How To Run an Advanced Threat Protection Proof of Concept

Posted on Leave a commentPosted in Advanced Threat Protection, ATP, malware, Office, Office 365, Office 365 ProPlus, Proof Of Concept, Safe Attachments, Safe Links

I put the following post together as I was asked this question from Microsoft themselves! This post covers what you need to put in place, and how you can test some of it (as testing the blocking of malware involves sending malware first!)

First, lets take a look at the Advanced Threat Protection steps for a proof of concept (PoC), and then later we will look at the new Office Smart Links feature.

You need to put the following in place:

  • Exchange Online Protection managed tenant. That is MX to EOP is required for simple PoC
  • Hybrid with MX on-premises and then mail flow to cloud is possible for an advanced PoC, but here it depends upon what the customer has in-front of on-premises. If this is the case, then a simple PoC with a new email namespace and MX to EOP is recommended before transitioning to protecting their actual mailbox.
  • Create ATP rules in wizard in Exchange Control Panel for both Safe Attachments and Safe Links. PowerShell is pointless for this, as there is not a lot to do, and there are more steps if do it via PowerShell!
    • Enable ATP for a selected mailbox(es) and not an entire domain. Mailboxes can be cloud or on-premises.
    • Enable Smart Links for same mailboxes. Mailboxes can be cloud or on-premises.
    • Do not enable Smart Links for Office documents (as this is a global setting) (see later)
  • Check if org has rules to block .exe attachments. If they do then exe’s will be blocked by this rule and not processed by ATP.
  • Test. I have sent the .NET Framework installer .exe in email before to test this. But at any given day or time the rules could change as to what is blocked or not. I used to have a “fake macro virus” document (see below), but OneDrive’s built in AV started detecting it and now I do not have the file anymore! The doc I used to test with had an autorun macro that set a regkey that included the words “I download stuff and drop files” or something like that! It might be possible to create your own document, but watch out for AV software and the like blocking it and/or deleting it, or it being filtered out before it arrives at the target mailbox. I did say above this PoC is quite hard to do when trying to send malware for detection!
  • For SafeLinks, send an email from external that contains a URL with www.spamlink.contoso.com in it. The link will be rewritten. Some common links are never rewritten (I think www.google.com falls into this category) and you can whitelist URLs as well company wide. So if you whitelist a URL, send an email from the internet containing that link. That is a useful addition to the PoC as well.
  • ATP now quarantines (or at least its coming soon) the failed attachments, so include that on a demo. I have found that forwarding failed attachments to another mailbox (like a shared mailbox) is a bit temperamental – hasn’t for at least a year in one of my tenants but does in another tenant.
  • If users are on-premises (EOP before an on-premises mailbox) then do not enable dynamic delivery. If PoC mailboxes are both on-premises and cloud then create two ATP rule sets, one rule for each type of mailbox, and enable dynamic delivery for cloud mailboxes only.
    • Dynamic delivery sends the message without attachment to the cloud mailbox and later writes the attachment into the message body. This works in the cloud as Microsoft manage ATP and Mailbox. It cannot work on-premises as Office 365 cannot write the modified message into Exchange Server at a later time.
    • Dynamic delivers the body but not the attachment instantly. Attachment, if safe, follows later (7 or so minutes I tend to find). I understand an option to view the content of the attachment in a web browser but not the attachment is coming, but I have not seen that yet) – suspect the link to this will be inside the “pending attachment notification” in the dynamic email, but am guessing at this.
    • Do not dynamic deliver to on-premises mailboxes.
  • Demo that internal emails do not SafeLink rewrite and attachments are not processed. That is, send an email between two internal mailboxes and show that it is not processed.
  • In hybrid, if the connectors to the cloud are set up correctly then internal email from on-premises to cloud should not rewrite links or process attachments. External emails are marked as such when they arrive on the first Exchange Server and so an external email to on-premises and then via the hybrid connectors to Exchange Online should be processes, as Exchange Online knows it is external!
  • Enable ATP for direct attachment links (i.e. link directly to an exe, pdf etc.). Then email and click that link. ATP with a yellow background will popup saying the file needs to be scanned. After a while (7 minute or so) click the link again and you will get to the file directly.
  • Safelink URLs are geo based. So EMEA tenant (or UK tenant) will get emea01.safelinks.protection.outlook.com rewritten URLs. UK tenants have EOP in EMEA, so the links for UK tenants are the same as EMEA tenants (at this time, not sure if this is changing).
  • Send emails that are both HTML based and Text based, and use the range of clients that the end customer users to see experiences. Rewriting text formatted emails appears different than html formatted emails.

