Deploying Microsoft Office 365 updates with Patch Management Solution
search cancel

Deploying Microsoft Office 365 updates with Patch Management Solution

book

Article ID: 184965

calendar_today

Updated On:

Products

Patch Management Solution IT Management Suite

Issue/Introduction

For more information about Patch Management Solution for Windows implementation, see IT Management Suite documentation page.

Resolution

Microsoft Office 365 Click-to-Run products use virtualization and streaming Microsoft Application Virtualization (App-V) technology. The Click-to-Run method of downloading and updating Office products differs from the traditional Windows Installer-based (MSI) method in the following way:

  • You do not need to download the whole Office product installer, and then update it to the current version with patches and service packs. With Click-to-Run, you download a single executable program that lets you initiate Click-to-Run streaming and application start processes. You can start using the product while the rest of it is being downloaded in the background to a network or HTTP share (the default location is Microsoft CDN). When you open an application that is not yet downloaded and installed, Click-to-Run immediately downloads it from there and installs it to the client computer.
  • By default, Click-to-Run products are updated automatically on client computers. You can disable automatic updating or invoke updating manually in Office menu. During the update process, the Office updater service (ClickToRunSvc) connects to the network location that stores the full image of the latest version of Office, and then downloads only the updates for the Office components that are installed in your environment. Thus the download size depends on the number of the installed Office components and the number of the Office files to be updated.

For more information, see Deployment guide for Office 365 ProPlus.

Microsoft uses update channels for Office 365 and releases a separate update for each version of a channel. The same update applies to all corresponding editions of Microsoft Office 365, such as ProPlus and Business Retail. For more information, see the following Microsoft articles:

Patch Management Solution provides the software bulletin for all supported Microsoft update channels. A separate bulletin is available for each date when Microsoft Office 365 updates are released for a specific channel.
The naming scheme for a bulletin is as follows:

  • MSYY-MM-0365 - for updates that are released before May 2018.
  • MSYY-MM-O365-CHANNEL_NAME - for updates that are released after May 2018.

For example, MS21-11-365-CHANNEL_NAME is the name of the bulletin that includes the November 2021 Office 365 updates and is presented in the Symantec Management Console as follows:
 


 

The patch management metadata for Windows contain five Microsoft Office 365 software products:

  • Microsoft Office Click to Run 2016 (Office 365 Deferred Channel)
  • Microsoft Office Click to Run 2016 (Office 365 Monthly Channel)
  • Microsoft Office Click to Run 2016 (Office 365 Monthly Enterprise Channel)
  • Microsoft Office Click to Run 2016 (Office 365 Semi-Annual Channel)
  • Microsoft Office Click to Run 2016 (Office 365 Semi-Annual Targeted Channel)

Each Microsoft Office 365 update is assigned to two software products:

  1. The software product that is common for all Microsoft Office 365 channels.
  2. The software product that corresponds to the specific update channel.

For example, the update for the Semi-Annual Channel of Microsoft Office 365 is associated to the software products Microsoft Office Click to Run 2016 and Microsoft Office Click to Run 2016 (Office 365 Semi-Annual Channel).

You use bulletins to create a software update policy that delivers and installs Microsoft Office 365 updates to the appropriate computers. You create the software update policy with the Distribute Software Updates wizard.
 

Before you deploy Microsoft Office 365 updates with Patch Management Solution, consider the following:

  • Ensure that you have imported the latest patch management metadata for Windows.

    By default, when you check the Microsoft bulletin on the Import Patch Data for Windows page, all Microsoft software is selected.
    If you want to exclude Microsoft Office 365 updates from the patch management metadata import for Microsoft software, on the Import Patch Data for Windows page, under Vendors and Software, check and expand Microsoft, scroll down the list, uncheck all software releases for Microsoft Office Click to Run 2016, and then click Save changes.
    For example, if you want to deploy only Microsoft Office 2016 updates, you may exclude Microsoft Office 365 updates that are stored in the same bulletin.

  • If you deploy only specific channels of Microsoft Office 365, on the Import Patch Data for Windows page, under Vendors and Software, check and expand Microsoft, scroll down the list, uncheck Microsoft Office Click to Run 2016, check only the channels that you want to update (for example, Microsoft Office Click to Run 2016 (Office 365 Monthly Channel)), and then click Save changes.



    If you have updated the list of available software products manually by clicking Update on the Import Patch Data for Windows page, under Vendors and Software, ensure that you have imported the latest patch management metadata for Windows before you change the selection of Microsoft Office 365 software products. Otherwise the existing Microsoft Office 365 advertisements may be deleted or disabled if the option Delete previously downloaded data for vendors, software and languages that are now excluded is checked on the Import Patch Data for Windows page.
    This happens because after the software products list is updated, the new software products are available in patch management metadata but have no associations with Microsoft Office 365 updates.

