Patch Management Group

I'm starting to test deployment and patching for Office 2019.

Am I reading the microsoft docs correctly that Symantec will no longer be capable of patching because msi updates will no longer be pushed?

Enterprise customers who install the volumed license versions will need to decide to either allow updates via Microsoft CDNs, or manually make patches accessible on a share (to alleviate bandwidth concerns).  

More info here: https://docs.microsoft.com/en-us/deployoffice/office2019/update

I have seen Microsoft bork windows updates plenty in the last year or two, but office updates have been pretty stable.  Are Symantec customers allowing updates to happen via the CDN?  It's usually our internal preference to test updates before they go out, but even if I download them and put them on the share, it seems like all machines would be getting updates at the same time without a way for me to scope updates to a test group of PCs.

Thoughts?  What are you planning to do in your environment (if you're not moving to the cloud)?

Thanks!

Found this in the patch titles.  I assume this is for office 365, I wonder if it works as well for volume licensed office 2019 since it's similar click to run technology?

I found this very thorough Symantec doc about patching O365, but no mention of it working or not working for volume activation 2019 installs. I'm guessing not since volume activation don't have a concept of "rings/channels."

https://support.symantec.com/en_US/article.DOC9673.html

I'll put a ticket in for more info unless anyone here happens to have any info specific to office 2019 (via volume activation)?

Thanks

{subscribed}

we are on Office 2016 at the moment - but going Office 2019 eventually...

Also moving to Office 2019 soon with the same questions.

I asked my support request to get escalated to back line.  I understand it's not supported now, but I am hoping they can give roadmap idea that it's coming.  If it's not planned to be supported by this summer (our upgrade timeline), I need to know ASAP since patch is a big reason we're using CMS.  We really don't want to do office patching via the Microsoft CDN where there is no offered test ring for volume license customers.

Please put tickets in if you haven't already if you're interested in this so they know it's not just me :)

I agree this should be added, and Symantec should have an estimated release so we know how to plan our rollouts of Office 2019. 

Microsoft would surely like everyone to subscribe to Office365 instead of buying the perpetual Office licenses, but that's just not for everyone. 

I learned something interesting about Office 2019 at the Ignite conference last month and something you should ensure to understand fully before you purchase it.  Office 2019 is a fork from Office 365 and will never receive any feature updates, only security patches.  Microsoft is pushing everyone towards a user-based subscription of Office 365 plan in which you receive security and feature updates on an ongoing basis.  Office 2019 is intended for those who can't (or won't) swtich to user-based licensing but I'm not sure how long support will run on 2019 before yuu need to purchase the next version. 

Both Office 365 and Office 2019 use Microsoft's click-to-run technology.  This means the app resides in a virtual layer which creates a number of challenges.  the primary one is that only the app itself can perform any type of updates.   Symantec has found an interesting way around this by using a local proxy server on the machine to direct the machine to pull updates from the nearest package server so you still can use your ITMS infrastructure to host the patches.  They recently added support for peer to peer downloads as well as part of ITMS 8.5

More info:

Deploying Microsoft Office 365 updates with Patch Management Solution  https://support.symantec.com/en_US/article.DOC9673.html 

8.5 announcement including Office 365 C2R peer to peer support https://www.brighttalk.com/webcast/13361/331834/symantec-launches-it-management-suite-8-5-and-ghost-solution-suite-3-3 

Hi Sally,

> but no mention of it working or not working for volume activation 2019 installs. I'm guessing not since volume activation don't have a concept of "rings/channels."

Actually Microsoft introduced channel for Office 2019 named “PerpetualVL2019” (you can check more details here: https://docs.microsoft.com/en-us/deployoffice/office2019/update).
So our current expectation is to handle it in a way similar to Office 365 patching support - we're doing the research at the moment, will keep you updated.

Thanks for the update @dmitri.  I'm aware of the PerpetualVL2019 channel, what  I meant was if we have to use Microsoft CDN for updates, there is no ring model for volume license installs... updates are either on or off without a way for us to test them internally first.

@JoeVan - thanks for the info.  I can't remember the last feature added to Microsoft Office (or Windows for that matter) that any of my users cared about.  We just want security updates on a stable release.

@dmitri or anyone at symantec, any updates?  We are rolling out office 2019 next week.  Thanks!

any updates on office 2019 support?

Hi Sally,

sorry, I missed your previous question.

We finalized our implementation and plan to roll it into production soon.
It's going to be very similar to the current Office 365 support in terms of implementation details (you stage Office image to the management server and Altris Agent emulates its availability locally on endpoint so Click-to-Run tool grabs only required pieces from the image without a need to copy the whole package locally).

awesome, can't wait to see it implemented.  thanks @Dmitri

Hi Sally, Office 2019 patching support is added starting from PMImport 7.3.277.
Please check DOC11334 for details.

great news, looking forward to testing it out, thanks!

