Microsoft Outlines ConfigMan Kludge for Managing Office 365 Updates
Microsoft offered some helpful hints this month for IT pros who still want to test Office 365 updates before rolling them out to end users.
A small degree of control over Office 365 updates can be carried out by making some obscure tweaks to System Center 2012 Configuration Manager (ConfigMan). Those steps are outlined in this Sept. 5 Microsoft blog post. However, Microsoft's advice in the blog post seems more like a kludgy afterthought for IT pros, since Office 365 offerings do not appear to have been built with strong traditional patch management considerations in mind. Office 365 is designed to automatically deliver updates to end users, without much IT oversight, at least in its default setting.
The steps to enable management of Office 365 updates via ConfigMan involve "disabling" Office 365's automatic update process. That's done using Group Policy and template files to customize some settings. The last step is to specify the timing for rolling out updates to end users. Essentially, ConfigMan can be used to delay the Office 365 update rollout for a few weeks to enable testing by IT pros or by a designated test group within the organization.
For instance, the update rollout could be set to take effect on the last Friday of the month, according to Microsoft's blog post. The rationale for that timing isn't well explained in the post, but presumably that sort of schedule adds a testing interval between Microsoft's patch Tuesday updates (released on the second Tuesday of every month) and the actual rollout of the Office 365 updates to end users.
Implicitly, though, the assumption is that an organization will have to accept Office 365 updates at least every month, if not more frequently. There is a rollback option, but it involves manually configuring a "downgrade.xml" file and specifying a version attribute for it.
However, knowing and tracking the version numbers of Office 365 updates wasn't really part of Microsoft's overall Office 365 concept. At least that was the view expressed in an old "Microsoft Office 365 Overview for IT" jumpstart video, which noted that the names of Office 365 services (such as "Office ProPlus," "SharePoint Online," "Exchange Online," etc.) deliberately lacked version numbers, unlike Microsoft's more traditional software releases. The idea is that Office 365 subscribers are getting a continuously updated service, rather than buying traditional installed software.
Managing Office 365 Updates
Office 365 updates arrive via a streaming technology that Microsoft calls "click-to-run." With Office 365 click-to-run technology, updates get automatically installed directly onto an organization's client machines by default.
At best, organizations can change the default Office 365 settings to divert the update rollout process for testing purposes, such as diverting the update to a particular workstation, rather than all workstations. Changes to Office 365 settings can be made either through the ConfigMan kludge described above or by using the Office Deployment Tool to manually configure the update process. Manual configuration is done using the click-to-run configuration.xml file, along with Office 2013 Group Policy Administrative Templates. The click-to-run configuration.xml file specifies which Office 365 software gets downloaded, while the Group Policy templates can be used to customize individual settings.
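An added illustration of the manual approach described above (not taken from Microsoft's posts or from this article): two separate Office Deployment Tool configuration.xml files, one for a pilot workstation and one for all other machines. The file names, share paths and the version string are placeholders chosen for the example.

```xml
<!-- File 1 (hypothetical name: configuration-pilot.xml)
     Pilot workstation: click-to-run looks for updates on a staging share
     that IT refreshes with each new build, instead of Microsoft's service. -->
<Configuration>
  <Add SourcePath="\\fileserver.example.local\O365\Pilot" OfficeClientEdition="32">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us" />
    </Product>
  </Add>
  <!-- No TargetVersion: the pilot machine takes whatever build is on the share -->
  <Updates Enabled="TRUE" UpdatePath="\\fileserver.example.local\O365\Pilot" />
  <Display Level="None" AcceptEULA="TRUE" />
  <Logging Name="OfficeSetup.txt" Path="%temp%" />
</Configuration>

<!-- File 2 (hypothetical name: configuration-production.xml)
     All other workstations: updates come from a share that only holds
     builds the pilot group has signed off on, pinned to one version. -->
<Configuration>
  <Add SourcePath="\\fileserver.example.local\O365\Approved" OfficeClientEdition="32">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us" />
    </Product>
  </Add>
  <!-- 15.0.XXXX.XXXX is a placeholder for the approved build number -->
  <Updates Enabled="TRUE"
           UpdatePath="\\fileserver.example.local\O365\Approved"
           TargetVersion="15.0.XXXX.XXXX" />
  <Display Level="None" AcceptEULA="TRUE" />
  <Logging Name="OfficeSetup.txt" Path="%temp%" />
</Configuration>
```

Promoting a build then means copying it from the staging share to the approved share and raising TargetVersion, which gives IT a recorded approval step between release and rollout.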
Manual management of the Office 365 ProPlus update process is described in Part 1 and Part 2 of an Office IT pro blog, dating back to January. These blog posts appear to be the best available quick resources from Microsoft on how to manage Office 365 updates. Microsoft also published an Office 365 ProPlus deployment roadmap for IT pros that is fairly extensive.
Surprisingly, Microsoft also recommends combining App-V 5.0 with ConfigMan, describing that combination as providing the "best experience" for enterprises in deploying or updating Office 365. App-V 5.0 is added to ConfigMan to enable IT pros to "control the Office 365 click-to-run updates" and run multiple versions of Office 365 applications side by side. Doing that requires having a certain level of expertise with Microsoft's application virtualization solution, as well as ConfigMan. In addition, App-V is typically available only to organizations that have purchased Software Assurance on top of a volume licensing agreement, so it's perhaps not a viable management approach for smaller organizations.
Faster Release Cycle
Microsoft's Office 365 update release schedule used to be monthly, but a Microsoft spokesperson recently claimed that "there is no set schedule of releases [for Office 365] -- not quarterly, monthly, etc." In other words, organizations can't necessarily depend on a regular release cycle when subscribing to Office 365 services.
In June, Microsoft initiated a new notification process that alerts organizations about Office 365 changes to come using the Message Center in Office 365. Some Office 365 users who have opted into a "first release" program will get Office 365 updates two weeks in advance of "standard release" users, under this scheme. Microsoft has promised that everyone will get a one-year advance notice of any disruptive changes, though. The concept seems to be that organizations can generally trust Microsoft's update process, without the usual IT oversight.
Lately, though, faulty patch releases from Microsoft have seemed more like a regular occurrence, prompting go-slow advice from Microsoft MVP Aidan Finn. He advocates waiting a full month before applying updates from Microsoft, although he was mostly referring to premises-installed server software releases, rather than Office 365 update releases. However, waiting a full month to update Office 365 doesn't seem too easy to pull off, given Microsoft's descriptions of the management process and its nonspecific update release timeline.
Microsoft releases a combination of security and nonsecurity fixes with its Office 365 update releases, even though some IT pros don't favor that practice. It's argued that mixing security and nonsecurity updates can make rollbacks harder to perform when patching goes bad in a computing environment. Even though Microsoft is aware of that concern, it seems to be maintaining the practice of delivering both fixes in its Office 365 updates.
In essence, Microsoft appears to have a different role envisioned for IT pros when it comes to managing Office 365 services. That idea was partly described back in January. There is no more picking and choosing between updates and service packs with Office 365. Ultimately, organizations will have to accept what's coming down the pipe via Office 365 streaming update technology or they will have to make various manual tweaks to XML files to gain control over the update process.
Traditional patch management seems to have been written out of the Office 365 services concept, although organizations still may have strong reasons for wanting to continue those practices. Microsoft's documentation doesn't offer much guidance. For instance, trying to find Office 365 management information via Microsoft's TechCenter portal page for IT pros mostly leads to dead ends. While that portal page lists "change management" plans, the materials there seem to be old. They mostly describe deploying Office 365 services, rather than managing them.