In supporting customers in the field, we receive many questions about Office 365 ProPlus update process. The objective of this blog is to provide context around end user behavior during update scenario and clarify when and how Office updates are applied.
Office ProPlus was designed to be a cloud first product…. What does that mean? It means that by default, Microsoft recommends you update Office 365 ProPlus directly from Microsoft Content Delivery Network (CDN). While IT Pros are always in control, Office 365 ProPlus is automatically kept up-to-date via evergreen model. IT Pros can offload servicing aspect of Office 365 ProPlus to Microsoft so they can focus on other duties removing repetitive tasks. At present, while we lead with CDN as our recommendation, the vast majority of Enterprise customers I work with prefer to manage updates from System Center Configuration Manager (SCCM) for a variety of reasons. (too many to list here such as network, governing process or political etc.)
Let’s compare and contrast both scenarios below to see which approach is best to address your business requirements. Regardless, the goal is to ensure Office 365 ProPlus is serviced every month to address security and deliver features based on cadence suitable for our customers.
Quick refresher of Office ProPlus channel cadence -Simplified
Monthly: Provide users with the newest features of Office as soon as they're available. This could be three or four builds per Month. (Updates should be delivered by CDN)
Semi-Annual Channel (Targeted): Provide pilot users and application compatibility testers the opportunity to test the next Semi-Annual Channel. Features\fixes delivered every six months, in March and September (Updates can use CDN or SCCM)
Semi-Annual Channel: Provide users with new features of Office only a few times a year. Features\fixes delivered every six months, in January and July (Updates can use CDN or SCCM)
(Official Link is here Overview of update channels)
The point of the channels is to define the timing when those cumulative builds include features and fixes in addition to security. If you would like more information about channel management please see my other posting for more information called How to manage Office 365 ProPlus Channels for IT Pros
*This blog will focus primarily on update process. Deployment of Office 365 ProPlus is out of scope and will assume Office 365 ProPlus is already installed on the machine.
Note: On idle is very interesting trigger condition in that it can check for criteria such as user absence and lack of resource consumption to determine opportunistic time to retry updates (no reboots required when Office applications are closed).
Reference Links for next section: Update history for Office 365 ProPlus (listed by date) and Download sizes for updates to Office 365 ProPlus
Let’s imagine Office 365 ProPlus has June 2019 build installed which is Version 1808 (Build 10730.20348). “Patch Tuesday” rolls around and on July 9th 2019 July build is released which is Version 1902 (Build 11328.20368). Based on the trigger assigned the scheduled task “Office Automatic Updates 2.0” will detect a newer build applicable. Upon initial release to CDN, a new build is temporary throttled until signals are received ensuring highest quality release have been verified. As a result, IT Pros may observe updates may not occur on Day 0 to all machines but rather over a period of days. Alternatively, IT Pros can intervene and enable policy “delay downloading and installing updates for Office” and simply define installing update based on number of days. This mirrors servicing plans feature in SCCM for delivering Windows Feature Updates and makes it easy to build rings.
Since the build installed is most recent version we can leverage a feature called binary delta compression to help reduce the size of the files further. Therefore, keeping Office ProPlus up-to-date is friendlier on network. Office will download deltas and will stage in C:\Program Files\Microsoft Office\Updates\Download. After download Office Automatic Updates 2.0 will attempt to update Office 365 ProPlus. If no Office applications are open, it will update. If Office applications were open at the time of update request a series of notifications will occur of period of days. (Officially documented here)
Specifically, If, after four days, the updates still aren't applied, a message appears in the notification area in Windows, telling the user that updates are available.
If, after six days, the updates still aren't applied, a message appears in any newly opened Office document, reminding the user that updates are available. We refer to this as the “BusBar” which allows user to drive change when convenient.
Clicking “Update now” when Office applications are open will result in sample dialogue below. Clicking continue will save work, update and reopen applications.
The Office backstage also offers a “Update now” selection driven by the user which will check for updates and download build resulting in same prompt above.
IT Pros can also configure policy “Update Deadline” to set a deadline by when updates for Office must be applied. Users are given notifications leading up to the deadline. For example, within seventy-two hours of the deadline, users see a message, in any newly opened Office document, that updates are blocked.
Additional reminders will appear leading up to deadline notifying user update is mandatory. This message appears every two hours. It'll also be shown 60 minutes, 30 minutes, 15 minutes, and 5 minutes before the deadline.
If the deadline arrives and the updates still aren't applied, users see a dialog box that warns them that they have 15 minutes before the updates are applied.
Overwhelming majority of enterprise customers use SCCM to deliver Office 365 Client updates for compliance and distribute content from Distribution Points. Microsoft is always working hard to provide customers additional options including the new feature Delivery Optimization and Office 365 ProPlus which is now in (Preview). Please read article for full details but one-liner is customers will be able to install AND update Office 365 ProPlus sourcing content from peers without infrastructure requirements which we're super excited about. (no more "thick packages" or distributing loads of content to support a simple language pack). If you enabled OfficeMgmtCom for SCCM integration, this action must be reversed in order to use Delivery Optimization (DO). The Microsoft Office Click-to-Run Service is responsible for registering and unregistering OfficeC2RCom (OfficeMgmtCOM) application during service startup. Changing domain policy or SCCM client settings for Office 365 Client Management from ‘Enabled’ to ‘Not configured’ is not enough. Domain Policy or SCCM Client settings require explicit ‘Disable’ selection for OfficeC2RCom to be successfully deregistered and restore default configuration. Further, any custom update path configuration must also be removed.
