Microsoft has delivered new updating capabilities for admins to help them automate monthly updates for its core Microsoft 365 apps via Azure Active Directory (AD).
"Servicing profiles" let admins automatically deliver monthly Word, Excel and other Office suite updates for specific users or groups. Microsoft has now delivered tooling that allows admins to align these updates with Windows Patch Tuesday updates.
The new capabilities, described as 'top customer asked capabilities', update servicing profiles to cover customization, rollbacks, device exclusions, blanket and exclusion targeting, and the ability to control deployments to devices with less free disk space than the 5GB lower threshold previously available.
"You spoke, we listened. Based on input from admins from around the world, we added and extended controls for Servicing profiles. The overall goal remains unchanged: Provide a modern and easy way to manage your Microsoft 365 Apps updates," says Microsoft's Martin Nothnagel.
Microsoft thinks admins' suggestion of "wave customization" was a good idea. The feature lets admins roll out updates to users in consecutive waves to target priority devices instead of the default of deploying updates randomly to selected devices over the course of four days.
"With Rollout waves, you can customize which devices/users should get the updates first, second, etc. This allows you to build deployment rings for e.g. testing, piloting and full release by simply adding Azure AD groups to the respective waves. Servicing profile will then execute the update deployment according to your settings each Patch Tuesday," says Nothnagel.
Patch Tuesdays are busy periods for Windows admins each month, but Microsoft doesn't currently align monthly Office patches with Windows patches.
The company is trying to improve the Patch Tuesday experience across Windows and Office.
In July, it will make its in-beta Windows Autopatch generally available as a free service for Windows Enterprise and Microsoft 365 on E3 or E5 licenses to handle devices managed through Microsoft Intune. To cover smaller customers, Microsoft recently rolled out new security defaults to Azure AD tenants, enabling features like multi-factor authentication for signing into Office 365 apps as a security baseline.
Also coming to Microsoft's Office software is a rollback feature to support Azure AD groups.
Rollback is a "safety net" for security updates that have caused grief for admins in the past because applying fixes for flaws from the Redmond firm comes at the expense of system uptime.
"Rollback gives you an extra safety net in case an update is causing issues in your environment. It allows you to easily roll a selection of devices back to a previous release. Now, instead of manually selecting individual devices, you can now also specify Azure AD groups with devices or users," says Nothnagel.
Admins can also exclude specific devices via Azure AD or target all of them.
Excluding some devices might be useful for admins who need to update certain devices, such as Remote Desktop Services (RDS) hosts, manually or through alternative processes. Admins can add the users or devices to Azure AD groups, and then specify them in the profile for exclusion.
For those who need to target updates for all devices, servicing profiles give admins a way to control updates for Microsoft 365 apps based on update channels, the use of macros, and other filters.
"There is a new toggle in the Servicing profile which simplifies the configuration. Just disable the use of additional selection criteria and all your devices will be serviced (Azure AD group filtering is still available)."
Microsoft has also changed disk space control. Previously, the lower limit of the disk space selection criteria was five gigabytes, which meant devices with less free disk space were excluded from Servicing profiles managing the monthly updates: "Most Microsoft 365 Apps updates require less space on disk during the update process, that's why we adjust the lower limit. Now you can bring it down to zero, meaning an update attempt will always be performed."