Due to the dynamic situation with COVID-19 many IT pros are being challenged to assess ways to configure Office.com/setup 365 Client to update directly from Microsoft CDN. Today, the majority of customers I engage with manage updates using Configuration Manager (ConfigMgr), predominately on-premises. The objective of this posting is how to minimize internet egress through the customer VPN network for Office updates. We also have guidance for initial remote install and second installs (e.g. Visio/Project) of Office. Further, we offer an additional free security layer to protect machines whether they are on-premises or remote regardless if the machine is "managed" or not.
Network considerations
There is an infinite number of ways customers configure network access, no two customers are identical in configuration. Speaking generally, the VPN client needs to support split tunneling or be configured so network traffic destined for Office.com/setup 365 are directed to the internet and are not required to pass through VPN Server. Microsoft provides a list of all Office.com/setup 365 URLs and IP address ranges in the following document. Some customers have VPN clients dynamically aware of Office.com/setup 365 Services using Microsoft Graph API, some support URLs, and others only support IP exclusions. You’ll notice item(s) 90 and 92 which provide specific URLs used by the Office 365 Client to perform updates.
90 | Default | mrodevicemgr.officeapps.live.com (Description: Device Management Service (DMS) is used to advertise the C2R builds to the machines which are non-admin managed based on the metadata passed by the machine.) | TCP: 443 |
92 | Default | officecdn.microsoft.com, officecdn.microsoft.com.edgesuite.net (Description: Office CDN where content is downloaded) | TCP: 443, 80 |
Concerning Office updates, one challenge is that the CNAME officecdn.microsoft.com doesn't belong to the "optimize" category. Therefore, the IP addresses which may be defined for VPN Forced Tunnel with exceptions won't include OfficeCDN IP addresses (hosted by Akamai) so Office updates will be directed to the VPN tunnel and back to corporate. If you have VPN Selective Tunnel implemented, then all network traffic for Office updates will go directly to the internet. Reviewing common VPN scenarios and comparing it to your environment is an important first step.
Tip: Please review blog posting How to quickly optimize Office 365 traffic for remote staff & reduce the load on your infrastructure
Tip: Please review blog posting Managing remote machines with cloud management gateway in Microsoft Endpoint Configuration Manager
Background on how Office 365 Client works by default
Office.com/setup 365 ProPlus is designed by default to update from CDN. A scheduled task called “Office Automatic Updates 2.0” uses a trigger to routinely check for updates as advertised by DMS service. The Office client will always move to the latest version\build available by assigned channel documented here. Documentation around what to expect from a user experience when updates are delivered from CDN can be found here. If ConfigMgr Office.com/setup 365 Client Management integration is enabled by Configuration.xml during initial installation, ConfigMgr Client settings, or Domain Policy, the scheduled task will continue to execute but will only perform software updates from ConfigMgr.
Options available to update from CDN
Option 1: Cloud-managed
Steps:
- Disable OfficeMgmtCOM (required if previously ConfigMgr managed)
- On the next restart of Microsoft Office Click-to-Run Service, Office COM application will de-registered. Allows Office Client to do its thing and get updates from the CDN.
- This can be done by changing client settings in ConfigMgr or by Group Policy.
- Set UpdatesEnabled GPO to True (optional)
- Allows the client to resume normal update checks from the CDN
- UpdateDeadline GPO as an integer (optional) in days (ex. 12) to ensure the client is updated to ensure compliance. Using an integer value allows the admin to not have to continually change the date to a future date/time for every update.
Option 2: SCCM managed but offload content distribution
Use normal deploy software updates wizard within ConfigMgr console selecting deploy option. When completing the deployment package screen, it is important to select the option “No deployment package”. In this way, clients will download content directly from CDN but keep existing controls and user experience during software update workflow.
Steps:
No comments:
Post a Comment