locked
patch management for Office 2013 on MDT RRS feed

  • Question

  • Hello,

    on current MDT 2012, Office 2013 is added as an app. MSP was created for customization and placed in Update folder (did it a while ago)

    I am preparing new MDT 2013. Deployed OS will be patched with latest updates. So Windows update will not take initially any time for applying patches after deployment from WSUS.

    I would like to know best practices for Updating Office 2013 on Deployment Share.

    Please provide a link or instructions: where to get latest O2013 Update Packages (at least security and critical) and how to place them properly in Update folder. Can it coexist with Customization.msp?

    1. What is the right thing to manage this? No SCCM in place.

    2. Does somebody includes Office 2013 in the image and then use GPO for customization?

    Is it a valid scenario? I see at least 2 advantages: no additional time after deployment and full patches for the moment of image creation. Than it could be updated in the moment of image update.

    Does it make sense? What are disadvantages of this approach?

    thanks.


    --- When you hit a wrong note its the next note that makes it good or bad. --- Miles Davis


    • Edited by pob579 Saturday, April 25, 2015 9:48 PM
    Saturday, April 25, 2015 9:41 PM

Answers

  • 00. Please provide a link or instructions: where to get latest O2013 Update Packages (at least security and critical) and how to place them properly in Update folder.

    0. Can it coexist with Customization.msp?

    1. What is the right thing to manage this? No SCCM in place.

    2. Does somebody includes Office 2013 in the image and then use GPO for customization?


    00. There isn't really any such link. Neither is there such a link for Windows. You can use the monthly Security Bulletins as a guide, for both Windows and Office.

    0. Yes. This is recommended and documented on TechNet Library http://technet.microsoft.com/en-us/library/cc178995.aspx

    1. It's typically advised that you create your reference image and include Office in that, also include Windows Updates and Office Updates. Use WSUS or MU/WU for that. Make sure that you use OSPPREARM.EXE or OSPP.VBS /rearm, as the last step before shutdown & capture of the image.

    2. Yes, that's what we do. We do use a couple of settings in customization.msp, but most settings we do in Domain GP.


    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

    • Proposed as answer by Ty Glander Monday, April 27, 2015 9:34 PM
    • Marked as answer by pob579 Tuesday, April 28, 2015 12:26 PM
    Monday, April 27, 2015 9:31 PM
  • Hi,

    Have you reviewed the following link?

    https://technet.microsoft.com/en-gb/library/cc178995.aspx?f=255&MSPPError=-2147217396#BKMK_UpdatesFolder

    Other methods are also listed but this explains how the updates folder works and how to name your customisation msp files.

    If you don't have SCCM presumably WSUS would be an option? this can also integrate with MDT for pre and post application installation including office updates. Again this method could be used whether you install office into your base WIM or your deployment TS. Whether or not you bake the Office install in to your image depends on your requirements and your environment. Regardless your customisation msp is still valid.

    I tend to always apply settings via GPO... again, that's a preference. if you want it all in your msp that's a decision based on your environment and requirements.

    Thanks,

    Adam

    • Marked as answer by pob579 Monday, April 27, 2015 9:30 PM
    Monday, April 27, 2015 3:55 PM
  • Yes they coexist in the same folder.  So what you are doing is kind of how that works :)

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    • Marked as answer by pob579 Monday, April 27, 2015 9:30 PM
    Monday, April 27, 2015 5:13 PM
  • With Don's suggestions and: http://deploymentresearch.com/Research/Post/357/Building-reference-images-like-a-boss

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    • Marked as answer by pob579 Tuesday, April 28, 2015 12:26 PM
    Monday, April 27, 2015 9:35 PM
  • Don't remember if I can manage by GPO applications appearance in the Office. (Example want to exclude Publisher and Access from being used on client PC).

    Can somebody point where is the option in GPO for selecting individual apps within the Office.


    "Applications appearance" ??

    Do you mean "hide/disallow an Office application e.g. Access" by using GPO ?

    If so, no, GP can't do that. There are no interfaces in Office that allow GP to do that.

    You could use something like AppLocker to forbid msaccess.exe from executing but you can't "hide" nor "not install/uninstall".

    To reconfigure settings/features after Office is already installed, you can use
    "setup.exe /modify PROPLUS /config config.xml"

    You can also do that with "msiexec /p customisation.msp", but we found that changes feature states from not-installed > installed, doesn't always work reliably using the second method, so we use the first method (config.xml)


    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

    • Marked as answer by pob579 Tuesday, April 28, 2015 9:36 PM
    Tuesday, April 28, 2015 9:20 PM

All replies

  • Hi,

    Have you reviewed the following link?

    https://technet.microsoft.com/en-gb/library/cc178995.aspx?f=255&MSPPError=-2147217396#BKMK_UpdatesFolder

    Other methods are also listed but this explains how the updates folder works and how to name your customisation msp files.

    If you don't have SCCM presumably WSUS would be an option? this can also integrate with MDT for pre and post application installation including office updates. Again this method could be used whether you install office into your base WIM or your deployment TS. Whether or not you bake the Office install in to your image depends on your requirements and your environment. Regardless your customisation msp is still valid.

