Microsoft IT Deploys and Manages Office 365 ProPlus
Technical White Paper
Published: July 2013
This white paper discusses the considerations and experiences of the Microsoft IT team when deploying and managing the new Office in an enterprise environment. Many of the techniques and best practices described in this paper can be employed by other companies to help them determine how to best approach their own managed Office deployments.
Technical White Paper, 534KB, Microsoft Word file
Products & Technologies
Microsoft IT wanted to improve how the new Microsoft Office 365® ProPlus was deployed, licensed, and activated to employees.
Using the deployment and management tools for enterprise administrators that come with the new version of Office, Microsoft IT was able to configure installation images on distributed local servers and automate the provisioning process using Windows PowerShell scripts.
Microsoft IT also simplified the update process by configuring the company’s managed systems to download Office updates automatically.
With more than 150,000 users in 89 countries connecting 300,000 client systems to Microsoft's corporate network, Microsoft Information Technology (Microsoft IT) is responsible for managing one of the largest enterprise infrastructures in the world.
The intent of this white paper is to discuss the considerations and experiences of the Microsoft IT team when deploying and managing the new Office in an enterprise environment. Many of the techniques and best practices described in this paper can be employed by other companies to help them determine how to best approach their own managed Office deployments.
Note: This paper is based on Microsoft IT’s experience and recommendations and is not intended to serve as a procedural guide. Each enterprise environment has unique circumstances; therefore, each organization should adapt the best practices described in this paper to meet its specific Office deployment and management needs.
The newest version of the Microsoft Office suite—known as Office 365 ProPlus for companies who have subscribed to Office 365—provides some new deployment, licensing, and activation capabilities that enhance IT administrators’ ability to deploy and manage the software in an enterprise environment.
In the following sections of this paper, we provide a summary of some of the important changes in this newest version of Office that relate to its deployment and maintenance for the enterprise. We also discuss Microsoft IT's enterprise strategy for deploying, managing, and updating the new Office in a managed environment. Finally, each section also provides best practices to help enterprises streamline how they manage Office 365 ProPlus deployment and management within their own corporate network.
This section of the paper discusses the changes to the new Office licensing, activation, and deployment functionality for enterprise IT administrators.
The new Office licensing process is no longer computer-based. Instead, Office 365 ProPlus is offered as a monthly subscription on a per-user basis. Of course, the number of available licenses for Office 365 ProPlus depends on the organization’s Office 365 subscription level. As illustrated in Figure 1, administrators can assign licenses to users in the Office 365 portal. Once allocated a license, the user is able to install Office 365 ProPlus on up to five computers.
Each installation is activated and kept activated automatically by a cloud-based service called Office Licensing Service. This frees administrators from having to keep track of product keys or needing to work with other activation methods such as Key Management Service or Multiple Activation Key.
Office Licensing Service
The Office Licensing Service (OLS) is a cloud-based service that manages subscriptions, users, and computers for use with Office Licensing Client (OLC). OLS manages the number of computers on which an Office 365 ProPlus installation is activated.
A user's subscription allows the user to install Office products, which can include Office 365 ProPlus, Microsoft Project Pro for Office 365, Microsoft Visio® Pro for Office 365, Microsoft Lync®, or Microsoft SharePoint® Designer 2013 on up to five computers. If the administrator enables users to manage their own installations and a user tries to install Office on a sixth computer, the user can use the software page on the Office 365 portal to deactivate one of the first five computers on which Office is installed. This enables activation on the sixth computer.
Activation occurs automatically the first time that a user runs Office 365 ProPlus. Although the activation process initially requires Internet connectivity, after that the user only has to connect to the Internet at least once every 30 days to check the status of the user’s subscription. If the computer goes offline for more than 30 days, Office will enter a reduced functionality mode until the next time a connection is made.
Important: Because of its online activation feature, Office 365 ProPlus won’t work on computers that are completely disconnected from the Internet. To learn more about OLS and its activation model, see http://technet.microsoft.com/library/gg982959.aspx.
The new installation process for Office 365 ProPlus is known as Click-to-Run, which is a streaming and virtualization technology based on Microsoft Application Virtualization (App-V) that significantly reduces the time required to download and use Office 365 ProPlus client products. Streaming enables users to begin to use a Click-to-Run program before the complete program has finished downloading. In Office 2010, Click-to-Run was available to consumer users only. In this new release, Click-to-Run supports large enterprise deployments. Another common way to introduce Office into the enterprise is within a Windows image as part of a broader desktop refresh program.
