Office 365 users can now download Office 2016 by default. Learn how to control and manage this, as well the latest on Office 365 ProPlus change management.
Microsoft released the Office 2016 Deferred Channel earlier this month.
At this time, Microsoft announced on the Feb 23rd this build would be available in the Office 365 User Software Page. True to their word, this has now kicked in.
If you haven't changed any admin settings, your users will now be able to download Office 2016. When they login to the portal they will see something like this, inviting them to download Office 2016:
Also, when opening the Office 365 User Software Page from Settings, Office 2016 is recommended:
Further down the page, Office 2013 is still available but well hidden.
The 'Why I would install Office 2013?' page, which I can't link to easily, has some useful info. It talks about:
As the administrator, your meant to provide your users with guidance on which version they should install.
There are new options in the admin portal, under Service Settings and then User software. In the new Office 365 Admin center, this can be found under Settings, then Services & add-ins and finally Software download settings.
Here you can control whether you want your users to be able to download Office 2016. This is what it looks like by default.
If you had previously set some options, you should revisit this page to see what it look like now. There have been some reports of a few oddities with these settings!
To stop users from being able to download Office 2016, untick 'Office (includes Skype for Business)' under the '2016 version' section.
To learn about the update branches or as they are called now channels, check out my Office 2016 Deferred Channel Released for Business post.
When deploying Office 2016 you will want to download Office 2016 in its entirety. You can get an offline copy of Office 2016, which for Office 365 ProPlus customers is the Click-to-run version.
Use the Office Deployment Tool (2016 version) for this, check this post for all the steps - How to download Office 365 Deferred Channel for Office 2016.
Here are the key dates you really need to know for your Office 365 ProPlus change management, all the way up to the end of Office 2013:
It's worth reiterating, by the end of June, any Office 365 ProPlus clients running Office 2013, getting updates directly from Microsoft will be upgraded. This is the criteria used to determine if Office can be upgraded successfully.
All these dates are subject to change, for the latest information check Microsoft's Office 365 ProPlus upgrade guide.
As this post illustrates Office 2016 is coming and administrators have some responsibility
Look out for more Office 2016 coverage, in the meantime, you could check out my other related posts.
Inoreader is your secret weapon, using RSS get the news before anyone else. In this review, you will learn about what Inoreader can do for you.
For any professional, being well informed is paramount, it can set you apart and give you the advantage you need. As an IT Professional, I have many web sites that I need to monitor for developments but it's increasingly difficult with today's pace of change.
If only there was a way to stay up-to-date with changes as they happen? Always be ahead, informed and the one in the know. Introducing Inoreader - 'the content reader for power users who want to save time'.
Read on for my in-depth review of Inoreader and why I think it's a must have service.Continue reading
If you have upgraded to Azure AD Connect 1.1, manual sync won’t work anymore but I’ll show you how to fix it. If you're getting a DirectorySyncClientCmd error, you will want to read this rest of this post.
Azure AD Connect (AAD Connect) 1.1 was released last week. I went through on how to upgrade to this version and why it’s an important release - Azure AD Connect 1.1 – How to upgrade.
One reason to upgrade is that the Azure AD Connect 1.1 automatic sync schedule has been reduced from 3 hours to 30 minutes. This is great but there will be times when you want to run a manual sync outside of that set schedule.
Microsoft has changed how scheduling working in Azure AD Connect 1.1. Previously you would run the DirectorySyncClientCmd.exe command:
Now with Azure AD Connect 1.1 this command won't work, mostly because DirectorySyncClientCmd.exe doesn’t exist anymore!
Microsoft explain this change with how scheduling is handled in AAD Connect 1.1:
In earlier releases the scheduler for objects and attributes was external to the sync engine and the Windows task scheduler or a separate Windows service was used to trigger the synchronization process.
With DirectorySyncClientCmd.exe gone, it's still thankfully simple to run a manual sync.
The scheduler will by default run every 30 minutes. It could be that you have an urgent change which must be synchronized immediately which is why you need to manually run a cycle.
The replacement for DirectorySyncClientCmd is to run is Start-ADSyncSyncCycle. Here is how to run a delta manual sync in Azure AD Connect 1.1:
Start-ADSyncSyncCycle -PolicyType Delta
If you ever need to run a full sync
Start-ADSyncSyncCycle -PolicyType Initial
Microsoft list the reasons when a full sync is needed:
I ran Start-ADSyncSyncCycle from the AAD Connect server in PowerShell.
