Due to the dynamic situation with COVID-19 many IT pros are being challenged to assess ways to configure Office 365 Client to update directly from Microsoft CDN. Today, the majority of customers I engage with manage updates using Configuration Manager (ConfigMgr), predominately on-premises. The objective of this posting is how to minimize internet egress through customer VPN network for Office updates.

 

Network considerations

There are an infinite number of ways customers configure network access, no two customers are identical in configuration.  Speaking generally, the VPN client needs to support split tunneling or be configured so network traffic destined for Office 365 are directed to internet and are not required to pass through VPN Server.  Microsoft provides a list of all Office 365 URLs and IP address ranges in the following document.  Some customers have VPN clients dynamically aware of Office 365 Services using Microsoft Graph API, some support URLs and others only support IP exclusions.  You’ll notice item(s) 90 and 92 which provide specific URLs used by the Office 365 Client to perform updates.

90

Default
Required

mrodevicemgr.officeapps.live.com (Description: Device Management Service (DMS) is used to advertise the C2R builds to the machines which are non-admin managed based on the meta data passed by the machine.)

TCP: 443

92

Default
Required

officecdn.microsoft.com, officecdn.microsoft.com.edgesuite.net (Description: Office CDN where content is downloaded)

TCP: 443, 80

Tip: Please review blog posting How to quickly optimize Office 365 traffic for remote staff & reduce the load on your infrastructure

Tip: Please review blog posting Managing remote machines with cloud management gateway in Microsoft Endpoint Configuration Manager

 

Background on how Office 365 Client works by default

Office 365 ProPlus is designed by default to update from CDN.  A scheduled task called “Office Automatic Updates 2.0” uses a trigger to routinely check for updates as advertised by DMS service.  The Office client will always move to the latest versionbuild available by assigned channel documented hereDocumentation around what to expect from a user experience when updates are delivered from CDN can be found here.  If ConfigMgr Office 365 Client Management integration is enabled by Configuration.xml during initial installation, ConfigMgr Client settings, or Domain Policy, the scheduled task will continue to execute but will only perform software updates from ConfigMgr. 

 

Options available to update from CDN

Option 1: Cloud managed

Steps:

  • Disable OfficeMgmtCOM (required if previously ConfigMgr managed)
    • On the next restart of Microsoft Office Click-to-Run Service, Office COM application will de-registered.  Allows Office Client to do its thing and get updates from the CDN.  
    • This can be done by changing client settings in ConfigMgr or by Group Policy.
  • Set UpdatesEnabled GPO to True (optional)
    • Allows the client to resume normal update checks from the CDN
  • UpdateDeadline GPO as an integer (optional) in days (ex. 12) to ensure the client is updated to ensure compliance.  Using an integer value allows the admin to not have to continually change the date to a future date/time for every update.

Option 2: SCCM managed but offload content distribution

Use normal deploy software updates wizard within ConfigMgr console selecting deploy option. When completing deployment package screen, it is important to select option “No deployment package”. In this way, clients will download content directly from CDN but keep existing controls and user experience during software update workflow.

Steps:

Deploy1.png

NoDeployPackage.png

FAQ:

How can I verify ConfigMgr integration is disabled?

Start -> Run ->dcomcnfg.exe and look for presence of OfficeC2Rcom application.

COMEnabled.png

COMDisabled.png

Where in the Office logs can I confirm Office updates are coming from CDN?

Use http://aka.ms/office365logcollector to collect Office logs or search for files in C:windowstemp which have your NetBIOS name like MININT-314VFT4-20200318-0857.log.  (There will be a bunch of them).  Use your favorite text editor to search for strings like ‘officecdn.microsoft.com’ or the build number you deployed.

 

Starting with version 1902, ‘Prefer cloud based sources over on-premise sources’ allows IT Pro to prioritize Cloud content.  Does this feature extendsupport Office 365 Client updates?

No, this appear to be a bug which is under investigation.  Workaround is to ensure Distribution Points used by VPN clients do not host Office 365 Client updates resulting in error 404.  If the software deployment has selection ‘If software updates are not available on distribution point in current, neighbor or site boundary groups, download content from Microsoft Updates’, this should allow new location of CDN fallback to be used.  I will update this item with updates when available.

 

The Authors

This blog post is brought to you by Dave Guenthner and Martin Nothnagel, two ProPlus Rangers at Microsoft.  We’re looking forward to your questions and feedback in the comments below.