Image: dennizn/Adobe Stock Big changes are on the horizon for Office users and administrators. April 2023 will see security updates ending for Office 2013, while Office 2016 and 2019 will Continue Reading
Big changes are on the horizon for Office users and administrators. April 2023 will see security updates ending for Office 2013, while Office 2016 and 2019 will lose access to online Microsoft 365 services in October. That means it’s time to reconsider what versions of Office you’re using, and how you’re managing them.
Office 2013 and 2016 users can say goodbye to MSI installers
If you’ve stayed with Office 2013 or 2016, there are some big changes. The biggest is the end of MSI-based installers. With the release of Office 2019, Microsoft shifted to using its Click-to-Run installer technology for both subscription and perpetual releases, as well as delivering both 32- and 64-bit versions of its code to your PCs.
SEE: Google Workspace vs. Microsoft 365: A side-by-side analysis w/checklist (TechRepublic Premium)
With the MSI-based installers reaching end-of-life, you should start moving to Click-to-Run. Microsoft has long provided tools to build and test configuration files which can be used to customize installs.
Configuration is by relatively simple XML files that control the applications that are installed. For example, one group of users can be issued installers that only install Microsoft Word and Outlook, while others get Excel and Access. That way you can control the Office apps that are deployed, and if you’ve got additional licenses for tools like Visio, how many of those licenses are used. It would also allow you to deploy preview releases to testers.
Introducing the Microsoft 365 Apps admin center
While it was easy to build Office deployment configuration files using any text editor or an online tool that let you use a web form to choose the elements installed, distribution channel used and any local distribution hosts, you still needed to deliver those files to users. Microsoft has recently released a new tool for managing the Office apps on users’ desktops called the Microsoft 365 Apps admin center.
The Microsoft 365 Apps admin center brings together several different tools into one portal, providing a one stop shop for managing and delivering desktop apps to users. As well as customizing installs, it adds new ways to manage devices and users, as well as providing ways of understanding app health. The resulting tools fill a big gap in the Microsoft 365 story, giving it the servicing platform it needs.
Only admins have access to this tool, logging into it like any of Microsoft’s growing fleet of web portals. Once logged in, you’re prompted to enroll your Microsoft 365 tenant in the service. This can take some time, but once the tenant is enabled, you have access to tools to help deploy, manage and monitor a suite of Microsoft 365 apps across your fleet of devices.
As it’s based on Azure Active Directory, Microsoft Graph and Microsoft’s own content delivery network, there’s no reliance on on-premises services, making it ideal for modern hybrid workforces where users may be working from home or in the office.
Apps admin center comes with deployment options
It’s important to note that you don’t have to use this tool. If you already have a process built around using the existing Office Deployment Tool, you can use the admin center in much the same way as the original Office Customization Tool, building and managing a library of deployment configuration files and taking advantage of Microsoft’s pre-built sample configurations.
However, there is an alternative option: Using the admin center to manage and run updates for a group of users, starting small and eventually working with a sizable portion of your fleet. At the heart of this approach is the new Servicing section of the portal, where you can define servicing profiles for your managed devices and assign them to users and devices automating updates. This is not an approach for everyone; it currently only supports the Monthly Enterprise update channel.
Users on slower release cycles or using Insider builds will need alternate ways of managing their Microsoft 365 apps — most likely using the Office Deployment Tool to configure and then either managing updates from Intune or letting their apps handle updates from the Microsoft CDN directly. You will still be able to use the Microsoft 365 Apps admin center to monitor installations and users.
Using servicing profiles
Once you have a servicing profile in place, it becomes the default management tool for Microsoft 365 users assigned to a profile, and it will automatically replace Endpoint Manager or any Office Deployment Tool settings. All you need to do is make sure that machines that are to be managed by the new tools can connect to the service endpoints.
You can test that devices are visible using the built-in inventory tools which show the specifications of scanned machines, the version of Office they’re running and what add-ins may have been installed.
How to set up the Servicing Profile
Setting up a Servicing Profile is relatively simple.
First, you need to choose what devices it applies to. The default is to manage all devices, which may be fine for smaller and simpler deployments. More complex deployments can use Azure AD groups to select specific users or devices.
If you’re going to take this approach, you need to define the groups you’re using in advance. You can use additional criteria to refine the profiles used — for example, by excluding specific subgroups or users who are already on alternate version channels. This approach allows you to keep beta and preview users on their channels, as well as ensuring that devices on slower release cadences stay on them. You can ensure that devices running critical macros and add-ins are avoided, so you can test them before deploying updates using other tools.
The next step is to define the number of days that an update can be paused before it’s automatically installed. Microsoft’s aim with the new portal is to ensure that copies of Office are as secure as possible and keeping this pause to a minimum makes sense. The default is three days, but you can make it shorter if you want.
With these steps complete, you can now create and enable your servicing profiles with a summary of the criteria being used and the number of devices that they apply to.
More than a deployment tool
Once a profile is in use, the portal gives you additional information, showing what devices have which version, if there have been any issues and if you need to roll-back any deployments.
Microsoft will keep you informed of when updates are due and what they will include. Updates are scheduled for the second Tuesday of every month, allowing users to schedule them alongside other tasks. If a release date coincides with important events on your corporate calendar, you can set exclusions around them, so that, for example, quarterly results can be posted without any interruptions.
You can use Azure AD groups to schedule up to three deployment waves, ensuring that new releases are tested first by IT and then by different groups of users before finally being deployed to everyone. Waves can be staggered by between one and five days, with the same gap between each wave.
As old versions of Office need to be replaced with Microsoft 365 apps, tools like Microsoft’s admin center are likely to be increasingly important. By simplifying deployment and providing basic inventory and diagnostic services, you’re able to manage them within a Microsoft 365 subscription and without needing additional tools, services and additional infrastructure.
Keep your team secure and running smoothly with a Microsoft 365 Services Usage Policy.