SafeLinks for Office

  • Once you/client is happy enable SafeLinks for Office option. This is a global setting. Though this only works if you have Office Click-to-Run June 2017 Current Branch and later in use. For this create a new document that was never emailed:
    • On a Win10 AAD joined machine, save the file anywhere or just create a new Word doc and do not save it
    • On a Win10 not AAD or legacy Windows client then save the file to OneDrive for Business sync folders or SharePoint sync folders. It needs to be saved to these folders to know that it is a cloud document.
    • Get a demo machine that syncs to multiple tenants and later save a copy of the file OneDrive sync folders for the unprotected tenant. In this scenario you will see a protected document become unprotected (or visa versa) as you change the folder where it is saved to.
  • Once you have the file start creating content in it (typing “=Rand(20)” without quotes is a good way to do this in Word) and then start adding some links to the document. Use the above mentioned test link as well.
  • Click each link.
    • If it is safe, then the webpage will open
    • If it is not, then the alert page will open, or a dialog will popup saying its not safe (I have seen both behaviours)
  • Note that links are not rewritten (unlike in the email client, where you cannot be sure what client is in use, so the link needs rewriting). In Office documents the link is checked at time of click, and only if the document is saved to a cloud location (sync folders included)

Installing Office 2016 Click To Run Via Group Policy

Posted on 95 CommentsPosted in 2016, Click To Run, Group Policy, Office, Office 365, Office 365 ProPlus

Office 2016 Click To Run (which comes with Office 365 subscriptions) can be deployed via Group Policy, but there are a few things that you need to know and do first. These are:

  1. You cannot use the “Software Installation” features of GPO’s to deploy the Office 2016 click to run software as this is an exe file, and “Software Installation” runs MSI files.
  2. You cannot run software with elevated installation rights, as the setup.exe shells out to other processes to run the installation (the officeclick2run.exe service).
  3. You cannot just drop the 2016 versions of the files in an existing 2013 deployment folder and expect the clients to update automatically – you must install 2016 to upgrade it and install it for the first time.

Therefore you need to deploy the software via a computer startup script. But this is not simple either as startup scripts run each time the computer starts up (obviously!) but will run regardless of whether the software is already installed. Therefore you need to run the installation by way of a startup script that first checks if Office 2016 click to run has already been installed or not.

To do this you need to following:

  1. A read only file share containing the Office 2016 click to run files. Not this folder should not be the folder that already contains the Office 2013 files if you have them on your network.
  2. A read/write file share to store log files on (the deployment script logs the start and completion of the installation in a central location)
  3. An XML file to install Office 2016 click to run customised to your environment and the fact that you are using GPO deployment
  4. A batch file to detect an existing Office 2016 click to run deployment and if not present to install Office 2016 click to run from your file share.
  5. And finally the Office 2016 Deployment Tool setup program. This is not the same as the 2013 version of this program.

Steps 1 and 4 are part of a standard Office 2016 click to run deployment process and so not covered in this blog post. But once you have downloaded the Office 2016 Deployment Tool and created the XML file in step 3 you can run the deployment tool with setup.exe /download config.xml to download the Office binaries to the file share mentioned in step 1. If you have Office 2013 already deployed via this method (see http://c7solutions.com/2014/09/installing-office-365-proplus-click-to-run-via-gpo-deployment for these steps) then make sure that this folder for the binaries is not the same folder as contains 2013 files. The Office 365 ProPlus installed (Office 2013 Click To Run) creates a subfolder called Office then another subfolder called Data. Into this it places v32.cab (or v64.cab) and other files. This cab file contains info relating to the version number of the software in this folder and if you download 2016 to the same folder it will replace this file, but 2013 installed machines will still try and upgrade from this folder and fail. Therefore create another folder. This is shown in the example scripts below.

So here are the steps and details for doing all this for GPO deployment:

Creating Deployment File Shares

Create a software deployment file share that you have read/write access to and everyone else read only and create a folder called Office365ProPlus inside this to store the binaries.

Create a second file share that everyone has read/write access to (or CREATOR OWNER has write so that only the creator of the file can write it to the share and others can read or not see it at all). Create a sub folder in InstallLogs called Office365ProPlus.