As illustrated in Figure 2, administrators can either permit users to run Click-to-Run directly from the Office 365 portal, or they can download the Office software to their local network, customize it, and then deploy Office to users (up to the number of available user licenses):
- Direct users to install Office 365 ProPlus directly from the Office 365 portal. This option requires the least amount of administrative setup and can offer other licensed products such as Project, Visio, and mobile apps. However, because users download directly from the portal, administrators have less control over this deployment process. This approach also drives the installation traffic through enterprise firewalls, which must be taken into account during implementation planning.
- Download the Office 365 ProPlus software to the corporate network and then deploy it to end users. This option requires some planning and preparation, but it gives administrators much more control over the deployment process, including:
- From where on the network Office 365 ProPlus is installed
- How Office 365 ProPlus is updated after it is installed
- On which computers Office 365 ProPlus is installed
- Which users, if any, get the 64-bit version of Office 365 ProPlus
- Which languages are available to install
We discuss these two deployment methods in the following sections.
Note: Office 365 ProPlus is installed and runs locally on the user's computer irrespective of the deployment method. Office 365 ProPlus is not a web-based version of Office; users don't need to be connected to the Internet all the time to use it.
By default, an Office 365 user can use the Office 365 portal to install any of the Office products that are part of their organization’s Office 365 subscription. When a user installs an Office product from the Office 365 portal, Click-to-Run streams the necessary files from the Internet to the user’s computer and installs the Office product.
Additionally, administrators use the Office 365 portal to configure which Office products are available for users. For example, an administrator might allow users to install Office 365 ProPlus and Visio Pro for Office 365, but not Project Pro for Office 365.
Office on Demand is another type of Internet-based deployment that uses Click-to-Run streaming technology to deliver Office 2013 to a Windows 7 or Windows 8 computer for temporary use, such as on a shared, loaned, or public PC. Because Office on Demand is designed as a temporary installation, Office on Demand does not count towards a user’s 5 PC license limit. All application processes run from the user's profile, and files are opened from and saved to the user’s SkyDrive Pro account by default.
In on-premises-based deployments, Click-to-Run streams the necessary files from the corporate network to the user’s computer during the installation. Enterprise administrators have several options for deploying Office 365 ProPlus from an on-premises location:
- File Share: Administrators who do not want users to install Office products directly from the Internet by using the Office 365 portal can download the Office product and language files to their corporate network. The Office products and languages can then be deployed to users from an on-premises location, such as a local network share. Administrators can also save storage space by combining different languages into a single build folder that contains language-neutral components that are common across all localized source folders.
- Scripts or Batch Files: Administrators can use scripts or batch files to simplify and automate the deployment process for users. The script or batch file can also be used by a software distribution product such as System Center Configuration Manager.
The primary means by which enterprise administrators can automate Office licensing is through Windows PowerShell. Using Windows PowerShell scripts, administrators can automate the following tasks:
- Obtain information about their organization’s number of Office 365 ProPlus licenses owned, consumed, and available
- Assign licenses
- List information about mailboxes and users
- Generate random passwords and set user passwords
- And much more
Scenario: Script an Automated Provisioning and Licensing Process for New Hires
In this example scenario, an administrator who is familiar with Windows PowerShell wants to automate the Office 365 ProPlus provisioning and licensing process for new hires. To do so, the administrator performs the following steps:
- Confirm that the system used to run Windows PowerShell meets the following prerequisites:
- Operating System is Windows 8, Windows 7, or Windows Server 2008 R2 or newer.
- Microsoft .NET Framework version 3.5.1 is installed.
- Microsoft Online Services Sign-In Assistant is installed.
- Either the 32-bit or 64-bit version of the PowerShell Module for Microsoft Services Online Needs is installed.
- Use Windows PowerShell to generate a list of employees, export the list to a comma-separated value text file (.csv), and do a runtime provision by assigning everyone an initial set of licenses based on the appropriate Office subscription SKUs.
- Automate the provisioning by:
- Configuring a virtual machine (VM) running on Windows Server 2008 R2.
- Deploying the items listed in steps 1 and 2 to the VM.
- Composing a set of scripts that use get-msoluser –all –unlicensedusersonly to pull the net-new unlicensed users and provide them with all the licenses provided in the one-time run performed in step 2.
- Setting the scripts to run on a timer using Windows Server 2008 R2’s Task Scheduler service.
Note: Sample PowerShell scripts for Office 365 deployment are available at http://technet.microsoft.com/library/hh974317.aspx.
As the company’s first and best customer, Microsoft IT regularly adopts early releases of Microsoft technologies, tests them in a real-world environment, and provides critical feedback to improve products before they are generally available to the public.
