Understanding Office 365 ProPlus Updates for IT Pros (CDN vs SCCM)
Published Aug 08 2019 10:30 AM 67.8K Views
Microsoft

In supporting customers in the field, we receive many questions about the Microsoft 365 Apps for enterprise (formerly known as Office 365 ProPlus) update process. The objective of this blog is to provide context around end-user behavior during update scenarios and to clarify when and how Office updates are applied.

 

Microsoft 365 Apps for enterprise was designed to be a cloud-first product. What does that mean? It means that by default, Microsoft recommends you update Microsoft 365 Apps for enterprise directly from the Microsoft Content Delivery Network (CDN). While IT Pros are always in control, Microsoft 365 Apps for enterprise is automatically kept up to date via an evergreen model. IT Pros can offload the servicing of Office to Microsoft and focus on other duties, removing repetitive tasks. At present, while we lead with CDN as our recommendation, the vast majority of Enterprise customers I work with prefer to manage updates from Microsoft Endpoint Configuration Manager (Configuration Manager), formerly known as SCCM, for a variety of reasons (too many to list here, such as network, governing process or political).

Let’s compare and contrast both scenarios below to see which approach best addresses your business requirements. Regardless, the goal is to ensure Microsoft 365 Apps for enterprise is serviced every month to address security and deliver features at a cadence suitable for our customers.

 

Quick refresher of Microsoft 365 Apps for enterprise channel cadence (simplified)

 

Current Channel: Provide users with the newest features of Office as soon as they're available. This could be three or four builds per month. (Updates should be delivered by CDN)

Monthly Enterprise Channel: Provide your users with new Office features only once a month and on a predictable schedule. (Updates can be delivered by CDN or ConfigMgr)

Semi-Annual Enterprise Channel (Preview): Provide pilot users and application compatibility testers the opportunity to test the next Semi-Annual Channel. Features/fixes delivered every six months, in March and September

Semi-Annual Enterprise Channel: Provide users with new features of Office only a few times a year. Features/fixes delivered every six months, in January and July (Updates can be delivered by CDN or ConfigMgr)

 

(The official link is here: Overview of update channels)

 

The point of the channels is to define when the cumulative builds include features and fixes in addition to security. If you would like more information about channel management, please see my other post, How to manage Office 365 ProPlus Channels for IT Pros.

 

*This blog will focus primarily on the update process. Deployment of Microsoft 365 Apps for enterprise is out of scope, and we will assume Office 365 ProPlus is already installed on the machine.

 

Update from CDN

Prerequisites

  • Automatic Updates is Enabled by default (the equivalent GPO is “Enable Automatic Updates”). If disabled, Microsoft 365 Apps for enterprise will never update.

Benefits

  • Admins don’t have to spend time developing processes to duplicate CDN content on-premises.
  • Admins don’t have to build processes to target software updates to collections. Each machine will pull updates on its own.
  • Aligns with “Modern Desktop” motion where machines are increasingly managed by Mobile device management (MDM) rather than on-premises solutions without requirement for any infrastructure.
  • CDN supports a variety of advanced policies to control updates at granular level such as “delay downloading and installing updates for Office”, “prioritize BITS”, “Target Version”, “Update Channel”, “Update Deadline”. IT Pros can control updates effectively without the need for on-premises software.
  • Leverages inbox task scheduler \Microsoft\Office\Office Automatic Updates 2.0 to perform updates based on trigger mechanism (Weekly, At log on, On idle)

Note: On idle is a very interesting trigger condition in that it can check for criteria such as user absence and lack of resource consumption to determine an opportunistic time to retry updates (no reboots required when Office applications are closed).

 

Reference Links for next section: Update history for Office 365 ProPlus (listed by date) and Download sizes for updates to Office 365 ProPlus

 

User Experience when updating from CDN

Let’s imagine Microsoft 365 Apps for enterprise has the June 2019 build installed, which is Version 1808 (Build 10730.20348). “Patch Tuesday” rolls around and on July 9th 2019 the July build is released, which is Version 1902 (Build 11328.20368). Based on the trigger assigned, the scheduled task “Office Automatic Updates 2.0” will detect that a newer build is applicable. Upon initial release to CDN, a new build is temporarily throttled until signals are received confirming that a high-quality release has been verified. As a result, IT Pros may observe that updates do not reach all machines on Day 0 but rather over a period of days. Alternatively, IT Pros can intervene and enable the policy “delay downloading and installing updates for Office” and simply define when the update installs based on a number of days. (*GPO is still subject to throttle.) This mirrors the servicing plans feature in Configuration Manager for delivering Windows Feature Updates and makes it easy to build rings as long as the delay defined isn't shorter than the throttle.

 

Since the installed build is the most recent version, we can leverage a feature called binary delta compression to reduce the size of the files further. Therefore, keeping Microsoft 365 Apps for enterprise up to date is friendlier on the network. Office will download deltas and stage them in C:\Program Files\Microsoft Office\Updates\Download. After download, Office Automatic Updates 2.0 will attempt to update Microsoft 365 Apps for enterprise. If no Office applications are open, it will update. If Office applications were open at the time of the update request, a series of notifications will occur over a period of days. (Officially documented here)

 

We receive frequent questions around deadlines and delivery of end-user notifications. While the CDN-only experience doesn't include Configuration Manager, the dialogs from Office overlap with Configuration Manager scenario 2 below. Therefore, examples of the Office notifications (the white dialogs which say "Office will update in X minutes") can be found below in a single place of reference.

 

When Office stages a build for installation, in app notifications within Office will occur in the following manner:

  • Without OfficeMgmtCom enabled (CDN):
    Business bar shown after 6 days 
  • With OfficeMgmtCom enabled (Configuration Manager):
    If update not applied, display business bar immediately upon next launch of Office app.

*Business bar is defined as the yellow in app notification which says "Update now".  See picture below in scenario 2.

 

Notifications and Countdown Dialogs

Toast notifications (system tray "Office Updates Available") delivered by Office and their potential timing

24hrs
12hrs
6hr
2hr
30mins

Countdown dialogs (Office delivered white countdown dialogs )

30mins + postpone (2hrs)
30mins + postpone (2hrs)
30mins + enforced

 

User Experience when updating from Configuration Manager

 

Prerequisites

  • Configuration Manager Current Branch with Windows Server Update Services (WSUS) 4.0. You can't use WSUS by itself to deploy these updates; you need to use WSUS in conjunction with Configuration Manager.
  • The hierarchy's top level WSUS server and the top level Configuration Manager site server must have access to the following URLs: *.microsoft.com, *.msocdn.com, *.office.com, *.office.net, *.onmicrosoft.com, officecdn.microsoft.com, officecdn.microsoft.com.edgesuite.net.
  • The Office 365 Client product must be selected on the Products tab under Software Update Point Component Properties, and software updates must be synchronized after the change. Once complete, you should see Office 365 Client Updates populate the Office 365 Updates node under Office 365 Client Management within the Software Library tab in the Configuration Manager Console.
  • Management of Microsoft 365 Apps for enterprise must be enabled on the client. This can be configured in multiple ways: adding OfficeMgmtCOM="TRUE" in configuration.xml during installation, enabling the domain policy “Management of Microsoft 365 Apps for enterprise”, or toggling “Management of Microsoft 365 Apps for enterprise” to Yes in Configuration Manager Client settings under Software Updates. You can verify by launching dcomcnfg.exe on the client computer and confirming that the OfficeC2RCom application is registered. Only one method is required; policy overrides and takes priority over all other methods. The purpose of the COM application is to allow Microsoft 365 Apps for enterprise to interop with Configuration Manager to pull updates from distribution points rather than CDN.

Example of running dcomcnfg.exe

Note about PREVIEW feature using Delivery Optimization for Office 365 ProPlus install\updates

The overwhelming majority of enterprise customers use Configuration Manager to deliver Microsoft 365 Apps for enterprise updates for compliance and distribute content from Distribution Points. Microsoft is always working hard to provide customers additional options, including the new feature Delivery Optimization and Office 365 ProPlus, which is now in Preview. Please read the article for full details, but the one-liner is that customers will be able to install AND update Microsoft 365 Apps for enterprise sourcing content from peers without infrastructure requirements, which we're super excited about (no more "thick packages" or distributing loads of content to support a simple language pack). If you enabled OfficeMgmtCom for Configuration Manager integration, this action must be reversed in order to use Delivery Optimization (DO). The Microsoft Office Click-to-Run Service is responsible for registering and unregistering the OfficeC2RCom (OfficeMgmtCOM) application during service startup. Changing the domain policy or Configuration Manager client settings for Management of Microsoft 365 Apps for enterprise from ‘Enabled’ to ‘Not configured’ is not enough. Domain Policy or Configuration Manager Client settings require an explicit ‘Disable’ selection for OfficeC2RCom to be successfully deregistered and the default configuration restored. Further, any custom update path configuration must also be removed.

 

Benefits

  • Microsoft 365 Apps for enterprise updates can easily be included in the same software deployment as monthly Windows patch process. As a result, all existing business processes and change control can be aligned in the same manner as legacy MSI Office products.
  • Clients will only pull down what's needed to update themselves from Distribution Point.
  • Configuration Manager Administrators can download the cumulative build one time from the internet and then deploy it to all distribution points so clients pull updates from intranet sources.
  • Administrators can make the deployment Available (optional, where the user is notified of the update).
  • Administrators can make the deployment Available for a period of time prior to the Installation Deadline. In this scenario, the Office 365 Client using OfficeMgmtCOM will pull deltas from the distribution point prior to the Installation Deadline and give the user a chance to “Update now” via the BusBar discussed above at a time which is convenient for them. This is especially important in an ever more mobile world where machines are mobile and not powered on all the time. Further, IT Pros can get some early production validation, as some subset of their population will update prior to the Installation Deadline, giving them advance notification of any problems prior to broad deployment.
  • Administrators can make deployment Available time and Installation Deadline the same time. Configuration Manager will ensure update is downloaded and installed at Deadline. (additional details on user experience below)
  • Administrators can enable Configuration Manager features such as Peer Cache so clients can share content among themselves further reducing network WAN traffic. (Peer cache for Configuration Manager clients)

 

Configuration Manager Deployment Scenarios

 

Scenario 1 - Available only

If the deployment is Available only, the user will only see a toast notification in the system tray for a few seconds, and the Office update will never be deployed automatically. The problem is that this notification isn’t context sensitive, so it simply takes the end user to Software Center, and it also doesn’t ensure security compliance. Therefore, this approach isn’t used often in my experience.

 

Scenario 2 - Available with future Installation Deadline

Important change with ConfigMgr 2111

Starting with Configuration Manager 2111, configure the client setting Enable update notifications from Microsoft 365 Apps: No to disable the on-screen Office update notifications. This is set by default starting with 2111 and will ensure all notifications come only from Software Center. This is a vast improvement and eliminates the explanation for scenario #2.

 

[Guidance for Configuration Manager older than version 2111]

This scenario is a good fit for customers who desire faster compliance and no Windows reboots for Office 365 ProPlus updates, and who are comfortable with additional Microsoft 365 Apps for enterprise end-user toast notifications, in-app notifications, and the Microsoft 365 Apps for enterprise countdown dialog leading up to the deadline. If the Configuration Manager deployment is Available with a future Installation Deadline, Microsoft 365 Apps for enterprise, working with the OfficeC2RCom application, will download the necessary Office build pieces (not the entire build) from the Distribution Point and stage them for installation. When content is prestaged, there are a number of potential notifications. Please review the bullet items in blue on the page Manage Office 365 ProPlus with Configuration Manager for all the details, as there are many, or reference the list in the CDN section above.

 

For example:

"BusBar"

Business Bar

Once the build is staged, a toast notification might not display until the user clicks the icon in the notification area, which is easy to miss.

"Basic notification", which can sometimes be hidden under the task bar chevron

 

Examples of "Countdown dialogs"

Minute countdown, Second countdown, Updates Installed

Important to note: the countdown from Configuration Manager and the Office countdown are not synchronized in any way; they work on separate timers. Specifically, Configuration Manager will stamp the deadline date and time in the Office side of the registry. From that point on, Office and Configuration Manager notifications will in effect work independently based on the deadline defined in the Software Update Group. For the pre-stage scenario, it's normal for Office to attempt to apply updates before the Configuration Manager defined deadline or allow the user to temporarily extend beyond the deadline based on the countdown dialog section above.

 

  prestage and deadline has passed.png

Scenario 3 - Available and Required Installation Deadline have same date

This scenario is best for IT Pros who want to minimize notifications to the end user unless the deadline has been reached. (Office content is not pre-staged.) If the software deployment Available time and Installation Deadline have the same date, the Configuration Manager Client will determine that the deadline has been missed and therefore make the deployment immediate. The typical notification workflow will be presented to the user.

SCCMSoftwareChangesRequired.png

In this case, since the deadline has passed, the download will begin automatically.

downloadinginstalling.png

Once content has been downloaded, Configuration Manager will immediately initiate the Office update with the following logic:

  • If all Office applications are closed, the update will occur with no reboot.
  • If any Office applications are open, the standard Configuration Manager reboot workflow occurs.

restartwindow.png

The end user will begin to see the Configuration Manager “Restart Window” below, which shows a countdown until restart is forced. The countdown frequency of notifications is controlled solely by the Configuration Manager Client and can be configured within the Client Settings node in the Configuration Manager Console.

SCCMRestartWindow.png

FAQ:

Is there a simple way to hide all notifications in Office such as the “BusBar” with button “Update Now?”

Yes. Use “Hide Update Notifications” GPO or registry

HKLM\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate
"hideupdatenotifications"=dword:00000001

This registry setting doesn't apply to deadline notifications such as the large white splash screen with countdown.

 

 

Is there an official Microsoft page which talks about this topic?

Yes. Manage Office 365 ProPlus with Configuration Manager

 

If the download is supposed to only contain deltas and stage to C:\Program Files\Microsoft Office\Updates\Download, why in my environment is it staged in C:\Windows\ccmcache and full build? (~2GB)

This means the Configuration Manager “Peer Cache” feature is enabled and content is available to be shared with other peers. Windows is leveraging an NTFS feature called “Sparse Files”. Looking closely at the size-on-disk details, you can compare the differences between the full data and the one on the right using peer cache. (Peer cache really only downloaded 80 MB.)

Peercache.jpg

I’ve done everything I can think of and the OfficeC2RCom application never shows within the MMC console. In fact, when I browse COM applications from within dcomcnfg.exe, My Computer has a red down arrow?

This means COM, part of .NET, may be corrupted on the machine. Office cannot register the application as COM itself is broken. Typically this is an edge case and requires a rebuild of Windows :(

 

You mentioned the On idle update feature in the CDN section but it was omitted for Configuration Manager, why?

"By design", the feature is enabled only for the CDN scenario.

 

Users who launch Office immediately after logon receive message "Updating Office, please wait a moment".  Why?

UpdatingOfficeWait.jpg

This means the Office update was attempted while applications were open, which cannot succeed. Therefore, the build was staged so the Microsoft Office Click-to-Run Service could retry the update on Windows startup. In this edge case, the user was able to access the desktop and launch an Office application while the Office update process was in progress. If easily reproducible, this is often a reflection of a slow boot process and Windows startup performance. It is best to troubleshoot by removing 3rd party filter drivers and/or startup items.

 

I've tried everything and Software Center never shows Office 365 Client build applicable to my machine?

Review how Office 365 ProPlus determines priority:

 

1st Priority : GPO "UpdatePath" - HKLM\software\policies\microsoft\office\16.0\common\officeupdate!updatepath
2nd Priority : GPO "UpdateChannel" - HKLM\software\policies\microsoft\office\16.0\common\officeupdate!updatebranch
3rd Priority : "UpdateURL" or UpdatePath="\\Server\Share" HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration
*4th Priority: UnmanagedUpdateURL - HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration\UnmanagedUpdateURL
5th Priority : CDNBaseURL - HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration\CDNBaseUrl

*This value is new May 2020, official documentation

Reflecting on priority list above, have you intentionally or unintentionally set a GPO "UpdatePath" - HKLM\software\policies\microsoft\office\16.0\common\officeupdate!updatepath or included an element inside configuration.xml during initial installation for UpdatePath HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration\UpdatePath="\\Server\Share"? This in effect breaks native updates via Configuration Manager as they take precedence.  To resolve, remove these values and reset HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration UpdateChannelChanged to False, run Automatic Updates 2.0 scheduled task manually (or be patient and allow it to run) and then perform Software Updates Deployment Evaluation Cycle from Configuration Manager Control Panel Applet.
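
The precedence check described in this answer, together with the OfficeC2RCom prerequisite from the Configuration Manager section, as a read-only PowerShell audit for one client. This is an added example, not code from the original post or from Microsoft; the function names are hypothetical, and the `enableautomaticupdates` policy value name comes from the Office policy templates rather than from this page.

```powershell
# Added example, not from the original post. Read-only: nothing is changed.
# Run in an elevated 64-bit Windows PowerShell session on the Office client.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate'
$C2RKey    = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function Get-OfficeUpdateSourceCandidates {
    # Same order as the priority list above; the first object returned wins.
    $order = @(
        @{ Priority = 1; Setting = 'GPO UpdatePath';     Key = $PolicyKey; Value = 'updatepath';         CustomPath = $true  },
        @{ Priority = 2; Setting = 'GPO UpdateChannel';  Key = $PolicyKey; Value = 'updatebranch';       CustomPath = $false },
        @{ Priority = 3; Setting = 'UpdateUrl';          Key = $C2RKey;    Value = 'UpdateUrl';          CustomPath = $true  },
        @{ Priority = 3; Setting = 'UpdatePath';         Key = $C2RKey;    Value = 'UpdatePath';         CustomPath = $true  },
        @{ Priority = 4; Setting = 'UnmanagedUpdateURL'; Key = $C2RKey;    Value = 'UnmanagedUpdateURL'; CustomPath = $false },
        @{ Priority = 5; Setting = 'CDNBaseUrl';         Key = $C2RKey;    Value = 'CDNBaseUrl';         CustomPath = $false }
    )
    foreach ($o in $order) {
        $data = Get-RegValue -Path $o.Key -Name $o.Value
        if (-not [string]::IsNullOrWhiteSpace([string]$data)) {
            [pscustomobject]@{
                Priority   = $o.Priority
                Setting    = $o.Setting
                Data       = $data
                CustomPath = $o.CustomPath
            }
        }
    }
}

function Test-OfficeC2RCom {
    # Reads the COM+ catalog, the same list dcomcnfg.exe displays.
    # $true / $false = registered or not, $null = catalog could not be read.
    try {
        $catalog = New-Object -ComObject COMAdmin.COMAdminCatalog
        $apps = $catalog.GetCollection('Applications')
        $apps.Populate()
        foreach ($app in $apps) {
            if ($app.Name -eq 'OfficeC2RCom') { return $true }
        }
        return $false
    } catch {
        return $null
    }
}

function Get-OfficeUpdateFindings {
    $set = @(Get-OfficeUpdateSourceCandidates)
    $com = Test-OfficeC2RCom
    $findings = @()

    # UpdatePath-style values outrank Configuration Manager and the CDN.
    foreach ($c in @($set | Where-Object { $_.CustomPath })) {
        $findings += "Custom update path '$($c.Setting)' = '$($c.Data)' is set and takes precedence."
    }
    if ((Get-RegValue -Path $C2RKey -Name 'UpdateChannelChanged') -eq 'True') {
        $findings += 'UpdateChannelChanged is True: an earlier change request is still pending.'
    }
    # Value name taken from the Office policy templates, not from this page.
    if ((Get-RegValue -Path $PolicyKey -Name 'enableautomaticupdates') -eq 0) {
        $findings += 'Automatic Updates is disabled by policy.'
    }
    if ($null -eq $com) {
        $findings += 'COM+ catalog could not be read; OfficeC2RCom status unknown.'
    } elseif (-not $com) {
        $findings += 'OfficeC2RCom is not registered: Configuration Manager is not managing Office updates.'
    }

    [pscustomobject]@{
        EffectiveSource = $set | Select-Object -First 1
        OfficeC2RCom    = $com
        Findings        = $findings
    }
}

$report = Get-OfficeUpdateFindings
$report.EffectiveSource | Format-List
"OfficeC2RCom registered: $($report.OfficeC2RCom)"
$report.Findings
```

Run across a collection, the Findings column surfaces the clients that have silently stopped receiving monthly security builds because of a leftover update path or a pending channel change.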

 

You didn't mention updating from on-premises file share, why?

Updating Microsoft 365 Apps for enterprise from File Shares has been deemphasized as a strategy. Initially Microsoft 365 Apps for enterprise didn't support update workflows such as Configuration Manager or Delivery Optimization, and therefore customers used this approach. However, this is resolved with Configuration Manager Current Branch and modern versions of Windows 10, so this is no longer necessary. (Still supported, just less adopted.)

 

Change log:

03/05/2021 Refreshing updated product names for Office and Configuration Manager and terms where possible

08/14/2020 Added Notifications and Countdown Dialogs section for more detail.

02/25/2022 Added note for Configuration Manager 2111 or greater which simplifies end user notifications as described in scenario #2.

 

The Author

This blog post is brought to you by Dave Guenthner, a Senior Premier Field Engineer and “ProPlus Ranger” at Microsoft. Feel free to share your questions and feedback in the comments below.

40 Comments
Brass Contributor

Thanks for this overview. This subject seems to be under-documented so had to try to figure a lot of this out through trial and error. There are so many values in the HKLM\Software\Microsoft\Office\ClickToRun\Configuration key and very little info on what the heck is going on in there. Anyway, one thing I was wondering about is the UpdateChannelChanged value. You mention resetting it after removing some values that interfere with SCCM processing. What should that value normally be? Is there any reason why you'd ever want to set it to "True"?

 

Thanks,

Doug

Microsoft

I agree 100% not documented enough. I'm working with the folks who manage docs.microsoft.com to include additional information and of course posted this blog to address some of the routine questions I receive each day.  UpdateChannelChanged is a Microsoft internal and managed value which is why it's not documented broadly.  It simply toggles to True on a change request like channel change.  Office will reset this to False after the next successful update, like going from build 1 to build 2.  Once False, another change request can be issued. (it should be a non-issue for you to be concerned about)  However, if you at one time set a custom update path like \\O365\Updates and never populated share with newer builds and disabled Automatic Updates, clients can become orphaned because they will never receive a successful update, ever.  Since this value is True, the Office client may not respect a new GPO for channel assignment because it believes the original change remains pending.  This was more of a troubleshooting tip to help the few unwind custom configuration in favor of CDN or SCCM.

Brass Contributor
Thank you for the detailed overview, Monthly Updates from CDN can be deployed with SCCM.
Microsoft

@Lassaad You're correct.  However while it's possible to deploy Monthly builds via SCCM, for this scenario Microsoft recommends leveraging technologies such as Delivery Optimization and Office 365 ProPlus (DO).  The reason is Monthly Channel can offer four or sometimes five builds in a month which is a lot of content to mirror on-premises.  While DO is technically a Windows technology, investments are being made in Office to ensure we can take advantage of this approach.  Being able to share content peer to peer using a cloud service is super exciting and something we're learning about every day.  Thanks for giving blog posting a read.

Copper Contributor

"Additionally, Office may also raise additional notification with 30 minute countdown.  Important to note, countdown from SCCM and Office countdown are not synchronized in any way, they work on separate timers."

 

How is this user experience any good? Surely you'd want to be able to deploy the O365 update just like any other Windows Update where SCCM controls all notifications. We should be able to simply have a deadline on the update where it installs in the background with no other Office notifications and more importantly, no requirement to shutdown office apps. In other words, to have the same behavior as we did with Office 2013/2016 ProPlus updates.

Microsoft

Nico, we're in alignment and I agree with you.  I've shared our sentiments with the team who owns this code to hopefully influence future design to align with your wishes.

Brass Contributor

We totally moved to CDN keeping approx 10000 seats up-to-date globally even in traditional WAN environment, Delivery Optimization is our friend (80% of downloads are from peers in same subnet)
In SCCM we only have the setup.exe and XML file, the just needed content is pulled from CDN, e.g. we offer the language packs/proofing tools in software center but the content will be pulled from CDN, even installing Project and Visio through CDN is more efficient now as only the delta of about 300MB on top of existing ProPlus becomes downloaded

The "MatchInstalled" parameter was the best improvement ever (not available in the OCT yet)

Microsoft

@Olaf Thyssen This is awesome news and we appreciate you taking time to post!  We've worked really hard to position "Lean Approach" as desired implementation and we're thrilled to receive feedback on approach.   

Brass Contributor

As for moving from SCCM to CDN, it seems to me this would be akin to moving from SCCM to WUfB in terms of both content sources and control of the updates. Is this a fairly accurate comparison? 

Question on SCCM updates...we see that we are distributing ~2GB/month per channel/bitness of O365. Is the client downloading the entire 2GB from the DP to ccmcache and extracting what it needs or skipping and this step and just downloading the bits it needs from the DP to C:\Program Files\Microsoft Office\Updates\Download? (Not yet using peer cache)

Microsoft

SCCM downloads entire build (~2 GB) from CDN and distributes that content to your distribution points.  On the Windows Client, during the Software Updates Deployment Evaluation Cycle, SCCM client will pull down just the files needed (deltas) from closest distribution point.  If the client is way out of date, the content payload will be much larger of course since there is so much change.   We publish this information here:

Download sizes for updates to Office 365 ProPlus

https://docs.microsoft.com/en-us/officeupdates/download-sizes-office365-proplus-updates

Brass Contributor

Hello, we are on 1908 and use SCCM to update Office. Since we are doing Deployments without DP content (pull from Microsoft Update is selected) we wish to use DO. We run Windows 10 Enterprise.

 

So what is a bit confusing is the below.

 

For Version 1908 through Version 1911, you need to configure a registry key on devices in your organization before installing Microsoft 365 Apps on those devices. You can use the following reg add command to configure the registry key:

 

reg add HKLM\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate /v SetDOAsPrimary /t REG_DWORD /d 1

 

And then this:

 

If you're using Configuration Manager or local network shares to manage installing and updating Microsoft 365 Apps on devices, Delivery Optimization won't be used. Delivery Optimization is used only if you're installing or updating Microsoft 365 Apps directly from the Office Content Delivery Network (CDN) on the internet. If you want some of these devices, such as those on Monthly Channel, to take advantage of Delivery Optimization, you need to reconfigure them to use the Office CDN. You can do that by using the Office Deployment Tool or Group Policy settings, depending how your environment is configured. You have to remove any configuration of the update path as well as the use of the OfficeMgmtCOM attribute, which enables Configuration Manager to manage updates.

 

 

I have added the key but haven't disabled the COM, so SCCM is still responsible for updating Office.

BUT, considering that there is no Software Update Package created on DPs (since we only push out metadata and point clients to MU for the bits) will DO be used in this scenario?

 

In this case, the PrioritizeBits will do its work as in the past.

 

Now, if we fully switch to CDN for updates so we disable COM, this will mean that the reg key will start functioning again for DO?


Wouldn't it be better to move our Office ProPlus workload to Intune if we are co-managed? That would serve us the same I guess and lean more towards Modern Desktop and would completely take out the SCCM parameter?

 

 

Thanks!
Alex

Brass Contributor

@Alexander Kanakaris , we're totally using CDN and DO for Office 365 management and have taken away the burden from SCCM.

The "solution" consists of three elements in our environment: 

 

1) GPO for Office Updates
The SCCM client used Local Group Policy for its client settings so I'm using old fashioned GPOs to make sure that my settings are the boss.
Of course disabling the COM and clearing the Update Path which could point to internal URL or UNC is the main purpose.
Even that COM is disabled you still get the figures in \Software Library\Overview\Office 365 Client Management through hardware inventory.


Below are my settings

 

GPO.jpg

 

2) GPO for Delivery Optimization

I like the GPO over the SCCM client settings as I have much more control over different pieces.

 

GPO2.jpg

 

3) Using SCCM Distribution Points as DOINC

More than 60 distribution points across the globe have the Connected Cache (aka DOINC) enabled

(100GB is in use as we are using Windows Updates for Business (WUfB) for patching and this uses DO and DOINC)

GPO3.jpg

 

But make sure you enable DOINC in your boundary groups, otherwise the client will connect directly to Windows Updates

GPO4.jpg

 

Final Note

Don't blame me that it is ... let's say ... a traditional approach with GPOs, but above combination suits well in our traditional WAN with limited breakouts or bad lines in some parts of the world. It is just to give some ideas


Recent COVID problematic proven the setup as users working from home have split tunnel in VPN client going directly to CDN / Windows Updates while internal clients using the cache on SCCM servers. With the combined bandwidth of all Internet accesses at home the 1809 to 1909 feature update went faster and smoother than any OS update in the past. Every user could easily download the approx. 3GB update without bothering our WAN.

 

I'm sure that similar things can be achieved with Office 365 policies (O365 portal) and Intune URIs and policies (preview).
With the Co-Management you always need to think at which end to create the settings and whose settings will win on the client at the end of the day.

I feel this is the most challenging part.

 

My next configuration change is related to Cloud Management Gateway to have clients installing their software from the cloud distribution point (split tunnel) and not contacting internal servers through VPN. With that move we might go back to SCCM based operating system patching as with WUfB you don't have much control over "bad" patches.

 

Brass Contributor

@Olaf Thyssen Thanks for the great article, I am following similar procedures like yours -split VPN is there- but what I was wondering mostly was about remaining under SCCM management for Office ProPlus updates (COM+ Enabled) but still use DO by using the referenced registry key.

 

You probably haven't tested this kind of configuration yet, so I will and report back with my findings.

 

Cheers,

Alex

Brass Contributor

@Alexander Kanakaris , I'm taking the lazy approach. Let the C2R do its job, Microsoft improved a lot here and it is working smoothly. Via collections I'm identifying the amount of clients under each major version and if I see higher amount of clients stuck in older version I'll dig into it. 

 

We had SCCM management in place where the source was DFS share, not happy with it, always to keep the sources up-to-date. We thought about SCCM/CDN but we asked ourselves why to administrate SCCM to tell C2R what to do as C2R is already grown up and can handle it on its own.

We're installing all O365 applications, language packs and proofing tools through CDN/DO, so why not do it with the updates, too?

 

SCCM has of course the monitoring and reporting capabilities, I'm missing those in the cloud but rumors say they are coming at some point.

So far relying on the hardware inventory is ok with me.

 

I'm interested to hear from your experience with SCCM/DO

 

 

Microsoft

@Olaf Thyssen Thank you for your "Hybrid" steps with CDN + DO + Connected Cache.  I will be directing my customers to your clear summary as it's a great way to transition to cloud only at some future point.  Thank you!

Deleted
Not applicable

Hi Dave,

 

My organization is planning on moving to downloading updates from CDN. Is there Microsoft documentation, with images, of what services are involved and how the update is downloaded? Are they downloaded from the Office 365 CDN? If so, private and public CDN type are both set to false in SPO, so from where exactly is the update getting downloaded?

 

Regards,

Yash

Microsoft

@Deleted The Office client uses a CNAME called Officecdn.microsoft.com to fetch content.  Using CDN is an excellent choice, especially when most are working remote.

Copper Contributor

Whilst using the CDN solution with three different phased deployment rings configured it quickly became clear that the different schedules were not being adhered to. We had systems in Enterprise ring getting the update before those in our Initial and Pilot rings… Not good!  

 

After working through this with Microsoft it appears the delay and random scheduling is apparently "by design", and is caused by Microsoft's global throttling policy.   :facepalm:

 

Throttling configuration is randomly configured by Microsoft on a per-device basis. This essentially renders the phased deployment ring approach useless when following the standard configuration for CDN. 

 

In the snippet below taken from the log files you can see the MROThroVal=5 and the MachineThroVal=177. This essentially means the update will not download until the MROThroVal is the same or greater than the MachineThroVal. In my case this took five days. These values cannot be altered as they are controlled by Microsoft.  :sad:

 

RichardStephens_0-1593684182860.png

 

However according to the Microsoft engineer the only way around this is to use the updatetargetversion value which apparently overrides the throttling configuration.

 

So it appears all is not lost, however this isn’t great given that this is meant to be a modern more secure service, just one that isn’t easily controlled.

 

Can Office365 update management be introduced to co-management and Intune in the same way as Windows Update for Business? This would be great to see and would enable us to move away from Group Policy… Just a thought.

 

Come patch Tuesday I will be testing this and will report back with another update (no pun intended) :lol:

 

Richard

Deleted
Not applicable

@RichardStephens O365 update management is already introduced to Intune. You just need to plan for switching the workload

 

https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/co-management-of-office-clic...

Copper Contributor

@Deleted 

 

Apologies, I should have covered it in a little more detail.

 

I meant it would be great to see something like "Office365 Updates for Business" in the MEM Admin Center, similar to Windows Update For Business.

 

Office365 is pretty much a given on all devices in Microsoft environment and it would make sense (in my head at least) to have it managed centrally through an additional blade (are they called blades?)  in the MEM Admin Center.   

 

If "Office365 Updates for Business" could bypass the throttling from the outset that would be awesome as well :smile:

 


 

 

Deleted
Not applicable

Hi Dave,

 

Following your article on managing Office 365 update from CDN, I got started with preparatory work on how I can switch to managing update through GP but upon running some further tests I have observed that CDN actually downloads more data than what SCCM client does from distribution point. 

 

In my environment, we have Office deployed in 3 product languages(en-us, pt-br, de-de) and additional proofing languages(french, spanish, russian, norwegian). When downloading the update from CDN for this configuration, office downloads 1.90 GB and software center downloads 1.08 GB 

 

BTW, I ran the upgrade from 16.0.11328.20368 to 16.0.11929.20708

The whole reason we thought of switching to CDN is to reduce the network bandwidth and to direct more and more traffic to the Internet. According to Microsoft, the update size should be approx 400MB and knowing that I have Office in 3 main languages, this should exponentially grow to 1.2 GB, which the ConfigMgr client complies with but Office does not.

https://docs.microsoft.com/en-us/officeupdates/download-sizes-microsoft365-apps-updates#:~:text=It%2....

 

Can you tell me why so much of size difference?

Microsoft

@Deleted The way I read your statement is you're testing a move from July 9th SAC 1902 (2019) -> April 14th (2020).  The upgrade sizes assume you are basically moving from a N-1 version to N.  You're performing update from ~N-9 where there is a huge amount of change.  A better testing would be to install May Version 1908 (Build 11929.20776) 2020 -> June Version 1908 (Build 11929.20838) 2020.  My recommendation is CDN using the 3 steps outlined by Olaf higher in the comments.  You'll see numbers fall in line with what you're expecting which amount of change is minimized.

Brass Contributor

@Deleted , you mentioned three product languages and you're already using proofing languages.

I recommend to maintain only one product language - en_US recommended - and do the rest with language packs / proofing tools.

 

install.xml

<Configuration>
  <Add ForceUpgrade="TRUE">
    <Product ID="LanguagePack">
      <Language ID="pt-br" />
    </Product>
    <Product ID="ProofingTools">
      <Language ID="pt-br" />
    </Product>
  </Add>
  <Updates Enabled="TRUE" />
  <Display Level="Full" AcceptEULA="TRUE" />
  <Logging Level="Standard" Path="C:\Windows\Debug\O365_LP_pt-br" />
</Configuration>

 

uninstall.xml

<Configuration>
  <Remove All="FALSE">
    <Product ID="LanguagePack" >
      <Language ID="pt-br" />
    </Product>
    <Product ID="ProofingTools">
      <Language ID="pt-br" />
    </Product>
  </Remove>
  <Logging Level="Standard" Path="C:\Windows\Debug\O365_LP_pt-br" />
</Configuration>

 

In SCCM it is just three files to offer as available application in software center.

  • setup.exe
  • install.xml
  • uninstall.xml

 

Everything is pulled from CDN.

Adding more configs like above for other languages brings user interface and proofing to your global users and makes them happy.

e.g. we're offering 15 languages but having only one product language.

Even if you decide to install another product later, e.g. Visio, the language pack is directly applied.

Copper Contributor

Hello Dave,

My company is planning to use SCCM for O365 Updates instead of a shared folder (set up by GPO). And I am stuck with updating HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration\UpdateChannel, which points to our shared folder. For the test environment I've set up the following GPO settings:
Annotation 2020-11-19 203532.png

I ran Office Automatic Updates 2.0 task on my test machine several times and restarted PC. The key HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration\UpdateChannel doesn't want to change or remove (I tried to remove UpdatePath in GPO). If I don't change it into the same as HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration\CDNBaseUrl O365 Updates won't come in Software Center. Kindly what may you recommend in my case? Thank you.

Microsoft

Lab validation for IT Pros can create a lot of frustration because you're trying to validate a change in a compressed timeframe, like 30 minutes.  Deploy GPO, gpupdate, software update evaluation cycle, reboot etc. and then the change doesn't occur as expected.  Channel changes can take up to 24 hours due to some internal timers, so waiting sometimes is all you need to do, understanding that in production it's a non-issue.  Brief feedback: remove UpdatePath, that overrides the updatebranch value.  Understand that when you set OfficeMgmtCom=1, a restart of the Office Click-to-Run service is required to register COM and enable the SCCM integration.

 

Have confidence that the HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration\UpdateChannel will change but the scheduled task can take time, based on timers mentioned.  Once the GPO is there, Office Click-to-run service has to be restarted, scheduled task has run to change channel every 24 hours and machine has to get SCCM machine policy, software update evaluation cycle has to run and SCCM will deliver the software updates.  (so there are a number of timers likely impacting you)

Copper Contributor

You mention "Updating Office 365 ProPlus from File Shares has been deemphasized as a strategy". Are you aware if the method of simply updating UpdateURL within "Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" to the file share location with Office updates is still an option? This was the method I have implemented, which appears to have stopped working. I would ideally like to resolve the current issue before implementing the options you described above, i.e. SCCM.

Brass Contributor

@Colin Dorman 

I would go the group policy path in order to dictate the setting instead of modifying parameters which have been set during setup

 

Computer Configuration
 Policies
  Administrative Templates
   Microsoft Office 2016 (Machine)/Updates
    Update Path = Enabled
     Location for updates:   Set the UNC path of file share here

Microsoft

@Colin Dorman Hi Colin, Yes I am. From the Microsoft "ivory tower", there appears to be very little upside in using File Shares to update Office.  We believe customers should leverage CDN whenever possible combined with Windows features such as Delivery Optimization.  When available, combine DO with SCCM Connected Cache. (understand not all customers have SCCM but DO is included with Windows)  Our goal is to lower IT Pro overhead while keeping Office up-to-date and that's hard to do using File shares.  There are always exceptions to the rule, but broadly speaking I think this holds true.

Copper Contributor

Hi Dave,

Thanks for your response about 'UpdateChannel' key. It definitely works.

 

I've got another question. For enabling "Office 365 Client Management" on clients we used GPO on our test environment. Also we switched “Enable management of the Office 365 Client Agent” to Yes from within SCCM Client settings under Software Updates (to get O365 updates via SCCM). As you mentioned: "Only one is required, where policy overrides and take priority over all other methods." And it's true. We have this key on the machines: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate OfficeMgmtCOM = 1 

 

But when I turned setting "Management of Microsoft 365 Apps for enterprise" to "Not Configured" in GPO, then update group policies on the machines, "OfficeMgmtCOM" disappeared from the machines. It's ok... and I expected to receive it again from SCCM client setting (because of Yes in “Enable management of the Office 365 Client Agent”), but it won't. I ran "Machine policy Retrieval & Evaluation Cycle" several times, waited for couple of days. Nothing. "OfficeC2RCom" object is registered.

 

What am I doing wrong? How do I switch "OfficeMgmtCOM" on/off from SCCM client settings?

Thank you.

 

Microsoft

@Petrokl To add one important note... when you use GPO or SCCM Client settings to enable\disable OfficeMgmtCom this only sets a registry key, that is all.  It doesn't actually register\de-register the OfficeC2RCom COM+ Application.  That's the job of the Microsoft Office Click-to-Run Service.  During restart, it will look to known locations for OfficeMgmtCom, like Policy then Configuration, to retrieve value On\Off and then register or de-register the application.  So it's a policy refresh followed by a restart of the service above.  In terms of ensuring the policy is set you can make a more intentional decision, set it to Enabled or Disabled.  If for some reason you are saying the SCCM policy is not happening, I don't have a good answer here, standard troubleshooting for Client settings applies.  To my recollection, GPOs win as they are domain based and SCCM client settings are in effect local policy.
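
A read-only check of the two points made in the replies above (UpdatePath overriding the channel setting, and OfficeMgmtCOM being looked up in Policy first, then Configuration), as an added example that is not part of the thread or of Microsoft's tooling. Treating 1 or "True" as "on", the sample values and the fileserver.example share are assumptions.

```powershell
# Added example. Registry paths and value names are the ones quoted in the thread;
# treating 1 / "True" as "on" is an assumption about how the value is stored.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate'
$ConfigKey = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'

function Get-RegValues {
    # Returns the values under a key as a hashtable (empty if the key is absent).
    param([string]$Path)
    $out = @{}   # hashtable literals compare keys case-insensitively
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($item) {
        foreach ($p in $item.PSObject.Properties) {
            if ($p.Name -notlike 'PS*') { $out[$p.Name] = $p.Value }
        }
    }
    $out
}

function Resolve-C2RUpdateState {
    param([hashtable]$Policy, [hashtable]$Config)

    # OfficeMgmtCOM: Policy is consulted first, then Configuration.
    $source = 'not set'; $raw = $null
    if     ($Policy.ContainsKey('OfficeMgmtCOM')) { $source = 'Policy';        $raw = $Policy['OfficeMgmtCOM'] }
    elseif ($Config.ContainsKey('OfficeMgmtCOM')) { $source = 'Configuration'; $raw = $Config['OfficeMgmtCOM'] }
    $comOn = "$raw" -in @('1', 'True')

    $notes = @()
    if ($Policy.ContainsKey('UpdatePath')) {
        $notes += "Policy UpdatePath is set ($($Policy['UpdatePath'])); it overrides the channel setting."
    }
    if ($Config['UpdateChannel'] -and $Config['CDNBaseUrl'] -and
        $Config['UpdateChannel'] -ne $Config['CDNBaseUrl']) {
        $notes += 'UpdateChannel differs from CDNBaseUrl (custom source or a channel change still pending).'
    }
    if ($comOn) {
        $notes += 'OfficeMgmtCOM is on: the COM+ application is only registered when the Click-to-Run service restarts.'
    }

    [pscustomobject]@{
        OfficeMgmtCOM       = $comOn
        OfficeMgmtCOMSource = $source
        UpdateChannel       = $Config['UpdateChannel']
        CDNBaseUrl          = $Config['CDNBaseUrl']
        Notes               = $notes
    }
}

if (Test-Path $ConfigKey) {
    # Live machine: read both locations (read-only).
    $state = Resolve-C2RUpdateState -Policy (Get-RegValues $PolicyKey) -Config (Get-RegValues $ConfigKey)
} else {
    # Constructed sample: GPO enables COM and still carries a file-share UpdatePath.
    $samplePolicy = @{ OfficeMgmtCOM = 1; UpdatePath = '\\fileserver.example\office$' }
    $sampleConfig = @{
        UpdateChannel = '\\fileserver.example\office$'
        CDNBaseUrl    = 'http://officecdn.microsoft.com/pr/<channel-guid-placeholder>'
        OfficeMgmtCOM = 'False'
    }
    $state = Resolve-C2RUpdateState -Policy $samplePolicy -Config $sampleConfig
}
$state | Format-List
```

On the constructed sample the result reports OfficeMgmtCOM as on with source Policy, plus all three notes.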

Microsoft

Hello Dave,

 

Are toast notifications applicable for deployment through intune, with updates controlled by the admin?

Microsoft

@kallaswamy Deploying Office using the 'Microsoft 365 Apps (Windows 10)' wizard within Intune is unique in that it leverages the OfficeCSP.  When using OfficeCSP, there is no deadline defined, which is a requirement to generate the CDN deadline notifications described above.  I suspect for OfficeCSP scenarios, you would need to additionally add a Configuration Profile from Devices to access Windows 10 Administrative Templates.  There is a selection Computer Configuration/Microsoft Office 2016 (Machine)/Updates/Update Deadline.  Define an integer here in terms of days.  Example 5.  Which would mean once a new Office build has been downloaded, a deadline of 5 days in the future would be stamped in registry and provide the same CDN experience described in the article.  I haven't tested this scenario but believe it should work as described.

Copper Contributor

So I'm trying to make Scenario 2 work.  Updates are deployed with available as of today, set with deadline for 2 days from now.  The update shows in software center as "Scheduled to install after <insert 2 days from now date here>"

Scenario 2 says that OfficeMgmtCOM should step in and download this content from the distribution point.  When does it do that?  When does it get staged?  I can't seem to find these answers.

 

Note:  If I manually kick it off from Software Center, it downloads and does its thing, but I want to know when users will be prompted WITHIN office apps to do it themselves in order to avoid the deadline install that fails and requires reboot...

 

Also, wanting to know if this works at all with Office 2019 Perpetual Click-To-Run as well, since it's using the same setup engine from Office Deployment Toolkit.

Microsoft

@aarony Let me start with the easy one, Office 2019 behavior is the same.  As you stated, M365 Apps and Office 2019 use same code base so same behavior.  By design, SCCM uses some internal randomization in terms of timing, there are a bunch of timers at play. (this is the reason precise timers are not provided as they will be different by design)  To my recollection, when I did testing for this scenario, I had to be patient and wait for SCCM to do its thing and stage the content on the machine.  Once that happens, the next launch of Office application will result in the "BusBar", the yellow banner in app notification saying updates are pending and user can drive change.  If an Office application was already open it won't show the BusBar unless you close and reopen it.  Therefore, the greater window prior to deadline would give users more time to drive the update themselves before deadline.  

Copper Contributor

@Dave Guenthner Yep, the good ole' SCCM waiting game.  Even after the update evaluation was done, and logs showed it as applicable, there was a need to wait over an hour for it to kick off on its own.  No rebooting, kicking off tasks, extra eval cycles etc. would get the C2R COM to start the download during the availability window.  Only time did that :)

 

All good now!

Copper Contributor

Hi,

 

We are using Intune Configuration Profile to manage the Office 365 click-to-run updates.

Is there any way to expedite the Office 365 auto-update so it triggers as soon as it is released by Microsoft? It should even surpass the throttling value and make it available to download and install.

Microsoft

@Krishnareddy The best answer is to evaluate "Servicing Profiles" Overview of servicing profile in the Microsoft 365 Apps admin center

 

It's designed to provide you tenant level controls with rollout and bypasses throttle because behind the scenes automates bumping the UpdateTargetVersion for you.  Ton of quality videos here Microsoft 365 Apps Deployment Insiders - YouTube.

 

This approach has been very successful for my customers.

Copper Contributor

Hi,

Sorry if it's the wrong subject, but I faced an issue with switching to the MEC channel from Current on machines which get updates via shared folder and GPO. I checked path, access to the folder with MEC distributive, registry. Everything looks ok. I waited more than 24 hours. Restarted the Click-to-Run service and the task in Scheduler. But no success. Any ideas? Thanks in advance.

Microsoft

Hi @Petrokl It's hard to speculate or troubleshoot via blog forum. A few thoughts\asks\questions.

 

While updating from a file share is technically supported, it's strongly discouraged. We recommend updating from CDN using Servicing Profiles. 

To my recollection, when you use a custom path, you need to ensure you're downloading the LATEST build\version using ODT because we require the V32.cab\v64.cab as a means to inform the client which build to consume. The build number you are making available on the file share must be higher than what is installed on that client. 

 

Troubleshooting is best done using tool Microsoft 365 Apps Deployment Log Collector .

Use a tool like Notepad++ to search all files from log output folder for string 'unexpected' for clues and to review configuration.

Last update: Feb 10 2023 12:27 PM