In my demo these two shares and subfolders are called \\server\Software\Office2016 and \\server\InstallLogs\Office2016.

Create an XML File for Office 2016 Click to Run Deployment

This XML file is as follows and is saved to \\server\Software\Office365ProPlus root folder. Call this file config.xml. You can create this XML file using the wizard at https://t.co/iKClyDgK3w

<Configuration>
<Add SourcePath="\\server\Software\Office2016\" OfficeClientEdition="32" Branch="Business" >
  <Product ID="O365ProPlusRetail">
    <Language ID="en-us" />
  </Product>
</Add>
<Updates Enabled="TRUE" UpdatePath="\\server\Software\Office2016\" Branch="Business"/>
<Display Level="None" AcceptEULA="TRUE" />
<Logging Path="%temp%" />
</Configuration>

The important entries of no display and the Extended User Licence Agreement having been accepted are important, as GPO deployment works as a system service and so cannot display anything to the screen. Also see http://technet.microsoft.com/en-us/library/jj219426(v=office.15).aspx for the XML reference file for other settings you can contain here such as updates from the Internet (UpdatePath=””) or no updates (Updates Enabled=”FALSE”), the 2016 Branch value and multiple languages (add more <Language ID=”xx-xx” /> nodes to the file), etc.

Download the Office 2016 Click to Run Binaries

Download the Office Deployment Tool from http://www.microsoft.com/en-us/download/details.aspx?id=49117 and if you downloaded this a few months ago, download it again as it changes frequently and improves the setup process.

Install this software to get setup.exe and some example XML files. Copy setup.exe to \\server\Software\Office2016.

Run \\server\Software\Office2016\setup.exe /download \\server\Software\Office2016\config.xml to download the latest version (or the specified version if you have added Version=”15.1.2.3″ to config.xml where 15.1.2.3 is the build number you want to install). This will create the Office\Data folder in the \\server\Office365ProPlus share and download the binaries and any languages specified in the XML to that location – do not modify the folder structure as the Office Deployment Tool will expect this structure to find the files under during installation.

Create A CMD File To Script The Install

In Notepad create a cmd file and save it to <strong\\server\Office365ProPlus as well. It will eventually go in the GPO folder location, but this will be your master copy. The cmd file will look like the following and for this demo is called _InstallOffice2016GPO.cmd

setlocal
REM *********************************************************************
REM Environment customization begins here. Modify variables below.
REM *********************************************************************
REM Set DeployServer to a network-accessible location containing the Office source files.
set DeployServer=\\server\Software\Office2016
REM Set ConfigFile to the configuration file to be used for deployment (required)
set ConfigFile=\\server\Software\Office2016\config.xml
REM Set LogLocation to a central directory to collect script log files (install log files are set in XML file).
set LogLocation=\\server\InstallLogs\Office2016
REM *********************************************************************
REM Deployment code begins here. Do not modify anything below this line (check quotes are quotes though).
REM *********************************************************************
IF NOT "%ProgramFiles(x86)%"=="" (goto ARP64) else (goto ARP86)
REM Operating system is X64. Check for 32 bit Office in emulated Wow6432 registry key
:ARP64
reg query HKLM\SOFTWARE\WOW6432NODE\Microsoft\Office\16.0\ClickToRunStore\Packages\{9AC08E99-230B-47e8-9721-4577B7F124EA}
if NOT %errorlevel%==1 (goto End)
REM Check for 32 and 64 bit versions of Office 2013 in regular registry key.(Office 64bit would also appear here on a 64bit OS)
:ARP86
reg query HKLM\SOFTWARE\Microsoft\Office\16.0\ClickToRunStore\Packages\{9AC08E99-230B-47e8-9721-4577B7F124EA}
if %errorlevel%==1 (goto DeployOffice) else (goto End)
REM If 1 returned, the product was not found. Run setup here.
:DeployOffice
echo %date% %time% Setup started. >> %LogLocation%\%computername%.txt
pushd "%DeployServer%"
start /wait setup.exe /configure "%ConfigFile%"
echo %date% %time% Setup ended with error code %errorlevel%. >> %LogLocation%\%computername%.txt
REM If 0 or other was returned, the product was found or another error occurred. Do nothing.
:End
Endlocal

This will be run by GPO and at computer startup look for the Click To Run registry key that indicates Office has been installed. If not found for 64 or 32 bit OS’s and 64 or 32 bit installations of Office then it will deploy office.

