Because of the rapidly changing COVID-19 situation, many IT professionals need to work out how to configure the Office 365 Client to update directly from the Microsoft CDN. Today, the majority of the clients I work with handle updates mostly on-premises using Configuration Manager (ConfigMgr). The purpose of this blog is to explain how to reduce internet egress for Office updates across the client VPN network. We also provide instructions for the initial remote installation of Office and subsequent Office installations (like Visio or Project). Additionally, we provide a free extra security layer to safeguard machines whether they are located on-site or remotely, regardless of whether they are “managed” or not.
Network-related factors
Customers can customise network access in countless ways; no two customers’ configurations are the same. Generally speaking, the VPN client must either support split tunnelling or be configured so that network traffic destined for Office 365 is routed to the internet and does not need to go via the VPN server. The following document from Microsoft contains a list of all Office 365 URLs and IP address ranges. Certain customers’ VPN clients use the Microsoft Graph API; some are dynamically aware of Office 365 services and support URLs, while others merely allow IP exclusions. You’ll see that items 90 and 92 specify the particular URLs that the Office 365 Client uses to carry out updates.
The CNAME officecdn.microsoft.com does not fall under the “optimise” category, which presents a problem for Office updates. As a result, OfficeCDN IP addresses (hosted by Akamai) won’t be included in the IP addresses that may be configured for VPN Forced Tunnel with exceptions, so Office updates are routed through the VPN tunnel and back to corporate. If VPN Selective Tunnel is enabled, all network traffic for Office updates will travel straight to the internet. A crucial initial step is to review the typical VPN scenarios and compare them to your environment.
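The routing consequence described above, as an added Python example (not code from the original post or from Microsoft). It models a VPN client that only supports IP exclusions taken from the “optimise” category; the endpoint records are constructed samples that reuse the field names of the Office 365 endpoint list (id, category, urls, ips), and the function names are hypothetical.

```python
import ipaddress
from fnmatch import fnmatch

# Constructed sample records (assumption): every id, category assignment
# and IP range here is made up for illustration. The ranges are RFC 5737 /
# RFC 3849 documentation prefixes, not Microsoft's published data.
SAMPLE_ENDPOINTS = [
    {"id": 1, "category": "Optimize", "urls": ["outlook.office365.com"],
     "ips": ["192.0.2.0/25", "192.0.2.128/25", "2001:db8::/48"]},
    {"id": 2, "category": "Allow", "urls": ["*.protection.outlook.com"],
     "ips": ["198.51.100.0/24"]},
    # URL-only record outside "Optimize", as the text describes for the CDN.
    {"id": 3, "category": "Default", "urls": ["officecdn.microsoft.com"]},
]


def forced_tunnel_exceptions(endpoints, categories=("Optimize",)):
    """Collapsed CIDR list that an IP-only VPN client can exclude."""
    nets = [ipaddress.ip_network(cidr)
            for e in endpoints if e["category"] in categories
            for cidr in e.get("ips", [])]
    out = []
    for version in (4, 6):  # collapse_addresses rejects mixed IP versions
        same = [n for n in nets if n.version == version]
        out += [str(n) for n in ipaddress.collapse_addresses(same)]
    return out


def route_for(host, endpoints, categories=("Optimize",)):
    """'direct' if a matching record contributes IP exceptions, else 'vpn'."""
    for e in endpoints:
        if (any(fnmatch(host, pat) for pat in e.get("urls", []))
                and e["category"] in categories and e.get("ips")):
            return "direct"
    return "vpn"


if __name__ == "__main__":
    print(forced_tunnel_exceptions(SAMPLE_ENDPOINTS))
    for h in ("outlook.office365.com", "officecdn.microsoft.com"):
        print(h, "->", route_for(h, SAMPLE_ENDPOINTS))
```

Feeding the real endpoint list into the same functions shows which update hosts your exception list leaves inside the tunnel before you change VPN policy.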
Background on the default operations of the Office 365 Client
Office 365 ProPlus is configured to update from the CDN by default. The “Office Automatic Updates 2.0” scheduled task employs a trigger to automatically check for updates as promised by the DMS service. The Office client will always update to the most recent build or version made available through the designated channel listed above. You may find information here on what to anticipate in terms of user experience when updates are provided through the CDN. If ConfigMgr Office 365 Client Management integration is enabled (by Configuration.xml at initial installation, ConfigMgr client settings, or domain policy), the scheduled task will continue to run but will only apply software updates from ConfigMgr.
Option 1: Cloud-managed options for updating from CDN
Steps:
Disable OfficeMgmtCOM (required if previously ConfigMgr managed)
The Office COM application will be de-registered at the next restart of the Microsoft Office Click-to-Run Service. This enables the Office Client to function and get updates from the CDN.
This can be done by changing client settings in ConfigMgr or by using Group Policy.
Set the UpdatesEnabled GPO to true
This enables the client to resume routine CDN update checks.
Optionally, set the UpdateDeadline GPO to an integer number of days (for example, 12) to make sure the client is updated and stays compliant. Using an integer spares the admin from setting the date and time for every update.
Option 2: Offload content delivery while remaining managed by SCCM
Use the standard deploy software updates procedure through the deploy option in the ConfigMgr interface. It is crucial to choose “No deployment package” on the deployment package selection screen. Clients will then download content directly from the CDN while your current software update controls and user experience are preserved.
Steps:
How can I confirm that ConfigMgr integration is turned off?
Using Start -> Run -> dcomcnfg.exe, check to see if the OfficeC2Rcom application is present.
Where in the Office logs can I get a confirmation that CDN is the source of Office updates?
To gather Office logs, go to http://aka.ms/office365logcollector or look in C:\windows\temp for files that start with your NetBIOS name, such as MININT-314VFT4-20200318-0857.log. There will be a large number of them. Use your preferred text editor to search for strings like “officecdn.microsoft.com” or the build number you deployed.