Microsoft IT Deploys and Manages Office 365 ProPlus

Technical White PaperPublished: June 2013

CONTENTS

Executive Summary............................................................................1

Introduction.......................................................................................1

Client Deployment Considerations......................................................1

Changes to Licensing and Activation 1

Available Deployment Methods 3

Automating the Provisioning Process with Windows PowerShell 4

Microsoft IT's Approach to Client Deployment 5

Client Deployment Best Practices 6

Management Considerations...............................................................6

Management Tools and Technologies 6

Reporting 8

Updates 8

Microsoft IT’s Approach to Management 9

Management Best Practices 9

Conclusions

.........................................................................................................

10

For More Information

.........................................................................................................

11

EXECUTIVE SUMMARY

With more than 150,000 users in 89 countries connecting 300,000 client systems to

Microsoft's corporate network, Microsoft Information Technology (Microsoft IT) is responsible

for managing one of the largest enterprise infrastructures in the world.

The intent of this white paper is to discuss the considerations and experiences of the

Microsoft IT team when deploying and managing the new Office in an enterprise

environment. Many of the techniques and best practices described in this paper can be

employed by other companies to help them determine how to best approach their own

managed Office deployments.

Note: This paper is based on Microsoft IT’s experience and recommendations and is not

intended to serve as a procedural guide. Each enterprise environment has unique

circumstances; therefore, each organization should adapt the best practices described in this

paper to meet its specific Office deployment and management needs.

INTRODUCTION

The newest version of the Microsoft Office suite—known as Office 365 ProPlus for

companies who have subscribed to Office 365—provides some new deployment, licensing,

and activation capabilities that enhance IT administrators’ ability to deploy and manage the

software in an enterprise environment.

In the following sections of this paper, we provide a summary of some of the important

changes in this newest version of Office that relate to its deployment and maintenance for the

enterprise. We also discuss Microsoft IT's enterprise strategy for deploying, managing, and

updating the new Office in a managed environment. Finally, each section also provides best

practices to help enterprises streamline how they manage Office 365 ProPlus deployment

and management within their own corporate network.

CLIENT DEPLOYMENT CONSIDERATIONS

This section of the paper discusses the changes to the new Office licensing, activation, and

deployment functionality for enterprise IT administrators.

Changes to Licensing and ActivationThe new Office licensing process is no longer computer-based. Instead, Office 365 ProPlus

is offered as a monthly subscription on a per-user basis. Of course, the number of available

licenses for Office 365 ProPlus depends on the organization’s Office 365 subscription level.

As illustrated in Figure 1, administrators can assign licenses to users in the Office 365 portal.

Once allocated a license, the user is able to install Office 365 ProPlus on up to five

computers.

Microsoft IT Deploys and Manages Office 365 ProPlus Page 1

Situation

Microsoft® IT wanted to improve how the new Microsoft Office 365® ProPlus was deployed, licensed, and activated to employees.

Solution

Using the deployment and management tools for enterprise administrators that come with the new version of Office, Microsoft IT was able to configure installation images on distributed local servers and automate the provisioning process using Windows PowerShell® scripts.

Microsoft IT also simplified the update process by configuring the company’s managed systems to download Office updates automatically.

Benefits

Streamlined, automated provisioning speeds the deployment process

Custom images support multiple languages

Automatic updates ensure users have latest and greatest versions and reduce administrator overhead

Products & Technologies

Office 365 ProPlus

Office Deployment Tool

Windows PowerShell

Windows® Visual Basic

Windows Server® 2008 R2

Microsoft System Center Configuration Manager

Figure 1. The admin page for a user in the Office 365 portal showing check boxes for

assigning licenses for Office products.

Each installation is activated and kept activated automatically by a cloud-based service called

Office Licensing Service. This frees administrators from having to keep track of product keys

or needing to work with other activation methods such as Key Management Service or

Multiple Activation Key.

Office Licensing Service

The Office Licensing Service (OLS) is a cloud-based service that manages subscriptions,

users, and computers for use with Office Licensing Client (OLC). OLS manages the number

of computers on which an Office 365 ProPlus installation is activated.

