Install” approach. If you are using 3rd party deployment tool, identify user context of process using process monitor and adopt proxy strategy below.

Lean install examples:

1st Install

SCCM package contains all Office 365 ProPlus content and only subset of languages. You support 12 languages but only include two primary languages in the application source to minimize content and include AllowCdnFallback as Enabled within configuration.xml.  During the Office 365 ProPlus installation process, the Office Deployment Tool (ODT) looks first for source files in local working directory. If the language pack files required aren’t available in local source location and the AllowCdnFallback setting within configuration.xml is set to True, then the ODT will leverage the Office CDN for the missing ones.


2nd Install

Office may need to be reconfigured to make changes to Office deployments without changing the version, like adding a language or Project/Visio. In this case, we only want the required bits to perform the change and nothing else.


All example scenarios above depend on the CDN to fetch content when embracing these new “Lean Install” approaches.  The primary reason we want to lean on the CDN is because it allows Office 365 ProPlus to only download the bits it requires for the change request resulting in the smallest network payload possible. 


Exploring 2nd Install Scenario in detail in terms of content size:

IT Pro wants to perform a 2nd install to add Project to an existing Office 365 ProPlus installation on one machine. 


If we use SCCM on-premises only strategy:

SCCM will download full Office content from CDN ~2GB.  SCCM will then copy this content to all distribution points to support scenario.  Let’s assume an enterprise customer has 50 distribution points, 2 GB * 50 = 100 GB per month every month (build needs to be up to date as to not downgrade client introducing security concerns).  Office 365 ProPlus builds are cumulative, irrespective of channel, so this content changes each month.


If we use SCCM with Office CDN fallback:

SCCM calls ODT Setup.exe /configure to add Project, only ~41 MB will be downloaded from CDN. 

note.pngMake sure to use MatchInstalled parameter in your XML

We expect most customers will download and cache all Office 365 ProPlus content one time to existing machines to perform an upgrade to Office 365 ProPlus but once installed we recommend to leverage the lean technique going forward.

note.pngHaving “lean” applications in SCCM also means they rarely need to be updated. An occasional refresh of the Office Deployment Tool (ODT) is good idea. (Less than 10 MB)

Tip: There are several ODT features which can benefit from approach (FallbacktoCDN, MatchPreviousMSI, MatchInstalled, MatchOS)


Proxy Challenge

To be clear, even if the lean installation is triggered by an admin user, it still requires the computer (System account) to be able to access the internet in order to support all installation scenarios.  Most of the customers we visit in the field prohibit computers from accessing the internet directly.  Typically, only Users can access the internet through a proxy server or via PAC file.  These User settings are defined as WinINET proxy setting you’ll find in Internet Explorer. 

WinINET.pngStandard proxy configuration in Internet Explorer

So, what about the local SYSTEM account needed by SCCM?  If customers follow guidance to allow users and computers direct access to Office 365 endpoints, everything “just works”.  However, often we find customers only configure network proxy for Users and therefore the “lean install” scenarios fail. (Installation will hang as Office Deployment Tool running as SYSTEM process will fail when attempting to access Office CDN)


OK, what can we do to solve problem?  Configure additional proxy settings using Microsoft Windows HTTP Services (WinHTTP) and Background Intelligent Transfer Service (BITS) for System Account.   


Recommended actions

  1. Configure WinINET Proxy for SYSTEM
  2. Sync configuration from WinINET to WinHTTP

*In this way, we ensure one proxy configuration is set for WinINET and WinHTTP regardless of application caller and network API used.

note.pngIn my lab I use PSEXEC.EXE to accelerate testing.

From elevated command prompt, run PSEXEC.EXE -s -i cmd.exe.  This will launch cmd.exe process in the SYSTEM context to simulate SCCM package etc.  Type whoami from command line to verify.

nt authoritysystem

Sample commands to set WinINET and import into WinHTTP:

C:WindowsSystem32>bitsadmin /util /setieproxy localsystem MANUAL_PROXY ";*"
C:WindowsSystem32>netsh.exe winhttp import proxy source=ie

Sample commands to reset:

C:windowssystem32>bitsadmin /util /setieproxy localsystem RESET
C:windowssystem32>netsh winhttp reset proxy

The proxy servernetwork team should only allow computer access to internet URLs as defined by Office 365 URLs and IP address ranges document as well as any other URLs that they want to explicitly allow the Computer account to access.


In summary, configuring a SYSTEM proxy enables adopting a “lean” Office 365 ProPlus deployment strategy which can greatly reduce complexity and cost of ownership to operate Office 365 ProPlus. 