Create A Group Policy Object

Create in your domain a GPO object over an OU that contains the computers you want to install Office 2016 click to run on. This will run on all computers in this OU, so start with a test OU containing one or a few computers or use permissions to lock the GPO object down to specific computer accounts.

In this GPO set the following:

  1. A startup script that runs _InstallOffice2016GPO.cmd. A startup script will have a folder the script is located in (click Show Files button in the GPO editor) and copy the above cmd file from the Office deployment share to this folder.
  2. Then click Add and select the file – there are no script parameters.
  3. Your GPO object will look like this.
    image
  4. In Adminstrative Templates/System/Scripts set the Maximum wait time for Group Policy scripts to 1800 seconds. This is 30 minutes. The default is 10 minutes (600 seconds) but I have found Office installs take just over ten minutes on a LAN and longer if the fileshare is remote to the client computer. The script will be cancelled if it takes over 30 minutes, so you may need a higher value for your network.

Deploy Office 2016 Click to Run Click To Run

Run gpupdate /force on a test computer that is under the scope of your GPO object and then reboot the computer. The installation will start automatically and Office will be ready to use a few minutes after reboot. Office takes about 10 minutes to fully install on a LAN but can be used about 2 or 3 minutes after installation starts. Though in my lab with a low resourced file server it took 30 minutes to install. Do not reboot the PC in that time.

Check \\server\InstallLogs\Office2016 for a file named after the computer. This will have two lines, one for the start of the deployment and one at the end (with “Setup ended with error code 0” if successful).

The Case of the Disappearing Folders

Posted on 3 CommentsPosted in 2013, exchange online, IAmMEC, MVP, Office, Office 365 ProPlus, Outlook

Here is a issue I have come across at one of my current clients – you create a folder in Outlook 2013 when in the “Mail” view (showing only mail folders – your typical default view) and the folder does not get created. For example, in the below picture the user is in the middle of creating a folder called “Test Inline” as a child of the “SO” folder:

image

Upon pressing Enter, the folder disappears and fails to be created:

image

So where does one see this issue? It happens when the parent folder in question, in this case the “SO” folder is created by Microsoft’s PST Capture Tool. The PST Capture Tool creates a parent folder in the Online Archive in Exchange (in this case Exchange Online but it does not matter which Exchange Server) named after the PST file, so in this case SO.pst was uploaded by the PST Capture Tool. Any attempt to create folders inline below this parent folder fails! If you drag content into this folder it will not allow you to drop the content in, and the folder appears to be read-only.

If you change Outlooks view to Folder view (click the … on the Outlook 2013 view bar to the right) then you can create folders (using a dialog) and that works fine – this is how “Test Dialog” was made in the above pictures.

In Outlook 2010 all works as expected! In Outlook 2013 the issue appears to be the way Outlook handles folders that have a MAPI property on the folder created with a null value. In tools such as MFCMapi and OutlookSpy you can view the MAPI properties of a folder and the folder created by PST Capture Tool has a property call PR_CONTAINER_CLASS_W with a null (empty) value. Normally, Outlook will make folders that have “IPF.Note” as the value of this folder, if this is a mail and notes folder (i.e. not a calendar or contact etc folder). But clearly there is a problem, as Folder view allows you to create subfolders when the parent’s PR_CONTAINER_CLASS_W value is null and so does Outlook 2010 and coincidently does OWA!

The fix, but I do not have it ready yet, is to run an EWS script to reset the PR_CONTAINER_CLASS_W property of this folder to IPF.Note or wait for an update to Outlook from Microsoft, and for that I have contacted them.

With thanks to fellow MVP Jaap Wesselius for double-checking this for me and testing it in Outlook 2010.

Installing Office 365 ProPlus Click To Run via GPO Deployment

Posted on 61 CommentsPosted in Click To Run, Click2Run, Deployment, GPO, Group Policy, Office, Office 365, Office 365 ProPlus

Update: Steps for doing this with Office 2016 can be found at http://c7solutions.com/2015/10/installing-office-2016-click-to-run-via-group-policy

Office 365 ProPlus can be deployed via Group Policy, but there are a few things that you need to know and do first. These are:

  1. You cannot use the “Software Installation” features of GPO’s to deploy the Office 365 ProPlus click to run software as this is an exe file, and “Software Installation” runs MSI files.
  2. You cannot run software with elevated installation rights, as the setup.exe shells out to other processes to run the installation (the officeclick2run.exe service).