A user's subscription allows the user to install Office products, which can include Office 365

ProPlus, Microsoft Project Pro for Office 365, Microsoft Visio® Pro for Office 365, Microsoft

Lync®, or Microsoft SharePoint® Designer 2013 on up to five computers. If the administrator

enables users to manage their own installations and a user tries to install Office on a sixth

computer, the user can use the software page on the Office 365 portal to deactivate one of

the first five computers on which Office is installed. This enables activation on the sixth

computer.

Activation occurs automatically the first time that a user runs Office 365 ProPlus. Although

the activation process initially requires Internet connectivity, after that the user only has to

connect to the Internet at least once every 30 days to check the status of the user’s

subscription. If the computer goes offline for more than 30 days, Office will enter a reduced

functionality mode until the next time a connection is made.

Important: Because of its online activation feature, Office 365 ProPlus won’t work on

computers that are completely disconnected from the Internet. To learn more about OLS and

its activation model, see http://technet.microsoft.com/en-us/library/gg982959.aspx.

Microsoft IT Deploys and Manages Office 365 ProPlus Page 2

Available Deployment MethodsThe new installation process for Office 365 ProPlus is known as Click-to-Run, which is a

streaming and virtualization technology based on Microsoft Application Virtualization (App-V)

that significantly reduces the time required to download and use Office 365 ProPlus client

products. Streaming enables users to begin to use a Click-to-Run program before the

complete program has finished downloading. In Office 2010, Click-to-Run was available to

consumer users only. In this new release, Click-to-Run supports large enterprise

deployments. Another common way to introduce Office into the enterprise is within a

Windows image as part of a broader desktop refresh program.

As illustrated in Figure 2, administrators can either permit users to run Click-to-Run directly

from the Office 365 portal, or they can download the Office software to their local network,

customize it, and then deploy Office to users (up to the number of available user licenses):

A. Direct users to install Office 365 ProPlus directly from the Office 365 portal. This

option requires the least amount of administrative setup and can offer other licensed

products such as Project, Visio, and mobile apps. However, because users download

directly from the portal, administrators have less control over this deployment process.

This approach also drives the installation traffic through enterprise firewalls, which must

be taken into account during implementation planning.

B. Download the Office 365 ProPlus software to the corporate network and then

deploy it to end users. This option requires some planning and preparation, but it gives

administrators much more control over the deployment process, including:

From where on the network Office 365 ProPlus is installed

How Office 365 ProPlus is updated after it is installed

On which computers Office 365 ProPlus is installed

Which users, if any, get the 64-bit version of Office 365 ProPlus

Which languages are available to install

Microsoft IT Deploys and Manages Office 365 ProPlus Page 3

Figure 2. The two deployment options available to enterprise administrators for

Office 365 ProPlus.

We discuss these two deployment methods in the following sections.

Note: Office 365 ProPlus is installed and runs locally on the user's computer irrespective of

the deployment method. Office 365 ProPlus is not a web-based version of Office; users don't

need to be connected to the Internet all the time to use it.

Internet-Based Deployment

By default, an Office 365 user can use the Office 365 portal to install any of the Office

products that are part of their organization’s Office 365 subscription. When a user installs an

Office product from the Office 365 portal, Click-to-Run streams the necessary files from the

Internet to the user’s computer and installs the Office product.

Additionally, administrators use the Office 365 portal to configure which Office products are

available for users. For example, an administrator might allow users to install Office 365

ProPlus and Visio Pro for Office 365, but not Project Pro for Office 365.

Office on Demand is another type of Internet-based deployment that uses Click-to-Run

streaming technology to deliver Office 2013 to a Windows 7 or Windows 8 computer for

temporary use, such as on a shared, loaned, or public PC. Because Office on Demand is

designed as a temporary installation, Office on Demand does not count towards a user’s 5

PC license limit. All application processes run from the user's profile, and files are opened

from and saved to the user’s SkyDrive Pro account by default.

On-Premises-Based Deployments

In on-premises-based deployments, Click-to-Run streams the necessary files from the

corporate network to the user’s computer during the installation. Enterprise administrators

have several options for deploying Office 365 ProPlus from an on-premises location:

File Share: Administrators who do not want users to install Office products directly from

the Internet by using the Office 365 portal can download the Office product and language

files to their corporate network. The Office products and languages can then be

deployed to users from an on-premises location, such as a local network share.

Administrators can also save storage space by combining different languages into a

single build folder that contains language-neutral components that are common across

all localized source folders.