Additional Reference Documentation on proxy configuration for Windows

Use Group Policy to apply WinHTTP proxy settings to Windows clients

bitsadmin util and setieproxy

Office 365 system requirements changes for Office client connectivity

Editor’s note:

Changes have been made to the Office 365 system requirements. Go here to see the September 6, 2018 update and announcement:


Today on the Office blog, we announced changes to Office 365 system requirements for Office client connectivity and how we will make it easier for enterprises to deploy and manage Office 365 ProPlus. In this post, we are sharing some more detail on what the system requirement changes mean for IT between now and 2020 and why we’ve decided to make this change.


As technology evolves, system requirements need to change

The new system requirements provide clarity and predictability for client connectivity to Office 365 services. When customers connect to Office 365 with a legacy version of Office, they’re not enjoying all that the service has to offer – The IT security and reliability benefits and end user experiences in the apps is limited to the features shipped at a point in time.


When we release new on-premises apps and servers, we use that opportunity to update the system requirements. But there is not yet a common convention on when to update system requirements for a multitenanted cloud service that is always up to date. In absence of that, we are sharing these system requirement changes as early as possible and as part of a larger discussion of the Office 365 ProPlus roadmap for deployment and management capabilities.


As we get closer to 2020, we will share more details about implementation and the user experience for affected desktop clients. The updated Office 365 system requirements for Business Enterprise and Government plans state:


Effective October 13th, 2020, Office 365 will only support client connectivity from subscription clients (Office 365 ProPlus) or Office perpetual clients within mainstream support (Office 2016 and Office 2019). (Please refer to the Microsoft support lifecycle site for Office mainstream support dates.)


Here is a high level summary of  the implications for client connectivity in 2020, depending on how you use Office 365:


 Connectivity to Office 365

Impact of change

Technical implications

Recommended actions

Office 365 ProPlus or Office clients in mainstream support (Office 2016 and Office 2019)

No change

Plan for regular updates to stay within support window

No action required

Office clients outside mainstream support

Client connectivity no longer supported

Office desktop client applications, such as Outlook, OneDrive for Business and Skype for Business clients will not connect to Office 365 services

Upgrade to current version of ProPlus or mainstream Office clients or use browser or mobile apps

browser and mobile apps

No change

No change

No action required

Office desktop clients outside mainstream support not using Office 365

No change

Set your own desktop upgrade timeline, in line with your on-premises server upgrades. When planning to move to Office 365 services, an Office client upgrade will be required

No action required



2020 may sound like a long way away, but your feedback to us has been consistent on the more advanced notice for Office 365 changes, the better. Providing over 3 years advance notice for this change to Office 365 system requirements for client connectivity gives you time to review your long-term desktop strategy, budget and plan for any change to your environment.


For now, the key takeaway is: Office 365 ProPlus is our recommended Office client for Office 365 users. This is the Office client that stays up to date with frequent feature releases and ensures the best service experience.


Here are some resources to help you plan for a ProPlus upgrade:


Thank you!


New feature: Make changes to Office deployments without changing the version

New feature: Make changes to Office deployments without changing the version

With the most recent release of the Office Deployment Tool (ODT) we have implemented a new feature based on customer’s feedback. Starting with version 16.0.11615.33602 it is possible to make changes to an existing installation of Office 365 ProPlus while keeping the installed version as is, even when a newer one is available on the Office CDN or in your network share/local folder.



Let’s assume that you want to add e.g. a Language Pack to an installation of Office 365 ProPlus on a certain device in an automated fashion. We also assume, that the device is not on the most recent build of their update channel, e.g. the device is still on SAC 1803. Maybe there is still some testing to be done before SAC 1808 can be deployed across the organization.

The updated “version” handling allows you to add e.g. Language Packs, Proofing Tools, additional products (like Visio or Project) or apps without updating the installed build, even when a newer build is available in the source location (Office CDN or the specified source path).

In the past the ODT automatically updated the installation to the latest build while installing the specified product, Language Pack or Proofing Tool.





How to use

The usage of the new feature is straight forward. Instead of specifying a build number (like 16.0.9126.2356), you just specify “MatchInstalled”. This instructs the ODT to keep whatever build version is already installed.



In the past we saw different workaround in order to pin the version. These ranged from manually updating the configuation.xml with the correct build number every time to custom scripts which injected the build number into the configuration.xml on the fly. The new feature allows you to retire such workarounds and use a consistent method across update channels and versions.


Sample XMLs

The following XML is an implementation example of the “dynamic, lean and universal packaging” concept, which greatly reduces effort and maintenance costs of install packages. The configuration file will install Project, match the languages to already installed Office products and keep everything else (architecture (x86/x64), update channel and version) as is:


	<Add Version="MatchInstalled">
		<Product ID="ProjectProRetail">
<Language ID="MatchInstalled" TargetProduct="All" /> </Product> </Add> </Configuration>


The following XML will add the German Language Pack and keep the architecture (x86/x64), update channel and version as is:


	<Add Version="MatchInstalled">
		<Product ID="LanguagePack">
			<Language ID="de-de"/>



In order to use the new feature, the following prerequisites apply:

  • Use Office Deployment Tool 16.0.11615.33602 or newer
  • The feature is intended to be used when an existing installation is modified or something added to it. If no installation is present, “MatchInstalled” for “Version” will be ignored and the ODT will go through normal detection to install proper version. No hard error in such case.
  • If you are not using the Office CDN as an installation source, make sure to have the matching source files in your specified source path. We recommend to leverage the Office CDN.


The Authors

This blog post is brought to you by   and , two ProPlus Rangers at Microsoft. We’re looking forward to your questions and feedback in the comments below.

Microsoft wants your ideas on end user adoption & engagement with Microsoft 365 & Office 365

Microsoft wants your ideas on end user adoption & engagement with Microsoft 365 & Office 365

new image resaved.jpg


Edit: Survey results as of August 6, 2019: Thank you to all who participated in the survey! Here are the top 5 takeaways from your responses:

  • Who: Admins and adoption/change management teams start with support from decision-makers and leverage power-users.
  • Challenges: Lack of time, executive support/budget, metrics, training resources, and the complexity of newer apps.
  • Needs: Adoption statistics and product roadmaps to help plan, plus training in the form of business scenarios and short, guided tutorials and videos.
  • MS Comms: It’s ok for Microsoft to communicate to end users only if admins/adoption teams can control/customize frequency and content.
  • Portal: Admins/adoption teams want all content centrally stored and navigable for easy referral and use.


Survey request as of June 12, 2019: Microsoft is looking for IT professionals like you to provide feedback on end user adoption and engagement for Microsoft 365 / Office 365 through a brief survey. Topics include key challenges in your role, end-user adoption and engagement practices, and preferred communications from Microsoft. Your feedback will help drive the types of content Microsoft develops for you and your end-users.


To qualify for this survey, you must meet the following criteria:


  • Your role involves end-user training / change management / adoption of Microsoft 365 & Office 365 applications
  • You are not in government or education sectors
  • Your organization has at least 150 employees / seats on Microsoft 365 & Office 365 subscription
Dynamically convert MSI versions of Project and Visio to Click-to-Run

Dynamically convert MSI versions of Project and Visio to Click-to-Run

With the latest release of the Office Deployment Tool (ODT) we have implemented a new feature based on customer feedback. It is now possible to make the installation of a C2R product dependent on the previous presence of an MSI-based product. As it works for all products, it is especially helpful when deploying Project and/or Visio to users which had it previously. The feature is known as MSI Condition.


In order to use the new feature, the following prerequisites apply:
• Office Deployment Tool 16.0.11901.20022 or newer
• The feature is intended to be used when an Admin wants to migrate the user from Office/Project/Visio in one pass with one XML.
• If you are not using the Office CDN as an installation source, make sure to have the matching source files in your specified source path.
• MSI Condition will detect 2010/2013/2016 MSI products.


Since the release of RemoveMSI we’ve had the capability for your “first install” to match the MSI version of Office and replace with Office 365 ProPlus. MSI Condition allows an admin to specify a list of MSI Product ID’s along with a Product ID for a Click-to-Run install such as Subscription, Standard Perpetual and Professional Perpetual.


How to use
To use this feature simply add the MSICondition attribute to the Product node as shown in the example below. Once you have created the XML run setup.exe /configure like you would with any other installation process and that’s it


In the past customers created very complex scripting to detect and replace Office products, in some cases running the install up to three times based on the number of previous products detected. We have even seen customers simply ignore Project and Visio and remove everything, then wait for helpdesk to get a call and replace it with the version the end user requested. MSI Condition makes your migration from MSI to C2R flow smoothly with one XML for your deployment which dynamically adjusts to the task at hand.



Please note that the above picture shows a simplified XML(in the image) to just show the concept behind it. For a fully working XML, please refer to the next section.


