Microsoft 365 Blog

Understanding Office 365 ProPlus Updates for IT Pros (CDN vs SCCM)

DaveGuenthner
Aug 08, 2019

In supporting customers in the field, we receive many questions about the Microsoft 365 Apps for enterprise (formerly known as Office 365 ProPlus) update process. The objective of this blog is to provide context around end-user behavior during update scenarios and to clarify when and how Office updates are applied.

 

Microsoft 365 Apps for enterprise was designed to be a cloud-first product. What does that mean? It means that by default, Microsoft recommends you update Microsoft 365 Apps for enterprise directly from the Microsoft Content Delivery Network (CDN). While IT Pros are always in control, Microsoft 365 Apps for enterprise is automatically kept up to date via an evergreen model. IT Pros can offload the servicing of Office to Microsoft, removing repetitive tasks so they can focus on other duties. At present, while we lead with CDN as our recommendation, the vast majority of Enterprise customers I work with prefer to manage updates from Microsoft Endpoint Configuration Manager (Configuration Manager), formerly known as SCCM, for a variety of reasons (too many to list here, such as network, governing process or politics).

Let’s compare and contrast both scenarios below to see which approach best addresses your business requirements. Regardless, the goal is to ensure Microsoft 365 Apps for enterprise is serviced every month to address security and deliver features on a cadence suitable for our customers.

 

Quick refresher of Microsoft 365 Apps for enterprise channel cadence (simplified)

 

Current Channel: Provide users with the newest features of Office as soon as they're available. This could be three or four builds per month. (Updates should be delivered by CDN)

Monthly Enterprise Channel: Provide your users with new Office features only once a month and on a predictable schedule. (Updates can be delivered by CDN or ConfigMgr)

Semi-Annual Enterprise Channel (Preview): Provide pilot users and application compatibility testers the opportunity to test the next Semi-Annual Channel. Features/fixes delivered every six months, in March and September.

Semi-Annual Enterprise Channel: Provide users with new features of Office only a few times a year. Features/fixes delivered every six months, in January and July. (Updates can be delivered by CDN or ConfigMgr)

 

(Official link: Overview of update channels)

 

The point of the channels is to define when those cumulative builds include features and fixes in addition to security. For more information about channel management, please see my other post, How to manage Office 365 ProPlus Channels for IT Pros.

 

*This blog will focus primarily on the update process. Deployment of Microsoft 365 Apps for enterprise is out of scope; we will assume Office 365 ProPlus is already installed on the machine.

 

Update from CDN

Prerequisites

  • Automatic Updates is by default Enabled (equivalent GPO is “Enabled Automatic Updates”). If disabled, Microsoft 365 Apps for enterprise will never update.

Benefits

  • Admins don’t have to spend time developing processes to duplicate CDN content on-premises.
  • Admins don’t have to build processes to target software updates to collections. Each machine will pull updates on its own.
  • Aligns with the “Modern Desktop” motion, where machines are increasingly managed by mobile device management (MDM) rather than on-premises solutions, without requiring any infrastructure.
  • CDN supports a variety of advanced policies to control updates at a granular level, such as “delay downloading and installing updates for Office”, “prioritize BITS”, “Target Version”, “Update Channel” and “Update Deadline”. IT Pros can control updates effectively without the need for on-premises software.
  • Leverages the inbox scheduled task \Microsoft\Office\Office Automatic Updates 2.0 to perform updates based on triggers (Weekly, At log on, On idle).

Note: On idle is a very interesting trigger condition in that it can check for criteria such as user absence and lack of resource consumption to find an opportunistic time to retry updates (no reboots required when Office applications are closed).

 

Reference Links for next section: Update history for Office 365 ProPlus (listed by date) and Download sizes for updates to Office 365 ProPlus

 

User Experience when updating from CDN

Let’s imagine Microsoft 365 Apps for enterprise has the June 2019 build installed, which is Version 1808 (Build 10730.20348). “Patch Tuesday” rolls around, and on July 9th 2019 the July build is released, which is Version 1902 (Build 11328.20368). Based on the trigger assigned, the scheduled task “Office Automatic Updates 2.0” will detect that a newer build is applicable. Upon initial release to CDN, a new build is temporarily throttled until signals are received verifying that the release is of the highest quality. As a result, IT Pros may observe that updates do not reach all machines on Day 0 but rather roll out over a period of days. Alternatively, IT Pros can intervene by enabling the policy “delay downloading and installing updates for Office” and defining the delay as a number of days. (*GPO is still subject to throttle.) This mirrors the servicing plans feature in Configuration Manager for delivering Windows Feature Updates and makes it easy to build rings, as long as the delay defined isn't shorter than the throttle.

 

Since the build installed is the most recent version, we can leverage a feature called binary delta compression to help reduce the size of the files further. Therefore, keeping Microsoft 365 Apps for enterprise up to date is friendlier on the network. Office will download deltas and stage them in C:\Program Files\Microsoft Office\Updates\Download. After download, Office Automatic Updates 2.0 will attempt to update Microsoft 365 Apps for enterprise. If no Office applications are open, it will update. If Office applications are open at the time of the update request, a series of notifications will occur over a period of days. (Officially documented here)

 

We receive frequent questions around deadlines and delivery of end-user notifications. While the CDN-only experience doesn't include Configuration Manager, the dialogs from Office overlap with Configuration Manager scenario 2 below. Therefore, examples of the Office notifications (the white dialogs which say "Office will update in X minutes") can be found below in a single place of reference.

 

When Office stages a build for installation, in app notifications within Office will occur in the following manner:

  • Without OfficeMgmtCom enabled (CDN):
    Business bar shown after 6 days 
  • With OfficeMgmtCom enabled (Configuration Manager):
    If update not applied, display business bar immediately upon next launch of Office app.

*Business bar is defined as the yellow in app notification which says "Update now".  See picture below in scenario 2.

 

Notifications and Countdown Dialogs

Toast notifications (system tray "Office Updates Available") delivered by Office and their potential timing

  • 24 hrs
  • 12 hrs
  • 6 hrs
  • 2 hrs
  • 30 mins

Countdown dialogs (Office-delivered white countdown dialogs)

  • 30 mins + postpone (2 hrs)
  • 30 mins + postpone (2 hrs)
  • 30 mins + enforced

 

User Experience when updating from Configuration Manager

 

Prerequisites

  • Configuration Manager Current Branch with Windows Server Update Services (WSUS) 4.0. You can't use WSUS by itself to deploy these updates; you need to use WSUS in conjunction with Configuration Manager.
  • The hierarchy's top level WSUS server and the top level Configuration Manager site server must have access to the following URLs: *.microsoft.com, *.msocdn.com, *.office.com, *.office.net, *.onmicrosoft.com, officecdn.microsoft.com, officecdn.microsoft.com.edgesuite.net.
  • The Office 365 Client product must be selected on the Products tab under Software Update Point Component Properties, and software updates must be synchronized after the change. Once complete, you should see Office 365 Client Updates populate the Office 365 Updates node under Office 365 Client Management within the Software Library tab in the Configuration Manager Console.
  • Management of Microsoft 365 Apps for enterprise must be enabled on the client. This can be configured in multiple ways: adding OfficeMgmtCOM="TRUE" in configuration.xml during installation, enabling the domain policy “Management of Microsoft 365 Apps for enterprise”, or toggling “Management of Microsoft 365 Apps for enterprise” to Yes in Configuration Manager Client settings under Software Updates. Only one method is required; policy overrides and takes priority over all other methods. You can verify by launching dcomcnfg.exe on the client computer and confirming the OfficeC2RCom application is registered. The purpose of the COM application is to allow Microsoft 365 Apps for enterprise to interoperate with Configuration Manager and pull updates from distribution points rather than the CDN.

Example of running dcomcnfg.exe

Note about PREVIEW feature using Delivery Optimization for Office 365 ProPlus install\updates

The overwhelming majority of enterprise customers use Configuration Manager to deliver Microsoft 365 Apps for enterprise updates for compliance and distribute content from Distribution Points. Microsoft is always working hard to provide customers additional options, including the new feature Delivery Optimization and Office 365 ProPlus, which is now in Preview. Please read the article for full details, but the one-liner is that customers will be able to install AND update Microsoft 365 Apps for enterprise sourcing content from peers without infrastructure requirements, which we're super excited about (no more "thick packages" or distributing loads of content to support a simple language pack). If you enabled OfficeMgmtCom for Configuration Manager integration, this action must be reversed in order to use Delivery Optimization (DO). The Microsoft Office Click-to-Run Service is responsible for registering and unregistering the OfficeC2RCom (OfficeMgmtCOM) application during service startup. Changing the domain policy or Configuration Manager client setting for Management of Microsoft 365 Apps for enterprise from ‘Enabled’ to ‘Not configured’ is not enough. The domain policy or Configuration Manager client setting requires an explicit ‘Disable’ selection for OfficeC2RCom to be successfully deregistered and the default configuration restored. Further, any custom update path configuration must also be removed.

 

Benefits

  • Microsoft 365 Apps for enterprise updates can easily be included in the same software deployment as monthly Windows patch process. As a result, all existing business processes and change control can be aligned in the same manner as legacy MSI Office products.
  • Clients will only pull down what's needed to update themselves from the Distribution Point.
  • Configuration Manager Administrators can download the cumulative build one time from the internet and then deploy it to all distribution points so clients pull updates from intranet sources.
  • Administrators can make the deployment Available (optional, where the user is notified of the update).
  • Administrators can make the deployment Available for a period of time prior to the Installation Deadline. In this scenario, the Office 365 Client using OfficeMgmtCOM will pull deltas from the distribution point prior to the Installation Deadline and give the user a chance to “Update now” via the BusBar discussed above at a time which is convenient for them. This is especially important in an ever more mobile world where machines are not powered on all the time. Further, IT Pros can get some early production validation, as some subset of their population will update prior to the Installation Deadline, giving them advance notice of any problems prior to broad deployment.
  • Administrators can set the deployment's Available time and Installation Deadline to the same time. Configuration Manager will ensure the update is downloaded and installed at the Deadline. (Additional details on user experience below.)
  • Administrators can enable Configuration Manager features such as Peer Cache so clients can share content among themselves, further reducing WAN traffic. (Peer cache for Configuration Manager clients)

 

Configuration Manager Deployment Scenarios

 

Scenario 1 - Available only

If the deployment is Available only, the user will only see a toast notification in the system tray for a few seconds; the Office update will never be deployed automatically. The problem is that this notification isn’t context sensitive, so it simply takes the end user to Software Center, and it also doesn’t ensure security compliance. Therefore, this approach isn’t used often in my experience.

 

Scenario 2 - Available with future Installation Deadline

Important change with ConfigMgr 2111

Starting with Configuration Manager 2111, configure the client setting Enable update notifications from Microsoft 365 Apps: No to disable the on-screen Office update notifications. This is set by default starting with 2111 and ensures all notifications come only from Software Center. This is a vast improvement and eliminates the need for the explanation in scenario #2.

 

[Guidance for Configuration Manager older than version 2111]

This scenario is a good fit for customers who desire faster compliance and no Windows reboots for Office 365 ProPlus updates, and who are comfortable with additional Microsoft 365 Apps for enterprise end-user toast notifications, in-app notifications and the Microsoft 365 Apps for enterprise countdown dialog leading up to the deadline. If the Configuration Manager deployment is Available with a future Installation Deadline, Microsoft 365 Apps for enterprise, working with the OfficeC2RCom application, will download the necessary Office build pieces (not the entire build) from the Distribution Point and stage them for installation. When content is prestaged, there are a number of potential notifications; please review the bullet items in blue on the page Manage Office 365 ProPlus with Configuration Manager for all the details, as there are many, or reference the list in the CDN section above.

 

For example:

"BusBar"

Business Bar

Once the build is staged, a toast notification might not display until the user clicks the icon in the notification area, which is easy to miss.

"Basic notification", which can sometimes be hidden under the task bar chevron

 

Examples of "Countdown dialogs"

Minute countdown, Second countdown, Updates Installed

Important to note: the countdown from Configuration Manager and the Office countdown are not synchronized in any way; they work on separate timers. Specifically, Configuration Manager will stamp the deadline date and time in the Office side of the registry. From that point on, Office and Configuration Manager notifications will in effect work independently, based on the deadline defined in the Software Update Group. For the pre-stage scenario, it's normal for Office to attempt to apply updates before the Configuration Manager defined deadline or to allow the user to temporarily extend beyond the deadline, based on the countdown dialog section above.

 

  

Scenario 3 - Available and Required Installation Deadline have same date

This scenario is best for IT Pros who want to minimize notifications to the end user unless the deadline has been reached. (Office content is not pre-staged.) If the software deployment Available time and Installation Deadline have the same date, the Configuration Manager Client will determine that the deadline has been missed and therefore make the deployment immediate. The typical notification workflow will be presented to the user.

In this case, since the deadline has passed, the download will begin automatically.

Once content has been downloaded, Configuration Manager will immediately initiate the Office update with the following logic:

  • If all Office applications are closed, the update will occur with no reboot.
  • If any Office applications are open, the standard Configuration Manager reboot workflow occurs.

The end user will begin to see the Configuration Manager “Restart Window” below, which shows a countdown until the restart is forced. The countdown and frequency of notifications are controlled solely by the Configuration Manager Client and can be configured within the Client Settings node in the Configuration Manager Console.

FAQ:

Is there a simple way to hide all notifications in Office such as the “BusBar” with button “Update Now?”

Yes. Use “Hide Update Notifications” GPO or registry

HKLM\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate
"hideupdatenotifications"=dword:00000001

This registry setting doesn't apply to deadline notifications such as the large white splash screen with countdown.

 

 

Is there an official Microsoft page which talks about this topic?

Yes. Manage Office 365 ProPlus with Configuration Manager

 

If the download is supposed to contain only deltas and stage to C:\Program Files\Microsoft Office\Updates\Download, why in my environment is it staged in C:\Windows\ccmcache as a full build (~2GB)?

This means the Configuration Manager “Peer Cache” feature is enabled and content is available to be shared with other peers. Windows is leveraging an NTFS feature called “Sparse Files”. Looking closely at the size on disk details, you can compare the differences between the full data and the one on the right using peer cache. (Peer cache really only downloaded 80 MB.)

I’ve done everything I can think of and the OfficeC2RCom application never shows within the MMC console. In fact, when I browse COM applications from within dcomcnfg.exe, My Computer has a red down arrow?

This means COM, part of .NET, may be corrupted on the machine. Office cannot register the application as COM itself is broken. Typically this is an edge case and requires a rebuild of Windows 😞

 

You mentioned the On idle update feature in the CDN section but omitted it for Configuration Manager, why?

"By design", the feature is enabled only for the CDN scenario.

 

Users who launch Office immediately after logon receive message "Updating Office, please wait a moment".  Why?

This means an Office update was attempted while applications were open, which cannot succeed. Therefore, the build was staged so the Microsoft Office Click-to-Run Service could retry the update on Windows startup. In this edge case, the user was able to access the desktop and launch an Office application while the Office update process was in progress. If easily reproducible, this is often a reflection of a slow boot process and Windows startup performance. It is best to troubleshoot by removing 3rd party filter drivers and/or startup items.

 

I've tried everything and Software Center never shows Office 365 Client build applicable to my machine?

Review how Office 365 ProPlus determines priority:

 

1st Priority : GPO "UpdatePath" - HKLM\software\policies\microsoft\office\16.0\common\officeupdate!updatepath
2nd Priority : GPO "UpdateChannel" - HKLM\software\policies\microsoft\office\16.0\common\officeupdate!updatebranch
3rd Priority : "UpdateURL" or UpdatePath="\\Server\Share" HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration
*4th Priority: UnmanagedUpdateURL - HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration\UnmanagedUpdateURL
5th Priority : CDNBaseURL - HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration\CDNBaseUrl

*This value is new as of May 2020; see official documentation

Reflecting on the priority list above, have you intentionally or unintentionally set a GPO "UpdatePath" - HKLM\software\policies\microsoft\office\16.0\common\officeupdate!updatepath or included an element inside configuration.xml during initial installation for UpdatePath HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration\UpdatePath="\\Server\Share"? This in effect breaks native updates via Configuration Manager, as these values take precedence. To resolve, remove these values and reset HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration UpdateChannelChanged to False, run the Automatic Updates 2.0 scheduled task manually (or be patient and allow it to run) and then perform a Software Updates Deployment Evaluation Cycle from the Configuration Manager Control Panel Applet.
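
The priority list above can be evaluated mechanically when a client is not offered the expected build. The following PowerShell is an added example, not code from the original post: the function names are hypothetical, the registry paths and value names are the ones listed in this FAQ, and the sample data is constructed.

```powershell
# Added example (not the author's code). Paths and priority order come from the
# FAQ list above; function names are hypothetical.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate'
$ConfigKey = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'

function Read-RegValues {
    # Return every value under a key as a hashtable (empty if the key is absent).
    param([string]$Path)
    $values = @{}
    if (Test-Path -LiteralPath $Path) {
        $item = Get-ItemProperty -LiteralPath $Path
        foreach ($p in $item.PSObject.Properties) {
            if ($p.Name -notin 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') {
                $values[$p.Name] = $p.Value
            }
        }
    }
    return $values
}

function Resolve-OfficeUpdateSource {
    param([hashtable]$Policy, [hashtable]$Config)
    # Rank 1 wins. Hashtable lookups are case-insensitive, like registry value names.
    $order = @(
        @{ Rank = 1; Store = 'Policy'; Name = 'updatepath' },
        @{ Rank = 2; Store = 'Policy'; Name = 'updatebranch' },
        @{ Rank = 3; Store = 'Config'; Name = 'UpdateUrl' },
        @{ Rank = 3; Store = 'Config'; Name = 'UpdatePath' },
        @{ Rank = 4; Store = 'Config'; Name = 'UnmanagedUpdateURL' },
        @{ Rank = 5; Store = 'Config'; Name = 'CDNBaseUrl' }
    )
    # Keep only the settings that are actually populated, in priority order.
    $set = @(foreach ($o in $order) {
        $source = if ($o.Store -eq 'Policy') { $Policy } else { $Config }
        $value  = $source[$o.Name]
        if (-not [string]::IsNullOrWhiteSpace([string]$value)) {
            [pscustomobject]@{ Rank = $o.Rank; Store = $o.Store; Name = $o.Name; Value = $value }
        }
    })
    # Per the page, an UpdatePath in either location takes precedence over
    # native Configuration Manager updates (-eq is case-insensitive).
    $paths = @($set | Where-Object { $_.Name -eq 'updatepath' })
    [pscustomobject]@{
        Winner               = $set | Select-Object -First 1
        Shadowed             = @($set | Select-Object -Skip 1)
        UpdatePathSet        = $paths.Count -gt 0
        UpdateChannelChanged = $Config['UpdateChannelChanged']
    }
}

# Constructed sample: no GPO, but a file-share UpdatePath left over from
# configuration.xml sits above the CDN base URL (placeholder values).
$samplePolicy = @{}
$sampleConfig = @{
    UpdatePath           = '\\Server\Share'
    CDNBaseUrl           = 'http://officecdn.microsoft.com/pr/<channel-guid>'
    UpdateChannelChanged = 'True'
}
Resolve-OfficeUpdateSource -Policy $samplePolicy -Config $sampleConfig | Format-List

# On a live client, read the real keys instead of the sample:
# Resolve-OfficeUpdateSource -Policy (Read-RegValues $PolicyKey) -Config (Read-RegValues $ConfigKey)
```

Where UpdatePathSet is True on a Configuration Manager managed client, the Winner entry identifies the value to remove before the reset steps described above.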

 

You didn't mention updating from on-premises file share, why?

Updating Microsoft 365 Apps for enterprise from file shares has been deemphasized as a strategy. Initially Microsoft 365 Apps for enterprise didn't support update workflows such as Configuration Manager or Delivery Optimization, and therefore customers used this approach. However, this is resolved with Configuration Manager Current Branch and modern versions of Windows 10, so this is no longer necessary (still supported, just less adopted).

 

Change log:

03/05/2021 Refreshing updated product names for Office and Configuration Manager and terms where possible

08/14/2020 Added Notifications and Countdown Dialogs section for more detail.

02/25/2022 Added note for Configuration Manager 2111 or greater which simplifies end user notifications as described in scenario #2.

 

The Author

This blog post is brought to you by Dave Guenthner, a Senior Premier Field Engineer and “ProPlus Ranger” at Microsoft. Feel free to share your questions and feedback in the comments below.

Updated Feb 10, 2023
Version 75.0