Scripts or Batch Files: Administrators can use scripts or batch files to simplify and

automate the deployment process for users. The script or batch file can also be used by

a software distribution product such as System Center Configuration Manager.

Automating the Provisioning Process with Windows PowerShellThe primary means by which enterprise administrators can automate Office licensing is

through Windows PowerShell. Using Windows PowerShell scripts, administrators can

automate the following tasks:

Microsoft IT Deploys and Manages Office 365 ProPlus Page 4

Obtain information about their organization’s number of Office 365 ProPlus licenses

owned, consumed, and available

Assign licenses

List information about mailboxes and users

Generate random passwords and set user passwords

And much more

Scenario: Script an Automated Provisioning and Licensing Process for New Hires

In this example scenario, an administrator who is familiar with Windows PowerShell wants to

automate the Office 365 ProPlus provisioning and licensing process for new hires. To do so,

the administrator performs the following steps:

1. Confirm that the system used to run Windows PowerShell meets the following

prerequisites:

Operating System is Windows 8, Windows 7, or Windows Server 2008 R2 or newer.

Microsoft .NET Framework version 3.5.1 is installed.

Microsoft Online Services Sign-In Assistant is installed.

Either the 32-bit or 64-bit version of the PowerShell Module for Microsoft Services

Online Needs is installed.

2. Use Windows PowerShell to generate a list of employees, export the list to a comma-

separated value text file (.csv), and do a runtime provision by assigning everyone an

initial set of licenses based on the appropriate Office subscription SKUs.

3. Automate the provisioning by:

a. Configuring a virtual machine (VM) running on Windows Server 2008 R2.

b. Deploying the items listed in steps 1 and 2 to the VM.

c. Composing a set of scripts that use get-msoluser –all –unlicensedusersonly to

pull the net-new unlicensed users and provide them with all the licenses

provided in the one-time run performed in step 2.

d. Setting the scripts to run on a timer using Windows Server 2008 R2’s Task

Scheduler service.

Note: Sample PowerShell scripts for Office 365 deployment are available at

http://technet.microsoft.com/en-us/library/hh974317.aspx.

Microsoft IT's Approach to Client DeploymentAs the company’s first and best customer, Microsoft IT regularly adopts early releases of

Microsoft technologies, tests them in a real-world environment, and provides critical feedback

to improve products before they are generally available to the public.

Microsoft IT worked closely with the product group on various pre-release versions of the

new Office, hosting product images on geographically distributed product servers to provide

Microsoft IT Deploys and Manages Office 365 ProPlus Page 5

clients with a locally available (LAN) installation source. The deployment was hosted from a

site on an internal portal that included custom Microsoft Visual Basic® Scripting (VBScript)

scripts to detect and block installs when older beta builds were detected.

The level of customization applied by group policy objects (GPOs) was minimal, due to

Microsoft IT’s requirement to validate the Out Of Box Experience (OOBE) for the Office

product group.

Note: Microsoft IT also developed an efficient approach to LOB application compatibility

testing, and prepared the user community and support channels for the new Office.

For more information about application compatibility testing with the new Office, see

“Microsoft IT Tests LOB Compatibility with Office 365 ProPlus” at

http://technet.microsoft.com/library/dn283376.aspx.

For more information about preparing users and support channels for the new Office, see

“Microsoft IT Helps Users Embrace Office 365 ProPlus” at

http://technet.microsoft.com/library/dn283375.aspx.

Client Deployment Best Practices Determine when local on-premises vs. Internet-based installation is best: Consider

the scale of your deployment when choosing between a locally hosted installation source

compared to the clients pulling directly from the Office 365 portal. Larger numbers of

users can impact network and firewall bandwidth for the Internet-based installation

process.

Review your permissions model in light of your installation process. Click-to-Run

will require system context access, so be sure your permissions model is configured to

allow this if you are hosting on internal servers.

MANAGEMENT CONSIDERATIONS

This section of the paper discusses what tools and processes enterprise IT administrators

can use to manage Office 365 ProPlus.

Management Tools and TechnologiesThis section introduces some of the key tools and technologies IT administrators can use to

manage Office 365 ProPlus in an enterprise environment.

Office 365 Portal

As shown in Figure 3, the Office 365 portal provides an intuitive interface that administrators

can use to allocate licenses, choose which Office software users can install from the portal,

and more.