For more information check out Microsoft's page - Azure AD Connect sync: Scheduler. I hope this post was of use, it caught us out when we upgraded. As you can see it's simple to use the new command instead.
Azure AD Connect 1.1 is out, now with much faster sync times and other cool new features. Read on to see how the upgrade works and why you should probably upgrade too.
UPDATE: You won't be able to run manual sync once you have upgraded. Read all about it here along with the solution - DirectorySyncClientCmd manual sync error Azure AD Connect Upgrade.
UPDATE 2: If you recently upgraded to version 1.1, make sure you have version 220.127.116.11, which was released on the 26th February. This fixes some bugs in the initial version. See resources section for links.
Azure AD Connect syncs account information from your on-premise Active Directory into the cloud. If you're still using the older Directory Synchronization (DirSync) tool, you really should look into Azure AD Connect.
Azure AD Connect is the tool to integrate your on-premises identity system such as Windows Server Active Directory with Azure Active Directory and connect your users to Office 365, Azure and 1000’s of SaaS applications.
Microsoft announced Azure AD Connect 1.1 yesterday, with these new features
What stood out for me was the faster sync times. Up until now the shortest supported frequency was syncing every three hours, with Azure AD Connect 1.1 it's now 30 minutes.
The faster sync times are really welcome, as it means any changes you make on-premise will be reflected in the cloud that much sooner. When setting up new staff especially on Office 365, the faster sync will make a big difference.
I already have a recent version of AAD Connect installed, so an in-place upgrade is a breeze. See the resource section below for a link on how to upgrade from DirSync.
The setup recognizes this is an upgrade:
Then connect to Azure AD. I did have one issue with this, where I specified the username to connect to Azure AD, it said the account had an expired password.
After resetting the password and checking out this guidance 'Office 365 Service Accounts–How do I stop DIRSYNC from breaking every 90 days…' I continued.
Then upgrade is ready to go:
That was quick, after a few minutes the upgrade had completed successfully:
Now let's make sure we have that 30 minute sync schedule that's newly supported in this version. From your AAD Connect server run this PowerShell command
This reports back something like this:
After checking out what this means, it confirms we have the shorted permissible sync time
AllowedSyncCycleInterval: The most frequently Azure AD will allow synchronizations to occur. You cannot synchronize more frequently than this and still be supported.
CurrentlyEffectiveSyncCycleInterval: The schedule currently in effect. It will have the same value as CustomizedSyncInterval (if set) if it is not more frequent than AllowedSyncInterval. If you change CustomizedSyncCycleInterval, this will take effect after next synchronization cycle
Syncing with version 1.1 is now built-in to the sync engine rather than being external.
There are lots of other new features, support for Modern Authentication when specifying an MFA enabled admin account during installation, Domain/OU filtering and more. Check out the release history for lots more details.
Nano Server, a new feature of Windows Server 2016 is going to be huge, or actually very small. Let's find out what the big deal is all about.
Microsoft has been enthusing about this new installation option for around a year. By the end of this post, you will know why Nano Server is so significant and why Microsoft belives it is the future of Windows Server.
Nano Server is Windows Server re-imagined for a cloud world. Nano Server is lean, it's fast and secure. It's 25 times smaller for starters than the conventional Windows Server. This all means less patching, a better uptime and lightening fast installation.
The journey started with Server core which has been around since Windows Server 2008. Microsoft began to reduce the footprint substantially by removing features that should be unnecessary on a server. This still left a lot of bloat in the
Now starting with Windows Server 2016, Microsoft is going further with Nano Server. Microsoft has removed even more components. There is no GUl, meaning no option to remote desktop to manage Nano Servers for example.
Even when locally attached to the console, all you can do is reconfigure the network and firewall settings. Nano Server is intended to be 100% managed remotely
You can use Nano Server to provide many of the same services as before. This includes workloads such as for an IIS web server, Hyper-V host, or a File or DNS server.
Nano Server can be used with:
This may seem radical but I'll let you into a secret, Microsoft doesn't want you to remote desktop onto any server for administration. It's a security risk, it's inefficient and it doesn't scale.
Jeffrey Snover, