Enable Report Message Add-In For Office 365

Posted on Leave a commentPosted in add-in, EOP, exchange online, Exchange Online Protection, Office, Office 365, Office 365 ProPlus, phish, phishing, spam

There is a new add-in available for Outlook and OWA in Office 365 that can simplify spam and phishing reporting to Microsoft for content in your mailbox. I recommend rolling this add-in out to everyone in your Office 365 tenant and for Office 365 consultants to add this as part of the default steps in deploying a new tenant.

This can be done with the following steps:

In the Exchange Control Panel at https://outlook.office365.com/ecp/ go to the Organization > Add-Ins section

image

Click the + icon and choose “Add From Office Store”.

In the new tab that appears, search for “Report Message” via the search bar top right:

I’ve noticed that a set of search results appear, then the website notices I am logged in, logs me in and presents a second smaller list of results. It is in this small list that you should see Report Message by Microsoft Corporation

image

I’ve noticed that clicking “Get it now” does not seem to work all the time (the popup has a Continue button that does nothing)! So if that happens, cancel the popup, click the card for the app and install the add from the Get it now button rather than the get it now link on the card. The Report Message app page is shown below with a “Get It Now” button to the left:

image

Either the link or the button should work, and you should get this popup:

image

Click Continue. You are taken to Office 365 to continue. This is the step I eluded to above that sometimes does not work

image

You are asked to confirm the installation of the App into Office 365

image

Click Yes and wait a while. I’ve noticed also that sometimes you need to refresh this page manually for the process to continue, though waiting (with no indication that anything is happening for one or two minutes is usually enough as well)

image

The message above says that the add-in is now visible in the gray bar above your messages. For this add-in this is not correct as this add-in extends the menu in Outlook (2013 and later, as add-ins are not supported in Outlook 2010) and also the app is disabled by default.

Close this tab in your browser and return to the add-in page in Exchange Control Panel that is open in a previous tab.

Refresh the list of apps to see the new app:

image

From here you can enable the app, select a pilot audience, though this app is quite silent in the users view of Outlook and OWA so a pilot is not needed for determining impact to users, but can be useful for putting together quick documentation or informing the help desk of changes.

Select the app and click the edit button:

image

I recommend choosing “Mandatory, always enabled. Users can’t disable this add-in” and deploying to all users. Unchecking the option to make it available for all users makes it available for none. For a pilot choose “Optional, disabled by default”.

You are now done installing the add-in.

Users will now see the add-in in Outlook near the Store icon when a message is selected open:

image

Clicking the icon allows you to mark a messages as “junk”, “phishing” or “not junk” and options and help. Options gives the following:

image

Where the default is to ask before sending info to Microsoft.

Selecting Junk or Phishing will result in the message being moved to Junk Email folder in Outlook, and if in the Junk Email folder, marking a message “Not Junk” will return it to the inbox. All options will send info on the message, headers and other criteria to Microsoft to help adjust their machine learning algoriths for spam and phishing detection. This add-in replaces the need to email the message as an attachment to Microsoft.

For a pilot, users need to add the add-in themselves to Outlook. Mandatory deployment means it is rolled out to users (usually within a few days). To enable the add-in in OWA, click the options cog to the top right of the OWA interface:

image

Then click Manage Add-Ins and scroll down until you find the Report Message add-in (or search for it)

image

And turn the add-in on to view it in OWA as shown:

image

And also it will appear automatically in Outlook for iOS and Outlook for Android and Outlook (desktop, classic).

Once the app is enabled for all users, and recall the above where it takes a while to appear for all users, then your spam and phish reporting in Office 365 is very simple and easy to do and easy to remove from a helpdesk call and on to the end user directly to report and move messages.

How To Run an Advanced Threat Protection Proof of Concept

Posted on Leave a commentPosted in Advanced Threat Protection, ATP, malware, Office, Office 365, Office 365 ProPlus, Proof Of Concept, Safe Attachments, Safe Links

I put the following post together as I was asked this question from Microsoft themselves! This post covers what you need to put in place, and how you can test some of it (as testing the blocking of malware involves sending malware first!)

First, lets take a look at the Advanced Threat Protection steps for a proof of concept (PoC), and then later we will look at the new Office Smart Links feature.