Microsoft IT worked closely with the product group on various pre-release versions of the new Office, hosting product images on geographically distributed product servers to provide clients with a locally available (LAN) installation source. The deployment was hosted from a site on an internal portal that included custom Microsoft Visual Basic® Scripting (VBScript) scripts to detect and block installs when older beta builds were detected.
The level of customization applied by group policy objects (GPOs) was minimal, due to Microsoft IT’s requirement to validate the Out Of Box Experience (OOBE) for the Office product group.
Note: Microsoft IT also developed an efficient approach to LOB application compatibility testing, and prepared the user community and support channels for the new Office.
For more information about application compatibility testing with the new Office, see “Microsoft IT Tests LOB Compatibility with Office 365 ProPlus” at http://technet.microsoft.com/library/dn283376.aspx.
For more information about preparing users and support channels for the new Office, see “Microsoft IT Helps Users Embrace Office 365 ProPlus” at http://technet.microsoft.com/library/dn283375.aspx.
- Determine when local on-premises vs. Internet-based installation is best: Consider the scale of your deployment when choosing between a locally hosted installation source compared to the clients pulling directly from the Office 365 portal. Larger numbers of users can impact network and firewall bandwidth for the Internet-based installation process.
- Review your permissions model in light of your installation process. Click-to-Run will require system context access, so be sure your permissions model is configured to allow this if you are hosting on internal servers.
This section of the paper discusses what tools and processes enterprise IT administrators can use to manage Office 365 ProPlus.
This section introduces some of the key tools and technologies IT administrators can use to manage Office 365 ProPlus in an enterprise environment.
Office 365 Portal
As shown in Figure 3, the Office 365 portal provides an intuitive interface that administrators can use to allocate licenses, choose which Office software users can install from the portal, and more.
Office Deployment Tool
In managed enterprise environments, end users might not have permission to install software from the Office 365 portal. In this situation, administrators can use the Office Deployment Tool to manage Click-to-Run installations, including specifying which languages or which edition (32-bit or 64-bit) of Office that users can install.
The Office Deployment Tool includes an .exe file, dynamic link library resources (dlls), and a sample configuration file, configuration.xml. To customize an installation, administrators run the Office Deployment Tool and provide a customized version of the Configuration.xml file.
Using the Office Deployment Tool, administrators can perform the following tasks:
- Download an Office installation source to a network share location
- Configure an installation to use a network share as the installation source instead of the Internet
- Configure an installation to suppress all UI
- Configure the logging for an installations
- Configure whether Office will automatically update or not
- Configure which products and languages to install
- Remove Office Click-to-Run products
Scenario: Customize Deployment Images for Multi-Language Support
In this example scenario, an administrator in the IT department of a global enterprise needs to customize the new Office Click-to-Run, building a few different images that contain language sets that will support the company’s European and Asian regions. To do so, the administrator performs the following steps:
- Use the Office Deployment Tool to download the Click-to-Run for Office 365 installation sources.
- Modify the Configuration.xml file for Click-to-Run, specifying the specific set of languages that will be installed for a particular region.
- Use the Office Deployment Tool with the /configure command and the customized Configuration.xml file to install Click-to-Run for Office 365 products and languages on a user’s computer.
- For instances where Office 365 ProPlus must be installed to a number of new hires, the administrator uses an appropriate deployment tool such as System Center 2012 Configuration Manager or Windows PowerShell to deploy the specially configured Click-to-Run to the designated client systems.
- Repeat these steps for as many different language installations as required.
Administrators can use group policies for both Windows Installer-based Office 2013 and Click-to-Run for Office 365 ProPlus. It is the recommended tool for managing the user and computer settings that enterprise administrators want to enforce in Office.
Administrators can use group policies to:
- Control entry points to the Internet from Office 365 ProPlus applications.
- Manage security in the Office 365 ProPlus applications.
- Hide settings and options that are unnecessary for users to perform their jobs and that might distract them or result in unnecessary support calls.
- Create a highly managed standard configuration on users’ computers.
Because Click-to-Run is not managed by Windows Server Update Services (WSUS), enterprise administrators who want to maintain visibility into the compliance state of their Office clients might need to consider using other reporting and management technologies such as System Center Configuration Manager to collect and report information about the deployed Click-to-Run versions.
By default, Click-to-Run for Office 365 installations are updated automatically, detecting and downloading updates in the background. Although Click-to-Run installs and updates the Office suite as a single, complete package (there is no option to install only Word, for example), the updates are kept as small as possible, and they download only when changes are required to keep the installation up-to-date. In addition, updates occur only when the affected Office applications aren’t being used, and they don’t require a computer restart.
