Configuring Office 365 ProPlus updates for remote workers using VPN
Published Mar 25 2020 12:29 PM
Microsoft

Due to the dynamic situation with COVID-19, many IT pros are being challenged to assess ways to configure the Office 365 client to update directly from the Microsoft CDN. Today, the majority of customers I engage with manage updates using Configuration Manager (ConfigMgr), predominantly on-premises. The objective of this post is to show how to minimize internet egress through the customer VPN network for Office updates. We also have guidance for initial remote installs and second installs (e.g. Visio/Project) of Office. Further, we offer an additional free security layer to protect machines whether they are on-premises or remote, regardless of whether the machine is "managed" or not.

Network considerations

There are countless ways customers configure network access; no two customers are identical in configuration. Speaking generally, the VPN client needs to support split tunneling or be configured so that network traffic destined for Office 365 is directed to the internet and is not required to pass through the VPN server. Microsoft provides a list of all Office 365 URLs and IP address ranges in the following document. Some customers have VPN clients that are dynamically aware of Office 365 services via the Microsoft Graph API, some support URLs, and others only support IP exclusions. You'll notice items 90 and 92, which provide the specific URLs used by the Office 365 client to perform updates.

ID (category, required): addresses, ports, description

  • 90 (Default, Required): mrodevicemgr.officeapps.live.com, TCP 443. Description: Device Management Service (DMS) is used to advertise the C2R builds to machines that are non-admin managed, based on the metadata passed by the machine.
  • 92 (Default, Required): officecdn.microsoft.com, officecdn.microsoft.com.edgesuite.net, TCP 443, 80. Description: Office CDN where content is downloaded.

Concerning Office updates, one challenge is that the CNAME officecdn.microsoft.com doesn't belong to the "Optimize" category. Therefore, the IP addresses that may be defined for a VPN forced tunnel with exceptions won't include the Office CDN IP addresses (hosted by Akamai), so Office updates will be directed into the VPN tunnel and back to corporate. If you have a VPN selective tunnel implemented, then all network traffic for Office updates will go directly to the internet. Reviewing the common VPN scenarios and comparing them to your environment is an important first step.

Tip: Please review blog posting How to quickly optimize Office 365 traffic for remote staff & reduce the load on your infrastructure

Tip: Please review blog posting Managing remote machines with cloud management gateway in Microsoft Endpoint Configuration Manager

 

Background on how Office 365 Client works by default

Office 365 ProPlus is designed by default to update from the CDN. A scheduled task called "Office Automatic Updates 2.0" uses a trigger to routinely check for updates as advertised by the DMS service. The Office client will always move to the latest version/build available for its assigned channel, as documented here. Documentation on what to expect from a user-experience perspective when updates are delivered from the CDN can be found here. If ConfigMgr Office 365 Client Management integration is enabled (by Configuration.xml during initial installation, by ConfigMgr client settings, or by domain policy), the scheduled task will continue to execute but will only perform software updates from ConfigMgr.

Options available to update from CDN

Option 1: Cloud managed

Steps:

  • Disable OfficeMgmtCOM (required if previously ConfigMgr managed)
    • On the next restart of the Microsoft Office Click-to-Run Service, the Office COM application will be de-registered. This allows the Office client to do its thing and get updates from the CDN.
    • This can be done by changing client settings in ConfigMgr or by Group Policy.
  • Set the UpdatesEnabled GPO to True (optional)
    • Allows the client to resume normal update checks from the CDN.
  • Set the UpdateDeadline GPO to an integer number of days (optional, e.g. 12) to ensure the client is updated in time for compliance. Using an integer value means the admin does not have to keep changing the deadline to a future date/time for every update.

Option 2: SCCM managed but offload content distribution

Use the normal Deploy Software Updates wizard within the ConfigMgr console, selecting the deploy option. When completing the deployment package screen, it is important to select the option "No deployment package". This way, clients will download content directly from the CDN but keep the existing controls and user experience of the software update workflow.

Steps:

[Screenshot: Deploy1.png]

[Screenshot: NoDeployPackage.png]

FAQ:

How can I verify ConfigMgr integration is disabled?

Start -> Run -> dcomcnfg.exe and look for the presence of the OfficeC2RCom application.

[Screenshot: COMEnabled.png]

[Screenshot: COMDisabled.png]

Where in the Office logs can I confirm Office updates are coming from CDN?

Use http://aka.ms/office365logcollector to collect Office logs, or search for files in C:\windows\temp that carry your NetBIOS name, like MININT-314VFT4-20200318-0857.log (there will be a bunch of them). Use your favorite text editor to search for strings like 'officecdn.microsoft.com' or the build number you deployed.
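To make the two checks in this FAQ (and the Option 1 settings) repeatable across many remote machines, here is an added PowerShell example that is not part of the original post. It assumes the standard Click-to-Run configuration key HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration and the Office update policy key HKLM:\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate, and that the DCOM application shown in dcomcnfg is registered under a name beginning with OfficeC2RCom.

```powershell
# Added example (not from the original post): report whether this machine still has
# ConfigMgr (OfficeMgmtCOM) integration enabled or is free to update from the CDN,
# and whether its Click-to-Run logs show CDN traffic. Run from an elevated prompt.
# Assumed registry locations (standard Click-to-Run and Office update policy keys):
$C2RConfig    = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
$UpdatePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$report = [ordered]@{
    # Values written by the installer / ConfigMgr client ("True" = ConfigMgr owns updates)
    OfficeMgmtCOM_Config  = Get-RegValue $C2RConfig 'OfficeMgmtCOM'
    UpdatesEnabled_Config = Get-RegValue $C2RConfig 'UpdatesEnabled'
    UpdateChannel         = Get-RegValue $C2RConfig 'UpdateChannel'
    VersionToReport       = Get-RegValue $C2RConfig 'VersionToReport'
    # Group Policy overrides from Option 1 (DWORD 1/0; deadline as integer days or a date)
    OfficeMgmtCOM_Policy  = Get-RegValue $UpdatePolicy 'officemgmtcom'
    UpdatesEnabled_Policy = Get-RegValue $UpdatePolicy 'updatesenabled'
    UpdateDeadline_Policy = Get-RegValue $UpdatePolicy 'updatedeadline'
}

# Same check as Start -> Run -> dcomcnfg.exe: is the OfficeC2RCom DCOM application registered?
# Assumption: the registered application name starts with "OfficeC2RCom".
$dcom = Get-CimInstance -ClassName Win32_DCOMApplication -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like 'OfficeC2RCom*' }
$report['OfficeC2RCom_Registered'] = [bool]$dcom

# The scheduled task that performs CDN update checks when ConfigMgr is not in control
$task = Get-ScheduledTask -TaskName 'Office Automatic Updates 2.0' -ErrorAction SilentlyContinue
$report['AutoUpdateTaskState'] = if ($task) { [string]$task.State } else { 'not found' }

# Search the Click-to-Run logs named after this machine in C:\Windows\Temp for CDN downloads
$logs = Get-ChildItem -Path "$env:SystemRoot\Temp" -Filter "$env:COMPUTERNAME-*.log" -ErrorAction SilentlyContinue
$cdnHits = $logs | Select-String -SimpleMatch -Pattern 'officecdn.microsoft.com'
$report['LogFilesChecked'] = @($logs).Count
$report['CdnLogHits']      = @($cdnHits).Count

[pscustomobject]$report | Format-List

# Interpretation: with Option 1 applied, OfficeMgmtCOM should read False/0 (or be absent)
# and the DCOM application should be gone; CdnLogHits should grow after the task next runs.
$comStillActive = $report['OfficeC2RCom_Registered'] -or
                  ($report['OfficeMgmtCOM_Config'] -eq 'True') -or
                  ($report['OfficeMgmtCOM_Policy'] -eq 1)
if ($comStillActive) {
    Write-Warning 'ConfigMgr integration (OfficeMgmtCOM) is still active; Office will not update from the CDN.'
}
```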

Starting with version 1902, 'Prefer cloud based sources over on-premise sources' allows IT pros to prioritize cloud content. Does this feature extend to/support Office 365 client updates?

**Updated 10/28/2020** 

The fix for this was not included in 2002 as originally expected and is still under development. We expect a technical preview to be available for testing in the coming weeks. Please see the official guidance for the latest updates on this specific issue:

Manage Microsoft 365 Apps with Configuration Manager

Use a cloud distribution point in Configuration Manager

 

[original statement below]

No, this appears to be a bug which is under investigation. The workaround is to ensure that the distribution points used by VPN clients do not host Office 365 client updates, so the content lookup results in error 404. If the software update deployment has the option 'If software updates are not available on distribution point in current, neighbor or site boundary groups, download content from Microsoft Updates' selected, this should allow the new CDN fallback location to be used. I will update this item when more information is available.

The Authors

This blog post is brought to you by Dave Guenthner and Martin Nothnagel, two ProPlus Rangers at Microsoft.  We’re looking forward to your questions and feedback in the comments below.

24 Comments
Iron Contributor

Hi, great post that summarizes the options to manage O365 updates.

I have a question for option 2. If we have already downloaded the updates and made them available for our on-prem users, will it still work? Do we have to make sure that VPN clients will not fall back to any DP, so that they will for sure download from the CDN, while still being managed by ConfigMgr?

Second question, how can we be sure that they will not use delivery optimization between their vpn peers while they download the updates?

 

Thanks in advance, and don't hesitate if you have any questions.

Hi Lalanc01,

For option 2, the current behavior is: when OfficeCOMMgmt is enabled AND Configuration Manager is triggering the update, Delivery Optimization is not used.

This is documented here:
"If you're using Configuration Manager or local network shares to manage installing and updating Office 365 ProPlus on devices, Delivery Optimization won't be used."
I don't think we use the configured peer cache when falling back to the CDN to get the content.
Kind Regards,

Esteban

Copper Contributor

What about configuring 'Prefer Cloud Distribution Points over Distribution Points' for VPN boundaries?

The docs suggest that Microsoft Update is added as a cloud source in 1902, does this not include Office 365 content?

Hi Stewpollock,

Great question ;)

I guess you refer to this doc.
The only way I know to use Office CDN content instead of Content on the DP is to not provide content on the DP to fallback to CDN.
So my understanding is that "Microsoft Update" option does not apply to C2R products.
@Dave Guenthner can you confirm my understanding?
Kind Regards,

Esteban

Microsoft

@lalanc01 Esteban's points are spot on. SCCM uses the API and passes a reference to use BITS as transport, so DO won't be used when OfficeMgmtCom is enabled. For non-Office updates which may fall into scope for DO, you may want to take a look at the DO VPN GPO. Based on initial testing, you do need to ensure Office clients are directed to DPs where the content is not present in order to fall back to the cloud.

Microsoft

 

@stewpollock 'Prefer Cloud' is not working as expected for Office 365 Client Updates.  My tests show Client fetching updates from DP even with setting in place.  I've filed a bug for this issue and will add to FAQ for tracking.
Copper Contributor

@Dave Guenthner Thanks for testing this, will look forward to hearing an update r.e. the bug.

Iron Contributor

@Dave Guenthner, thank you for the tests/validations.

 

Just wanted to be sure: yes, SCCM uses BITS to download its content, but if the content isn't there and it tries to get it from the CDN, will it try to get the content from other peers in the same VPN subnet using DO, or will it always just get all the content from the CDN directly?

Thanks

Microsoft

@lalanc01 When OfficeMgmtCOM is Enabled, only BITS transport will be used.  Therefore, with this configuration DO is out of scope.  To use DO, OfficeMgmtCOM must be Disabled.  When OfficeMgmtCOM is Enabled and content is not on DP, fallback to CDN will occur (with the checkbox in the deployment)

Microsoft

@stewpollock Thank you for bringing this issue to our attention. Please see the FAQ section, as it's been updated to reflect the resolution: ConfigMgr 2002

Copper Contributor

@Dave Guenthner Does this configuration use Office365 express updates?

Microsoft

@SayeedM365 Can you rephrase the question?  Define the desired outcome as I'm not clear on the question.

Copper Contributor

@Dave Guenthner 

Hi Dave, what we're trying to achieve is Option 2: SCCM managed but offload content distribution as detailed in this article.

Currently we have SCCM managing all the Office365 client updates. I was just reading your other blog post here:

https://techcommunity.microsoft.com/t5/office-365-blog/understanding-office-365-proplus-updates-for-...

 

We have VPN connected clients therefore we can't use peer cache or delivery optimisation. I'm trying to understand if clients will download the full data or just delta data?

For Office, updates are always a delta; it never pulls down the full source files to update the product. There are basically two types of delta: binary delta and regular delta. Update sizes are documented here: https://docs.microsoft.com/en-us/officeupdates/download-sizes-microsoft365-apps-updates

If Office updates to version N and the installed client is on N-1, it will download only the actual changes per file. E.g. if 1K changed in excel.exe, it will download just this 1K instead of the (compressed) 55MB excel.exe. This is called "binary delta". As mentioned, this is leveraged when updates are only one release apart OR when a new SAEC-Preview comes along (e.g. from 2002 to 2008) or a new SAEC (e.g. from 1902 to 1908) for the first time.

If the installed version and targeted version are not in one of the above-mentioned relations to each other (e.g. updating a machine which was offline for a while from Current Channel 2001 to Current Channel 2004), it will download each changed file (e.g. the compressed(!) excel.exe) and stage it on disk.

Note: When assessing the update size, always measure what is actually going over the wire. Looking at files on disk is misleading, as these files are already decompressed, sometimes sparse files, and merged from downloaded bits and files already on disk.

Copper Contributor

@Dave Guenthner @Martin Nothnagel I have been scouring through blogs and documentation but I am not able to find IP Ranges for officecdn to use for Office 365 Updates. We unfortunately have a limitation where we need to split tunnel using only IP addresses and not FQDN for our Office 365 Updates to use public internet for clients connected over VPN. Our original plan was to use CMG to deploy the updates but turns out Office 365 Updates (CDN content) are not supported over CMG\cloud Distribution points. The only alternative is to allow our clients to download the updates over the internet but in order to do that we need the IP ranges for the office CDN. We have been discussing creating an installation package for the update that we would then deploy through the CMG but the package would have a very complex logic for X86 or X64, with or without Visio\Project etc. Hoping you can point me in the right direction to find the IP ranges for the officecdn for updates. 

Microsoft

@ukazim I'm no longer on the Office team at Microsoft but I do know there was a message center post at the start of COVID (I don't have the specific reference available) which directed customers in your situation to contact your Microsoft Account Manager (TAM or CSAM) and open a support ticket as a workaround does exist, not public. (Microsoft recommends split tunnel by FQDN where possible).  As you stated, if IP is the only way for your customer, MS Support can share instructions to permit this as an exception.  If the MS Support person isn't familiar direct them to contact me and I can point them in right direction to help you. The one caveat is the workaround only works when using default update from CDN scenario. You cannot use Configuration Manager to deliver updates for Office 365 Client and restrict updates to subset of IPs. Of course, Configuration Manager will continue to provide compliance information, just not be involved in pushing updates.  In short, the answer is option #1 above + Workaround provided by MS Support. (where IPs are shared for your VPN exceptions)

Microsoft

@ukazim I learned yesterday that the *workaround* mentioned above, initially released for COVID support, has been deprecated. Therefore, customers who use forced tunnel VPN must whitelist by FQDN the URLs as specified on the Office IP and URL page. This option was dropped primarily due to lack of use by other customers.

Copper Contributor

@Esteban Patrigeon This is incorrect. O365 Updates are not supported over CMG\Cloud Distribution points as per the limitations listed here and from our own internal testing as well:

 

https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/hierarchy/use-a-cloud-based-distribu...

 

@Dave Guenthner Thank you! We are planning to setup some On Prem DPs which we will add to our boundary group for our VPN clients. These new DPs will have no other content except the O365 updates on them. We will ensure the CMG is not targeted for the O365 update content. The BG would be setup to prefer cloud distribution points. When the clients do not find the content on the CMG they will move on looking for the content on the next set of DPs as per the content lookup request based on the boundary group. This is the only way we found we would be able to continue to support our clients without significant VPN tunnel re-design.

Thanks @ukazim for correcting me. You're right, we cannot store M365 Apps updates on the cloud DP. (I deleted the post that contained the wrong advice.)
Open question:
"The BG would be setup to prefer cloud distribution points. When the clients do not find the content on the CMG they will move on looking for the content on the next set of DPs as per the content lookup request based on the boundary group."
If the boundary group is configured to "prefer cloud based sources over on-premises sources", the client should get it directly from the cloud DP or Microsoft.
https://docs.microsoft.com/en-us/mem/configmgr/core/servers/deploy/configure/boundary-groups#bkmk_bg...

How did you configure the Office update? 
If in the deployment download settings you check the option "if software updates are not available on distribution point in current, neighbor or site boundary groups, download content from Microsoft Updates", and you do not synch the update content with the cloud DPs then the client should fallback to Microsoft to get the content.
Did you try that option?

Copper Contributor

@Esteban Patrigeon We are currently in the process of deploying the on-prem DPs. We are getting new servers provisioned to do this. What we had tested in our lower environments was: we simply didn't select any option for fallback to the neighbour or default boundary group. We also didn't select the option to go to Microsoft Updates when content is not found on local DPs. We are allowing the client to look at the CMG, where the content is not staged. By default the client will look to the next set of DPs in the BG, which will be on-prem, and will get content from the on-prem DPs. This has worked in our lower environments.

The reason not to allow clients to go to Microsoft Updates is the fact that we will not be able to control the time when the updates are downloaded, and also we do not want to consume our VPN bandwidth with the download of this update content over the internet while connected to VPN. We are not able to split tunnel based on FQDN due to limitations on our VPN infrastructure.

Copper Contributor

Hello  @Dave Guenthner 

"Starting with version 1902, 'Prefer cloud based sources over on-premise sources' allows IT Pro to prioritize Cloud content. Does this feature extend\support Office 365 Client updates?

The fix for this was not included in 2002 as originally expected and is still under development. We expect technical preview in coming weeks available for testing."

If you know, is this issue resolved in the latest 2103 version?

Copper Contributor

@Nbregvadze This is not fixed in 2103 either. To overcome this issue, we deployed new on-premises DPs and staged only O365 updates to them; no other content is staged to these on-prem DPs. We removed the O365 updates from the CMG. We added the new on-prem DPs to the VPN boundary group. This way, for O365 updates the on-prem DP is used, and for all other content the CMG is used. We recognize that due to this configuration our clients will come over the VPN link to our on-prem DP to download the O365 updates, but that is a compromise we had to make, as the CMG would still not support O365 CDN content.

Brass Contributor

@Nbregvadze @Dave Guenthner @ukazim @Esteban Patrigeon

We are experiencing a similar issue since our VPN software cannot deal with URLs for split tunneling (IP only).

The workaround with a dedicated DP for O365 updates looks great, but if my understanding is right it will not work for clients that are sometimes connected to the internet only (VPN disconnected). Can you confirm?

Copper Contributor

That is correct, the workaround with dedicated DPs for O365 will not work when your clients are over the internet. In that scenario I think you would have to let your clients download straight from the Microsoft catalog over the internet.