You need to put the following in place:

  • Exchange Online Protection managed tenant. That is MX to EOP is required for simple PoC
  • Hybrid with MX on-premises and then mail flow to cloud is possible for an advanced PoC, but here it depends upon what the customer has in-front of on-premises. If this is the case, then a simple PoC with a new email namespace and MX to EOP is recommended before transitioning to protecting their actual mailbox.
  • Create ATP rules in wizard in Exchange Control Panel for both Safe Attachments and Safe Links. PowerShell is pointless for this, as there is not a lot to do, and there are more steps if do it via PowerShell!
    • Enable ATP for a selected mailbox(es) and not an entire domain. Mailboxes can be cloud or on-premises.
    • Enable Smart Links for same mailboxes. Mailboxes can be cloud or on-premises.
    • Do not enable Smart Links for Office documents (as this is a global setting) (see later)
  • Check if org has rules to block .exe attachments. If they do then exe’s will be blocked by this rule and not processed by ATP.
  • Test. I have sent the .NET Framework installer .exe in email before to test this. But at any given day or time the rules could change as to what is blocked or not. I used to have a “fake macro virus” document (see below), but OneDrive’s built in AV started detecting it and now I do not have the file anymore! The doc I used to test with had an autorun macro that set a regkey that included the words “I download stuff and drop files” or something like that! It might be possible to create your own document, but watch out for AV software and the like blocking it and/or deleting it, or it being filtered out before it arrives at the target mailbox. I did say above this PoC is quite hard to do when trying to send malware for detection!
  • For SafeLinks, send an email from external that contains a URL with www.spamlink.contoso.com in it. The link will be rewritten. Some common links are never rewritten (I think www.google.com falls into this category) and you can whitelist URLs as well company wide. So if you whitelist a URL, send an email from the internet containing that link. That is a useful addition to the PoC as well.
  • ATP now quarantines (or at least its coming soon) the failed attachments, so include that on a demo. I have found that forwarding failed attachments to another mailbox (like a shared mailbox) is a bit temperamental – hasn’t for at least a year in one of my tenants but does in another tenant.
  • If users are on-premises (EOP before an on-premises mailbox) then do not enable dynamic delivery. If PoC mailboxes are both on-premises and cloud then create two ATP rule sets, one rule for each type of mailbox, and enable dynamic delivery for cloud mailboxes only.
    • Dynamic delivery sends the message without attachment to the cloud mailbox and later writes the attachment into the message body. This works in the cloud as Microsoft manage ATP and Mailbox. It cannot work on-premises as Office 365 cannot write the modified message into Exchange Server at a later time.
    • Dynamic delivers the body but not the attachment instantly. Attachment, if safe, follows later (7 or so minutes I tend to find). I understand an option to view the content of the attachment in a web browser but not the attachment is coming, but I have not seen that yet) – suspect the link to this will be inside the “pending attachment notification” in the dynamic email, but am guessing at this.
    • Do not dynamic deliver to on-premises mailboxes.
  • Demo that internal emails do not SafeLink rewrite and attachments are not processed. That is, send an email between two internal mailboxes and show that it is not processed.
  • In hybrid mode, if the connectors to the cloud are set up correctly then internal email from on-premises to cloud should not rewrite links. External emails are marked as such when they arrive on the first Exchange Server and so an external email to on-premises and then via the hybrid connectors to Exchange Online should be processed, as Exchange Online knows it is external!
  • Attachments are always scanned when sent between senders, even in hybrid mode (on-premises to cloud) or within two mailboxes the cloud.
  • Enable ATP for direct attachment links (i.e. link directly to an exe, pdf etc.). Then email and click that link. ATP with a yellow background will popup saying the file needs to be scanned. After a while (7 minute or so) click the link again and you will get to the file directly.
  • Safelink URLs are geo based. So EMEA tenant (or UK tenant) will get emea01.safelinks.protection.outlook.com rewritten URLs. UK tenants have EOP in EMEA, so the links for UK tenants are the same as EMEA tenants (at this time, not sure if this is changing).
  • Send emails that are both HTML based and Text based, and use the range of clients that the end customer users to see experiences. Rewriting text formatted emails appears different than html formatted emails.