If the deployment is Available only, the user will only see a toast notification in the system tray for a few seconds, Office update will never be deployed automatically. The problem is this notification isn’t context sensitive so it simply takes end user to Software Center and it also doesn’t ensure security compliance. Therefore, approach isn’t used often in my experience.
This scenario is a good fit for customers who desire faster compliance, no reboots for Office 365 ProPlus updates and are comfortable with additional Office 365 ProPlus end user toast notifications, also in app notifications as well as Office 365 ProPlus countdown dialog leading up to deadline. If the SCCM deployment is Available with future Installation Deadline, Office 365 ProPlus working with OfficeC2RCom application will download the necessary Office build pieces (not the entire build) and stage for installation pulling content from Distribution Point. When COM is enabled and new build is staged, restart of Windows will not result in installation of update. Immediately after the newer build is staged, any Office 365 ProPlus application which is reopened will immediately see the “BusBar” with end user option to drive change through “Update now” button. This is a subtle difference compared to CDN scenario where banner shows only after a number of days. Clicking the button results in same workflow as defined in CDN section. When content is prestaged, there are a number of potential notifications, please review bullet items in blue from page Manage Office 365 ProPlus with Configuration Manager to review all details as there are many.
Once build is staged, a toast notification might not display until the user clicks the icon in the notification area which is easy to miss.
7.5 hours prior to deadline, Office will show 'Enforced Toast' which will present above "Office Updates Available" toast to foreground. If user doesn't click "Update now", end user will potentially receive three additional notifications with countdown. If no decision is made to postpone, Office applications will be forced closed and updates prior to deadline defined in SCCM.
If user postponed update by clicking 'Postpone' and deadline is eventually reached, standard SCCM restart window will be displayed with countdown. Additionally, Office may also raise additional notification with 30 minute countdown. Important to note, countdown from SCCM and Office countdown are not synchronized in any way, they work on separate timers.
This scenario is best for IT Pros who want to minimize notifications to end user unless deadline has been reached.(Office content is not prestaged) If the software deployment Available time and Installation Deadline have the same date, SCCM Client will determine that deadline has been missed and therefore make the deployment immediate. Typical notification workflow will be presented to user.
In this case since deadline has passed, download will begin automatically.
Once content has been downloaded, SCCM will immediately initiate Office update with following logic:
The end user will begin to see SCCM “Restart Window” below which shows countdown until restart is forced. The countdown frequency of notification are controlled solely by SCCM Client and can be configured within Client Settings node within SCCM Console.
Is there a simple way to hide all notifications in Office such as the “Biz Bar” with button “Update Now?”
Yes. Use “Hide Update Notifications” GPO or registry
Is there an Microsoft official page which talks about this topic?
If the download is supposed to only contain deltas and stage to C:\Program Files\Microsoft Office\Updates\Download, why in my environment is it staged in C:\Windows\ccmcache and full build? (~2GB)
This means SCCM “Peer Cache” feature is enabled and content is available to be shared with other peers. Windows is leveraging a NTFS feature called “Sparse Files”. Looking closely at size on disk details, you can compare the differences between the full data and the one on the right using peer cache. (Peer cache really only downloaded 80 MB.)
I’ve done everything I can think of and OfficeC2RCom application never shows within MMC console. In fact, when I browse COM applications from within dcomconfg.exe, My Computer has a red down arrow?
This means COM, part of .NET may be corrupted on machine. Office cannot register application as COM itself is broken. Typically this is edge case and requires rebuild of Windows :(
You mentioned On idle update feature in CDN section but was omitted for SCCM, why?
"By design", feature is enabled only for CDN scenario.
Users who launch Office immediately after logon receive message "Updating Office, please wait a moment". Why?
This means Office update was attempted while applications were open which cannot succeed. Therefore, build was staged to retry update by Microsoft Office Click-to-Run Service on Windows startup. In this edge case, the user was able to access desktop and launch a Office application while Office update process is in progress. If easily reproducible, this is often a reflection of slow boot process and Windows startup performance. Best to troubleshoot by removing 3rd party filter drivers and or startup items.
I've tried everything and Software Center never shows Office 365 Client build applicable to my machine?
Review how Office 365 ProPlus determines priority:
1st Priority : GPO "UpdatePath" - HKLM\software\policies\microsoft\office\16.0\common\officeupdate!updatepath
2nd Priority : GPO "UpdateChannel" - HKLM\software\policies\microsoft\office\16.0\common\officeupdate!updatebranch
3rd Priority : "UpdateURL" or UpdatePath="\\Server\Share" under HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration
4th Priority : "CDNBaseURL" - HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration\CDNBaseUrl
Reflecting on priority list above, have you intentionally or unintentionally set a GPO "UpdatePath" - HKLM\software\policies\microsoft\office\16.0\common\officeupdate!updatepath or included an element inside configuration.xml during initial installation for UpdatePath HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration\UpdatePath="\\Server\Share"? This in effect breaks native updates via SCCM as they take precedence. To resolve, remove these values and reset HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration UpdateChannelChanged to False, run Automatic Updates 2.0 scheduled task manually (or be patient and allow it to run) and then perform Software Updates Deployment Evaluation Cycle from SCCM Control Panel Applet.
You didn't mention updating from on-premises file share, why?
Updating Office 365 ProPlus from File Shares has been deemphasized as a strategy. Initially Office 365 ProPlus didn't support update workflows such as SCCM or Delivery Optimization and therefore customers used this approach. However, this is resolved with SCCM Current Branch and modern versions of Windows 10 this is no longer necessary. (still supported just less adopted)
This blog post is brought to you by Dave Guenthner, a Senior Premier Field Engineer and “ProPlus Ranger” at Microsoft. Feel free to share your questions and feedback in the comments below.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.