    After you select a subset of Microsoft Office 365 software channels on the Import Patch Data for Windows page, Microsoft Office 365 installations of other channels will not be reported in compliance reports.

    For more information about staging a specific channel for Microsoft Office 365, see the KB article 184970.
     
  • If you deploy Microsoft Office 365 in multiple languages in your environment, you must select all the languages you need during the patch management metadata import on the Import Patch Data for Windows page, under Languages. Otherwise, the update process fails on the client computers that use Microsoft Office 365 with the unselected language.

    Note that selecting each new language increases the size of the update package.



    See additional details on how Office365 language packs are deployed under "Helpful Things to Know" section below.
     
  • The update process for Microsoft Office 365 does not succeed on the client computers where the software is currently running.  The error is typically Exit Code 1638.  After the user closes the software, Microsoft Office 365 will be updated according to the enabled automatic updating schedule or after the computer restart.
     
  • Microsoft Office 365 update may fail if the download of update files to endpoint requires more time than the default Office timeout settings allow (usually because of network throttling or low network speed).
    The following warning in the logs indicates that the download failure is caused by the download timeout:
    Failed to send HTTP response, error: An operation was attempted on a nonexistent network connection (0x000004CD)
    The warning appears before the errors:
    Office update installation failed
    Please execute Click2Run tool manually using command line [C:\xxxxx] for troubleshooting
    Workaround:
    184948: Modify the following registry value to change Office timeout parameter, for example, to 600000 milliseconds (10 minutes)
    • NOTE that In some environments, you may need to put in a higher value, such as 30 minutes):
  • ***************************************************
    Windows Registry Editor Version 5.00
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Office\16.0\Common\Internet]
    "documentsynctimeout"=dword:000927C0
     
  • Newly initiated Microsoft Office 365 update process may fail in the following scenario:
    • The data blocks that the Office updater service (ClickToRunSvc) requires are not available on peers of the Symantec Management Agent and are only available on the Notification Server or Package Server in other site.
    • You have configured the targeted site settings policy to limit the number of outbound data transfers from a site to which the Symantec Management Agent belongs.
    • The number of outbound connections has exceeded the limit configured in the other site.

The update installation process is as follows:

  1. Click to Run performs 3 connection attempts in less than a minute, and then update installation fails.
  2. Click to Run repeats update installation attempts 3 times with 1h intervals.
  3. If the data blocks are still not accessible, Click to Run performs new update installation attempt only after the Symantec Management Agent restarts or a software update policy changes.

Remediation:

  • Ensure that your sites have own site servers assigned so that download of the required data blocks occurs within site boundaries.
  • Increase limit of simultaneous data transfers between sites to match your actual usage pattern.

 

To deploy Microsoft Office 365 updates with Patch Management Solution

  1. In the Symantec Management Console, on the Actions menu, click Software > Patch Remediation Center.
     
  2. On the Patch Remediation Center page, in the right pane, in the Show drop-down box, click Windows Compliance by Bulletin, and then click the Refresh symbol.
    These reports let you see which updates the client computers require.
     
  3. Right-click the bulletin with Microsoft Office 365 updates that you want to download to the Notification Server computer, and then click Download Packages.
    For example, to download the November 10, 2016 Office 365 updates, right-click the O365-16-1110 bulletin.
    If you want to download many bulletins at once, you can select multiple items while holding down the Shift or Ctrl key, right-click one of them, and then click Download Packages.

    You can close the status dialog box or leave it open in a new window; the download continues in the background.

     
  4. After the download task succeeds, on the Patch Remediation Center page, in the right pane, right-click the bulletin that you want to distribute to client computers, and then click Distribute Packages.

     
  5. In the Distribute Software Updates wizard, click Step 1, ensure that the settings are configured as needed, and then click Next.

     
  6. On the second page of the wizard, check the updates that you want to distribute.


     
  7. To enable the software update policy, at the upper right of the second wizard page, click the colored circle, and then click On.
    You can also turn on the policy later.
  8. Click Distribute software updates
  9. In the status dialog box, click Close.
  10. You can view the results of software update policies in the Windows Software Update Delivery - Details report.


 

Optional Command Line Parameters for OfficeUpdater.exe

It is possible to use a Custom Command Line to pass optional parameters to OfficeUpdater.exe.  Note that Parameters begin with TWO dashes - -.

Recommendation: Copy the current Command Line and add additional parameters as desired. 