Therefore you need to deploy the software via a computer startup script. But this is not simple either as startup scripts run each time the computer starts up (obviously!) but will run regardless of whether the software is already installed. Therefore you need to run the installation by way of a startup script that first checks if Office 365 ProPlus Click To Run has already been installed or not.

To do this you need to following:

  1. A read only file share containing the Office 365 ProPlus Click To Run files
  2. A read/write file share to store log files on (the deployment script logs the start and completion of the installation in a central location)
  3. An XML file to install Office 365 ProPlus Click To Run customised to your environment and the fact that you are using GPO deployment
  4. A batch file to detect an existing Office 365 ProPlus Click To Run deployment and if not present to install Office 365 ProPlus Click To Run from your file share.
  5. And finally the Office Deployment Tool setup program.

Steps 1 and 4 are part of a standard Office 365 ProPlus Click To Run deployment process and so not covered in this blog post. But once you have downloaded the Office Deployment Tool and created the XML file in step 3 you can run the deployment tool with setup.exe /download config.xml to download the Office binaries to the file share mentioned in step 1.

So here are the steps and details for doing all this for GPO deployment:

Creating Deployment File Shares

Create a software deployment file share that you have read/write access to and everyone else read only and create a folder called Office365ProPlus inside this to store the binaries.

Create a second file share that everyone has read/write access to (or CREATOR OWNER has write so that only the creator of the file can write it to the share and others can read or not see it at all). Create a sub folder in InstallLogs called Office365ProPlus.

In my demo these two shares and subfolders are called \\server\Software\Office365ProPlus and \\server\InstallLogs\Office365ProPlus.

Create an XML File for Office 365 ProPlus Click To Run Deployment

This XML file is as follows and is saved to \\server\Software\Office365ProPlus root folder. Call this file config.xml.

 
<Configuration>
 <Add SourcePath="\\server\Software\Office365ProPlus\" OfficeClientEdition="32" >
   <Product ID="O365ProPlusRetail">
     <Language ID="en-us" />
   </Product>
 </Add>
 <Updates Enabled="TRUE" UpdatePath="\\server\Software\Office365ProPlus\" />
 <Display Level="None" AcceptEULA="TRUE" />
 <Logging Path="%temp%" />
 </Configuration>

The important entries of no display and the Extended User Licence Agreement having been accepted are important, as GPO deployment works as a system service and so cannot display anything to the screen. Also see http://technet.microsoft.com/en-us/library/jj219426(v=office.15).aspx for the XML reference file for other settings you can contain here such as updates from the Internet (UpdatePath=””) or no updates (Updates Enabled=”FALSE”), multiple languages (add more <Language ID=”xx-xx” /> nodes to the file), etc.

Download the Office 365 ProPlus Click To Run Binaries

Download the Office Deployment Tool from http://www.microsoft.com/en-gb/download/details.aspx?id=36778 and if you downloaded this a few months ago, download it again as it changes frequently and improves the setup process.

Install this software to get setup.exe and some example XML files. Copy setup.exe to \\server\Office365ProPlus.

Run \\server\Office365ProPlus\setup.exe /download \\server\Office365ProPlus\config.xml to download the latest version (or the specified version if you have added Version=”15.1.2.3″ to config.xml where 15.1.2.3 is the build number you want to install). This will create the Office\Data folder in the \\server\Office365ProPlus share and download the binaries and any languages specified in the XML to that location – do not modify the folder structure as the Office Deployment Tool will expect this structure to find the files under during installation.

Create A CMD File To Script The Install

In Notepad create a cmd file and save it to <strong\\server\Office365ProPlus as well. It will eventually go in the GPO folder location, but this will be your master copy. The cmd file will look like the following and for this demo is called _InstallOfficeGPO.cmd