SafeLinks for Office

  • Once you/client is happy enable SafeLinks for Office option. This is a global setting. Though this only works if you have Office Click-to-Run June 2017 Current Branch and later in use. For this create a new document that was never emailed:
    • On a Win10 AAD joined machine, save the file anywhere or just create a new Word doc and do not save it
    • On a Win10 not AAD or legacy Windows client then save the file to OneDrive for Business sync folders or SharePoint sync folders. It needs to be saved to these folders to know that it is a cloud document.
    • Get a demo machine that syncs to multiple tenants and later save a copy of the file OneDrive sync folders for the unprotected tenant. In this scenario you will see a protected document become unprotected (or visa versa) as you change the folder where it is saved to.
  • Once you have the file start creating content in it (typing “=Rand(20)” without quotes is a good way to do this in Word) and then start adding some links to the document. Use the above mentioned test link as well.
  • Click each link.
    • If it is safe, then the webpage will open
    • If it is not, then the alert page will open, or a dialog will popup saying its not safe (I have seen both behaviours)
  • Note that links are not rewritten (unlike in the email client, where you cannot be sure what client is in use, so the link needs rewriting). In Office documents the link is checked at time of click, and only if the document is saved to a cloud location (sync folders included)

Installing Office 2016 Click To Run Via Group Policy

Posted on 107 CommentsPosted in 2016, Click To Run, Group Policy, Office, Office 365, Office 365 ProPlus

Note: Article updated April 2018 to support the new Channel names and XML updates

Office 2016 Click To Run (which comes with Office 365 subscriptions) can be deployed via Group Policy, but there are a few things that you need to know and do first. These are:

  1. You cannot use the “Software Installation” features of GPO’s to deploy the Office 2016 click to run software as this is an exe file, and “Software Installation” runs MSI files.
  2. You cannot run software with elevated installation rights, as the setup.exe shells out to other processes to run the installation (the officeclick2run.exe service).
  3. You cannot just drop the 2016 versions of the files in an existing 2013 deployment folder and expect the clients to update automatically – you must install 2016 to upgrade it and install it for the first time.

Therefore you need to deploy the software via a computer startup script. But this is not simple either as startup scripts run each time the computer starts up (obviously!) but will run regardless of whether the software is already installed. Therefore you need to run the installation by way of a startup script that first checks if Office 2016 click to run has already been installed or not.

To do this you need to following:

  1. A read only file share containing the Office 2016 click to run files. Not this folder should not be the folder that already contains the Office 2013 files if you have them on your network.
  2. A read/write file share to store log files on (the deployment script logs the start and completion of the installation in a central location)
  3. An XML file to install Office 2016 click to run customised to your environment and the fact that you are using GPO deployment
  4. A batch file to detect an existing Office 2016 click to run deployment and if not present to install Office 2016 click to run from your file share.
  5. And finally the Office 2016 Deployment Tool setup program. This is not the same as the 2013 version of this program.

Steps 1 and 4 are part of a standard Office 2016 click to run deployment process and so not covered in this blog post. But once you have downloaded the Office 2016 Deployment Tool and created the XML file in step 3 you can run the deployment tool with setup.exe /download config.xml to download the Office binaries to the file share mentioned in step 1. If you have Office 2013 already deployed via this method (see http://c7solutions.com/2014/09/installing-office-365-proplus-click-to-run-via-gpo-deployment for these steps) then make sure that this folder for the binaries is not the same folder as contains 2013 files. The Office 365 ProPlus installed (Office 2013 Click To Run) creates a subfolder called Office then another subfolder called Data. Into this it places v32.cab (or v64.cab) and other files. This cab file contains info relating to the version number of the software in this folder and if you download 2016 to the same folder it will replace this file, but 2013 installed machines will still try and upgrade from this folder and fail. Therefore create another folder. This is shown in the example scripts below.

So here are the steps and details for doing all this for GPO deployment:

Creating Deployment File Shares

Create a software deployment file share that you have read/write access to and everyone else read only and create a folder called Office365ProPlus inside this to store the binaries.

Create a second file share that everyone has read/write access to (or CREATOR OWNER has write so that only the creator of the file can write it to the share and others can read or not see it at all). Create a sub folder in InstallLogs called Office365ProPlus.

In my demo these two shares and subfolders are called \\server\Software\Office2016 and \\server\InstallLogs\Office2016.

Create an XML File for Office 2016 Click to Run Deployment

This XML file is as follows and is saved to \\server\Software\Office365ProPlus root folder. Call this file config.xml. You can create this XML file using the wizard at https://t.co/iKClyDgK3w

<Configuration>
<Add SourcePath="\\server\Software\Office2016\" OfficeClientEdition="32" Channel="Broad" AllowCdnFallback="True" >
  <Product ID="O365ProPlusRetail">
    <Language ID="en-us" />
    <Language ID="MatchOS" Fallback="en-us" />
  </Product>
</Add>
<Updates Enabled="TRUE" UpdatePath="\\server\Software\Office2016\" Channel="Broad"/>
<Display Level="None" AcceptEULA="TRUE" />
<Logging Level="Standard" Path="%temp%" />
<Property Name="PinIconsToTaskbar" Value="TRUE" />
</Configuration>

The important entries of no display and the Extended User Licence Agreement having been accepted are important, as GPO deployment works as a system service and so cannot display anything to the screen. Also see http://technet.microsoft.com/en-us/library/jj219426(v=office.15).aspx for the XML reference file for other settings you can contain here such as updates from the Internet (UpdatePath=””) or no updates (Updates Enabled=”FALSE”), the Channel value names and multiple languages (add more <Language ID=”xx-xx” /> nodes to the file) or to match the language to the OS (MatchOS, with Fallback language and allowing internet download if the language is not available with AllowCdnFallback), etc.

Download the Office 2016 Click to Run Binaries

Download the Office Deployment Tool from http://www.microsoft.com/en-us/download/details.aspx?id=49117 and if you downloaded this a few months ago, download it again as it changes frequently and improves the setup process.

Install this software to get setup.exe and some example XML files. Copy setup.exe to \\server\Software\Office2016.

Run \\server\Software\Office2016\setup.exe /download \\server\Software\Office2016\config.xml to download the latest version (or the specified version if you have added Version=”15.1.2.3″ to config.xml where 15.1.2.3 is the build number you want to install). This will create the Office\Data folder in the \\server\Office365ProPlus share and download the binaries and any languages specified in the XML to that location – do not modify the folder structure as the Office Deployment Tool will expect this structure to find the files under during installation.

Create A CMD File To Script The Install

In Notepad create a cmd file and save it to <strong\\server\Office365ProPlus as well. It will eventually go in the GPO folder location, but this will be your master copy. The cmd file will look like the following and for this demo is called _InstallOffice2016GPO.cmd

setlocal
REM *********************************************************************
REM Environment customization begins here. Modify variables below.
REM *********************************************************************
REM Set DeployServer to a network-accessible location containing the Office source files.
set DeployServer=\\server\Software\Office2016
REM Set ConfigFile to the configuration file to be used for deployment (required)
set ConfigFile=\\server\Software\Office2016\config.xml
REM Set LogLocation to a central directory to collect script log files (install log files are set in XML file).
set LogLocation=\\server\InstallLogs\Office2016
REM *********************************************************************
REM Deployment code begins here. Do not modify anything below this line (check quotes are quotes though).
REM *********************************************************************
IF NOT "%ProgramFiles(x86)%"=="" (goto ARP64) else (goto ARP86)
REM Operating system is X64. Check for 32 bit Office in emulated Wow6432 registry key
:ARP64
reg query HKLM\SOFTWARE\WOW6432NODE\Microsoft\Office\16.0\ClickToRunStore\Packages\{9AC08E99-230B-47e8-9721-4577B7F124EA}
if NOT %errorlevel%==1 (goto End)
REM Check for 32 and 64 bit versions of Office 2013 in regular registry key.(Office 64bit would also appear here on a 64bit OS)
:ARP86
reg query HKLM\SOFTWARE\Microsoft\Office\16.0\ClickToRunStore\Packages\{9AC08E99-230B-47e8-9721-4577B7F124EA}
if %errorlevel%==1 (goto DeployOffice) else (goto End)
REM If 1 returned, the product was not found. Run setup here.
:DeployOffice
echo %date% %time% Setup started. >> %LogLocation%\%computername%.txt
pushd "%DeployServer%"
start /wait setup.exe /configure "%ConfigFile%"
echo %date% %time% Setup ended with error code %errorlevel%. >> %LogLocation%\%computername%.txt
REM If 0 or other was returned, the product was found or another error occurred. Do nothing.
:End
Endlocal

This will be run by GPO and at computer startup look for the Click To Run registry key that indicates Office has been installed. If not found for 64 or 32 bit OS’s and 64 or 32 bit installations of Office then it will deploy office.

