Patching Microsoft Office 365


ZENworks Patch Management now supports the deployment of Microsoft Office 365 updates (starting with Office 365 2016) from the Current Channel, Deferred Channel, and First Release for Deferred Channel. Patches for each of these channels can be seen in the Patches list in ZENworks Control Center.

(Figure: Patch list with Office 365)


How it works

With most Windows patches, ZENworks Patch Management orchestrates the entire patch process, including delivering the patches to the devices. With Office 365 updates, however, ZENworks Patch Management leaves the patch delivery to Office 365. This means that:

    • You use ZENworks Patch Management to discover which devices need an Office 365 update, to schedule when you want to deploy the update (via a Patch policy or a Patch remediation), and to track the Patched status for applicable devices.


    • You use Office 365 to deliver the patch content to devices. When ZENworks Patch Management initiates the Office 365 update, it respects the device's Office 365 configuration for update channel and source location. You use your standard Office 365 tools to configure the update channel and source location. For update channel, this can be any of the three channels--Current Channel, Deferred Channel, or First Release for Deferred Channel. For source location, this can be the Office 365 CDN (Content Delivery Network) or a UNC path if you are storing the updates in a local share location. Each device must be configured for either Internet or UNC access depending on your source location.


    • You disable Office Automatic Updates so that ZENworks Patch Management controls the update schedule and not Office 365. When Office 365 is installed, the Office Automatic Updates task is added to the Windows Task Scheduler and configured to check for updates at user login and at 3:00AM every Sunday, Tuesday, and Friday. You need to disable this task so that it is not run.

It's pretty simple -- let ZENworks Patch Management manage the update process and let Office 365 manage the content delivery.
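To check a device against the three points above, the following PowerShell script reports the Office 365 update channel and source location and the state of the Office Automatic Updates task, and disables the task when run with `-Disable`. It is an added example, not part of ZENworks or of the original article. Assumptions: the Click-to-Run settings are read from the default `ClickToRun\Configuration` registry key and its `UpdateChannel`, `UpdateUrl` and `CDNBaseUrl` values, the task is matched by name with a wildcard, and the parameter names are illustrative.

```powershell
# Added example: audit a device before ZENworks takes over Office 365 update scheduling.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumption: default Click-to-Run configuration key on the device.
    [string]$ConfigKey = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration',
    # Assumption: the wildcard covers builds whose task name carries a suffix.
    [string]$TaskName = 'Office Automatic Updates*',
    # Without -Disable the script only reports.
    [switch]$Disable
)

# Channel and source settings that the Office 365 update will respect.
$cfg = Get-ItemProperty -Path $ConfigKey -ErrorAction SilentlyContinue
if (-not $cfg) {
    Write-Warning "No Click-to-Run configuration at $ConfigKey; Office 365 not detected."
    return
}

# A wildcard query returns nothing (no error) when no task matches.
$tasks = @(Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue)
if ($tasks.Count -eq 0) {
    Write-Warning "No scheduled task matching '$TaskName' was found."
}

foreach ($task in $tasks) {
    $fullName = "$($task.TaskPath)$($task.TaskName)"
    $state    = [string]$task.State

    # Disable only on request; -WhatIf and -Confirm are honored.
    if ($Disable -and $state -ne 'Disabled' -and
        $PSCmdlet.ShouldProcess($fullName, 'Disable scheduled task')) {
        # Requires an elevated session.
        $state = [string]($task | Disable-ScheduledTask).State
    }

    # One record per task, suitable for Export-Csv across many devices.
    [pscustomobject]@{
        Computer                = $env:COMPUTERNAME
        UpdateChannel           = $cfg.UpdateChannel  # configured channel, if any
        UpdateUrl               = $cfg.UpdateUrl      # configured update source, if any
        CDNBaseUrl              = $cfg.CDNBaseUrl     # CDN the installation came from
        Task                    = $fullName
        TaskState               = $state
        ZenworksControlsUpdates = ($state -eq 'Disabled')
    }
}
```

Run it without `-Disable` first to see which devices still have the task enabled, then rerun it with `-Disable -WhatIf` to preview the change before applying it.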

An example

As always, I encourage you to set up a Patch policy to automate the deployment of your Office 365 updates. Here is what I did in my system:

    1. I filtered on the Patches list to see which Office 365 updates were applicable to the devices in my zone. I only have a couple of Windows devices in my test zone, and only one of them has Office 365 installed. The patch scan of my devices detected Office 365 on that device and that it is configured for the Deferred Channel, so my Patches list showed that I have one device that needs the Microsoft Office 365 Deferred Channel Version 1701 (16.0.7766.2099) for Windows patch.


    2. I created a policy called Office 365 Deferred Channel Updates.


    3. In the policy, I used the Patch Name criteria in the Patch Policy Rules to include any patches that contain "Office 365 Deferred Channel" in the patch name.


    4. I chose to recalculate the policy every 30 days and have it rebuilt at that time.

      To decide how often I wanted to recalculate and rebuild the policy, I referenced a Microsoft-provided chart to see how frequently Deferred Channel patches are released. Based on the chart (shown below), you can see that Feature updates occur every four months for the Deferred Channel, but Security updates are released each month. To ensure that my policy includes any monthly Security updates, I chose to recalculate and rebuild the policy monthly.

      (Microsoft, Overview of update channels for Office 365 ProPlus)


    5. I assigned the policy to all of my Windows devices and published the policy. I chose to assign the policy to all of my devices because it was easy and the policy's patch is applied only if it is applicable to the device. You can certainly be more selective if you want.


    6. On my device that has Office 365 installed, I refreshed the device to pull down the policy, then ran the zac pap command to apply the policy. I could have waited for the policy to be applied by my monthly policy enforcement schedule, but I wanted to apply it immediately to see the results. After the policy was applied, the new patch scan reported that the device had applied the update, as seen in ZENworks Control Center.


