Configuring Office 365 ProPlus updates for remote workers using VPN

This post has been republished via RSS; it originally appeared at: Office 365 Blog articles.

Due to the dynamic situation with COVID-19 many IT pros are being challenged to assess ways to configure Office 365 Client to update directly from Microsoft CDN. Today, the majority of customers I engage with manage updates using Configuration Manager (ConfigMgr), predominately on-premises. The objective of this posting is how to minimize internet egress through customer VPN network for Office updates.

Network considerations

There are an infinite number of ways customers configure network access, no two customers are identical in configuration.  Speaking generally, the VPN client needs to support split tunneling or be configured so network traffic destined for Office 365 are directed to internet and are not required to pass through VPN Server.  Microsoft provides a list of all Office 365 URLs and IP address ranges in the following document.  Some customers have VPN clients dynamically aware of Office 365 Services using graph API, some support URLs and others only support IP exclusions.  You’ll notice item(s) 90 and 92 which provide specific URLs used by the Office 365 Client to perform updates.

Tip: Please review blog posting How to quickly optimize Office 365 traffic for remote staff & reduce the load on your infrastructure

Background on how Office 365 Client works by default

Office 365 ProPlus is designed by default to update from CDN.  A scheduled task called “Office Automatic Updates 2.0” uses a trigger to routinely check for updates as advertised by DMS service.  The Office client will always move to the latest version\build available by assigned channel documented here.  Documentation around what to expect from a user experience when updates are delivered from CDN can be found here.  If ConfigMgr Office 365 Client Management integration is enabled by Configuration.xml during initial installation, ConfigMgr Client settings, or Domain Policy, the scheduled task will continue to execute but will only perform software updates from ConfigMgr. 

Options available to update from CDN

Option 1: Cloud managed

Steps:

• Disable OfficeMgmtCOM (required if previously ConfigMgr managed)
  • On the next restart of Microsoft Office Click-to-Run Service, Office COM application will de-registered.  Allows Office Client to do its thing and get updates from the CDN.  
  • This can be done by changing client settings in ConfigMgr or by Group Policy.
• Set UpdatesEnabled GPO to True (optional)
  • Allows the client to resume normal update checks from the CDN
• UpdateDeadline GPO as an integer (optional) in days (ex. 12) to ensure the client is updated to ensure compliance.  Using an integer value allows the admin to not have to continually change the date to a future date/time for every update.

Option 2: SCCM managed but offload content distribution

Use normal deploy software updates wizard within ConfigMgr console selecting deploy option. When completing deployment package screen, it is important to select option “No deployment package”. In this way, clients will download content directly from CDN but keep existing controls and user experience during software update workflow.

Steps:

FAQ:

How can I verify ConfigMgr integration is disabled?

Start -> Run ->dcomcnfg.exe and look for presence of OfficeC2Rcom application.

Where in the Office logs can I confirm Office updates are coming from CDN?

Use http://aka.ms/office365logcollector to collect Office logs or search for files in C:\windows\temp which have your NetBIOS name like MININT-314VFT4-20200318-0857.log.  (There will be a bunch of them).  Use your favorite text editor to search for strings like 'officecdn.microsoft.com' or the build number you deployed.

The Authors

This blog post is brought to you by Dave Guenthner and Martin Nothnagel, two ProPlus Rangers at Microsoft.  We’re looking forward to your questions and feedback in the comments below.