Create A Group Policy Object

Create in your domain a GPO object over an OU that contains the computers you want to install Office 2016 click to run on. This will run on all computers in this OU, so start with a test OU containing one or a few computers or use permissions to lock the GPO object down to specific computer accounts.

In this GPO set the following:

  1. A startup script that runs _InstallOffice2016GPO.cmd. A startup script will have a folder the script is located in (click Show Files button in the GPO editor) and copy the above cmd file from the Office deployment share to this folder.
  2. Then click Add and select the file – there are no script parameters.
  3. Your GPO object will look like this.
    image
  4. In Adminstrative Templates/System/Scripts set the Maximum wait time for Group Policy scripts to 1800 seconds. This is 30 minutes. The default is 10 minutes (600 seconds) but I have found Office installs take just over ten minutes on a LAN and longer if the fileshare is remote to the client computer. The script will be cancelled if it takes over 30 minutes, so you may need a higher value for your network.

Deploy Office 2016 Click to Run Click To Run

Run gpupdate /force on a test computer that is under the scope of your GPO object and then reboot the computer. The installation will start automatically and Office will be ready to use a few minutes after reboot. Office takes about 10 minutes to fully install on a LAN but can be used about 2 or 3 minutes after installation starts. Though in my lab with a low resourced file server it took 30 minutes to install. Do not reboot the PC in that time.

Check \\server\InstallLogs\Office2016 for a file named after the computer. This will have two lines, one for the start of the deployment and one at the end (with “Setup ended with error code 0” if successful).

The Case of the Disappearing Folders

Posted on 3 CommentsPosted in 2013, exchange online, IAmMEC, MVP, Office, Office 365 ProPlus, Outlook

Here is a issue I have come across at one of my current clients – you create a folder in Outlook 2013 when in the “Mail” view (showing only mail folders – your typical default view) and the folder does not get created. For example, in the below picture the user is in the middle of creating a folder called “Test Inline” as a child of the “SO” folder:

image

Upon pressing Enter, the folder disappears and fails to be created:

image

So where does one see this issue? It happens when the parent folder in question, in this case the “SO” folder is created by Microsoft’s PST Capture Tool. The PST Capture Tool creates a parent folder in the Online Archive in Exchange (in this case Exchange Online but it does not matter which Exchange Server) named after the PST file, so in this case SO.pst was uploaded by the PST Capture Tool. Any attempt to create folders inline below this parent folder fails! If you drag content into this folder it will not allow you to drop the content in, and the folder appears to be read-only.

If you change Outlooks view to Folder view (click the … on the Outlook 2013 view bar to the right) then you can create folders (using a dialog) and that works fine – this is how “Test Dialog” was made in the above pictures.

In Outlook 2010 all works as expected! In Outlook 2013 the issue appears to be the way Outlook handles folders that have a MAPI property on the folder created with a null value. In tools such as MFCMapi and OutlookSpy you can view the MAPI properties of a folder and the folder created by PST Capture Tool has a property call PR_CONTAINER_CLASS_W with a null (empty) value. Normally, Outlook will make folders that have “IPF.Note” as the value of this folder, if this is a mail and notes folder (i.e. not a calendar or contact etc folder). But clearly there is a problem, as Folder view allows you to create subfolders when the parent’s PR_CONTAINER_CLASS_W value is null and so does Outlook 2010 and coincidently does OWA!

The fix, but I do not have it ready yet, is to run an EWS script to reset the PR_CONTAINER_CLASS_W property of this folder to IPF.Note or wait for an update to Outlook from Microsoft, and for that I have contacted them.

With thanks to fellow MVP Jaap Wesselius for double-checking this for me and testing it in Outlook 2010.

Installing Office 365 ProPlus Click To Run via GPO Deployment

Posted on 63 CommentsPosted in Click To Run, Click2Run, Deployment, GPO, Group Policy, Office, Office 365, Office 365 ProPlus

Update: Steps for doing this with Office 2016 can be found at http://c7solutions.com/2015/10/installing-office-2016-click-to-run-via-group-policy

Office 365 ProPlus can be deployed via Group Policy, but there are a few things that you need to know and do first. These are:

  1. You cannot use the “Software Installation” features of GPO’s to deploy the Office 365 ProPlus click to run software as this is an exe file, and “Software Installation” runs MSI files.
  2. You cannot run software with elevated installation rights, as the setup.exe shells out to other processes to run the installation (the officeclick2run.exe service).

