Managing Updates for Office 365 ProPlus – Part 1

Automatic Updates streamlines the way administrators deploy updates to Office 365 ProPlus. This post comes courtesy of our resident Office compatibility and deployment expert, Curtis Sawin.

Overview

Over the past several months, we’ve received tons of questions about the update model in Office 365 ProPlus. Many of the conversations start with “It’s different and I don’t like it so please change it back” and often end in “that makes sense and now I can see a path forward that’s manageable for my organization.” (I’m paraphrasing, as most conversations don’t involve such run-on sentences). 

However, the feedback has been consistent: While the new servicing model seems to make sense from a macro perspective, it just doesn’t fit into MY environment. The result: Many organizations are thinking of passing on Office 365 ProPlus for now, as updates just don’t make sense. Passing on Office 365 ProPlus will rob you of benefits like being able to install Office on 5 devices, Office on iOS and Android devices, roaming settings, and exclusive Office 365 ProPlus features like PowerMap for Excel or Office Mobile.

The goal of this article is to help you see how automatic updates can be managed in your environment, by providing a FAQ about the new update model in Office 365 ProPlus. Hopefully, this information may help you in your journey to adopting Office 365 ProPlus.

Frequently asked questions about Automatic Updates in Office 365 ProPlus

Q1. Well...how do automatic updates work? Can I control them?

A1. A default install of Office 365 ProPlus is configured to update automatically from the cloud. Separately, each month a new build of Office 365 ProPlus is released in the cloud. When a computer with Office 365 ProPlus detects that a new build is available, the difference – or delta – between the new build and the existing one is streamed down in the background. Updates are then installed when Office apps/processes aren’t running. So, with the default configuration Office 365 ProPlus, you will always be up-to-date. IT Pros can customize the configuration by controlling if updates are searched and applied automatically and/or from which source this will happen. (More on this in Managing Updates for Office 365 ProPlus - Part 2.)

Q2. Are local administrative rights required?

A2. No. Automatic updates are run under the system context, so end-users do not need local administrative rights

Q3. So what kind of stuff is in each monthly build?

A3. Now that we’ve streamlined our update process, each monthly build may contain security updates, non-security updates, and functionality improvements. All updates are cumulative, so each build contains all the other changes from previous builds.

Further, when Service Pack 1 (SP1) is released, it will be provided as a monthly build. In fact, when the next “major” version of Office 365 ProPlus is released, it will be available as a monthly build as well.

For more information about the changes that are included in each build, check out the following article: https://support.microsoft.com/gp/office-2013-365-update.

Q4. I use WSUS and/or System Center Configuration Manager to manage Office updates today. Can I continue to use these products to update Office 365 ProPlus?

A4. Automatic updates is a servicing model built into Office 365 ProPlus, and provides the ability to be always up to date, or “evergreen”, with security and functionality enhancements. Office 365 ProPlus updates are not provided via Windows Update. Some environments may prefer to use their existing software distribution tool to manage updates for Office 365 ProPlus, and this can be facilitated using the Office Deployment Tool. Check out the References section below for more information.

Q5. I need to test updates before I approve them in my environment. Can I do this?

A5. Certainly. The default configuration is that automatic updates use the cloud as the “update source.” Which basically provides an effort-saving zero-touch update experience. However, you can configure Office 365 ProPlus to use a different update source, like an internal UNC or HTTP path. This provides you the ability to control when the Office 365 ProPlus installations will “see” the updates for the first time and download and apply them. That enables you to test them beforehand. Downloading, testing and publishing the updates will generate additional administrative effort, but gives you more control about what will be applied compared to the default Automatic Update approach. (More on this in Managing Updates for Office 365 ProPlus - Part 2.)

Q6. Why are both non-security and security updates included? This increases my risk!

A6. The update model is our way to provide the most secure experience and the most value to Office 365 ProPlus users. In a services world, we are constantly providing small, incremental enhancements to our Office 365 service, and Office 365 ProPlus is the client-side extension of our Office 365 service. By providing multiple ways to apply updates, IT organizations have more control over when these updates are provided to their customers. In fact providing one consistent build each month reduces the risk of facing any issues caused by the high number of possible combinations of security/non-security and updates.

Q7. You didn’t really address my concern about risk. Can’t you separate non-security and security updates so my risk is lower?

