Loading...

Configuring Office 365 ProPlus updates for remote workers using VPN

Configuring Office 365 ProPlus updates for remote workers using VPN

Due to the dynamic situation with COVID-19 many IT pros are being challenged to assess ways to configure Office 365 Client to update directly from Microsoft CDN. Today, the majority of customers I engage with manage updates using Configuration Manager (ConfigMgr), predominately on-premises. The objective of this posting is how to minimize internet egress through customer VPN network for Office updates.  We also have guidance for initial remote install and second installs (e.g. Visio/Project) of Office.  Further, we offer additional free security layer to protect machines whether they are  on-premises or remote regardless if machine is "managed" or not.

 

Network considerations

There are an infinite number of ways customers configure network access, no two customers are identical in configuration.  Speaking generally, the VPN client needs to support split tunneling or be configured so network traffic destined for Office 365 are directed to internet and are not required to pass through VPN Server.  Microsoft provides a list of all Office 365 URLs and IP address ranges in the following document.  Some customers have VPN clients dynamically aware of Office 365 Services using Microsoft Graph API, some support URLs and others only support IP exclusions.  You’ll notice item(s) 90 and 92 which provide specific URLs used by the Office 365 Client to perform updates.

90

Default
Required

mrodevicemgr.officeapps.live.com (Description: Device Management Service (DMS) is used to advertise the C2R builds to the machines which are non-admin managed based on the meta data passed by the machine.)

TCP: 443

92

Default
Required

officecdn.microsoft.com, officecdn.microsoft.com.edgesuite.net (Description: Office CDN where content is downloaded)

TCP: 443, 80

 

Concerning Office updates, one challenge is that the CNAME officecdn.microsoft.com doesn't belong to the "optimize" category.  Therefore, the IP addresses which may be defined for VPN Forced Tunnel with exceptions won't include OfficeCDN IP addresses (hosted by Akamai) so Office updates will be directed to the VPN tunnel and back to corporate.  If you have VPN Selective Tunnel implemented, then all network traffic for Office updates will go directly to the internet.  Reviewing common VPN scenarios and comparing it to your environment is an important first step.

 

Tip: Please review blog posting How to quickly optimize Office 365 traffic for remote staff & reduce the load on your infrastructure

Tip: Please review blog posting Managing remote machines with cloud management gateway in Microsoft Endpoint Configuration Manager

 

Background on how Office 365 Client works by default

Office 365 ProPlus is designed by default to update from CDN.  A scheduled task called “Office Automatic Updates 2.0” uses a trigger to routinely check for updates as advertised by DMS service.  The Office client will always move to the latest version\build available by assigned channel documented hereDocumentation around what to expect from a user experience when updates are delivered from CDN can be found here.  If ConfigMgr Office 365 Client Management integration is enabled by Configuration.xml during initial installation, ConfigMgr Client settings, or Domain Policy, the scheduled task will continue to execute but will only perform software updates from ConfigMgr. 

 

Options available to update from CDN

Option 1: Cloud managed

Steps:

  • Disable OfficeMgmtCOM (required if previously ConfigMgr managed)
    • On the next restart of Microsoft Office Click-to-Run Service, Office COM application will de-registered.  Allows Office Client to do its thing and get updates from the CDN.  
    • This can be done by changing client settings in ConfigMgr or by Group Policy.
  • Set UpdatesEnabled GPO to True (optional)
    • Allows the client to resume normal update checks from the CDN
  • UpdateDeadline GPO as an integer (optional) in days (ex. 12) to ensure the client is updated to ensure compliance.  Using an integer value allows the admin to not have to continually change the date to a future date/time for every update.

Option 2: SCCM managed but offload content distribution

Use normal deploy software updates wizard within ConfigMgr console selecting deploy option. When completing deployment package screen, it is important to select option “No deployment package”. In this way, clients will download content directly from CDN but keep existing controls and user experience during software update workflow.

Steps:

Deploy1.png

NoDeployPackage.png

FAQ:

How can I verify ConfigMgr integration is disabled?

Start -> Run ->dcomcnfg.exe and look for presence of OfficeC2Rcom application.

COMEnabled.png

COMDisabled.png

Where in the Office logs can I confirm Office updates are coming from CDN?

Use http://aka.ms/office365logcollector to collect Office logs or search for files in C:\windows\temp which have your NetBIOS name like MININT-314VFT4-20200318-0857.log.  (There will be a bunch of them).  Use your favorite text editor to search for strings like 'officecdn.microsoft.com' or the build number you deployed.

 

Starting with version 1902, 'Prefer cloud based sources over on-premise sources' allows IT Pro to prioritize Cloud content.  Does this feature extend\support Office 365 Client updates?

**Updated 10/28/2020** 

The fix for this was not included in 2002 as originally expected and is still under development.  We expect technical preview in coming weeks available for testing.  Please see official guidance for latest updates on this specific issue:

Manage Microsoft 365 Apps with Configuration Manager

Use a cloud distribution point in Configuration Manager

 

[original statement below]

No, this appears to be a bug which is under investigation.  Workaround is to ensure Distribution Points used by VPN clients do not host Office 365 Client updates resulting in error 404.  If the software deployment has selection ‘If software updates are not available on distribution point in current, neighbor or site boundary groups, download content from Microsoft Updates', this should allow new location of CDN fallback to be used.  I will update this item with updates when available.

 

The Authors

This blog post is brought to you by Dave Guenthner and Martin Nothnagel, two ProPlus Rangers at Microsoft.  We’re looking forward to your questions and feedback in the comments below.

Published on:

Learn more
Office 365 Blog articles
Office 365 Blog articles

Office 365 Blog articles

Share post:

Related posts

Stay up to date with latest Microsoft Dynamics 365 and Power Platform news!
* Yes, I agree to the privacy policy