@dmitri - Tested and staged the bulletin, but it's failing to install.  I'm not sure why yet, I put a ticket in but posting here to share my experience.

Logs report it was downloaded, but I'm not seeing the large .cab file in usual patch location (C:\Program Files\Altiris\Altiris Agent\Agents\SoftwareManagement\Software Delivery\GUID).  Is patch going to download or run the click2run installer from the altiris share?

Also, on the Office 365 Doc it says "The update process for Microsoft Office 365 does not succeed on the client computers where the software is currently running. After the user closes the software, Microsoft Office 365 will be updated according to the enabled automatic updating schedule or after the computer restart."

Our users have Outlook opened for 95%+ of their day and reopen it on restart rather quickly.  I can see how this is going to be an issue.  In my symantec software update plug in policy settings, I have it set to default "reinstallatoin attempgs after task failure to 3.  Does this mean patch will stop trying to install if user has Outlook opened after 3 attempts?  Seems like anyone patching Office 365 or Office 2019 should have this set to a much higher number, if so.

Also, the quote above mentions the "enabled automatic updating schedule" but we have disabled automatic updates, otherwise I'm not understanding how we can manage updates from coming from Altiris server instead of the Microsoft cloud.

Any thoughts appreciated.  I will post back once support gets me squared away.

Hi Sally,

our implementation of Office 365/Office 2019 patching doesn't require Office image to be downloaded to the endpoint - it stays on NS or Package Server and Altiris Agent integrates with Microsoft Click-To-Run utility to allow it to grab only required pieces of image to perform update as it would be available locally.

When Microsoft Click-To-Run utility is started by Patch plug-in to perform the update installation and update is not possible right now because of Office applications are opened Microsoft Click-To-Run utility would create "repeat schedule" to attempt update installation later - if Office applications will be closed by that time update would execute successfully.
https://www.symantec.com/docs/TECH246925 has more details for this functionality. It also contains information about command line parameters that you can add to command line of update in Console so your users will be asked to close Office applications to allow update to happen.

Hey Dmitri,

I can't get the office 2019 patching working.  

Can you help me understand how OfficeC2RClient.exe behaves vs setup.exe /configure behaves?

With group policy disabled, this fails immediately with error code 30125-27 (12029)

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /update user promptuser=false forceappshutdown=false displaylevel=true updatetoversion=16.0.10341.20010

This is successful 100% of the time whether the xml points to CDN or my altiris patch share point

setup.exe /configure altiristest.xml

Since setup.exe works, it seems like my install isn't corrupted and no office apps are opened during my testing.  I tried changing the registry key for timeout, it didn't change anything.  Click2run logs are awful to read I'm finding out.

Any ideas?

By the way, if I set group policy to let office auto update.. it works fine.  I don't know if that's using OfficeC2RClient.exe or not.

> This is successful 100% of the time whether the xml points to CDN or my altiris patch share point
> setup.exe /configure altiristest.xml

As far as I know this would actually reinstall your Office using new version, not just update.

> With group policy disabled

May you share more information what exact group policy you're talking about?

> this fails immediately with error code 30125-27 (12029)

May you share screenshot of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration registry contents from problematic machine?
And try to reproduce the problem with verbose and debug level logging enabled for Altiris Agent?

@Dmitri - agree setup.exe is reinstall, but I think it eliminates the thought that my install is corrupted or an opened app or telemetry is causing the update to fail.

Regarding group policy being disabled, we have various group policy settings (applocker, among other things), but in this context I wondered if my group policy setting disabling office auto updates could possibly be breaking the altiris workflow.  The problem with disabling this group policy and testing the Altiris workflow is catching it before MS auto updates via CDN.  I will attach a screenshot showing our default office 2019 updates disabled settings.  

Attaching registry screenshot.   Does that UpdateURL look right?

Thanks for any thoughts.  I'd really like to get this working so we have a non MS CDN option.  

I disabled the patch policy, freshly imaged a different PC and took screenshot of the fresh registry item (attached).   

I then ran

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /update user promptuser=false forceappshutdown=false displaylevel=true updatetoversion=16.0.10341.20010

It downloaded and upgraded office fine.

I think this means this is not a Microsoft issue, and instead something to do with how Altiris is trying to do the updates.  I'd love to get this working.  Sending logs in to the ticket, too.  Appreciate any ideas.

@dmitri - can you confirm that once an office 2019 bulletin is stage and the registry item is replaced, that the Microsoft update schedule is ignored?  I was hoping that patch worked in that it still used the microsoft updating task schedule, and that the symantec piece was just proxying the file update location.  The reason that would be helpful is that it attempts to run as soon as the machine logs in or when idle when the Office apps are likely to be updated.

I see the task still running in my task scheduler... but the updates only seem to try to install when my software updates try to install which isn't helpful since by then the user has Outlook opened 99% of the time.  I don't want to modify the software update monthly to prompt users to close the apps when they install, this isn't practical when you have VIPs presenting, etc.