    I tend to always apply settings via GPO... again, that's a preference. if you want it all in your msp that's a decision based on your environment and requirements.

    Thanks,

    Adam

    • Marked as answer by pob579 Monday, April 27, 2015 9:30 PM
    Monday, April 27, 2015 3:55 PM
  • Yes they coexist in the same folder.  So what you are doing is kind of how that works :)

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    • Marked as answer by pob579 Monday, April 27, 2015 9:30 PM
    Monday, April 27, 2015 5:13 PM
  • 00. Please provide a link or instructions: where to get latest O2013 Update Packages (at least security and critical) and how to place them properly in Update folder.

    0. Can it coexist with Customization.msp?

    1. What is the right thing to manage this? No SCCM in place.

    2. Does somebody includes Office 2013 in the image and then use GPO for customization?


    00. There isn't really any such link. Neither is there such a link for Windows. You can use the monthly Security Bulletins as a guide, for both Windows and Office.

    0. Yes. This is recommended and documented on TechNet Library http://technet.microsoft.com/en-us/library/cc178995.aspx

    1. It's typically advised that you create your reference image and include Office in that, also include Windows Updates and Office Updates. Use WSUS or MU/WU for that. Make sure that you use OSPPREARM.EXE or OSPP.VBS /rearm, as the last step before shutdown & capture of the image.

    2. Yes, that's what we do. We do use a couple of settings in customization.msp, but most settings we do in Domain GP.


    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

    • Proposed as answer by Ty Glander Monday, April 27, 2015 9:34 PM
    • Marked as answer by pob579 Tuesday, April 28, 2015 12:26 PM
    Monday, April 27, 2015 9:31 PM
  • With Don's suggestions and: http://deploymentresearch.com/Research/Post/357/Building-reference-images-like-a-boss

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    • Marked as answer by pob579 Tuesday, April 28, 2015 12:26 PM
    Monday, April 27, 2015 9:35 PM
  • Thanks to all!

    Ty, I added a lot to my knowledgebase during bombing :) you with the questions since last week :) ... Thanks for the answers...

    I purchased Johan's Fundamentals V4 (found it more applicable to my current needs).

    A bit in pressure this week need to push 2 models deployment quickly and correctly as possible.

    So don't have time to Deep Dive.

    What I achieved Driver Group approach works find for tons of drivers. Tried just on model now...

    Have to solve sudden issue with WinPE that was working fine and suddenly stopped working.

    For O2013...

    Just to make things fast I installed O2013 in reference image.

    If I understand correctly I cannot use MSP file after the installation is made. I suppose to create it and add to Updates folder of the O2013 source.

    So now my option is to work with GPO. I have a configured one for O2013 APPV deployment.

    It works great.

    Don't remember if I can manage by GPO applications appearance in the Office. (Example want to exclude Publisher and Access from being used on client PC).

    Can somebody point where is the option in GPO for selecting individual apps within the Office.

    In my MDT2012 I use O2013 deployment as App and use MSP.

    For Appv Office I use apps selection from APPV manager. So not sure if it is doable from Office GPO.

    Thanks.


    --- When you hit a wrong note its the next note that makes it good or bad. --- Miles Davis


    • Edited by pob579 Tuesday, April 28, 2015 6:36 PM
    Tuesday, April 28, 2015 3:33 PM
  • Don't remember if I can manage by GPO applications appearance in the Office. (Example want to exclude Publisher and Access from being used on client PC).

    Can somebody point where is the option in GPO for selecting individual apps within the Office.


    "Applications appearance" ??

    Do you mean "hide/disallow an Office application e.g. Access" by using GPO ?

    If so, no, GP can't do that. There are no interfaces in Office that allow GP to do that.

    You could use something like AppLocker to forbid msaccess.exe from executing but you can't "hide" nor "not install/uninstall".

    To reconfigure settings/features after Office is already installed, you can use
    "setup.exe /modify PROPLUS /config config.xml"

    You can also do that with "msiexec /p customisation.msp", but we found that changes feature states from not-installed > installed, doesn't always work reliably using the second method, so we use the first method (config.xml)


    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

    • Marked as answer by pob579 Tuesday, April 28, 2015 9:36 PM
    Tuesday, April 28, 2015 9:20 PM
  • "Application appearance" :)

    Yes I meant hide.

    Where it is described?

     


    --- When you hit a wrong note its the next note that makes it good or bad. --- Miles Davis

    Tuesday, April 28, 2015 9:39 PM
  • Want to add here a link To OFFICE Rearm importance in Reference image mentioned by Don.

    https://technet.microsoft.com/en-us/library/dn385362.aspx?f=255&MSPPError=-2147217396


    --- When you hit a wrong note its the next note that makes it good or bad. --- Miles Davis

    Wednesday, April 29, 2015 2:13 AM
  • If I understand correctly I cannot use MSP file after the installation is made.

    You can install them seperately with msiexec as any other *.msp file of course.
    But the updates folder takes all the work from you, why should you want to do this manually?

    Wednesday, May 13, 2015 9:50 PM