Usage: OfficeUpdater.exe <--help|other mandatory parameters> [optional parameters]
  --help show help
  --forceappshutdown =<false> if true, force shut down running instance of Office
  --promptuser =<false> if true, ask user to continue
  --showui =<false> show UI
  --loglevel =<3> log level, 0..3, 3 = high, 0=no logging
  --updatetoversion =VERSION version to update to
  --updateurl =URL URL with update source. This option has priority above GUID and PATH
  --path =PATH relative path in URL with update source
  --omitsmf don't request SMF to force download
  --guid =GUID GUID of software package

Example: OfficeUpdater.exe --forceappshutdown --showui=true --promptuser=true --guid=<guid> --updatetoversion=<version> --loglevel = 3

To update the Command Line, select the Patch Policy you have created, click the Advanced Tab, and then click on the Command Line.

 

 

 

Helpful things to know:

To check the integrity of software update packages

  1. In the Symantec Management Console, on the Manage menu, click Jobs and Tasks
  2. In the left pane, expand System Jobs and Tasks > Software > Patch Management, and then click Check Software Update Package Integrity
  3. To relocate downloaded updates to the new location specified on the Core Services page, check Relocate existing packages if default Software Update package location on Core Services page has changed, and then click Save changes. 
  4. Under Task Status, click New Schedule, specify a schedule on which to run the task, and then click Schedule.

 

To recreate the packages for software bulletins

  1. In the Symantec Management Console, on the Actions menu, click Software > Patch Remediation Center.


     
  2. On the Patch Remediation Center page, in the right pane, in the Show drop-down box, click All Software Bulletins, and then click the Refresh symbol. 
  3. Select the bulletins that you want to revise. You can select multiple items while holding down the Shift or Ctrl key.
  4. Right-click the selected bulletin(s), and then click Recreate Packages
  5. On the Download Software Update Package page, click Close.

 

To import patch management metadata for Windows

  1. In the Symantec Management Console, on the Manage menu, click Jobs and Tasks
  2. In the left pane, expand Jobs and Tasks > System Jobs and Tasks > Software > Patch Management > Import Patch Data for Windows
  3. In the right pane, under Vendors and Software, click Update
  4. When the available products list import is complete, under Vendors and Software, check the software for which you want to download the patch management metadata.
  5. (Optional) Make any other necessary changes, and then click Save changes
  6. Under Task Status, click New Schedule.
  7. In the New Schedule dialog box, click Now, and then click Schedule.

Working with Languages packages

As mentioned before, Office 365 patching is implemented differently in comparison with other updates. Even with additional languages selected there would still be only one update shown in the Software Update policy details.

You can check in the corresponding folder on SMP Server that additional packages were staged after running the PMImport with those extra language selected:


https://api-broadcom-ca.wolkenservicedesk.com/attachment/get_attachment_content?uniqueFileId=uEWozmWXNN0fQD4YW4lDvw==

 
You can find the location on SMP Server where the given bulletin was staged by clicking on Package link in the UI:

https://api-broadcom-ca.wolkenservicedesk.com/attachment/get_attachment_content?uniqueFileId=+szQlfzMs0H4crMzkVv3/A==

and then switching to Package tab (check Package location there):

https://api-broadcom-ca.wolkenservicedesk.com/attachment/get_attachment_content?uniqueFileId=fO7MH2BJVokJsy56xtrDeQ==

Consider the following:

1. Office 365 behaves differently from other vendors patches as far as how the language patch will be displayed. If you have the language selected in PMImport, Microsoft's click-to-run (which is actually in control on the endpoints during patching) installs those elements it needs. The bulletin name remains the same (xxx-365-CURRENT, xxx-365-ENTERPRISE, etc. For Office 365 at least there is no 365-CURRENT-Algerian for example) so there is no other option to select that is different from Office languages.

2. Again, there are no additional files for Office 365 with additional languages selected. Some products have language packs but no Office. So, following the "To deploy Microsoft Office 365 updates with Patch Management Solution" section should be sufficient to get Office updates in place as needed.

3. If languages specific files are staged on the SMP server (and replicated to package servers if needed) then you don't need any additional steps from ITMS point of view. Our assessment functionality doesn't detect the languages specific to the Office 365 installed on the endpoint - we leave this to the Microsoft native servicing tool (Click-To-Run).

We just detect that there is the Office 365 installation that needs updating on a given computer and assigns the corresponding Office 365 bulletin to it.
The Command line associated with the update in this bulletin starts our OfficeUpdater utility with two main parameters specified - GUID of the package on the package server and the version of Office 365 to update to.
OfficeUpdater utility re-configures Office 365 installation to get updates from package server instead of Microsoft CDN and executes Microsoft Click-To-Run utility to facilitate the actual update.
Microsoft Click-To-Run utility has some limitations so at this stage we utilize functionality implemented in Altiris Agent to pretend that Office 365 image is stored locally on the patched endpoint but in reality we would intercept calls from Click-To-Run utility and transfer bits of Office 365 images that it requests from package server to endpoint.
Click-To-Run utility itself detects what language package given installation of Office 365 has applied and grabs corresponding files from the package server (via tunnel established by Altiris Agent).
Powered by Wolken Software