Sample XML
The following XML will
• install Office 365 ProPlus from Monthly channel, and match the previously installed languages
• install Visio Pro on machines that already have any older MSI version of Visio Pro
• install Project Pro on machines that already have any older MSI version of Project Pro
• remove all older MSI versions of Office, Project and Visio




<Add Channel=”Monthly” OfficeClientEdition=”64″>

<Product ID=”O365ProPlusRetail”>
<Language ID=”en-us”/>
<Language ID=”MatchPreviousMSI”/>
<ExcludeApp ID=”Groove”/>
<ExcludeApp ID=”OneNote”/>

<Product ID=”VisioProRetail” MSICondition=”VisPro,VisProR”>
<Language ID=”en-us”/>
<Language ID=”MatchPreviousMSI”/>
<ExcludeApp ID=”Groove”/>

<Product ID=”ProjectProRetail” MSICondition=”PrjPro,PrjProR”>
<Language ID=”en-us”/>
<Language ID=”MatchPreviousMSI”/>
<ExcludeApp ID=”Groove”/>





Is this limited to Visio and Project?
No, it is not. The feature will accept any valid product ID for Click-To-Run and any MSI code as a condition. So, you can mix and match to your specific needs you could also build a deployment which installs e.g. Access Runtime for existing users of it:




<Product ID=”O365ProPlusRetail”>
<Language ID=”en-us”/>
<Language ID=”MatchPreviousMSI”/>
<ExcludeApp ID=”Access”/><
<Product ID=”AccessRuntimeRetail” MSICondition=”AccessRT”>
<Language ID=”en-us”/>
<Language ID=”MatchPreviousMSI”/>





The Authors
This blog post is brought to you by @Matt Philipenko (OFFICE PFE)  and @Martin Nothnagel , two senior ProPlus deployment experts at Microsoft from the Services organization. We’re looking forward to your questions, feedback and comments below.

Office 365 Home and Personal Licensing and Activation Improvements

Since launching Office 365 to consumers, we have heard feedback from customers about the challenges in installing and using their office subscription across multiple devices. The first step in addressing this issue happened in October 2018, increasing a single user’s device limits to five (meaning they can concurrently use five devices) for Office 365 Home and Office 365 Personal. Our next step in simplifying use across multiple devices will streamline the activation of a user’s device.


Beginning in May, we rolled out the following changes to customers on PCs, followed by Mac devices in July.


For customers, here’s what stays the same:


  • Sign in to activate Office: Users will continue to sign in to activate Office on their devices. When single sign-on is enabled, Office detects the user’s credentials and activates Office automatically.
  • Sign-in limits: Users will be able to install Office 365 on all their devices and be signed in to five at the same time. This includes any combination of PCs, Macs, tablets, or phones.


It’s important to stay signed in while you use Office on your device. This is what keeps your Office installation activated and ready to use.  


Here are the changes that you may notice:


  • No more prompts to deactivate: Users can install Office on a new device without being prompted to deactivate Office on another device.
  • Automatic sign-out: When a user reaches the sign-in limit (five devices), instead of being prompted to deactivate, the user will be automatically signed out of Office on the device where Office has been least recently used. The next time the user starts Office on that device, the user will be prompted to sign in to activate Office.


For more information on how sign-in works on devices where Office 365 is licensed, please visit this support article:


Office 365 Client Licensing and Activation Improvements

Edit: July 30, Availability dates updated to reflect schedule.


Over the years, we’ve heard feedback from customers and IT Admins about the difficulty in managing Office activation for subscription-based Office clients, such as Office 365 ProPlus. We’re excited to announce upcoming changes to Office that will help simplify activation management and streamline the Office activation experience for users.


In August, we’ll start slowly rolling out these changes to commercial customers on Monthly Channel. The roll-out will continue to Semi-Annual Channel (Targeted) in January 2020.


For your users, here’s what stays the same:


  • Sign in to activate Office: Users will continue to sign in to activate Office on their devices. When single sign-on is enabled, Office detects the user’s credentials and activates Office automatically.
  • Sign-in limits: Users can sign in to activate Office on five desktops, five tablets, and five mobile devices.


Here are the changes that your users may notice:


  • No more prompts to deactivate: Users can install Office on a new device without being prompted to deactivate Office on another device.
  • Automatic sign out: When a user reaches the sign-in limit, instead of being prompted to deactivate, the user will be automatically signed out of Office on the device where Office has been least recently used. The next time the user starts Office on that device, the user will be prompted to sign in to activate Office.


Here are the changes that you as an admin may notice when managing devices where Office is installed:

  • Improved device reallocation: Previously, users who received reallocated devices could receive an error if the previous user deactivated the device from the portal or if you removed the Office 365 license from the previous user. Going forward, users will not receive the error because the activation and deactivation is user specific.
  • Improved activation reporting: Previously, when one user activated Office on a device and a second user later signed on to that device, the second activation was not displayed in the Admin Center’s Activation Reports. Going forward, both activations will be identified and displayed in the Activation Report.


Keep an eye out for these improvements as we start to slowly roll them out for our commercial customers. No additional action is required on your part.