Therefore you need to deploy the software via a computer startup script. But this is not simple either as startup scripts run each time the computer starts up (obviously!) but will run regardless of whether the software is already installed. Therefore you need to run the installation by way of a startup script that first checks if Office 365 ProPlus Click To Run has already been installed or not.

To do this you need to following:

  1. A read only file share containing the Office 365 ProPlus Click To Run files
  2. A read/write file share to store log files on (the deployment script logs the start and completion of the installation in a central location)
  3. An XML file to install Office 365 ProPlus Click To Run customised to your environment and the fact that you are using GPO deployment
  4. A batch file to detect an existing Office 365 ProPlus Click To Run deployment and if not present to install Office 365 ProPlus Click To Run from your file share.
  5. And finally the Office Deployment Tool setup program.

Steps 1 and 4 are part of a standard Office 365 ProPlus Click To Run deployment process and so not covered in this blog post. But once you have downloaded the Office Deployment Tool and created the XML file in step 3 you can run the deployment tool with setup.exe /download config.xml to download the Office binaries to the file share mentioned in step 1.

So here are the steps and details for doing all this for GPO deployment:

Creating Deployment File Shares

Create a software deployment file share that you have read/write access to and everyone else read only and create a folder called Office365ProPlus inside this to store the binaries.

Create a second file share that everyone has read/write access to (or CREATOR OWNER has write so that only the creator of the file can write it to the share and others can read or not see it at all). Create a sub folder in InstallLogs called Office365ProPlus.

In my demo these two shares and subfolders are called \\server\Software\Office365ProPlus and \\server\InstallLogs\Office365ProPlus.

Create an XML File for Office 365 ProPlus Click To Run Deployment

This XML file is as follows and is saved to \\server\Software\Office365ProPlus root folder. Call this file config.xml.

 
<Configuration>
 <Add SourcePath="\\server\Software\Office365ProPlus\" OfficeClientEdition="32" >
   <Product ID="O365ProPlusRetail">
     <Language ID="en-us" />
   </Product>
 </Add>
 <Updates Enabled="TRUE" UpdatePath="\\server\Software\Office365ProPlus\" />
 <Display Level="None" AcceptEULA="TRUE" />
 <Logging Path="%temp%" />
 </Configuration>

The important entries of no display and the Extended User Licence Agreement having been accepted are important, as GPO deployment works as a system service and so cannot display anything to the screen. Also see http://technet.microsoft.com/en-us/library/jj219426(v=office.15).aspx for the XML reference file for other settings you can contain here such as updates from the Internet (UpdatePath=””) or no updates (Updates Enabled=”FALSE”), multiple languages (add more <Language ID=”xx-xx” /> nodes to the file), etc.

Download the Office 365 ProPlus Click To Run Binaries

Download the Office Deployment Tool from http://www.microsoft.com/en-gb/download/details.aspx?id=36778 and if you downloaded this a few months ago, download it again as it changes frequently and improves the setup process.

Install this software to get setup.exe and some example XML files. Copy setup.exe to \\server\Office365ProPlus.

Run \\server\Office365ProPlus\setup.exe /download \\server\Office365ProPlus\config.xml to download the latest version (or the specified version if you have added Version=”15.1.2.3″ to config.xml where 15.1.2.3 is the build number you want to install). This will create the Office\Data folder in the \\server\Office365ProPlus share and download the binaries and any languages specified in the XML to that location – do not modify the folder structure as the Office Deployment Tool will expect this structure to find the files under during installation.

Create A CMD File To Script The Install

In Notepad create a cmd file and save it to <strong\\server\Office365ProPlus as well. It will eventually go in the GPO folder location, but this will be your master copy. The cmd file will look like the following and for this demo is called _InstallOfficeGPO.cmd

