Troubleshooting Office Cloud Policy Service (OCPS)


The Office cloud policy service (OCPS) is a cloud-based service that enables you to apply policy settings for Office 365 ProPlus on a user’s device.  The policy settings roam to whichever device the user signs into and uses Office 365 ProPlus.  As end users become increasingly mobile, IT Pros need a single approach to secure Office 365 ProPlus for traditional on-premises domain devices, Azure AD registered devices, Azure AD Joined, and Hybrid Azure AD joined devices.  OCPS applies to all scenarios above without the need to download and replicate any content such as Administrative Template files (ADMX/ADML) on-premises.  The goal of this blog is to provide some transparency of how the service works to help IT Pros during their validation phase and to encourage transition from classic domain-based policy to OCPS service for Office 365 ProPlus.

 

Requirements of OCPS

1. At least Version 1808 (August 2018) of Office 365 ProPlus
2. User accounts created in or synchronized to Azure Active Directory (AAD). The user must be signed into Office 365 ProPlus with an AAD based account.
3. Security groups created in or synchronized to Azure Active Directory (AAD), with the appropriate users added to those groups.
4. To create a policy configuration, you must be assigned one of the following roles in Azure Active Directory (AAD): Global Administrator, Security Administrator, or Office Apps Admin.
5. Connectivity to the addresses below. Microsoft recommends a proxy bypass/whitelist for these URLs:
*.manage.microsoft.com, *.officeconfig.msocdn.com, config.office.com over 443

 

Steps to perform proof of concept and validation
1. Create a test user, ours will be “Kasper Graf”, kgraf@contoso.com.
2. Create security group “OCPS Service Validation” and add user to group within Active Directory Users and Computers.
3. Allow AAD Connect to synchronize user and group to Azure AD. (lunch break 🙂 or force synchronization via commands below)

(optional) From AAD Connect Server and elevated PowerShell, run the following commands:
PS C:\WINDOWS\system32> Import-Module ADSync
PS C:\WINDOWS\system32> Set-ADSyncScheduler -NextSyncCyclePolicyType Delta
PS C:\WINDOWS\system32> Start-ADSyncSyncCycle

Browse Azure AD portal and explore Users – All Users, select Kasper Graf and then Groups. Verify that group “OCPS Service Validation” has been assigned and source says, “Windows Server AD”. This confirms user and group were synced into Azure AD successfully and we can proceed to next steps.
4.  Create your first OCPS policy and select “Create” button:


5. Complete input fields, when selecting assigned security group input “OCPS” and service should filter results to “OCPS Service Validation” group.  Next, define a policy.  For the demo, I chose policy “VBA Macro Notification Settings”, “Enabled” where VBA Macro Notification Settings are set to “Disable all with notification”.   Once selections have been made “Create” or “Save”.


6. From Policy Management, we can now see our policy exists.


So, we’ve got a policy, we’ve assigned it to a security group containing our test user, our next step is to validate. My test machine happens to be classic on-premises domain joined machine. My user, Kasper Graf, is signed in with his normal Active Directory credentials which is displayed in upper right hand corner of Word.


Traditional Group Policy uses Client-Side Extensions in Windows to apply policy every 90 minutes.  IT Pros can force policy by using the command line “gpupdate /force” and inspect/verify the registry as well as application behavior prior to broad deployment.  OCPS checks for policy upon initial Office application launch, calls into the cloud service endpoints listed above, and determines policy applicability based on group membership and priority assignment; the registry keys are then populated.

 

Specifically, there are two locations of interest in registry.

1. HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\CloudPolicy
This will contain information about FetchInterval, 90 minutes is default, as well as record of Last Fetch Time and Last Payload Hash.

2. HKEY_CURRENT_USER\Software\Policies\Microsoft\Cloud. This key will contain path to registry keys representing the policy assignment. For example, ours will be HKEY_CURRENT_USER\Software\Policies\Microsoft\Cloud\Office\16.0\word\security
Vbawarnings = 2 (DWORD)

 

IT Pros can achieve the same behavior as gpupdate by simply deleting the key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\CloudPolicy, then closing the Office application and relaunching it to fetch policy.  I typically use tools like Process Monitor to help trust/verify operations of this type with filters such as “Path” contains “CloudPolicy” or where Operation is “RegSetValue” etc.  Opening a Word document containing a macro displays the warning with notification, as expected.


FAQ:
How does conflict resolution work if the same policy is set via traditional domain-based policy as well as OCPS?
OCPS takes priority if there are any conflicts with traditional domain-based policies.

 

Currently policies are limited to user settings. Are there plans on adding machine settings?
Yes. This has been accepted and currently is in our backlog. We hope to have this available next year.

 

Group Policy provides a view of all policies on the device or for the specified user. Does OCPS support this?
Currently OCPS does not provide a list of all Office policies applied to a specific user or device. This is on our backlog and we hope to have this available next year.

 

Will OCPS support other platforms such as MacOS, Android and iOS?
Yes, OCPS in the future will also support additional platforms such as MacOS, Android and iOS. We will create additional blog postings per platform once features are generally available.

 

Are there any environments where OCPS is not available?

The Office cloud policy service isn’t available to customers who have the following plans: Office 365 operated by 21Vianet, Office 365 Germany, Office 365 GCC, or Office 365 GCC High and DoD.

 

The Author

This blog post is brought to you by Dave Guenthner, a Senior Premier Field Engineer and “ProPlus Ranger” at Microsoft. Feel free to share your questions and feedback in the comments below.

Introducing – and Managing – Microsoft Search in Bing through Office 365 ProPlus


Customers tell us they want easier ways to manage their environments while delivering more productivity value to their employees. This includes helping people quickly find the information they need, a potentially frustrating prospect given the sheer and constantly growing volume of content within an organization. To help IT solve this — and to do so in a way that is easy for you to manage — we are offering the Microsoft Search in Bing extension to Office 365 ProPlus customers starting at the end of February.1,2 To help you prepare, we want to share guidance on how you can configure Office 365 ProPlus updates to best meet your organization’s search needs.  

 

Microsoft Search in Bing

 

Bing is a gateway to Microsoft Search, a unified enterprise search solution that provides contextual work-related information using data sources in Office 365 including SharePoint, Microsoft OneDrive for Business, and Exchange. Microsoft Search delivers personalized results surfaced by the Microsoft Graph to make search in your organization more effective, increase productivity, and save everyone time.

 

Employees can search for colleagues by typing the title, team name, or even office location into the address bar. They can also search for office location and get answers that show floor plans for directions. They can even get definitions for company acronyms.

 

As part of Microsoft 365, Microsoft Search is on by default for all Microsoft apps that support it.  This update is designed to enable an accessible and familiar entry point for your users: a search engine.

 

 

Deploy Microsoft Search through Office 365 ProPlus

You have told us that you want a single tool to deploy all desktop components of Office 365. To simplify the process of deploying Microsoft Search, we’re making the Microsoft Search in Bing extension available through Office 365 ProPlus with version 2002, alongside Word, Excel, PowerPoint, Outlook, OneDrive, and Teams. This extension will be installed with new installations of Office 365 ProPlus and when existing installations are updated. If Bing is already the default search engine, the extension will not get installed. 

If you don’t want to deploy the extension to your users, you can exclude it by using the Office Deployment Tool or Group Policy. There are also ways to exclude it if you’re using Microsoft Endpoint Configuration Manager (current branch) or Microsoft Intune. For more information about how to manage the extension, read this article. 

 

Honor your users’ search preferences

Even if you deploy the Microsoft Search in Bing extension with Office 365 ProPlus, users will still have an opportunity to choose their search engine. The first time your users open Google Chrome after the extension for Microsoft Search in Bing is installed, they will have an option to change back their search preferences by taking a few simple steps.

 

Mockup of the search toggle in Chrome browsers (subject to change).

 

Learn more about the user benefits of this change by downloading the Microsoft Search in Bing Adoption Kit (zip file) and this user adoption guide. As always, please visit our Tech Community page to learn more about Office 365 ProPlus, and share your feedback and insights.

 

Footnotes

  1. This change is enabled for new and existing Office 365 ProPlus installations in Australia, Canada, France, Germany, India, the United Kingdom, and the United States. As we add locations, we will notify admins through the Message Center.
  2. The extension will be released to the Monthly Channel in late February 2020. Release for the Semi-Annual Channel (Targeted) and Semi-Annual Channel are coming soon.

 

Streamline deployment and management of Microsoft Teams with Office 365 ProPlus

As more and more Office 365 customers adopt Microsoft Teams, we’ve heard from many of you that you want to deploy and manage Teams the same way you deploy and manage other Office 365 apps. To streamline that process, we made Teams available through Office 365 ProPlus alongside Word, Excel, PowerPoint, Outlook, and OneDrive. We first provided this option to customers on the monthly channel several months ago. Starting on January 14, 2020, customers on the semi-annual channel will start to receive Teams through Office 365 ProPlus as well. With that date approaching, we want to remind you how to configure Office 365 ProPlus and Teams updates to meet the needs of your organization.   

Deploy and manage Teams through Office 365 ProPlus 

If you are an existing Office 365 ProPlus (or Office 365 Business) customer on the semi-annual channel, Teams will be included in your organization’s next update starting on January 14, 2020, as a part of the normal update process. 

If you’re ready for Teams to be deployed on your users’ machines, you don’t need to take any action. You can learn more how to adopt Teams in this article. If Teams is already installed on a user’s machine, there will be no impact when the semi-annual update rolls out.  

Learn more about how Teams updates, after it is installed.  

Customize Teams deployment as a part of Office 365 ProPlus 

While the number of customers using Teams continues to grow, we recognize that not all customers are ready for Teams to be automatically deployed on their users’ machines. You can manage your preferences and configure each Office 365 ProPlus app using Group Policy or the Office Deployment Tool. Learn more about how to deploy and manage or exclude Teams in your Office 365 ProPlus updates in this article: Deploy Microsoft Teams with Office 365 ProPlus.

Send us your feedback 

Every innovation we make with Microsoft 365, the world’s productivity cloud, is designed to help you and your organization unlock new forms of productivity to achieve more. Thank you for being our customers and we look forward to your feedback and insights. 

Visit our Tech Community page to learn more about Office 365 ProPlus.

Troubleshooting Office Client Policy Service (OCPS)


The Office cloud policy service (OCPS) is a cloud-based service that enables you to apply policy settings for Office 365 ProPlus on a user’s device.  The policy settings roam to whichever device the user signs into and uses Office 365 ProPlus.  As end users become increasingly mobile, IT Pros need a single approach to secure Office 365 ProPlus for traditional on-premises domain devices, Azure AD registered devices, Azure AD Joined, and Hybrid Azure AD joined devices.  OCPS applies to all scenarios above without the need to download and replicate any content such as Administrative Template files (ADMX/ADML) on-premises.  The goal of this blog is to provide some transparency of how the service works to help IT Pros during their validation phase and to encourage transition from classic domain-based policy to OCPS service for Office 365 ProPlus.

 

Requirements of OCPS

1. At least Version 1808 (August 2018) of Office 365 ProPlus
2. User accounts created in or synchronized to Azure Active Directory (AAD). The user must be signed into Office 365 ProPlus with an AAD based account.
3. Security groups created in or synchronized to Azure Active Directory (AAD), with the appropriate users added to those groups.
4. To create a policy configuration, you must be assigned one of the following roles in Azure Active Directory (AAD): Global Administrator, Security Administrator, or Office Apps Admin.
5. Connectivity to the addresses below. Microsoft recommends a proxy bypass/whitelist for these URLs:
*.manage.microsoft.com, *.officeconfig.msocdn.com, config.office.com over 443

 

Steps to perform proof of concept and validation
1. Create a test user, ours will be “Gottlieb Daimler”, gdaimler@contoso.com.
2. Create security group “OCPS Service Validation” and add user to group within Active Directory Users and Computers.
3. Allow AAD Connect to synchronize user and group to Azure AD. (lunch break 🙂 or force synchronization via commands below)

(optional) From AAD Connect Server and elevated PowerShell, run the following commands:
PS C:\WINDOWS\system32> Import-Module ADSync
PS C:\WINDOWS\system32> Set-ADSyncScheduler -NextSyncCyclePolicyType Delta
PS C:\WINDOWS\system32> Start-ADSyncSyncCycle

Browse Azure AD portal and explore Users – All Users, select Gottlieb Daimler and then Groups. Verify that group “OCPS Service Validation” has been assigned and source says, “Windows Server AD”. This confirms user and group were synced into Azure AD successfully and we can proceed to next steps.
4.  Create your first OCPS policy and select “Create” button:


5. Complete input fields, when selecting assigned security group input “OCPS” and service should filter results to “OCPS Service Validation” group.  Next, define a policy.  For the demo, I chose policy “VBA Macro Notification Settings”, “Enabled” where VBA Macro Notification Settings are set to “Disable all with notification”.   Once selections have been made “Create” or “Save”.


6. From Policy Management, we can now see our policy exists.


So, we’ve got a policy, we’ve assigned it to a security group containing our test user, our next step is to validate. My test machine happens to be classic on-premises domain joined machine. My user, Gottlieb Daimler, is signed in with his normal Active Directory credentials which is displayed in upper right hand corner of Word.


Traditional Group Policy uses Client-Side Extensions in Windows to apply policy every 90 minutes.  IT Pros can force policy by using the command line “gpupdate /force” and inspect/verify the registry as well as application behavior prior to broad deployment.  OCPS checks for policy upon initial Office application launch, calls into the cloud service endpoints listed above, and determines policy applicability based on group membership and priority assignment; the registry keys are then populated.

 

Specifically, there are two locations of interest in registry.

1. HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\CloudPolicy
This will contain information about FetchInterval, 90 minutes is default, as well as record of Last Fetch Time and Last Payload Hash.

2. HKEY_CURRENT_USER\Software\Policies\Microsoft\Cloud. This key will contain path to registry keys representing the policy assignment. For example, ours will be HKEY_CURRENT_USER\Software\Policies\Microsoft\Cloud\Office\16.0\word\security
Vbawarnings = 2 (DWORD)

 

IT Pros can achieve the same behavior as gpupdate by simply deleting the key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\CloudPolicy, then closing the Office application and relaunching it to fetch policy.  I typically use tools like Process Monitor to help trust/verify operations of this type with filters such as “Path” contains “CloudPolicy” or where Operation is “RegSetValue” etc.  Opening a Word document containing a macro displays the warning with notification, as expected.
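
The registry checks and the forced re-fetch described in both copies of this walkthrough can be scripted for the validation phase. This is an added PowerShell example, not code from the original post or from Microsoft; the function names and the list of Office process names are assumptions, and the key paths and the Vbawarnings value are the ones given above.

```powershell
# Added example (not from the original post): inspect what OCPS wrote for the signed-in
# user, confirm the demo setting, and optionally clear the fetch state.
# Run it as the test user, because both keys live in HKEY_CURRENT_USER.

$StateKey  = 'HKCU:\Software\Microsoft\Office\16.0\Common\CloudPolicy'   # fetch bookkeeping
$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Cloud\Office\16.0'       # applied settings

function Get-RegistryValues {
    # One object per value under a key; returns nothing if the key is missing.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $key = Get-Item -LiteralPath $Path
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{
            Key   = $key.Name
            Name  = $name
            Kind  = $key.GetValueKind($name)
            Value = $key.GetValue($name)
        }
    }
}

function Get-OcpsAppliedPolicy {
    # Walks the cloud policy root and every subkey below it (word\security and so on).
    if (-not (Test-Path -LiteralPath $PolicyKey)) { return }
    $paths = @($PolicyKey) +
             @(Get-ChildItem -LiteralPath $PolicyKey -Recurse | ForEach-Object { $_.PSPath })
    foreach ($p in $paths) { Get-RegistryValues -Path $p }
}

function Test-OcpsSetting {
    # True only when the value exists under the cloud policy root with the expected data.
    param(
        [Parameter(Mandatory)][string]$SubKey,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)]$Expected
    )
    $path = Join-Path $PolicyKey $SubKey
    $prop = Get-ItemProperty -LiteralPath $path -Name $Name -ErrorAction SilentlyContinue
    return ($null -ne $prop -and $prop.$Name -eq $Expected)
}

function Reset-OcpsFetchState {
    # Deletes the CloudPolicy key so the next Office launch fetches policy again.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # Assumed process names for the desktop apps; extend the list for your install.
    $running = Get-Process -Name WINWORD, EXCEL, POWERPNT, OUTLOOK -ErrorAction SilentlyContinue
    if ($running) {
        $names = ($running.ProcessName | Sort-Object -Unique) -join ', '
        Write-Warning "Close Office before resetting the fetch state: $names"
        return
    }
    if ((Test-Path -LiteralPath $StateKey) -and
        $PSCmdlet.ShouldProcess($StateKey, 'Delete registry key')) {
        Remove-Item -LiteralPath $StateKey -Recurse
    }
}

# Fetch bookkeeping (interval, last fetch time, last payload hash).
Get-RegistryValues -Path $StateKey | Format-Table Name, Kind, Value -AutoSize

# Everything OCPS has applied for this user.
Get-OcpsAppliedPolicy | Format-Table Key, Name, Kind, Value -AutoSize

# The demo policy from the walkthrough: "Disable all with notification" is DWORD 2.
if (Test-OcpsSetting -SubKey 'word\security' -Name 'vbawarnings' -Expected 2) {
    'VBA macro notification policy is in place.'
} else {
    'Policy value missing or different: check group membership, sync and endpoint connectivity.'
}

# Preview the reset; drop -WhatIf to delete the key, then relaunch Office.
Reset-OcpsFetchState -WhatIf
```

Running the report before and after relaunching Office shows whether the fetch actually happened, which complements the Process Monitor trace.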


FAQ:
How does conflict resolution work if the same policy is set via traditional domain-based policy as well as OCPS?
OCPS takes priority if there are any conflicts with traditional domain-based policies.

 

Currently policies are limited to user settings. Are there plans on adding machine settings?
Yes. This has been accepted and currently is in our backlog. We hope to have this available next year.

 

Group Policy provides a view of all policies on the device or for the specified user. Does OCPS support this?
Currently OCPS does not provide a list of all Office policies applied to a specific user or device. This is on our backlog and we hope to have this available next year.

 

Will OCPS support other platforms such as MacOS, Android and iOS?
Yes, OCPS in the future will also support additional platforms such as MacOS, Android and iOS. We will create additional blog postings per platform once features are generally available.

 

The Author

This blog post is brought to you by Dave Guenthner, a Senior Premier Field Engineer and “ProPlus Ranger” at Microsoft. Feel free to share your questions and feedback in the comments below.

Building dynamic, lean & universal packages for Office 365 ProPlus


As an admin, you might have been tasked with the deployment of Office 365 ProPlus to your organization. But such a deployment is more than just Office. After the initial migration to ProPlus, you might have to provide ways for your users to acquire automated installs of additional Language Packs, Proofing Tools, products like Visio and Project or other components.
This blog post will walk you through a concept of building dynamic, lean & universal packages for Office 365 ProPlus, greatly reducing long-term maintenance costs and effort needed in managed environments.
Grab a coffee, it’s a long post. Let’s roll.
 

The challenge

When you plan your upgrade to Office 365 ProPlus, the actual upgrade from a legacy version to the always-current Office 365 ProPlus is front and center. But looking beyond the initial deployment, there are other scenarios you’ll need to cover as an admin. After you upgraded your users, they might need one of the following components going forward:
 
  • Additional Language Packs
  • Proofing Tools
  • Visio
  • Project

So in managed environments each of the above would require a dedicated installation package in order to allow an automated and controlled way to e.g. install additional languages for a user. Usually, for each of the above components, an admin would combine the necessary source files (~2.5 gigabyte), a copy of the Office Deployment Tool (ODT) together with a configuration file into a package.

But, especially in larger organizations, you often do not run a single installation of Office 365 ProPlus. You might have a mix of update channels (often SAC and SAC-T) and maybe you are currently transitioning from 32 bit to 64 bit, and for quite some time you will have to support both architectures.

So at the end, we would not have one package per component, but rather four, covering each possible permutation of SAC/SAC-T and x86/x64.
The end result would be:

 

  • High number of packages, the four listed components would result in 16 or more packages.
  • High bandwidth consumption, as a client might get the full 2.5 GB package pushed down before install
  • High maintenance costs to keep embedded source files current.
  • High user impact, if you haven’t kept the source files current and installing a component will perform a downgrade, just to perform an update to the current version soon after.
  • Low user satisfaction when having to pick the matching package out of a bunch of options.

 

While the initial upgrade to Office 365 ProPlus is a one-time activity, the above scenarios will be applicable over a longer period as users might need additional components days, weeks or even years after the initial deployment.
So, how do we build packages which are less costly to maintain over a long time frame and avoid the above downsides?

 

The solution: Dynamic, lean and universal packages

Good news: There is a way to resolve all of the above issues by implementing self-adjusting, small and universal packages. I will give you the “meat and potatoes” of the concept before we dive into sample scenarios:
Build dynamic packages where you don’t hard-code anything. Leverage features of the Office Deployment Tool (ODT) to allow the packages to self-adjust to the requirements:
  • Use Version=MatchInstalled to prevent unexpected updates and stay in control of the version installed on a client. No hard-coding of a build number (which gets outdated quickly) required.
  • Use Language=MatchInstalled to instruct e.g. Visio or Project to install with the very same languages which are already installed for Office. No need to list them or build a script which injects the required languages.

 

Build lean packages by removing the source files from the packages. This has multiple benefits:

  • Package size is much smaller, from 2.5 GB down to less than 10 megabytes for the ODT and its configuration file.
  • Instead of pushing a 2.5 GB install package to clients, we allow clients to pull what it needs on demand from Office CDN which saves bandwidth:
    • When adding Project to an existing Office 365 ProPlus install, we need to download less than 50 megabytes as Office shared components are already installed.
    • Visio installs are typically between 100-200 megabytes, based on the number of languages, as the templates/stencils are a substantial part of the download.
    • Installing Proofing Tools is typically between 30-50 megabytes, whereas a full Language Pack is somewhere between 200 and 300 megabytes.
  • A 2nd install scenario is often less frequent, which lowers the burden on the internet traffic ultimately reducing the impact.
  • You don’t have to update the source files every time when Microsoft releases new features, security and quality fixes.
 
Build universal packages by not hard-coding things like the architecture or update channel. ODT will dynamically match the existing install, so your packages work across all update channels and architectures. Instead of having e.g. four packages to install Visio, you will have a single, universal package which will work across all permutations of update channels and architectures.
  • Leaving out OfficeClientEdition makes your package universal for mixed x86/x64 environments.
  • Leaving out Channel makes your package universal across update channels, even ones you don’t support 🙂.

 

How to and benefit of building dynamic, lean & universal packages

The idea behind this concept is to avoid hard-coding anything in the configuration file and instead leverage the cleverness of the Office Deployment Tool (ODT) as much as possible. Let’s have a look at a “classic” package, built to add Project to an existing install of Office 365 ProPlus. We have the source files (~2.5 gigabyte in size) and a configuration file which explicitly states what we want to achieve:
Lean5-Pic1.jpg







 
When applying  the concepts of dynamic, lean, universal packages, the result would look like this:
 Lean5-Pic2.jpg






 

So what have we changed and what are the benefits of doing so?

  • Removed OfficeClientEdition-attribute, as the ODT will automatically match the installed version.
    • Benefit: Configuration file now works for both x86 and x64 scenarios.
  • Remove Channel, same reason, ODT will automatically match the already assigned update channel.
    • Benefit I: Package works for all update channels (Monthly, Semi-Annual, SAC-T, you name it)
    • Benefit II: It will also work for update channels you don’t offer as central IT. Some users are running Monthly, some are on Insider builds? Don’t worry, it just works!
  • Added Version=MatchInstalled which will ensure that ODT will install the exact same version which is already installed.
    • Benefit: You are in control of versions deployed, no unexpected updates.
  • Added Language ID="MatchInstalled" and TargetProduct, designed to match the currently installed language(s), replacing a hard-coded list of languages to install.
    • Benefit I: User will have the same languages in Project as already installed for Office.
    • Benefit II: No need to re-request Language Pack installs.
    • Benefit III: Will also work for rarely used languages which you as central IT admin don’t offer, leading to happier users.
  • Removed the source files, the ODT will fetch the correct set of source files from the Office CDN just-in-time.
    • Benefit I: Package never gets old. No maintenance of source files needed.
    • Benefit II: Download is ~50 megabyte instead of pushing 2.5 GB around.

 

Another example: Adding Language Packs and Proofing Tools the dynamic, lean & universal way

Let’s have a brief look at other scenarios as well, like adding Language Packs and Proofing Tools. The classic configuration file to install the German Language Pack might look like this:
 







If you’re running SAC as well as SAC-T and have a x86/x64 mixed environment, you would need three additional files to cover the remaining permutations of configurations. Or you just go the dynamic, lean and universal way:
 







 
This single configuration file will work across x86/x64 and all update channels (Insider Fast, Monthly Targeted, Monthly, SAC-T, SAC, and so on). So if you want to offer 5 additional languages in your environment, just build 5 of these “config file + ODT” packages and you’re good to go. For Proofing Tools you just change the ProductID to “ProofingTools”.
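
The changes listed for the Project package, and the Language Pack case above, can be applied mechanically to an existing configuration file. This is an added PowerShell example, not the author's script or part of the ODT; the function name, the share path and the sample "classic" configuration are constructed, and it assumes Office was installed as product O365ProPlusRetail.

```powershell
# Added example: turn a "classic" ODT configuration into a dynamic, lean, universal one.
# It removes the hard-coded architecture, channel and source path, pins the version to
# whatever is installed, and replaces language lists with MatchInstalled.

function ConvertTo-LeanOdtConfig {
    param(
        [Parameter(Mandatory)][string]$ClassicXml,
        [string]$TargetProduct = 'O365ProPlusRetail'   # assumption: the installed Office product
    )
    $doc = [xml]$ClassicXml
    $add = $doc.SelectSingleNode('/Configuration/Add')
    if (-not $add) { throw 'No <Add> element found in the configuration.' }

    # Universal: let the ODT match the installed architecture and update channel.
    # Lean: without SourcePath (and with no source files in the package) the ODT
    # pulls what it needs from the Office CDN.
    foreach ($attr in 'OfficeClientEdition', 'Channel', 'SourcePath') {
        $add.RemoveAttribute($attr)
    }
    # Dynamic: install the same build that is already on the client.
    $add.SetAttribute('Version', 'MatchInstalled')

    foreach ($product in @($add.SelectNodes('Product'))) {
        # Language Packs and Proofing Tools keep their explicit language:
        # that language is the thing being added.
        if (($product.GetAttribute('ID')) -in 'LanguagePack', 'ProofingTools') { continue }

        foreach ($lang in @($product.SelectNodes('Language'))) {
            [void]$product.RemoveChild($lang)
        }
        $match = $doc.CreateElement('Language')
        $match.SetAttribute('ID', 'MatchInstalled')
        $match.SetAttribute('TargetProduct', $TargetProduct)
        [void]$product.PrependChild($match)
    }

    # Return indented XML text.
    $sw = New-Object System.IO.StringWriter
    $xw = New-Object System.Xml.XmlTextWriter($sw)
    $xw.Formatting = 'Indented'
    $doc.WriteTo($xw)
    $xw.Flush()
    return $sw.ToString()
}

# Constructed sample of a classic "add Project" configuration (not taken from the post).
$classicProject = @'
<Configuration>
  <Add OfficeClientEdition="64" Channel="Broad" SourcePath="\\server\share\O365">
    <Product ID="ProjectProRetail">
      <Language ID="en-us" />
      <Language ID="de-de" />
    </Product>
  </Add>
  <Display Level="None" AcceptEULA="TRUE" />
</Configuration>
'@

# Constructed sample of a classic "add German Language Pack" configuration.
$classicLanguagePack = @'
<Configuration>
  <Add OfficeClientEdition="32" Channel="Broad" SourcePath="\\server\share\O365">
    <Product ID="LanguagePack">
      <Language ID="de-de" />
    </Product>
  </Add>
</Configuration>
'@

ConvertTo-LeanOdtConfig -ClassicXml $classicProject
ConvertTo-LeanOdtConfig -ClassicXml $classicLanguagePack
```

For the Project sample the result keeps only `Version="MatchInstalled"` on `Add` and a single `Language ID="MatchInstalled"` entry; for the Language Pack sample the `de-de` entry is preserved.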
 

Prerequisites

I hope this new concept helps you to build dynamic, lean and universal packages and reduce the overall effort of managing Office 365 client Apps.
There are some prerequisites you must meet to make this concept work in your environment:
  • Use Office Deployment Tool 16.0.11615.33602 or newer to enable Version=MatchInstalled to work.
  • The ODT must be able to locate the matching source files on the Office CDN.
  • Ensure that the context you’re using for running the install can traverse the proxy. Check out our Office 365 ProPlus Deployment and Proxy Server Guidance for a deep-dive on this.
  • Make sure that the account (user or SYSTEM) used to install the apps is able to connect to the internet.

 

The Author

This blog post is brought to you by , a ProPlus Ranger and senior ProPlus deployment expert at Microsoft. Feel free to share your questions and feedback in the comments below.
How to manage Office 365 ProPlus Channels for IT Pros


12/5/2019: We’ve updated this guidance and published it as an article on docs.microsoft.com: Change the Office 365 ProPlus update channel for devices in your organization. We recommend that you follow the steps in that article to change channels.

 

Microsoft recommends enterprise customers include validation as a part of their Office 365 ProPlus deployment processes. Microsoft provides “channels” which control the rate of change in terms of features and quality fixes. For most customer deployments this means a minimum of two channels such as Semi-Annual Channel and Semi-Annual Channel (Targeted). Many IT Pros broadly deploy a single channel (usually Semi-Annual Channel) and leverage group policy to assign validation computers to faster channel such as Semi-Annual Channel (Targeted). In this way, IT Pros can preview what’s coming four months prior to production release.

 

The goal of the blog is to provide clarification around the mechanics on how Office 365 ProPlus processes channel change requests.

 

Tip: New Semi-Annual Channel versions are released in January/July and Semi-Annual Channel (Targeted) versions are released in March/September. All channels will receive a minimum of one build per month which contains security and critical customer-escalated fixes. (The latter has a very high bar.)

To read more about Channels please see Overview of update channels for Office 365 ProPlus

 

Ideally, minimizing the number of Office 365 ProPlus packages reduces overall cost of ownership. Therefore, the next step is to develop a process where machines receive standard package placing them on Semi-Annual Channel but dynamically move validation machines to faster channel such as Semi-Annual Channel (Targeted).

 

Step 1: Deploy your standard Office 365 ProPlus package based on Semi-Annual Channel

 

Step 2: Assign GPO to validation machine(s) or add policy registry key specifying Semi-Annual Channel (Targeted)

 

Using Office ADMX files, use Update Channel GPO to set Semi-Annual Channel (Targeted)


* Group Policy refreshes in the background every 90 minutes by default.  Use gpupdate /force to expedite.  Alternatively, add the registry value manually to the policy key:

             HKLM\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate "updatebranch"="FirstReleaseDeferred"

Step 3: Allow Microsoft\Office\Office Automatic Updates 2.0 scheduled task to run

Group Policy will set registry keys, that’s all. Office 365 ProPlus uniquely leverages a scheduled task named Office Automatic Updates to maintain product configuration including channel management. The name itself, “Automatic Updates”, can cause confusion for IT Pros in enterprise environments where System Center Configuration Manager (SCCM) is used to deploy updates. When OfficeMgmtCom (COM) is enabled, updates will be delivered only from SCCM. The Office Automatic Updates scheduled task will fire based on a default set of triggers, regardless of whether COM is enabled; by running the task manually you can compress the time frame to validate the change.

 

Warning: Microsoft recommends Automatic Updates remain Enabled (default configuration) in all update scenarios. This task does more than its name implies. By disabling the task, you may observe a diminished experience in terms of channel management and disable the feature that applies updates when SYSTEM is IDLE.

See 2:00 in Managing Office with SCCM (2019) video for more information, applicable for CDN update workflow.

 

Tip: List of Channels and respective URL identifiers

CDNBaseUrl represents the channel where product was installed. If no channel was defined in unattend, Semi-Annual Channel is default selection.

Monthly Channel 
(formerly Current Channel):
CDNBaseUrl = http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60

Semi-Annual Channel 
(formerly Deferred Channel):
CDNBaseUrl = http://officecdn.microsoft.com/pr/7ffbc6bf-bc32-4f92-8982-f9dd17fd3114

Monthly Channel (Targeted)
(formerly First Release for Current Channel):
CDNBaseUrl = http://officecdn.microsoft.com/pr/64256afe-f5d9-4f86-8936-8840a6a4f5be

Semi-Annual Channel (Targeted) 
(formerly First Release for Deferred Channel):
CDNBaseUrl = http://officecdn.microsoft.com/pr/b8f9b850-328d-4355-9145-c59439a0c4cf

Tip: IT Pros can monitor several registry values to validate that the change has occurred after the scheduled task has completed. The values of interest can be found under the following key: HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration. Editing these values directly should not be done and can lead to unintended consequences. Rather, monitor them for the desired outcome.

UpdateChannel: This is the channel configuration “winner”.  This is dynamically managed by the Automatic Updates scheduled task and should not be edited directly.

 

In our example where we are using GPO to move Office 365 ProPlus to Semi-Annual Channel (Targeted), Office Automatic Updates scheduled task will discover policy key and then will flip UpdateChannel to new value, in this case from http://officecdn.microsoft.com/pr/7ffbc6bf-bc32-4f92-8982-f9dd17fd3114 (SAC) to http://officecdn.microsoft.com/pr/b8f9b850-328d-4355-9145-c59439a0c4cf (SAC-T). Additionally, UpdateChannelChanged will be set to True. Upon next successful Office 365 Client update, UpdateChannelChanged will reset to False. The product can only accept one channel change request at a time with successful update as a prerequisite prior to accepting another change.

 

If you have completed steps above and channel change is still not being reflected, you may be blocked by temporary “Discovery Period.” Generally, updates will not happen within the Discovery Period which can last up to 24 hours after initial installation. IT Pros may encounter this scenario during compressed time validation in lab scenarios.

 

After UpdateChannel has successfully changed, Office 365 Clients pointing to CDN will download the latest build from the faster channel. Office 365 Clients which have COM enabled for SCCM integration will download the newer build the next time the Software Updates Deployment Evaluation cycle runs, based on the configuration of Software Deployment within SCCM. IT Pros can expedite testing channel migration by deploying the desired build to a validation collection (it should be a build from Semi-Annual Channel (Targeted)), then using the Configuration Manager applet from Control Panel to perform Machine Policy Retrieval followed by Software Updates Deployment Evaluation Cycle.

 


 

Tip: Office 365 ProPlus behavior – slow to fast vs fast to slow

Slower -> Faster (Example: Semi-Annual Channel to Semi-Annual Channel Targeted)

  • Client will always gracefully move forward when the build number now available is higher.  For example, a client on June 2019 Semi-Annual Channel with build version 1808 (Build 10730.20348) will move to Semi-Annual Channel Targeted with build Version 1902 (Build 11328.20318).  No other Administrative intervention is required; the normal update process/workflow applies the change.

Faster -> Slower (Example: SAC-T to SAC)

  • In SCCM managed environment where COM is enabled, Office will not auto downgrade when channel is changed.  It will only move forward once build advertised is greater than what’s currently installed.  For example, Office ProPlus client on Semi-Annual Targeted build June 2019 Version 1902 (Build 11328.20318) will have to wait until Semi-Annual Channel build number is greater to move forward such as July 2019 Version 1902 (Build 11328.20368).  Supported downgrade method is to re-run Office Deployment Tool (ODT) with desired build and channel.  Keep in mind during waiting period, Office 365 Client will not receive any updates including security.
  • In non COM managed environment such as default configuration CDN, we will downgrade your new version to match the Group Policy assigned.  

*Since we can’t do binary delta compression (BDC), the download will be larger.  As a result, network impact should be considered when downgrading from CDN.

 

FAQ:

How does channel management work when Office 2019 is installed and GPO “Upgrade Office 2019 to Office 365 ProPlus” is enabled?

Some customers may have a need to have one factory image of Windows which includes Office 2019 and later upgrade a subset of machines to Office 365 ProPlus.  The steps outlined above still apply in terms of mechanics and how channel changes are processed.  The only difference is Office 2019 will initially have CDNBaseURL and UpdateChannel will reflect http://officecdn.microsoft.com/pr/f2e724c1-748f-4b47-8fb8-8e0d210e9208.  First, the GPO above will set the policy key.  Second, the Office Automatic Updates 2.0 scheduled task will flip the UpdateChannel to Semi-Annual Channel (3114) by default and dynamically convert the product to Semi-Annual Channel.  In short, Office 2019 is just an older version of Office 365 ProPlus, so differences in content between the two products will download from CDN or from SCCM Distribution Point depending on your configuration. (Size will be significant for one-time conversion).  For CDN, this process is automatic.  For SCCM, the IT Pro only needs to deploy the latest Semi-Annual Channel build software update to the collection, just like any monthly “Patch Tuesday” process.  SCCM will find the build applicable and upgrade like any other Office update.  Licensing/Activation will switch from volume activation (KMS) to subscription based (Office Licensing Service).

 

Why does this guidance differ from SCCM page Change the update channel after you enable Office 365 clients to receive updates from Configuration Manager?

Microsoft recommends customers leverage Group Policy to change Office 365 ProPlus channels because it’s easier for IT Pros. Group Policy sets the registry key under the policy hive and the Office Automatic Updates scheduled task processes the channel change.  The link above references CDNBaseURL.  Notice from the list below that this is the 4th item evaluated for priority by the scheduled task.  As a result, if the first three priorities listed are not configured and CDNBaseURL doesn’t match UpdateChannel, the scheduled task will align them, resulting in a channel change.  This blog posting leads with Group Policy, whereas the link above requires a direct registry change through Group Policy Preferences or a Compliance Item in SCCM.

 

1st Priority : GPO "UpdatePath" - HKLM\software\policies\microsoft\office\16.0\common\officeupdate!updatepath
2nd Priority : GPO "UpdateChannel" - HKLM\software\policies\microsoft\office\16.0\common\officeupdate!updatebranch
3rd Priority : "UpdateURL" or UpdatePath="ServerShare" HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration
4th Priority : CDNBaseURL - HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration\CDNBaseUrl
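
The priority order above, together with the UpdateChannel and UpdateChannelChanged values described earlier, can be checked read-only with PowerShell. This is an added example, not code from the original post: the function names and the sample data are constructed, and UpdateUrl and UpdatePath are assumed to be value names under the Configuration key, as the 3rd priority line implies.

```powershell
# Added example (not from the original post). Read-only: nothing is written
# to the registry. Function names and sample data are constructed.

# Channel identifiers (last URL segment) as listed in this post.
$ChannelNames = @{
    '492350f6-3a01-4f97-b9c0-c7c6ddf67d60' = 'Monthly Channel'
    '7ffbc6bf-bc32-4f92-8982-f9dd17fd3114' = 'Semi-Annual Channel'
    '64256afe-f5d9-4f86-8936-8840a6a4f5be' = 'Monthly Channel (Targeted)'
    'b8f9b850-328d-4355-9145-c59439a0c4cf' = 'Semi-Annual Channel (Targeted)'
    'f2e724c1-748f-4b47-8fb8-8e0d210e9208' = 'Office 2019'
}

function Get-ChannelName {
    param([string]$Url)
    if ([string]::IsNullOrWhiteSpace($Url)) { return '(not set)' }
    $id = ($Url.TrimEnd('/') -split '/')[-1]
    if ($ChannelNames.ContainsKey($id)) { return $ChannelNames[$id] }
    return "Unrecognized: $Url"
}

# Walks the four sources in the order the scheduled task evaluates them and
# reports the first one that is configured, plus the current channel state.
function Resolve-OfficeChannelSource {
    param(
        [hashtable]$Policy = @{},   # values from the officeupdate policy key
        [hashtable]$Config = @{}    # values from ClickToRun\Configuration
    )
    $third = if ($Config['UpdateUrl']) { $Config['UpdateUrl'] } else { $Config['UpdatePath'] }
    $candidates = @(
        [pscustomobject]@{ Priority = 1; Source = 'GPO updatepath';       Value = $Policy['updatepath'] }
        [pscustomobject]@{ Priority = 2; Source = 'GPO updatebranch';     Value = $Policy['updatebranch'] }
        [pscustomobject]@{ Priority = 3; Source = 'UpdateUrl/UpdatePath'; Value = $third }
        [pscustomobject]@{ Priority = 4; Source = 'CDNBaseUrl';           Value = $Config['CDNBaseUrl'] }
    )
    $winner = $candidates |
        Where-Object { -not [string]::IsNullOrWhiteSpace($_.Value) } |
        Select-Object -First 1

    [pscustomobject]@{
        WinningPriority  = if ($winner) { $winner.Priority } else { $null }
        WinningSource    = if ($winner) { $winner.Source } else { '(none configured)' }
        WinningValue     = if ($winner) { $winner.Value } else { $null }
        InstalledChannel = Get-ChannelName $Config['CDNBaseUrl']
        EffectiveChannel = Get-ChannelName $Config['UpdateChannel']
        # True until the next successful client update resets it to False.
        ChangePending    = ("$($Config['UpdateChannelChanged'])" -eq 'True')
        ChannelsAligned  = ($Config['CDNBaseUrl'] -eq $Config['UpdateChannel'])
    }
}

# Reads only the named values from a key; returns an empty table if absent.
function Get-RegistryValues {
    param([string]$Path, [string[]]$Names)
    $result = @{}
    if (Test-Path -Path $Path) {
        $key = Get-ItemProperty -Path $Path
        foreach ($n in $Names) {
            if ($null -ne $key.$n) { $result[$n] = $key.$n }
        }
    }
    return $result
}

# Constructed sample: the state this post describes after the scheduled task
# has processed a GPO moving Semi-Annual Channel to Semi-Annual Channel (Targeted).
$samplePolicy = @{ updatebranch = 'FirstReleaseDeferred' }
$sampleConfig = @{
    CDNBaseUrl           = 'http://officecdn.microsoft.com/pr/7ffbc6bf-bc32-4f92-8982-f9dd17fd3114'
    UpdateChannel        = 'http://officecdn.microsoft.com/pr/b8f9b850-328d-4355-9145-c59439a0c4cf'
    UpdateChannelChanged = 'True'
}
Resolve-OfficeChannelSource -Policy $samplePolicy -Config $sampleConfig | Format-List

# Live check on a Windows client (reads only).
if ($env:OS -eq 'Windows_NT') {
    $policy = Get-RegistryValues `
        -Path 'HKLM:\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate' `
        -Names 'updatepath', 'updatebranch'
    $config = Get-RegistryValues `
        -Path 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' `
        -Names 'UpdateUrl', 'UpdatePath', 'CDNBaseUrl', 'UpdateChannel', 'UpdateChannelChanged'
    Resolve-OfficeChannelSource -Policy $policy -Config $config | Format-List
}
```

For the constructed sample, the report shows priority 2 (GPO updatebranch) as the winning source, Semi-Annual Channel as the installed channel, Semi-Annual Channel (Targeted) as the effective channel, and a change still pending.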

I hope this blog post helps provide additional context for how Office ProPlus Channel Management works “under the hood”.

 

This blog post is brought to you by Dave Guenthner, a Senior Premier Field Engineer and “ProPlus Ranger” at Microsoft. Feel free to share your questions and feedback in the comments below.

Office 365 Groups @ Ignite – Recap


Office 365 Groups is the membership service that drives teamwork and powers collaboration across Microsoft 365. With Office 365 Groups, a group of people can access and share a collection of collaboration resources, such as a shared Outlook inbox, calendar, SharePoint document library, a Planner, a Team, and more.

 

Recently, at Microsoft Ignite 2019 in Orlando, FL, the Office 365 Groups team delivered several sessions that included announcements of enhancements and new innovations for Office 365 Groups, such as the new user activity-based expiration policy for Office 365 Groups and the Groups Admin role, as well as best practices, such as creating a governance plan, enabling self-service, and leveraging analytics to understand usage.

 

The Office 365 Groups breakout sessions highlighted innovations across Outlook Mobile, Outlook Desktop, Outlook on the Web, Microsoft Teams, Microsoft 365 admin center, SharePoint Site URL Rename, Identity Governance, Yammer, and more. In case you missed it, you can view the Office 365 Groups sessions on-demand, and download the slide decks, as well.

 

Session Code Description
ADM20 Addressing top management issues with users and groups
BRK2052 What’s new and what’s next: SharePoint and OneDrive administration
BRK2056 Embrace Office 365 Groups: What’s new and what’s next
BRK2058 Deploy Office 365 groups at scale to power Microsoft Teams, Outlook, Yammer, and SharePoint
BRK2210 Finding your collaboration sweet spot with Office 365 Groups, SharePoint, Teams, and Yammer
BRK2233 The future of Yammer: Share knowledge, engage leaders, and build communities in Microsoft 365
BRK3264 Transform collaboration and fight shadow IT with Office 365 groups
THR2091 Master sharing and permissions of Office 365 in 20 minutes
THR2251 How Microsoft empowers employees through self-service collaboration while still protecting the company in Office 365
THR3043 Microsoft Teams and Office 365 Groups PowerShell MasterClass
THR3083 Office 365 Groups: Ask us anything

 

We’re also taking the learning path session for Office 365 Groups (Embrace Office 365 Groups: What’s new and what’s next) on the Microsoft Ignite The Tour, so if you would like to see it live, and interact with Office 365 Groups experts, register now for a city near you.

 


 

–The Office 365 Groups Team


New functionality to make it easier to customize, manage, and secure Office 365 ProPlus

At Microsoft, we’re committed to protecting your data and helping your organization stay current and secure in today’s fast-moving, complex technology environment. And we’ve designed new innovations for Office 365 ProPlus to do just that. As announced at Microsoft Ignite 2019 last week, we introduced:

  • An update to the Office cloud policy service.
  • Deeper integration for managing Office 365 for Mac using Jamf Pro.
  • New tools for Configuration Manager to better plan Office deployment projects.
  • New security features for the Office client.
  • New Group Policy setting to enable users to install Insider builds.

Together, these new functionalities help you more efficiently adopt, deploy, and manage Office 365 ProPlus—regardless of the size of your organization and the platform you choose.

Cross-platform support* for the Office cloud policy service

The Office cloud policy service—initially announced for Windows earlier this year—is a cloud-based service that enables IT admins to enforce policy settings for Office 365 ProPlus users. The settings are enforced across devices, whether domain-joined, Azure Active Directory (AAD)-joined, or completely unmanaged. In short, the policy settings roam with the user.

Today, we’re introducing an update to add cross-platform support for Office on the web, Android, Mac*, and iOS* devices, giving administrators the ability to manage Office policies from a single portal for all their Office users. To learn more, read this article.

 

Easier Office 365 for Mac management using Jamf Pro

Today, we’re announcing deeper integration for managing Office 365 using Jamf Pro. Our integration with the new Application and Custom Settings experience, which was demonstrated at the Jamf Nation User Conference (JNUC), allows IT admins to easily set Office 365 policies using a familiar forms-based interface. Mac administrators can centrally configure security, privacy, and update policies to deliver the very best Office 365 experience to their users, including:

  • Enabling friction-free sign-on to Office 365
  • Controlling privacy and telemetry options
  • Reducing the attack surface for sensitive devices
  • Increasing compliance levels through feature enablement
  • Lowering support costs by implementing desired update workflows

 

Pilot health and inventory tools to deploy faster

We’ve brought a pair of updates to the Microsoft System Center Configuration Manager—you probably know it as Config Manager—to help IT admins streamline parts of the device upgrade process. The first of these shows the health of pilot devices as it relates to a forthcoming upgrade. Pilots are a subset of devices you’ve selected to validate before deploying. With this update, that subset will also show the upgraded health of selected devices, including which are ready to upgrade right now. For those not ready, you can see what issues are blocking the upgrade and remediate those for faster deployment.

 

The second update, which enhances your existing inventory tools, leverages device telemetry to determine which devices running Office 365 ProPlus are ready to update to a newer release. This update also provides insight into issues that are blocking an immediate upgrade, giving you the information needed to remediate problem areas.

 

Pilot health and enhanced inventory tools are just the beginning. With 80% of Office 365 ProPlus admins using Config Manager, we’re continuing to prioritize upgrades for the Config Manager console—including features like recommended configurations.

 

Safe Documents and Application Guard for enhanced file protection

On Tuesday, we shared Safe Documents, a new capability that brings the power of Microsoft Defender Advanced Threat Protection (ATP) to Office 365 ProPlus.  When a user has a document in Protected View and wants to consider that document “trusted”, the file will be automatically checked against the ATP threat cloud before release. Admins will have advanced visibility and response capabilities, including alerts, logs, and visibility into similar threats across the enterprise.

 

We also showed an early, live demo of Application Guard capabilities integrated with Office 365 ProPlus. When available in mid-2020, Microsoft 365 customers will be able to open an untrusted Word, Excel, or PowerPoint file in a virtualized container instead of Protected View. From there, users will be able to view, print, edit, and save changes to untrusted Office documents—all while benefiting from hardware-level security. If the untrusted file is malicious, the attack is confined to the isolated container and the host machine is untouched. Users will be able to leverage Safe Documents to “trust” a document securely, and full reporting and audit trails will be available through ATP.

 

Group Policy to allow users to experience Office Insider builds  

Enabling your users to self-select into the Office Insiders program is as simple as delivering a policy.  This can be done by using the Office Cloud Policy service which is available in config.office.com and via group policy. This policy makes it easy for you to enable which users can self-select their device to receive the Office Insider builds as they become available in order to try new features. Read more in this article.

Microsoft Teams deployed with Office 365 ProPlus

As a quick reminder, when you update to Version 1908 of Office 365 ProPlus in January, Microsoft Teams will be rolled out to existing installations on the Semi-Annual Channel. Learn more about deploying Teams as part of Office 365 ProPlus in this article.

Office 2010 End of Support

Finally, support for Office 2010 is ending in October 2020—but with Office 365 ProPlus, you can continue to stay current with the latest Office tools and security features, like the ones we described above. Read more in this blog.

 

Catch up on all other Office 365 ProPlus deployment content recorded at Ignite by following this guide. As always, learn what’s new in Office 365 ProPlus, watch our YouTube Deployment Insider channel, and join Office Insider Program.

You may also find the following additional resources useful:

*Office cloud policy service support for Mac and iOS devices is expected to roll out soon.

Your OneNote

From your flashes of inspiration at 2:00 AM to the list of funny things your children say, or that brilliant idea you had in the conference room, and your ever-growing list of household chores, OneNote holds the notes to your life to track all the things you need to keep in mind, but simply don’t have room for in your overworked brain.

 

We enjoy the privilege of serving millions of customers like you, who each have unique needs and who use OneNote in unique ways. Over the past year, we’ve been listening to your passionate feedback and are humbled by your consistent love for OneNote. We hear you loud and clear — you want to keep your notes your way!

 

With that in mind, we’re pleased to announce that we are continuing mainstream support for OneNote 2016 beyond October 2020, so that you can continue using the version of OneNote that works best for you. New support dates for OneNote 2016 now align with Office 2019 (October 10, 2023 for mainstream support and October 14, 2025 for extended support). We also want to make deployment and installation easier for organizations and individuals, so for Windows users, starting in March 2020, when you deploy or install Office 365 subscriptions that include the Office desktop apps or Office 2019, the OneNote desktop app will be installed by default alongside Word, Excel, and PowerPoint. If you’d like to install OneNote 2016 earlier, you can get it here: aka.ms/InstallOneNote. 

 

And, of course, OneNote should look the way you want it to. That’s why this week we are rolling out Dark Mode for OneNote 2016. This will be available for Office 365 subscribers and non-volume licensing Office 2019 customers. Dark Mode changes the app’s interface elements from light to dark. Using OneNote in this mode can improve readability in low light environments, increase legibility of the user interface as well as your notes, provide better contrast, and reduce eye strain. You might also use OneNote in Dark Mode simply as a personal preference. The choice is yours!

 

We’re excited about today’s announcements and we’ll keep listening to your feedback to make your OneNote better and better! Please continue requesting features and telling us what you think via the in-app feedback. 

 

For more information check out our OneNote FAQ! 

User Activity based Expiration Policy for Office 365 groups is now in Private Preview!


Update: This feature has new updates. Please see the blog for details.

O365 Groups power collaboration across Office 365 

Collaboration is a key ingredient for the success of any organization. Office 365 groups, one of the most used collaboration features in Microsoft 365 today, power the collaboration features across apps, including Outlook, Teams, Yammer, and SharePoint. Employees can create groups quickly and start collaborating with co-workers by sharing group documents, emails, and calendars.

 

The twin problems of Groups Life cycle Management 

As the number of Office 365 groups increases, an organization needs to strike a balance between cleaning up unused groups and ensuring any valuable groups do not get deleted unintentionally, causing data loss. Many of you have shared feedback about these challenges in groups lifecycle management.

 

You say, we listen and act

We heard your feedback, and we’ve made some changes! We are excited to announce the new version of expiration policy which ensures any group being actively used continues to be available, circumventing expiration. This feature makes life easier for users, including admins, group owners and members, by automating the expiration and renewal process by tracking groups for user activity across different apps, like Teams, SharePoint, Outlook, tied to the group.

 

The new expiration policy puts group life cycle management on autopilot 

The current Expiration policy allows you to set an expiration time frame for selected or all Office 365 groups. After the defined group lifetime, owners are asked to renew them if they are still needed. With this newly added intelligence, groups which are being actively used will be automagically renewed. This preempts the need for any manual action on the part of the group owners. This is based on user activity in groups across Office 365 apps like Outlook, SharePoint, Teams, Yammer, and others.

 

Example:  At Contoso, the administrator has configured the Group lifetime to be 180 days. Megan is the owner of the Contoso Marketing O365 Group, with Enrico and Alex as its members. Her group is set to expire in 45 days. If an owner or a member performs actions like uploading a document in SharePoint, visiting Teams channel or sending an email to the group in Outlook, the group is automatically renewed for another 180 days, and she does not get any expiry notifications.


 

Manual Controls: Group owners will continue to have the manual “delete”, “renew” option for granular control.

 

Soft Delete: Like before, groups which aren’t renewed (either automatically based on activity or manually) will be soft deleted. Groups in “Soft-delete” state can still be restored within 30 days, after which the content is deleted permanently.

 


 

User actions for group auto-renewal: The following user actions will lead to automatic renewal of groups

  • SharePoint – View, Edit, Download, Move, Share, Upload Files
  • Outlook – Join group, Read/write group message from group space, Like a message (OWA)
  • Teams – Visit a Teams channel

We will continue to update this list to fine tune group auto-renewal experience.

 

Auditing and reporting: Administrators can get a list of auto-renewed groups from audit logs on the Azure portal.


 

 

Here are some quick steps to get you started.

 

Getting started

Office 365 groups expiration policy can be configured from the Azure Active Directory portal, as well as programmatically via Azure Active Directory PowerShell. Please note you need an Azure AD Premium license. Below is a quick tutorial on how to get started with the functionality in the new Azure portal experience.

 

1. Create Expiration Policy: Sign into the Azure portal, select Azure Active Directory, go to the Groups tab and select Expiration under Settings. (More details here.)

 

2. Set Group Life cycle: Specify the group lifetime in days and select which groups you want the expiration settings to apply to.

Group owners will receive a renewal notification 30 days before the expiration date, and from that notification they can renew their group with a single click!

 

If there is no user activity in the group (and the owners don’t manually renew their group) within the required time frame, their group will expire. Upon expiry it will stay in a “soft deleted” state for 30 days. Owners of deleted groups will receive a notification letting them know their group has been deleted and giving them the opportunity to restore their group within 30 days after its deletion date. The Group will be permanently deleted after 30 days.

 

3. Auto-renewal based on user activity: No explicit action is required to enable activity-based auto-renewal. If an expiration policy is set for Office 365 groups, auto-renewal will be enabled by default.

Learn more about how you can restore your group to recover all its content, including SharePoint, Planner, and Outlook – how to restore deleted Office 365 groups.

 

Note: The new version of Office 365 groups expiration feature is available in private preview today for select Azure AD Premium customers. Please reach out to your TAMs/CSMs regarding enrollment in private preview.

 

Let us know what you think!

We would love to hear your feedback! If you have any suggestions for us, questions, or issues to report, please leave a comment below. We’re always looking for ways to improve.

 

User Voice: Add security groups to Office 365 groups

Support & feedback: groupsarfeedback@microsoft.com

 

 

Best regards,

 

Salil Kakkar                                                               Yuan Karppanen

Program Manager                                                    Program Manager

Office 365 Groups                                                    Azure Active Directory

Twitter: @salil_kakkar

 

 

 

 

 

 

 

 

User Activity based Expiration Policy for Office 365 groups is now generally available!


O365 Groups power collaboration across Office 365 

Collaboration is a key ingredient for the success of any organization. Office 365 groups, one of the most used collaboration features in Microsoft 365 today, power the collaboration features across apps, including Outlook, Teams, Yammer, and SharePoint. Employees can create groups quickly and start collaborating with co-workers by sharing group documents, emails, and calendars.

 

The twin problems of Groups Life cycle Management 

As the number of Office 365 groups increases, an organization needs to strike a balance between cleaning up unused groups and ensuring any valuable groups do not get deleted unintentionally, causing data loss. Many of you have shared feedback about these challenges in groups lifecycle management.

 

You say, we listen and act

We heard your feedback, and we’ve made some changes! We are excited to announce the new version of expiration policy which ensures any group being actively used continues to be available, circumventing expiration. This feature makes life easier for users, including admins, group owners and members, by automating the expiration and renewal process by tracking groups for user activity across different apps, like Teams, SharePoint, Outlook, tied to the group.

 

The new expiration policy puts group life cycle management on autopilot 

The current Expiration policy allows you to set an expiration time frame for selected or all Office 365 groups. After the defined group lifetime, owners are asked to renew them if they are still needed. With this newly added intelligence, groups which are being actively used will be automagically renewed. This preempts the need for any manual action on the part of the group owners. This is based on user activity in groups across Office 365 apps like Outlook, SharePoint, Teams, Yammer, and others.

 

Example:  At Contoso, the administrator has configured the Group lifetime to be 180 days. Megan is the owner of the Contoso Marketing O365 Group, with Enrico and Alex as its members. Her group is set to expire in 45 days. If an owner or a member performs actions like uploading a document in SharePoint, visiting Teams channel or sending an email to the group in Outlook, the group is automatically renewed for another 180 days, and she does not get any expiry notifications.


 

Manual Controls: Group owners will continue to have the manual “delete”, “renew” option for granular control.

 

Soft Delete: Like before, groups which aren’t renewed (either automatically based on activity or manually) will be soft deleted. Groups in “Soft-delete” state can still be restored within 30 days, after which the content is deleted permanently.

 


 

User actions for group auto-renewal: The following user actions will lead to automatic renewal of groups

  • SharePoint – View, Edit, Download, Move, Share, Upload Files
  • Outlook – Join group, Read/write group message from group space, Like a message (OWA)
  • Teams – Visit a Teams channel

We will continue to update this list to fine tune group auto-renewal experience.

 

Auditing and reporting: Administrators can get a list of auto-renewed groups from audit logs on the Azure portal.


 

 

Here are some quick steps to get you started.

 

Getting started

Office 365 groups expiration policy can be configured from the Azure Active Directory portal, as well as programmatically via Azure Active Directory PowerShell. Please note you need an Azure AD Premium license. Below is a quick tutorial on how to get started with the functionality in the new Azure portal experience.

 

1. Create Expiration Policy: Sign into the Azure portal, select Azure Active Directory, go to the Groups tab and select Expiration under Settings. (More details here.)

 

2. Set Group Life cycle: Specify the group lifetime in days and select which groups you want the expiration settings to apply to.

Group owners will receive a renewal notification 30 days before the expiration date, and from that notification they can renew their group with a single click!

 

If there is no user activity in the group (and the owners don’t manually renew their group) within the required time frame, their group will expire. Upon expiry it will stay in a “soft deleted” state for 30 days. Owners of deleted groups will receive a notification letting them know their group has been deleted and giving them the opportunity to restore their group within 30 days after its deletion date. The Group will be permanently deleted after 30 days.

 

3. Auto-renewal based on user activity: No explicit action is required to enable activity-based auto-renewal. If an expiration policy is set for Office 365 groups, auto-renewal will be enabled by default.

Learn more about how you can restore your group to recover all its content, including SharePoint, Planner, and Outlook – how to restore deleted Office 365 groups.

 

Note: The new version of Office 365 groups expiration feature is available in private preview today for select Azure AD Premium customers. Please reach out to your TAMs/CSMs regarding enrollment in private preview.

 

Let us know what you think!

We would love to hear your feedback! If you have any suggestions for us, questions, or issues to report, please leave a comment below. We’re always looking for ways to improve.

 

User Voice: Add security groups to Office 365 groups

Support & feedback: groupsarfeedback@microsoft.com

 

 

Best regards,

 

Salil Kakkar                                                               Yuan Karppanen

Program Manager                                                    Program Manager

Office 365 Groups                                                    Azure Active Directory

Twitter: @salil_kakkar

 

Microsoft Ignite 2019 Guide to Office 365 ProPlus Deployment

If you’re an Office IT Admin, get ready to learn the latest and greatest about Microsoft Office 365 ProPlus deployment at Ignite starting November 4. We’re very excited to announce the following sessions, workshops, speakers, and other learning opportunities to help you make your Office 365 ProPlus deployment and management a success. Here is what we have lined up for you:

Best practices for deploying and managing Microsoft Office 365 ProPlus (BRK3087). Amesh Mansukhani, a Principal Program Manager focused on helping enterprise organizations efficiently manage Office 365 ProPlus deployments, shares what’s new from the Office engineering team on how to best deploy and manage Office 365 ProPlus within your environment. He’ll also walk through the deployment tools and discuss the best options to suit your environment.

What’s new in the Office Customization Tool (THR 30309). Learn what’s new in the Office Customization Tool for Office 365 ProPlus from Chris Hopkins, a Senior Program Manager on the Office Enterprise Lifecycle team responsible for the deployment and management experience for Office across Office 365, System Center Configuration Manager, and Microsoft Intune.

Best practices for compatibility assessment and Office 365 ProPlus upgrades using Office Readiness in Configuration Manager (BRK3090). In this session, Tara Hanratty, a Senior Program Manager in Microsoft Ireland who focuses on helping enterprises address compatibility concerns, will discuss best practices for upgrading to Office 365 ProPlus, including:

  • Evaluating Office readiness
  • Using the Readiness Toolkit for advanced VBA readiness
  • Discovering and remediating issues
  • Deploying to “ready devices” with the right settings
  • Identifying optimal pilots to unblock more devices
  • Viewing health on deployed devices
  • Viewing unblocked devices
  • Advanced plug-in reports (accessibility)


Get to know the new Office Cloud Policy Service (THR3038). If you are still managing Office policies using Group Policy Manager, but you want to move to the cloud, come learn about the new Office Cloud Policy Service. Chris Hopkins will explain how you can use the Office Cloud Policy Service to manage policies for Microsoft Office 365 ProPlus on Windows, Mac, and Office on the web. He’ll also show you how to use built-in intelligence to provide security policy recommendations and baselines for simplifying management and compliance.

Deploying and managing Microsoft Office 365 ProPlus (WRK3019). In this workshop, Matt Philipenko, Senior Premier Field Engineer for Office Deployment, Servicing, and Activation and ProPlus Ranger, will cover deploying and managing Office 365 ProPlus using Configuration Manager and Intune. He will walk through creating an Office 365 ProPlus deployment, managing updates, configuring cloud policies, and monitoring your current deployment status, and also share Microsoft best practices and common customer implementations.

Microsoft Office privacy controls and Diagnostic Data (BRK3088). Office uses the power of the Microsoft Cloud to deliver exciting new capabilities to individuals and organizations. Diagnostic data helps Microsoft keep Office and these experiences secure, up to date, and performing as customers expect. Some organizations have wondered what happens to this data, how it’s used, and how they might control the flow. Revolutionary change in product transparency over the past year means commercial customer IT departments can now control this data. In this session, you’ll gain a deep understanding about diagnostic data, identify the benefits of diagnostic data to your organization, learn how you can view and manage this data, and hear from a customer that has implemented the controls. This session is presented by Brian Albrecht and Steve Conn. Brian runs the Microsoft Office Data, Privacy, and Insights PM Team and is responsible for diagnostic data privacy and compliance with GDPR and next generation privacy regulations across the Office 365 client experiences. Steve has worked on Office and Windows in various marketing and engineering roles for 12 years.

The future of Office: The insiders view and how we’re making it easier for IT admins and organizations to deploy and use Office 365 ProPlus (BRK3298). Are you interested in what’s being developed for Office 365 ProPlus deployment? In this panel, moderated by Amesh Mansukhani, Microsoft CVPs Aleš Holeček and Tara Roth dive deep into what we’re bringing in the coming year to IT Admins and organizations around Office 365 ProPlus deployment. We also talk about the Office Insider program and why it’s a necessary component to successful deployments. And, we’ll get some real-world feedback from several customers, including Thuy Mesina from Chevron and Jason Meyers from Mars, about their recent experiences with ProPlus deployment and the Office Insider program.

Moving to Windows 10 and Office 365 ProPlus? FastTrack is here to help! (BRK2177) Learn from the FastTrack experts Sean McLaren and Bryan Allen as they share deployment best practices and learnings from experience with customers moving to Windows 10 and Office 365 ProPlus. The clock is ticking on end of support for Windows 7, with the January 14, 2020 deadline quickly approaching. Learn how FastTrack can help you accelerate your upgrade to Windows 10 with Desktop Analytics and leverage your existing investments in System Center Configuration Manager. You’ll also learn how we can help you deploy Office 365 ProPlus, mitigate application compatibility issues with Desktop App Assure, and keep your devices up to date. FastTrack for Microsoft 365 is your advisor to help deploy Windows 10 and Office 365 ProPlus, and leverage the value of Office in the cloud at no additional cost.

We look forward to seeing you at Ignite in Orlando, Florida starting November 4! Come talk with us at the Hubb. Our experts are easiest to find in the following booths: Office 365 ProPlus Deployment, Office Insiders Program, and FastTrack. For those not joining Ignite in person, you can watch livestream keynotes and some select sessions on-demand. As always, visit our Docs page to see what’s new in Office 365 ProPlus, watch our YouTube Deployment channel, and join the Office Insider program.

You may also find the following additional resources useful:

Understanding Office 365 ProPlus Updates for IT Pros (CDN vs SCCM)


In supporting customers in the field, we receive many questions about Office 365 ProPlus update process. The objective of this blog is to provide context around end user behavior during update scenario and clarify when and how Office updates are applied. 

 

Office ProPlus was designed to be a cloud first product…. What does that mean?  It means that by default, Microsoft recommends you update Office 365 ProPlus directly from Microsoft Content Delivery Network (CDN).  While IT Pros are always in control,  Office 365 ProPlus is automatically kept up-to-date via evergreen model.  IT Pros can offload servicing aspect of Office 365 ProPlus to Microsoft so they can focus on other duties removing repetitive tasks.  At present, while we lead with CDN as our recommendation, the vast majority of Enterprise customers I work with prefer to manage updates from System Center Configuration Manager (SCCM) for a variety of reasons. (too many to list here such as network, governing process or political etc.)

Let’s compare and contrast both scenarios below to see which approach is best to address your business requirements.  Regardless, the goal is to ensure Office 365 ProPlus is serviced every month to address security and deliver features based on cadence suitable for our customers.

 

Quick refresher of Office ProPlus channel cadence –Simplified 

 

Monthly: Provide users with the newest features of Office as soon as they’re available.  This could be three or four builds per Month. (Updates should be delivered by CDN)

Semi-Annual Channel (Targeted): Provide pilot users and application compatibility testers the opportunity to test the next Semi-Annual Channel.  Features/fixes delivered every six months, in March and September (Updates can use CDN or SCCM)

Semi-Annual Channel: Provide users with new features of Office only a few times a year. Features/fixes delivered every six months, in January and July (Updates can use CDN or SCCM)

 

(Official Link is here Overview of update channels)

 

Note about PREVIEW feature using Delivery Optimization for Office 365 ProPlus install/updates

 

The point of the channels is to define the timing when those cumulative builds include features and fixes in addition to security. If you would like more information about channel management please see my other posting for more information called How to manage Office 365 ProPlus Channels for IT Pros

 

*This blog will focus primarily on update process.  Deployment of Office 365 ProPlus is out of scope and will assume Office 365 ProPlus is already installed on the machine.

 

Update from CDN

Prerequisites

  • Automatic Updates is Enabled by default (equivalent GPO is “Enable Automatic Updates”). If disabled, Office 365 ProPlus will never update.

Benefits

  • Admins don’t have to spend time developing processes to duplicate CDN content on-premises.
  • Admins don’t have to build processes to target software updates to collections. Each machine will pull updates on its own.
  • Aligns with “Modern Desktop” motion where machines are increasingly managed by Mobile device management (MDM) rather than on-premises solutions without requirement for any infrastructure.
  • CDN supports a variety of advanced policies to control updates at granular level such as “delay downloading and installing updates for Office”, “prioritize BITS”, “Target Version”, “Update Channel”, “Update Deadline”. IT Pros can control updates effectively without the need for on-premises software.
  • Leverages inbox task scheduler \Microsoft\Office\Office Automatic Updates 2.0 to perform updates based on trigger mechanism (Weekly, At log on, On idle)

Note: On idle is very interesting trigger condition in that it can check for criteria such as user absence and lack of resource consumption to determine opportunistic time to retry updates (no reboots required when Office applications are closed).

 

Reference Links for next section: Update history for Office 365 ProPlus (listed by date) and Download sizes for updates to Office 365 ProPlus

 

User Experience when updating from CDN

Let’s imagine Office 365 ProPlus has the June 2019 build installed, which is Version 1808 (Build 10730.20348).  “Patch Tuesday” rolls around and on July 9th 2019 the July build is released, which is Version 1902 (Build 11328.20368).  Based on the trigger assigned, the scheduled task “Office Automatic Updates 2.0” will detect that a newer build is applicable.  Upon initial release to CDN, a new build is temporarily throttled until signals are received verifying that the release is of the highest quality.  As a result, IT Pros may observe that updates do not occur on Day 0 on all machines but rather over a period of days.  Alternatively, IT Pros can intervene and enable the policy “delay downloading and installing updates for Office” and simply define when the update installs based on a number of days.   This mirrors the servicing plans feature in SCCM for delivering Windows Feature Updates and makes it easy to build rings.

 

Since the build installed is the most recent version, we can leverage a feature called binary delta compression to help reduce the size of the files further.  Therefore, keeping Office ProPlus up-to-date is friendlier on the network.  Office will download deltas and stage them in C:\Program Files\Microsoft Office\Updates\Download.  After download, Office Automatic Updates 2.0 will attempt to update Office 365 ProPlus.  If no Office applications are open, it will update.  If Office applications were open at the time of the update request, a series of notifications will occur over a period of days. (Officially documented here)

 

Specifically, if, after four days, the updates still aren’t applied, a message appears in the notification area in Windows, telling the user that updates are available.


If, after six days, the updates still aren’t applied, a message appears in any newly opened Office document, reminding the user that updates are available.  We refer to this as the “BusBar” which allows user to drive change when convenient. 


Clicking “Update now” when Office applications are open will result in sample dialogue below.  Clicking continue will save work, update and reopen applications.


The Office backstage also offers an “Update now” selection driven by the user, which will check for updates and download the build, resulting in the same prompt as above.


IT Pros can also configure policy “Update Deadline” to set a deadline by when updates for Office must be applied.  Users are given notifications leading up to the deadline. For example, within seventy-two hours of the deadline, users see a message, in any newly opened Office document, that updates are blocked.


Additional reminders will appear leading up to deadline notifying user update is mandatory.  This message appears every two hours. It’ll also be shown 60 minutes, 30 minutes, 15 minutes, and 5 minutes before the deadline.


If the deadline arrives and the updates still aren’t applied, users see a dialog box that warns them that they have 15 minutes before the updates are applied.


 

User Experience when updating from SCCM

 

Prerequisites

  • SCCM Current Branch with Windows Server Update Services (WSUS) 4.0. You can’t use WSUS by itself to deploy these updates; you need to use WSUS in conjunction with Configuration Manager.
  • The hierarchy’s top level WSUS server and the top level Configuration Manager site server must have access to the following URLs: *.microsoft.com, *.msocdn.com, *.office.com, *.office.net, *.onmicrosoft.com, officecdn.microsoft.com, officecdn.microsoft.com.edgesuite.net.
  • Office 365 Client product must be selected from products tab under Software Update Point Component Properties and synchronize software updates after change. Once complete, you should see Office 365 Client Updates populate the Office 365 Updates node under Office 365 Client Management within Software Library tab in SCCM Console.
  • Office 365 Client Management must be enabled on the client. This can be configured in multiple ways: adding OfficeMgmtCOM="TRUE" in configuration.xml during installation, enabling the domain policy “Office 365 Client Management”, or toggling “Enable management of the Office 365 Client Agent” to Yes from within SCCM Client settings under Software Updates.  You can verify by launching dcomcnfg.exe on the client computer and confirming the OfficeC2RCom application is registered.  Only one method is required; policy overrides and takes priority over all other methods.  The purpose of the COM application is to allow Office 365 ProPlus to interop with SCCM to pull updates from distribution points rather than the CDN.

Example of running dcomcnfg.exe

Note about PREVIEW feature using Delivery Optimization for Office 365 ProPlus install/updates

The overwhelming majority of enterprise customers use SCCM to deliver Office 365 Client updates for compliance and distribute content from Distribution Points.  Microsoft is always working hard to provide customers additional options, including the new feature Delivery Optimization and Office 365 ProPlus, which is now in Preview.  Please read the article for full details, but the one-liner is that customers will be able to install AND update Office 365 ProPlus sourcing content from peers without infrastructure requirements, which we’re super excited about (no more “thick packages” or distributing loads of content to support a simple language pack).  If you enabled OfficeMgmtCom for SCCM integration, this action must be reversed in order to use Delivery Optimization (DO). The Microsoft Office Click-to-Run Service is responsible for registering and unregistering the OfficeC2RCom (OfficeMgmtCOM) application during service startup.  Changing domain policy or SCCM client settings for Office 365 Client Management from ‘Enabled’ to ‘Not configured’ is not enough.  Domain Policy or SCCM Client settings require an explicit ‘Disable’ selection for OfficeC2RCom to be successfully deregistered and the default configuration restored. Further, any custom update path configuration must also be removed.

 

Benefits

  • Office 365 ProPlus updates can easily be included in the same software deployment as monthly Windows patch process. As a result, all existing business processes and change control can be aligned in the same manner as legacy MSI Office products.
  • Clients will only pull down what’s needed to update themselves from Distribution Point.
  • SCCM Administrators can download the cumulative build one time from the internet and then deploy it to all distribution points so clients pull updates from intranet sources.
  • Administrators can make the deployment Available (optional, where the user is notified of the update)
  • Administrators can make the deployment Available for a period of time prior to the Installation Deadline. In this scenario, the Office 365 Client using OfficeMgmtCOM will pull deltas from the distribution point prior to the Installation Deadline and give the user a chance to “Update now” via the BizBar discussed above at a time which is convenient for them.  This is especially important in an ever more mobile world where machines are mobile and not powered on all the time.  Further, IT Pros can get some early production validation, as some subset of their population will update prior to the Installation Deadline, giving them advance notification of any problems prior to broad deployment.
  • Administrators can make deployment Available time and Installation Deadline the same time. SCCM will ensure update is downloaded and installed at Deadline. (additional details on user experience below)
  • Administrators can enable SCCM features such as Peer Cache so clients can share content among themselves further reducing network WAN traffic. (Peer cache for Configuration Manager clients)

 

User Experience when updating from SCCM

Note: The frequency of toast notifications from SCCM is configurable within “Client Settings” under “Computer Agent”. This configuration is applicable to all software deployments, not just Office 365 Client.

The setting can be found within the SCCM console under client settings.

SCCM Deployment Scenarios

 

Scenario 1 – Available only

If the deployment is Available only, the user will only see a toast notification in the system tray for a few seconds, and the Office update will never be deployed automatically.  The problem is that this notification isn’t context sensitive, so it simply takes the end user to Software Center, and it also doesn’t ensure security compliance.  Therefore, this approach isn’t used often in my experience.

 

Scenario 2 – Available with future Installation Deadline

This scenario is a good fit for customers who desire faster compliance and no reboots for Office 365 ProPlus updates, and who are comfortable with additional Office 365 ProPlus end user toast notifications, in-app notifications, and the Office 365 ProPlus countdown dialog leading up to the deadline.  If the SCCM deployment is Available with a future Installation Deadline, Office 365 ProPlus, working with the OfficeC2RCom application, will download the necessary Office build pieces (not the entire build) and stage them for installation, pulling content from the Distribution Point.  When COM is enabled and a new build is staged, a restart of Windows will not result in installation of the update.  Immediately after the newer build is staged, any Office 365 ProPlus application which is reopened will immediately see the “BusBar” with the end user option to drive change through the “Update now” button.  This is a subtle difference compared to the CDN scenario, where the banner shows only after a number of days.  Clicking the button results in the same workflow as defined in the CDN section.  When content is prestaged, there are a number of potential notifications. Please review the bullet items in blue on the page Manage Office 365 ProPlus with Configuration Manager for all the details, as there are many.

For example:

“BusBar”

Business Bar

Once build is staged, a toast notification might not display until the user clicks the icon in the notification area which is easy to miss. 

“Basic notification”, which can sometimes be hidden under the task bar chevron

 

7.5 hours prior to the deadline, Office will show an ‘Enforced Toast’, which brings the above “Office Updates Available” toast to the foreground.  If the user doesn’t click “Update now”, the end user will potentially receive three additional notifications with a countdown.  If no decision is made to postpone, Office applications will be forced closed and updated prior to the deadline defined in SCCM.

Minute countdown; Second countdown; Updates Installed

If user postponed update by clicking ‘Postpone’ and deadline is eventually reached, standard SCCM restart window will be displayed with countdown.  Additionally, Office may also raise additional notification with 30 minute countdown.  Important to note, countdown from SCCM and Office countdown are not synchronized in any way, they work on separate timers.

 


Scenario 3 – Available and Required Installation Deadline have same date

This scenario is best for IT Pros who want to minimize notifications to the end user unless the deadline has been reached. (Office content is not prestaged.)  If the software deployment Available time and Installation Deadline have the same date, the SCCM Client will determine that the deadline has been missed and therefore make the deployment immediate.  The typical notification workflow will be presented to the user.


In this case since deadline has passed, download will begin automatically.


Once content has been downloaded, SCCM will immediately initiate Office update with following logic:  

  • If all Office applications are closed, update will occur with no reboot. 
  • If any Office applications are open, the standard SCCM reboot workflow occurs.


The end user will begin to see the SCCM “Restart Window” below, which shows a countdown until restart is forced.  The countdown frequency of notifications is controlled solely by the SCCM Client and can be configured within the Client Settings node within the SCCM Console.


FAQ:

Is there a simple way to hide all notifications in Office such as the “Biz Bar” with button “Update Now?”

Yes. Use “Hide Update Notifications” GPO or registry

HKLM\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate
"hideupdatenotifications"=dword:00000001

Warning: This registry setting doesn’t apply to deadline notifications such as the large white splash screen with countdown.

 

 

Is there an official Microsoft page which talks about this topic?

Yes. Manage Office 365 ProPlus with Configuration Manager

 

If the download is supposed to only contain deltas and stage to C:\Program Files\Microsoft Office\Updates\Download, why in my environment is it staged in C:\Windows\ccmcache and as a full build? (~2GB)

This means the SCCM “Peer Cache” feature is enabled and content is available to be shared with other peers.  Windows is leveraging an NTFS feature called “Sparse Files”.  Looking closely at size on disk details, you can compare the differences between the full data and the one on the right using peer cache. (Peer cache really only downloaded 80 MB.)


I’ve done everything I can think of and the OfficeC2RCom application never shows within the MMC console.  In fact, when I browse COM applications from within dcomcnfg.exe, My Computer has a red down arrow?

This means COM, part of .NET, may be corrupted on the machine.  Office cannot register the application as COM itself is broken.  Typically this is an edge case and requires a rebuild of Windows 🙁

 

You mentioned On idle update feature in CDN section but was omitted for SCCM, why?

“By design”, feature is enabled only for CDN scenario.

 

Users who launch Office immediately after logon receive message “Updating Office, please wait a moment”.  Why?


This means the Office update was attempted while applications were open, which cannot succeed.  Therefore, the build was staged so the Microsoft Office Click-to-Run Service could retry the update on Windows startup.  In this edge case, the user was able to access the desktop and launch an Office application while the Office update process was in progress.  If easily reproducible, this is often a reflection of a slow boot process and Windows startup performance.  It is best to troubleshoot by removing 3rd party filter drivers and/or startup items.

 

I’ve tried everything and Software Center never shows Office 365 Client build applicable to my machine?

Review how Office 365 ProPlus determines priority:

 

1st Priority : GPO "UpdatePath" - HKLM\software\policies\microsoft\office\16.0\common\officeupdate!updatepath
2nd Priority : GPO "UpdateChannel" - HKLM\software\policies\microsoft\office\16.0\common\officeupdate!updatebranch
3rd Priority : "UpdateURL" or UpdatePath="\\Server\Share" under HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration
4th Priority : "CDNBaseURL" - HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration\CDNBaseUrl

Reflecting on the priority list above, have you intentionally or unintentionally set a GPO “UpdatePath” – HKLM\software\policies\microsoft\office\16.0\common\officeupdate!updatepath or included an element inside configuration.xml during initial installation for UpdatePath, HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration\UpdatePath="\\Server\Share"? This in effect breaks native updates via SCCM as they take precedence.  To resolve, remove these values and reset HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration UpdateChannelChanged to False, run the Automatic Updates 2.0 scheduled task manually (or be patient and allow it to run) and then perform a Software Updates Deployment Evaluation Cycle from the SCCM Control Panel Applet.
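The priority order above can be checked mechanically. The following PowerShell is an added example, not code from the original post: it takes the values of the two registry keys and reports which setting wins and whether the winner is one of the custom update paths that the post says takes precedence over SCCM. The function names and sample data are hypothetical, and the ordering of the two priority-3 values relative to each other is an assumption.

```powershell
# Added example (not from the original post). Registry value names are the ones
# the post lists; function names and the sample data are hypothetical.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate'
$C2RKey    = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'

function Read-RegistryValues {
    # Returns all values of one key as a hashtable (empty if the key is absent).
    param([string]$Path)
    $values = @{}
    if (Test-Path -LiteralPath $Path) {
        $key = Get-Item -LiteralPath $Path
        foreach ($name in $key.GetValueNames()) {
            $values[$name] = $key.GetValue($name)
        }
    }
    return $values
}

function Resolve-OfficeUpdateSource {
    param([hashtable]$Policy = @{}, [hashtable]$C2R = @{})

    # Priority order as listed in the post; the first non-empty value wins.
    # CustomPath marks the settings the post says take precedence over SCCM.
    # Assumption: UpdateUrl is checked before UpdatePath within priority 3.
    $candidates = @(
        [pscustomobject]@{ Priority = 1; Setting = 'GPO UpdatePath (updatepath)';      Value = $Policy['updatepath'];   CustomPath = $true  }
        [pscustomobject]@{ Priority = 2; Setting = 'GPO UpdateChannel (updatebranch)'; Value = $Policy['updatebranch']; CustomPath = $false }
        [pscustomobject]@{ Priority = 3; Setting = 'ClickToRun UpdateUrl';             Value = $C2R['UpdateUrl'];       CustomPath = $true  }
        [pscustomobject]@{ Priority = 3; Setting = 'ClickToRun UpdatePath';            Value = $C2R['UpdatePath'];      CustomPath = $true  }
        [pscustomobject]@{ Priority = 4; Setting = 'ClickToRun CDNBaseUrl';            Value = $C2R['CDNBaseUrl'];      CustomPath = $false }
    )
    $set    = @($candidates | Where-Object { -not [string]::IsNullOrWhiteSpace([string]$_.Value) })
    $winner = $set | Select-Object -First 1

    $findings = @()
    if (-not $winner) {
        $findings += 'No update source value is set in either key.'
    } elseif ($winner.CustomPath) {
        $findings += "$($winner.Setting) takes precedence over updates deployed through SCCM; remove the value to restore SCCM servicing."
    }
    foreach ($s in ($set | Select-Object -Skip 1)) {
        $findings += "$($s.Setting) is set but shadowed by the priority $($winner.Priority) setting."
    }
    # The post's remediation resets UpdateChannelChanged to False after cleanup.
    $changed = [string]$C2R['UpdateChannelChanged']
    if ($changed -and $changed -ne 'False') {
        $findings += "UpdateChannelChanged is '$changed'; the remediation in the post resets it to False."
    }

    [pscustomobject]@{
        Priority      = if ($winner) { $winner.Priority } else { $null }
        Setting       = if ($winner) { $winner.Setting }  else { $null }
        Value         = if ($winner) { $winner.Value }    else { $null }
        OverridesSccm = [bool]($winner -and $winner.CustomPath)
        Findings      = $findings
    }
}

# Constructed sample: no policy values, but an UpdatePath left behind by the
# configuration.xml used at install time.
$samplePolicy = @{}
$sampleC2R = @{
    UpdatePath           = '\\fileserver.example\office-updates'
    CDNBaseUrl           = 'https://cdn.example.invalid/constructed-channel'
    UpdateChannelChanged = 'True'
}
Resolve-OfficeUpdateSource -Policy $samplePolicy -C2R $sampleC2R | Format-List

# On a real client, read the live keys instead:
# Resolve-OfficeUpdateSource -Policy (Read-RegistryValues $PolicyKey) -C2R (Read-RegistryValues $C2RKey) | Format-List
```

Run across a collection of clients, the OverridesSccm flag identifies machines that will not pick up monthly builds from the SCCM software update deployment.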

 

You didn’t mention updating from on-premises file share, why?

Updating Office 365 ProPlus from File Shares has been deemphasized as a strategy.  Initially Office 365 ProPlus didn’t support update workflows such as SCCM or Delivery Optimization and therefore customers used this approach.  However, this is resolved with SCCM Current Branch and modern versions of Windows 10, so this is no longer necessary. (still supported just less adopted)

 

The Author

This blog post is brought to you by Dave Guenthner, a Senior Premier Field Engineer and “ProPlus Ranger” at Microsoft. Feel free to share your questions and feedback in the comments below.

Office 365 ProPlus Deployment and Proxy Server Guidance


By far, the most important prerequisite for successful Office 365 ProPlus deployment is network configuration. 

 

Unlike older versions of Office, Office 365 ProPlus was designed from the ground up to work with cloud services such as Microsoft Content Delivery Network (CDN).  Microsoft recommends IT Pros “Bypass or white list endpoints on network devices and services that perform traffic interception, SSL decryption, deep packet inspection and content filtering” when accessing Microsoft Office 365 service endpoints.  

 

We often find customers apply “legacy” network configurations for on-premises only products to Office 365 ProPlus which can lead to slower product adoption, poor product performance, and higher cost of ownership.  The network requirements are documented in Office 365 URLs and IP address ranges document.

 

The goal of this blog is to clarify how IT Pros can optimize Office 365 ProPlus deployments with a proxy server in order to leverage a new concept called Hybrid or “Lean Installs”.

 

In terms of Office 365 ProPlus general deployment, we have several broad approaches. We’re going to focus on the 3rd option, “SCCM with Office CDN fallback” or “Lean Install”.

 

  • On-premises only – download and mirror all content from CDN on-premises. Enterprise customers have a variety of install packages (Base Office, Visio, Project, Visio + Project, second installs for languages).  All Office 365 ProPlus builds are cumulative and are updated monthly which can make this cumbersome and difficult to maintain as each permutation requires refreshed content.
  • Cloud only – installations from the Office portal and update workflow occur using CDN. End users in the enterprise are normally not Administrators so self-service installations from portal.office.com are blocked.  Further, installation from CDN doesn’t currently support custom configuration files to exclude applications and so forth.
  • SCCM with Office CDN fallback or “Lean Install” – IT Pros use SCCM (which has elevated permissions and allows custom configuration.xml files) to deploy Office 365 ProPlus but can either omit all or portions of the installation source and use CDN content.

Note: SCCM is not a requirement to adopt the “Lean Install” approach. If you are using a 3rd party deployment tool, identify the user context of the process using process monitor and adopt the proxy strategy below.

Lean install examples:

1st Install

SCCM package contains all Office 365 ProPlus content and only subset of languages. You support 12 languages but only include two primary languages in the application source to minimize content and include AllowCdnFallback as Enabled within configuration.xml.  During the Office 365 ProPlus installation process, the Office Deployment Tool (ODT) looks first for source files in local working directory. If the language pack files required aren’t available in local source location and the AllowCdnFallback setting within configuration.xml is set to True, then the ODT will leverage the Office CDN for the missing ones.

 

2nd Install

Office may need to be reconfigured to make changes to Office deployments without changing the version, like adding a language or Project/Visio. In this case, we only want the required bits to perform the change and nothing else.

 

All example scenarios above depend on the CDN to fetch content when embracing these new “Lean Install” approaches.  The primary reason we want to lean on the CDN is because it allows Office 365 ProPlus to only download the bits it requires for the change request resulting in the smallest network payload possible. 

 

Exploring 2nd Install Scenario in detail in terms of content size:

IT Pro wants to perform a 2nd install to add Project to an existing Office 365 ProPlus installation on one machine. 

 

If we use SCCM on-premises only strategy:

SCCM will download full Office content from CDN ~2GB.  SCCM will then copy this content to all distribution points to support scenario.  Let’s assume an enterprise customer has 50 distribution points, 2 GB * 50 = 100 GB per month every month (build needs to be up to date as to not downgrade client introducing security concerns).  Office 365 ProPlus builds are cumulative, irrespective of channel, so this content changes each month.

 

If we use SCCM with Office CDN fallback:

SCCM calls ODT Setup.exe /configure to add Project, only ~41 MB will be downloaded from CDN. 

Note: Make sure to use the MatchInstalled parameter in your XML.

We expect most customers will download and cache all Office 365 ProPlus content one time to existing machines to perform an upgrade to Office 365 ProPlus but once installed we recommend to leverage the lean technique going forward.

Note: Having “lean” applications in SCCM also means they rarely need to be updated. An occasional refresh of the Office Deployment Tool (ODT) is a good idea. (Less than 10 MB)

Tip: There are several ODT features which can benefit from approach (FallbacktoCDN, MatchPreviousMSI, MatchInstalled, MatchOS)

 

Proxy Challenge

To be clear, even if the lean installation is triggered by an admin user, it still requires the computer (System account) to be able to access the internet in order to support all installation scenarios.  Most of the customers we visit in the field prohibit computers from accessing the internet directly.  Typically, only Users can access the internet through a proxy server or via PAC file.  These User settings are defined as WinINET proxy setting you’ll find in Internet Explorer. 

Standard proxy configuration in Internet Explorer

So, what about the local SYSTEM account needed by SCCM?  If customers follow guidance to allow users and computers direct access to Office 365 endpoints, everything “just works”.  However, often we find customers only configure network proxy for Users and therefore the “lean install” scenarios fail. (Installation will hang as Office Deployment Tool running as SYSTEM process will fail when attempting to access Office CDN)

 

OK, what can we do to solve problem?  Configure additional proxy settings using Microsoft Windows HTTP Services (WinHTTP) and Background Intelligent Transfer Service (BITS) for System Account.   

 

Recommended actions

  1. Configure WinINET Proxy for SYSTEM
  2. Sync configuration from WinINET to WinHTTP

*In this way, we ensure one proxy configuration is set for WinINET and WinHTTP regardless of application caller and network API used.

Note: In my lab I use PSEXEC.EXE to accelerate testing.

From an elevated command prompt, run PSEXEC.EXE -s -i cmd.exe. This launches a cmd.exe process in the SYSTEM context to simulate an SCCM package, etc. Type whoami at the command line to verify.

C:\Windows\System32>whoami
nt authority\system

Sample commands to set WinINET and import into WinHTTP:

C:\Windows\System32>bitsadmin /util /setieproxy localsystem MANUAL_PROXY proxy.contoso.com:8080 ";*.contoso.com"
C:\Windows\System32>netsh.exe winhttp import proxy source=ie

Sample commands to reset:

C:\windows\system32>bitsadmin /util /setieproxy localsystem RESET
C:\windows\system32>netsh winhttp reset proxy

The proxy server/network team should only allow computer access to the internet URLs defined by the Office 365 URLs and IP address ranges document, as well as any other URLs that they want to explicitly allow the Computer account to access.

 

In summary, configuring a SYSTEM proxy enables adopting a “lean” Office 365 ProPlus deployment strategy which can greatly reduce complexity and cost of ownership to operate Office 365 ProPlus. 

 

Additional Reference Documentation on proxy configuration for Windows

Use Group Policy to apply WinHTTP proxy settings to Windows clients

bitsadmin util and setieproxy

Office 365 system requirements changes for Office client connectivity

Editor’s note:

Changes have been made to the Office 365 system requirements. Go here to see the September 6, 2018 update and announcement: https://www.microsoft.com/en-us/microsoft-365/blog/2018/09/06/helping-customers-shift-to-a-modern-desktop/

 

Today on the Office blog, we announced changes to Office 365 system requirements for Office client connectivity and how we will make it easier for enterprises to deploy and manage Office 365 ProPlus. In this post, we are sharing some more detail on what the system requirement changes mean for IT between now and 2020 and why we’ve decided to make this change.

 

As technology evolves, system requirements need to change

The new system requirements provide clarity and predictability for client connectivity to Office 365 services. When customers connect to Office 365 with a legacy version of Office, they’re not enjoying all that the service has to offer: the IT security and reliability benefits and end user experiences in the apps are limited to the features shipped at a point in time.

 

When we release new on-premises apps and servers, we use that opportunity to update the system requirements. But there is not yet a common convention on when to update system requirements for a multitenanted cloud service that is always up to date. In the absence of that, we are sharing these system requirement changes as early as possible and as part of a larger discussion of the Office 365 ProPlus roadmap for deployment and management capabilities.

 

As we get closer to 2020, we will share more details about implementation and the user experience for affected desktop clients. The updated Office 365 system requirements for Business, Enterprise and Government plans state:

 

Effective October 13th, 2020, Office 365 will only support client connectivity from subscription clients (Office 365 ProPlus) or Office perpetual clients within mainstream support (Office 2016 and Office 2019). (Please refer to the Microsoft support lifecycle site for Office mainstream support dates.)

 

Here is a high-level summary of the implications for client connectivity in 2020, depending on how you use Office 365:

| Connectivity to Office 365 | Impact of change | Technical implications | Recommended actions |
| --- | --- | --- | --- |
| Office 365 ProPlus or Office clients in mainstream support (Office 2016 and Office 2019) | No change | Plan for regular updates to stay within support window | No action required |
| Office clients outside mainstream support | Client connectivity no longer supported | Office desktop client applications, such as Outlook, OneDrive for Business and Skype for Business clients will not connect to Office 365 services | Upgrade to current version of ProPlus or mainstream Office clients or use browser or mobile apps |
| Browser and mobile apps | No change | No change | No action required |
| Office desktop clients outside mainstream support not using Office 365 | No change | Set your own desktop upgrade timeline, in line with your on-premises server upgrades. When planning to move to Office 365 services, an Office client upgrade will be required | No action required |

 

 

2020 may sound like a long way away, but your feedback to us has been consistent: the more advance notice for Office 365 changes, the better. Providing over 3 years advance notice for this change to Office 365 system requirements for client connectivity gives you time to review your long-term desktop strategy, budget and plan for any change to your environment.

 

For now, the key takeaway is: Office 365 ProPlus is our recommended Office client for Office 365 users. This is the Office client that stays up to date with frequent feature releases and ensures the best service experience.

 

Here are some resources to help you plan for a ProPlus upgrade:

 

Thank you!

 

New feature: Make changes to Office deployments without changing the version

With the most recent release of the Office Deployment Tool (ODT) we have implemented a new feature based on customer feedback. Starting with version 16.0.11615.33602, it is possible to make changes to an existing installation of Office 365 ProPlus while keeping the installed version as is, even when a newer one is available on the Office CDN or in your network share/local folder.

 

Scenario

Let’s assume that you want to add, for example, a Language Pack to an installation of Office 365 ProPlus on a certain device in an automated fashion. We also assume that the device is not on the most recent build of its update channel, e.g. the device is still on SAC 1803. Maybe there is still some testing to be done before SAC 1808 can be deployed across the organization.

The updated “version” handling allows you to add e.g. Language Packs, Proofing Tools, additional products (like Visio or Project) or apps without updating the installed build, even when a newer build is available in the source location (Office CDN or the specified source path).

In the past the ODT automatically updated the installation to the latest build while installing the specified product, Language Pack or Proofing Tool.

 

 


 

How to use

The usage of the new feature is straightforward. Instead of specifying a build number (like 16.0.9126.2356), you just specify “MatchInstalled”. This instructs the ODT to keep whatever build version is already installed.

 

Benefit

In the past we saw different workarounds to pin the version. These ranged from manually updating the configuration.xml with the correct build number every time to custom scripts which injected the build number into the configuration.xml on the fly. The new feature allows you to retire such workarounds and use a consistent method across update channels and versions.

 

Sample XMLs

The following XML is an implementation example of the “dynamic, lean and universal packaging” concept, which greatly reduces effort and maintenance costs of install packages. The configuration file will install Project, match the languages to already installed Office products and keep everything else (architecture (x86/x64), update channel and version) as is:

<Configuration>
	<Add Version="MatchInstalled">
		<Product ID="ProjectProRetail">
			<Language ID="MatchInstalled" TargetProduct="All" />
		</Product>
	</Add>
</Configuration>

 

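The following XML will add the German Language Pack and keep the architecture (x86/x64), update channel and version as is:

<Configuration>
	<Add Version="MatchInstalled">
		<Product ID="LanguagePack">
			<Language ID="de-de" />
		</Product>
	</Add>
</Configuration>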

 

Prerequisites

In order to use the new feature, the following prerequisites apply:

  • Use Office Deployment Tool 16.0.11615.33602 or newer
  • The feature is intended to be used when an existing installation is modified or something is added to it. If no installation is present, “MatchInstalled” for “Version” will be ignored and the ODT will go through normal detection to install the proper version. No hard error occurs in such a case.
  • If you are not using the Office CDN as an installation source, make sure to have the matching source files in your specified source path. We recommend leveraging the Office CDN.

 

The Authors

This blog post is brought to you by   and , two ProPlus Rangers at Microsoft. We’re looking forward to your questions and feedback in the comments below.

Microsoft wants your ideas on end user adoption & engagement with Microsoft 365 & Office 365


 

Edit: Survey results as of August 6, 2019: Thank you to all who participated in the survey! Here are the top 5 takeaways from your responses:

  • Who: Admins and adoption/change management teams start with support from decision-makers and leverage power-users.
  • Challenges: Lack of time, executive support/budget, metrics, training resources, and the complexity of newer apps.
  • Needs: Adoption statistics and product roadmaps to help plan, plus training in the form of business scenarios and short, guided tutorials and videos.
  • MS Comms: It’s ok for Microsoft to communicate to end users only if admins/adoption teams can control/customize frequency and content.
  • Portal: Admins/adoption teams want all content centrally stored and navigable for easy referral and use.

 

Survey request as of June 12, 2019: Microsoft is looking for IT professionals like you to provide feedback on end user adoption and engagement for Microsoft 365 / Office 365 through a brief survey. Topics include key challenges in your role, end-user adoption and engagement practices, and preferred communications from Microsoft. Your feedback will help drive the types of content Microsoft develops for you and your end-users.

 

To qualify for this survey, you must meet the following criteria:

 

  • Your role involves end-user training / change management / adoption of Microsoft 365 & Office 365 applications
  • You are not in government or education sectors
  • Your organization has at least 150 employees / seats on Microsoft 365 & Office 365 subscription

Dynamically convert MSI versions of Project and Visio to Click-to-Run

With the latest release of the Office Deployment Tool (ODT) we have implemented a new feature based on customer feedback. It is now possible to make the installation of a C2R product dependent on the previous presence of an MSI-based product. As it works for all products, it is especially helpful when deploying Project and/or Visio to users who had it previously. The feature is known as MSI Condition.

 

Prerequisites
In order to use the new feature, the following prerequisites apply:
• Office Deployment Tool 16.0.11901.20022 or newer
• The feature is intended to be used when an Admin wants to migrate the user from Office/Project/Visio in one pass with one XML.
• If you are not using the Office CDN as an installation source, make sure to have the matching source files in your specified source path.
• MSI Condition will detect 2010/2013/2016 MSI products.

 

Scenario
Since the release of RemoveMSI we’ve had the capability for your “first install” to match the MSI version of Office and replace it with Office 365 ProPlus. MSI Condition allows an admin to specify a list of MSI Product IDs along with a Product ID for a Click-to-Run install such as Subscription, Standard Perpetual and Professional Perpetual.

 

How to use
To use this feature, simply add the MSICondition attribute to the Product node as shown in the example below. Once you have created the XML, run setup.exe /configure as you would with any other installation process, and that’s it.
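A pre-flight check that can run before setup.exe /configure, as an added example (not part of the original posts or of the ODT): it flags a configuration.xml that uses MatchInstalled or MSICondition with an ODT older than the minimum versions stated in the two prerequisites lists on this page. The function names, the sample XML, the share path and the MSI product IDs in it are constructed for illustration.

```powershell
# Added example: lint an ODT configuration.xml before running setup.exe /configure.
# Minimum ODT versions are the ones stated in the prerequisites on this page.
$MinOdt = @{
    MatchInstalled = [version]'16.0.11615.33602'
    MSICondition   = [version]'16.0.11901.20022'
}

function Get-OdtVersion {
    # File version of the ODT's setup.exe, built from its numeric parts.
    param([Parameter(Mandatory)][string]$SetupPath)
    $vi = (Get-Item -LiteralPath $SetupPath).VersionInfo
    [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

function Test-OdtConfiguration {
    param(
        [Parameter(Mandatory)][xml]$Config,
        [Parameter(Mandatory)][version]$OdtVersion
    )
    $usesMatch = $Config.SelectNodes('//Add[@Version="MatchInstalled"] | //Language[@ID="MatchInstalled"]')
    $usesMsi   = $Config.SelectNodes('//Product[@MSICondition]')

    if ($usesMatch.Count -gt 0 -and $OdtVersion -lt $MinOdt.MatchInstalled) {
        [pscustomobject]@{ Severity = 'Error'
            Message = "MatchInstalled needs ODT $($MinOdt.MatchInstalled) or newer (found $OdtVersion)." }
    }
    if ($usesMsi.Count -gt 0 -and $OdtVersion -lt $MinOdt.MSICondition) {
        [pscustomobject]@{ Severity = 'Error'
            Message = "MSICondition needs ODT $($MinOdt.MSICondition) or newer (found $OdtVersion)." }
    }
    # Not using the Office CDN: the source path must hold the matching source files.
    foreach ($add in $Config.SelectNodes('//Add[@SourcePath]')) {
        [pscustomobject]@{ Severity = 'Warning'
            Message = "SourcePath '$($add.GetAttribute('SourcePath'))' replaces the Office CDN; confirm it holds the matching source files." }
    }
    # MSICondition only gates the C2R install; removal of the MSI product is a separate element.
    if ($usesMsi.Count -gt 0 -and $Config.SelectNodes('//RemoveMSI').Count -eq 0) {
        [pscustomobject]@{ Severity = 'Info'
            Message = 'MSICondition is used without <RemoveMSI />; this configuration does not remove the older MSI products.' }
    }
}

# Constructed sample input; the MSI product IDs and the share path are placeholders.
$sample = @'
<Configuration>
  <Add Version="MatchInstalled" SourcePath="\\server\share\Office">
    <Product ID="VisioProRetail" MSICondition="VisPro,VisProR">
      <Language ID="MatchInstalled" TargetProduct="All" />
    </Product>
  </Add>
</Configuration>
'@

# With a real package, pass (Get-OdtVersion -SetupPath .\setup.exe) instead of the literal.
Test-OdtConfiguration -Config $sample -OdtVersion '16.0.11615.33602' |
    Format-Table -AutoSize -Wrap
```

The XPath comparisons are case-sensitive, so the attribute values must be spelled as in the samples on this page for the check to match them.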

 

Benefit
In the past customers created very complex scripting to detect and replace Office products, in some cases running the install up to three times based on the number of previous products detected. We have even seen customers simply ignore Project and Visio and remove everything, then wait for helpdesk to get a call and replace it with the version the end user requested. MSI Condition makes your migration from MSI to C2R flow smoothly with one XML for your deployment which dynamically adjusts to the task at hand.

 

[Image: MSIcondition.jpg, a simplified XML illustrating MSI Condition]

Please note that the above picture shows a simplified XML, just to show the concept behind it. For a fully working XML, please refer to the next section.

 

Sample XML
The following XML will
• install Office 365 ProPlus from Monthly channel, and match the previously installed languages
• install Visio Pro on machines that already have any older MSI version of Visio Pro
• install Project Pro on machines that already have any older MSI version of Project Pro
• remove all older MSI versions of Office, Project and Visio

 

 

 

















 

 

 

Is this limited to Visio and Project?
No, it is not. The feature will accept any valid product ID for Click-To-Run and any MSI code as a condition. So you can mix and match to your specific needs. You could also build a deployment which installs, for example, Access Runtime for existing users of it:

 

 

 












 

 

 

 

The Authors
This blog post is brought to you by @Matt Philipenko (OFFICE PFE) and @Martin Nothnagel, two senior ProPlus deployment experts at Microsoft from the Services organization. We’re looking forward to your questions, feedback and comments below.

Office 365 Home and Personal Licensing and Activation Improvements

Since launching Office 365 to consumers, we have heard feedback from customers about the challenges in installing and using their Office subscription across multiple devices. The first step in addressing this issue happened in October 2018, increasing a single user’s device limits to five (meaning they can concurrently use five devices) for Office 365 Home and Office 365 Personal. Our next step in simplifying use across multiple devices will streamline the activation of a user’s device.

 

Beginning in May, we rolled out the following changes to customers on PCs, followed by Mac devices in July.

 

For customers, here’s what stays the same:

 

  • Sign in to activate Office: Users will continue to sign in to activate Office on their devices. When single sign-on is enabled, Office detects the user’s credentials and activates Office automatically.
  • Sign-in limits: Users will be able to install Office 365 on all their devices and be signed in to five at the same time. This includes any combination of PCs, Macs, tablets, or phones.

 

It’s important to stay signed in while you use Office on your device. This is what keeps your Office installation activated and ready to use.  

 

Here are the changes that you may notice:

 

  • No more prompts to deactivate: Users can install Office on a new device without being prompted to deactivate Office on another device.
  • Automatic sign-out: When a user reaches the sign-in limit (five devices), instead of being prompted to deactivate, the user will be automatically signed out of Office on the device where Office has been least recently used. The next time the user starts Office on that device, the user will be prompted to sign in to activate Office.

 

For more information on how sign-in works on devices where Office 365 is licensed, please visit this support article: https://support.office.com/en-us/article/how-sign-in-works-in-office-365-1d646e83-1585-4278-8daf-d4a2cc0905e0

 

Office 365 Client Licensing and Activation Improvements

Edit: July 30, Availability dates updated to reflect schedule.

 

Over the years, we’ve heard feedback from customers and IT Admins about the difficulty in managing Office activation for subscription-based Office clients, such as Office 365 ProPlus. We’re excited to announce upcoming changes to Office that will help simplify activation management and streamline the Office activation experience for users.

 

In August, we’ll start slowly rolling out these changes to commercial customers on Monthly Channel. The roll-out will continue to Semi-Annual Channel (Targeted) in January 2020.

 

For your users, here’s what stays the same:

 

  • Sign in to activate Office: Users will continue to sign in to activate Office on their devices. When single sign-on is enabled, Office detects the user’s credentials and activates Office automatically.
  • Sign-in limits: Users can sign in to activate Office on five desktops, five tablets, and five mobile devices.

 

Here are the changes that your users may notice:

 

  • No more prompts to deactivate: Users can install Office on a new device without being prompted to deactivate Office on another device.
  • Automatic sign out: When a user reaches the sign-in limit, instead of being prompted to deactivate, the user will be automatically signed out of Office on the device where Office has been least recently used. The next time the user starts Office on that device, the user will be prompted to sign in to activate Office.

 

Here are the changes that you as an admin may notice when managing devices where Office is installed:

  • Improved device reallocation: Previously, users who received reallocated devices could receive an error if the previous user deactivated the device from the portal or if you removed the Office 365 license from the previous user. Going forward, users will not receive the error because the activation and deactivation is user specific.
  • Improved activation reporting: Previously, when one user activated Office on a device and a second user later signed on to that device, the second activation was not displayed in the Admin Center’s Activation Reports. Going forward, both activations will be identified and displayed in the Activation Report.

 

Keep an eye out for these improvements as we start to slowly roll them out for our commercial customers. No additional action is required on your part.