A7. When managed properly, the new update model actually reduces your risk…and it significantly reduces your testing efforts. Meaning, if you are an organization that performs testing of Office updates prior to distributing them to your end-users, then you’re going to perform the same testing regardless of what’s inside the update. So having a consistent testing process is the best way to manage your risk. 

And really…isn’t testing Office updates generally involve the same three steps: (1) Install update. (2) Use Office. (3) Make sure Office works…for me. So having a single update to test is much easier than reviewing all the updates that are released each month, determining which ones to install, and then installing them all.

Q8. I’m not buying it. Since non-security and security updates are bundled together in a monthly build, if a non-security update in a monthly build causes a problem…then I have to make a decision to either:

  • Back out people with the update which will leave me potentially vulnerable
  • Live with the problem until it's correct so that I'm most secure.

That’s not a trade-off I want to make.

A8. The scenario laid out is valid and is applicable. But the scenario described above is only fully valid when multiple things happens at the same time:

  • An update causes an issue AND
  • This issue has a business impact which is greater than the expected business impact of leaving a specific security flaw unpatched

However, this scenario is not specific to Office. This kind of risk has existed since the first security update was ever released for any software product and will continue to exist. Any software update involves changing code, regardless of the type of update, and there is the same inherent risk when applying this type of change.

Since security is all about identifying, mitigating, and managing risks to your environment, make sure you’re using a fact-based approach to managing risk. Otherwise, you might be caught by managing risks based on assumptions (or worse…imaginationJ), and this often results in the inability to react to changes in the environment, industry, or technology.

So consider the following questions:

  • How often has this happened in the past in your organization
  • Do you have an action plan in place if it happens?

The best way to manage this risk is to test updates before they are released to your environment. With automatic updates in Office, what we’re providing is a single vehicle to provide all kinds of updates. This provides IT groups the ability to leverage a single process to manage change in their environment, regardless of what the change is. Having fewer processes to manage makes introducing change more consistent, increases your ability to automate such processes, and greatly reduces your risk that comes with managing variance in your IT environment.

Q9. What if a problem is found in the middle of the month? For example, what if a new, severe exploit is found? Are you saying that Microsoft won’t address it until the next monthly build?

A9. Our ability to respond to severe issues will not change with our new servicing process. We have the ability to deploy “out-of-band” builds that can be released outside of the normal monthly builds. Since the first Office 365 ProPlus build was released over a year ago, we have released one (1) out-of-band build. We expect to perform this rarely, which follows our existing release process for updates.

Q10. Go back to what you said about Service Pack 1. Now that updates will be provided as monthly builds, how will Service Packs be released?**

A10. For Office 365 ProPlus, Service Pack 1 is really just a milestone. Meaning, it will be treated like every other cumulative build. Customers who use automatic updates will download the deltas just like any other monthly build. Since monthly builds are cumulative, the amount of change in include the Service Pack 1 will be A TON less than a traditional service pack.

If you have a consistent method for testing and deploying updates, you can continue to use this same process to test SP1…and now you’ll start to see the value of using automatic updates.

Q11. Are there any other options to manage updating Office 365 ProPlus besides using automatic updates?

A11. You bet. You can always use the Office Deployment Tool to tailor how updates are managed to your specific needs. This fits well with customers that are comfortable using their existing software distribution tools. Check out this Office Garage Series article and video about integrating your software distribution tools to deploy and manage Office 365 ProPlus.

Summary

While we strongly believe the new update model for Office 365 ProPlus will benefit our customers and facilitate a consistent way to manage change in your environment, we understand the new approach might raise some questions and eyebrows and it takes some time to wrap your head around it. With the rate of change in our services world rapidly increasing, automatic updates provides the means to be the most secure, stay up-to-date, and provide the control that you need.

For more information

Check out our recently released training, Office 365 ProPlus Deployment for IT Pros on Microsoft Virtual Academy, where we deliver 7 modules about various Office 365 ProPlus topics. For more information about how to manage automatic updates, check out the “Notes from the field” section in Module 6 – Click-to-Run Deep Dive.

Also, stay tuned for Part 2 of this topic, where we will provide a sample testing and update process that will show you how the information in the article might fit into your environment.

References
Overview of Click-to-Run for Office 365 setup architecture (Updates) The new Office Garage Series: Anatomy of Office Software Updates in Click-to-Run The new Office Garage Series: Click-to-Run CustomRefization and Deployment Deep Dive Part 3 - Integration and Automation with Software Distribution Tools