Microsoft has provided new update capabilities for administrators to help them automate monthly updates for key Microsoft 365 apps through Azure Active Directory (AD).
“Service Profiles” allow administrators to automatically deliver monthly Word, Excel, and other Office suite updates to specific users or groups. Microsoft has now provided tooling that allows administrators to align these updates with Windows Patch Tuesday updates.
The new capabilities, described as “top customer requested capabilities,” update maintenance profiles with customization, rollback, device exclusions, global and exclusion targeting, and the ability to manage deployments on devices with less free disk space than the previous lower threshold of 5 GB.
“You’ve spoken, we’ve listened. Based on input from administrators around the world, we’ve added and expanded maintenance profile checks. The overall goal remains the same: Provide a modern and easy way to manage your Microsoft 365 Apps updates,” says Martin Nothnagel of Microsoft.
Microsoft thinks the administrators’ suggestion of “wave customization” was a good idea. This feature allows administrators to roll out updates to users in sequential waves to target priority devices instead of the default of updates being randomly deployed to selected devices over the course of four days.
“Rollout waves allow you to customize which devices/users should get the updates first, second, etc. Allows you to build deployment rings for e.g. testing, piloting, and full release by simply adding Azure AD groups to the respective waves. Maintenance Profile will then perform the update deployment according to your settings every Patch Tuesday,” says Nothnagel.
Patch Tuesdays are busy times for Windows administrators every month, but Microsoft does not currently align monthly Office patches with Windows patches.
The company is trying to improve the Patch Tuesday experience for Windows and Office.
In July it will make the in-beta Windows Autopatch generally available as a free service for Windows Enterprise and Microsoft 365 on E3 or E5 licenses for devices managed through Microsoft Intune. To cover smaller customers, Microsoft recently rolled out new security standards for Azure AD tenants, enabling features such as multi-factor authentication for signing in to Office 365 apps as a security baseline.
Also coming to Microsoft’s Office software is a rollback function to support Azure AD groups.
Rollback is a “safety net” for security updates that have caused grief for administrators in the past, because making fixes for Redmond’s errors comes at the expense of system uptime.
Rollback gives you an extra safety net in case an update causes problems in your environment. “It allows you to easily roll back a selection of devices to a previous release. Instead of manually selecting individual devices, you can now also specify Azure AD groups with devices or users,” says Nothnagel.
Admins can also exclude specific devices through Azure AD or target them all.
Excluding some devices can be useful for administrators who need to manually update certain devices, such as Remote Shared Desktop (RDS) hosts, through alternative processes. Admins can add the users or devices to Azure AD groups and then specify them in the profile for exclusion.
For those who need to target updates to all devices, maintenance profiles provide administrators with a way to manage updates to Microsoft 365 apps based on update channels, use of macros, and other filters.
“There is a new switch in the maintenance profile that simplifies configuration. Just disable the use of additional selection criteria and all your devices will be serviced (Azure AD group filtering is still available).”
Microsoft has also changed the disk space check. Previously, the lower limit of the selection criteria for disk space was five gigabytes, which meant that devices with less free disk space were excluded from Maintenance Profiles that manage the monthly updates: “Most updates to Microsoft 365 Apps require less disk space during the update process, so we only have the lower bound. Now you can bring it down to zero, which means an update attempt will always be made.”