Microsoft IT Deploys and Manages Office 365 ProPlus Page 6

Figure 3. Administrators can use the Office 365 portal to allocate licenses and choose

which Office software users can install from the portal.

Office Deployment Tool

In managed enterprise environments, end users might not have permission to install software

from the Office 365 portal. In this situation, administrators can use the Office Deployment

Tool to manage Click-to-Run installations, including specifying which languages or which

edition (32-bit or 64-bit) of Office that users can install.

The Office Deployment Tool includes an .exe file, dynamic link library resources (dlls), and a

sample configuration file, configuration.xml. To customize an installation, administrators run

the Office Deployment Tool and provide a customized version of the Configuration.xml file.

Using the Office Deployment Tool, administrators can perform the following tasks:

Download an Office installation source to a network share location

Configure an installation to use a network share as the installation source instead of the

Internet

Configure an installation to suppress all UI

Configure the logging for an installations

Configure whether Office will automatically update or not

Configure which products and languages to install

Remove Office Click-to-Run products

Scenario: Customize Deployment Images for Multi-Language Support

In this example scenario, an administrator in the IT department of a global enterprise needs

to customize the new Office Click-to-Run, building a few different images that contain

Microsoft IT Deploys and Manages Office 365 ProPlus Page 7

language sets that will support the company’s European and Asian regions. To do so, the

administrator performs the following steps:

1. Use the Office Deployment Tool to download the Click-to-Run for Office 365 installation

sources.

2. Modify the Configuration.xml file for Click-to-Run, specifying the specific set of

languages that will be installed for a particular region.

3. Use the Office Deployment Tool with the /configure command and the customized

Configuration.xml file to install Click-to-Run for Office 365 products and languages on a

user’s computer.

4. For instances where Office 365 ProPlus must be installed to a number of new hires, the

administrator uses an appropriate deployment tool such as System Center 2012

Configuration Manager or Windows PowerShell to deploy the specially configured Click-

to-Run to the designated client systems.

5. Repeat these steps for as many different language installations as required.

Group Policy

Administrators can use group policies for both Windows Installer-based Office 2013 and

Click-to-Run for Office 365 ProPlus. It is the recommended tool for managing the user and

computer settings that enterprise administrators want to enforce in Office.

Administrators can use group policies to:

Control entry points to the Internet from Office 365 ProPlus applications.

Manage security in the Office 365 ProPlus applications.

Hide settings and options that are unnecessary for users to perform their jobs and that

might distract them or result in unnecessary support calls.

Create a highly managed standard configuration on users’ computers.

ReportingBecause Click-to-Run is not managed by Windows Server Update Services (WSUS),

enterprise administrators who want to maintain visibility into the compliance state of their

Office clients might need to consider using other reporting and management technologies

such as System Center Configuration Manager to collect and report information about the

deployed Click-to-Run versions.

UpdatesBy default, Click-to-Run for Office 365 installations are updated automatically, detecting and

downloading updates in the background. Although Click-to-Run installs and updates the

Office suite as a single, complete package (there is no option to install only Word, for

example), the updates are kept as small as possible, and they download only when changes

are required to keep the installation up-to-date. In addition, updates occur only when the

affected Office applications aren’t being used, and they don’t require a computer restart.

Microsoft IT Deploys and Manages Office 365 ProPlus Page 8

In an enterprise environment, administrators can use this default update process, or they can

instead use the Office Deployment Tool to stage and deploy Click-to-Run updates from a

specified on-premises location. This process enables administrators to roll out specific Office

builds that are based on organizational testing and validation. A range of the most recent

Office Click-to-Run builds are provided to Office 365 administrators to help them remain

current, and to provide the flexibility to allow for testing before new builds are deployed into

their production environment.

Administrators can configure Click-to-Run’s update behavior by using the Configuration.xml

file. The following Updates element attributes are available:

Enabled: If set to TRUE, Click-to-Run will automatically detect, download, and install

updates. This is the default. If Enabled is set to FALSE, Office won’t check for updates

and will remain at the installed version.

UpdatePath: Used to specify a network, local, or HTTP path for a Click-to-Run

installation source to use for updates. If UpdatePath isn’t set, or is set to special value

“default”, the Microsoft Click-to-Run source on the Internet will be used.