In an enterprise environment, administrators can use this default update process, or they can instead use the Office Deployment Tool to stage and deploy Click-to-Run updates from a specified on-premises location. This process enables administrators to roll out specific Office builds that are based on organizational testing and validation. A range of the most recent Office Click-to-Run builds are provided to Office 365 administrators to help them remain current, and to provide the flexibility to allow for testing before new builds are deployed into their production environment.
Administrators can configure Click-to-Run’s update behavior by using the Configuration.xml file. The following Updates element attributes are available:
- Enabled: If set to TRUE, Click-to-Run will automatically detect, download, and install updates. This is the default. If Enabled is set to FALSE, Office won’t check for updates and will remain at the installed version.
- UpdatePath: Used to specify a network, local, or HTTP path for a Click-to-Run installation source to use for updates. If UpdatePath isn’t set, or is set to special value “default”, the Microsoft Click-to-Run source on the Internet will be used.
- TargetVersion: Used to set a Click-to-Run for Office 365 product build number, for example, 18.104.22.168. When the version is set, Click-to-Run for Office 365 attempts to update to the specified version in the next update cycle. If TargetVersion isn’t set or is set to special value "default," Click-to-Run for Office 365 updates to the latest version advertised at the Click-to-Run source.
Microsoft IT uses GPOs as its primary Office management tool but also customizes Click-to-Run using the Office Deployment.
For reporting, Microsoft IT has implemented System Center 2012 Configuration Manager to help make decisions concerning client software deployment, including tracking compliance of the Click-to-Run updates.
Because Click-to-Run is not managed by existing models such as Microsoft Update or Windows Server Update Services, enterprise administrators who need to enforce a given build of Office need to determine what update mechanism their organization will use. Microsoft IT wants to ensure employees have the best user experience with Office, so it configures the company’s managed systems to download the Office updates automatically with no interaction required by the user. Only when an Office app is running will the user be prompted about the update.
Use Administrative Template files to control your Click-to-Run installations. Review and download the complete set of ADMX templates available to you for configuring the Office clients.
Design an inventory model to monitor your deployment model. Use reporting functionality from a management suite such as System Center to give your IT organization insight into the current state of the builds that are deployed throughout your company—and, therefore, the health of the Click-to-Run update model.
Always update to the latest version of Office. Although administrators might want to test a particular build before deploying it across the organization, expedite deployment of the newest bits to help ensure users have the latest releases and functionality.
Determine the best approach for updates: The default update process of allowing Office to automatically download and apply updates each month from the Internet is the simplest approach, but it does not provide for a granular level of control. If your organization needs to control certain aspects of the upgrade process (such as controlling what builds you make available to your clients), consider deploying updates via a server hosted within the company.
Consider the overhead of your users installing from the Internet versus an internal file share: When a client installs Office directly from the Office 365 portal, it can create an overhead on your corporate firewall(s) because the whole build is streamed to the client. If you are deploying Office to a large number of clients, consider pulling the build down to a local server within your corporate network and then deploying it using a software distribution technology such as System Center 2012 Configuration Manager, or by simply having your clients run the installation directly from the local \\server\share.
The new version of Office 365 ProPlus has added tools and features that, for the first time, enable enterprise administrators to customize the suite’s Click-to-Run deployment and installation technology, including deploying it from an on-premises location. This is especially valuable in managed environments where end users do not have permission to install software from the Office 365 portal onto their machines.
Global enterprises who need to support multilanguage deployment of their Office installations can create different installation images that can be distributed to regional servers and from there, deployed to client systems that need to work with the different language(s).
Administrators now have a choice of allowing simplified direct download, installation, and updates of Office on users’ systems, or customized control of the deployment, licensing, and activation process.
For Microsoft IT, automating provisioning through Windows PowerShell scripts and configuring client machines to download updates automatically has streamlined the process and reduced administrative overhead. Microsoft IT hopes that the considerations and best practices offered in this paper might help you improve your own Office 365 ProPlus provisioning and management processes.
For more information about Microsoft products or services, call the Microsoft Sales Information Center at (800) 426-9400. In Canada, call the Microsoft Canada information Centre at (800) 563-9048. Outside the 50 United States and Canada, please contact your local Microsoft subsidiary.
For more information about the various subjects discussed in this paper, visit the following locations on the World Wide Web:
- Microsoft main site: http://www.microsoft.com
- Microsoft IT Showcase: http://www.microsoft.com/technet/itshowcase
- Content roadmap for deploying Office 365 ProPlus: http://technet.microsoft.com/library/jj839718.aspx
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2013 Microsoft Corporation. All rights reserved.
Microsoft, Lync, Office 365, SharePoint, Visio, Visual Basic, Windows, Windows PowerShell, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
All other trademarks are property of their respective owners.