 
setlocal 
REM ********************************************************************* 
REM Environment customization begins here. Modify variables below. 
REM ********************************************************************* 
REM Set DeployServer to a network-accessible location containing the Office source files. 
set DeployServer=\\server\Software\Office365ProPlus
REM Set ConfigFile to the configuration file to be used for deployment (required) 
set ConfigFile=\\server\Software\Office365ProPlus\config.xml
REM Set LogLocation to a central directory to collect script log files (install log files are set in XML file). 
set LogLocation=\\server\InstallLogs\Office365ProPlus
REM ********************************************************************* 
REM Deployment code begins here. Do not modify anything below this line (check quotes are quotes though). 
REM ********************************************************************* 
IF NOT "%ProgramFiles(x86)%"=="" (goto ARP64) else (goto ARP86) 
REM Operating system is X64. Check for 32 bit Office in emulated Wow6432 registry key 
:ARP64 
reg query HKLM\SOFTWARE\WOW6432NODE\Microsoft\Office\15.0\ClickToRun\propertybag 
if NOT %errorlevel%==1 (goto End) 
REM Check for 32 and 64 bit versions of Office 2013 in regular registry key.(Office 64bit would also appear here on a 64bit OS) 
:ARP86 
reg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun\propertybag 
if %errorlevel%==1 (goto DeployOffice) else (goto End) 
REM If 1 returned, the product was not found. Run setup here. 
:DeployOffice 
echo %date% %time% Setup started. >> %LogLocation%\%computername%.txt 
pushd "%DeployServer%"
start /wait setup.exe /configure "%ConfigFile%"
echo %date% %time% Setup ended with error code %errorlevel%. >> %LogLocation%\%computername%.txt 
REM If 0 or other was returned, the product was found or another error occurred. Do nothing. 
:End
Endlocal

This will be run by GPO and at computer startup look for the Click To Run registry key that indicates Office has been installed. If not found for 64 or 32 bit OS’s and 64 or 32 bit installations of Office then it will deploy office.

Create A Group Policy Object

Create in your domain a GPO object over an OU that contains the computers you want to install Office 365 ProPlus Click To Run on. This will run on all computers in this OU, so start with a test OU containing one or a few computers or use permissions to lock the GPO object down to specific computer accounts.

In this GPO set the following:

  1. A startup script that runs _InstallOfficeGPO.cmd. A startup script will have a folder the script is located in (click Show Files button in the GPO editor) and copy the above cmd file from the Office deployment share to this folder.
  2. Then click Add and select the file – there are no script parameters.
  3. Your GPO object will look like this.
    image
  4. In Adminstrative Templates/System/Scripts set the Maximum wait time for Group Policy scripts to 1800 seconds. This is 30 minutes. The default is 10 minutes (600 seconds) but I have found Office installs take just over ten minutes on a LAN and longer if the fileshare is remote to the client computer. The script will be cancelled if it takes over 30 minutes, so you may need a higher value for your network.

Deploy Office 365 ProPlus Click To Run

Run gpupdate /force on a test computer that is under the scope of your GPO object and then reboot the computer. The installation will start automatically and Office will be ready to use a few minutes after reboot. Office takes about 10 minutes to fully install on a LAN but can be used about 2 or 3 minutes after installation starts. Do not reboot the PC in those 10 minutes.

Check \\server\InstallLogs\Office365ProPlus for a file named after the computer. This will have two lines, one for the start of the deployment and one at the end (with “Setup ended with error code 0” if successful).

Office 365 ProPlus XML Config Files Are Case Sensitive

Posted on 1 CommentPosted in 2013, Click To Run, Click2Run, Office, Office 365, Office 365 ProPlus

The XML file used for the configuration of Office 365 ProPlus is case sensitive. In a client I have been working with the UpdatePath value in the install XML file was accidently specified using “Updatepath” and not “UpdatePath” (case sensitive). This resulted in the UpdateUrl in the registry (HKLM\Software\Microsoft\Office\15.0\ClickToRun\Scenario\INSTALL\UpdateUrl) not being set correctly, and even though an update path was specified in the install XML, Office was still going to the internet to do updates.

This results in users getting prompted to update Office themselves even though you have pointed the XML file Office was installed with to go to a file share or specific path:

image

If you want to see if you have a working copy of Office that updates from the file share correctly then please open the registry editor and view the following location: HKLM\Software\Microsoft\Office\15.0\ClickToRun\Scenario\INSTALL

In this registry location look for the UpdateUrl key. This key should be present and pointing to the file share where Office is deployed from (the UpdatePath value in the XML should be listed here). If it is missing then you need to run the Office installation file again (setup /configure updated.xml) with UpdatePath correctly specified for this to be reset – do not change the registry keys by hand as this does not work.

clip_image007