TargetVersion: Used to set a Click-to-Run for Office 365 product build number, for

example, 15.1.2.3. When the version is set, Click-to-Run for Office 365 attempts to

update to the specified version in the next update cycle. If TargetVersion isn’t set or is

set to special value "default," Click-to-Run for Office 365 updates to the latest version

advertised at the Click-to-Run source.

Microsoft IT’s Approach to ManagementMicrosoft IT uses GPOs as its primary Office management tool but also customizes Click-to-

Run using the Office Deployment.

For reporting, Microsoft IT has implemented System Center 2012 Configuration Manager to

help make decisions concerning client software deployment, including tracking compliance of

the Click-to-Run updates.

Because Click-to-Run is not managed by existing models such as Microsoft Update or

Windows Server Update Services, enterprise administrators who need to enforce a given

build of Office need to determine what update mechanism their organization will use.

Microsoft IT wants to ensure employees have the best user experience with Office, so it

configures the company’s managed systems to download the Office updates automatically

with no interaction required by the user. Only when an Office app is running will the user be

prompted about the update.

Management Best Practices Use Administrative Template files to control your Click-to-Run installations.

Review and download the complete set of ADMX templates available to you for

configuring the Office clients.

Design an inventory model to monitor your deployment model. Use reporting

functionality from a management suite such as System Center to give your IT

organization insight into the current state of the builds that are deployed throughout your

company—and, therefore, the health of the Click-to-Run update model.

Microsoft IT Deploys and Manages Office 365 ProPlus Page 9

Always update to the latest version of Office. Although administrators might want to

test a particular build before deploying it across the organization, expedite deployment of

the newest bits to help ensure users have the latest releases and functionality.

Determine the best approach for updates: The default update process of allowing

Office to automatically download and apply updates each month from the Internet is the

simplest approach, but it does not provide for a granular level of control. If your

organization needs to control certain aspects of the upgrade process (such as controlling

what builds you make available to your clients), consider deploying updates via a server

hosted within the company.

Consider the overhead of your users installing from the Internet versus an internal

file share: When a client installs Office directly from the Office 365 portal, it can create

an overhead on your corporate firewall(s) because the whole build is streamed to the

client. If you are deploying Office to a large number of clients, consider pulling the build

down to a local server within your corporate network and then deploying it using a

software distribution technology such as System Center 2012 Configuration Manager, or

by simply having your clients run the installation directly from the local \\server\share.

CONCLUSIONS

The new version of Office 365 ProPlus has added tools and features that, for the first time,

enable enterprise administrators to customize the suite’s Click-to-Run deployment and

installation technology, including deploying it from an on-premises location. This is especially

valuable in managed environments where end users do not have permission to install

software from the Office 365 portal onto their machines.

Global enterprises who need to support multilanguage deployment of their Office installations

can create different installation images that can be distributed to regional servers and from

there, deployed to client systems that need to work with the different language(s).

Administrators now have a choice of allowing simplified direct download, installation, and

updates of Office on users’ systems, or customized control of the deployment, licensing, and

activation process.

For Microsoft IT, automating provisioning through Windows PowerShell scripts and

configuring client machines to download updates automatically has streamlined the process

and reduced administrative overhead. Microsoft IT hopes that the considerations and best

practices offered in this paper might help you improve your own Office 365 ProPlus

provisioning and management processes.

Microsoft IT Deploys and Manages Office 365 ProPlus Page 10

FOR MORE INFORMATION

For more information about Microsoft products or services, call the Microsoft Sales

Information Center at (800) 426-9400. In Canada, call the Microsoft Canada information

Centre at (800) 563-9048. Outside the 50 United States and Canada, please contact your

local Microsoft subsidiary.

For more information about the various subjects discussed in this paper, visit the following

locations on the World Wide Web:

Microsoft main site: http://www.microsoft.com

Microsoft IT Showcase: http://www.microsoft.com/technet/itshowcase

Content roadmap for deploying Office 365 ProPlus:

http://technet.microsoft.com/en-us/library/jj839718.aspx

 The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

 This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

 Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

 Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

2013 Microsoft Corporation. All rights reserved.

 Microsoft, Lync, Office 365, SharePoint, Visio, Visual Basic, Windows, Windows PowerShell, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

 All other trademarks are property of their respective owners.

Microsoft IT Deploys and Manages Office 365 ProPlus Page 11