 
setlocal 
REM ********************************************************************* 
REM Environment customization begins here. Modify variables below. 
REM ********************************************************************* 
REM Set DeployServer to a network-accessible location containing the Office source files. 
set DeployServer=\\server\Software\Office365ProPlus
REM Set ConfigFile to the configuration file to be used for deployment (required) 
set ConfigFile=\\server\Software\Office365ProPlus\config.xml
REM Set LogLocation to a central directory to collect script log files (install log files are set in XML file). 
set LogLocation=\\server\InstallLogs\Office365ProPlus
REM ********************************************************************* 
REM Deployment code begins here. Do not modify anything below this line (check quotes are quotes though). 
REM ********************************************************************* 
IF NOT "%ProgramFiles(x86)%"=="" (goto ARP64) else (goto ARP86) 
REM Operating system is X64. Check for 32 bit Office in emulated Wow6432 registry key 
:ARP64 
reg query HKLM\SOFTWARE\WOW6432NODE\Microsoft\Office\15.0\ClickToRun\propertybag 
if NOT %errorlevel%==1 (goto End) 
REM Check for 32 and 64 bit versions of Office 2013 in regular registry key.(Office 64bit would also appear here on a 64bit OS) 
:ARP86 
reg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun\propertybag 
if %errorlevel%==1 (goto DeployOffice) else (goto End) 
REM If 1 returned, the product was not found. Run setup here. 
:DeployOffice 
echo %date% %time% Setup started. >> %LogLocation%\%computername%.txt 
pushd "%DeployServer%"
start /wait setup.exe /configure "%ConfigFile%"
echo %date% %time% Setup ended with error code %errorlevel%. >> %LogLocation%\%computername%.txt 
REM If 0 or other was returned, the product was found or another error occurred. Do nothing. 
:End
Endlocal

This will be run by GPO and at computer startup look for the Click To Run registry key that indicates Office has been installed. If not found for 64 or 32 bit OS’s and 64 or 32 bit installations of Office then it will deploy office.

Create A Group Policy Object

Create in your domain a GPO object over an OU that contains the computers you want to install Office 365 ProPlus Click To Run on. This will run on all computers in this OU, so start with a test OU containing one or a few computers or use permissions to lock the GPO object down to specific computer accounts.

In this GPO set the following:

  1. A startup script that runs _InstallOfficeGPO.cmd. A startup script will have a folder the script is located in (click Show Files button in the GPO editor) and copy the above cmd file from the Office deployment share to this folder.
  2. Then click Add and select the file – there are no script parameters.
  3. Your GPO object will look like this.
    image
  4. In Adminstrative Templates/System/Scripts set the Maximum wait time for Group Policy scripts to 1800 seconds. This is 30 minutes. The default is 10 minutes (600 seconds) but I have found Office installs take just over ten minutes on a LAN and longer if the fileshare is remote to the client computer. The script will be cancelled if it takes over 30 minutes, so you may need a higher value for your network.

Deploy Office 365 ProPlus Click To Run

Run gpupdate /force on a test computer that is under the scope of your GPO object and then reboot the computer. The installation will start automatically and Office will be ready to use a few minutes after reboot. Office takes about 10 minutes to fully install on a LAN but can be used about 2 or 3 minutes after installation starts. Do not reboot the PC in those 10 minutes.

Check \\server\InstallLogs\Office365ProPlus for a file named after the computer. This will have two lines, one for the start of the deployment and one at the end (with “Setup ended with error code 0” if successful).

Office 365 ProPlus XML Config Files Are Case Sensitive

Posted on 1 CommentPosted in 2013, Click To Run, Click2Run, Office, Office 365, Office 365 ProPlus

The XML file used for the configuration of Office 365 ProPlus is case sensitive. In a client I have been working with the UpdatePath value in the install XML file was accidently specified using “Updatepath” and not “UpdatePath” (case sensitive). This resulted in the UpdateUrl in the registry (HKLM\Software\Microsoft\Office\15.0\ClickToRun\Scenario\INSTALL\UpdateUrl) not being set correctly, and even though an update path was specified in the install XML, Office was still going to the internet to do updates.

This results in users getting prompted to update Office themselves even though you have pointed the XML file Office was installed with to go to a file share or specific path:

image

If you want to see if you have a working copy of Office that updates from the file share correctly then please open the registry editor and view the following location: HKLM\Software\Microsoft\Office\15.0\ClickToRun\Scenario\INSTALL

In this registry location look for the UpdateUrl key. This key should be present and pointing to the file share where Office is deployed from (the UpdatePath value in the XML should be listed here). If it is missing then you need to run the Office installation file again (setup /configure updated.xml) with UpdatePath correctly specified for this to be reset – do not change the registry keys by hand as this does not work.

clip_image007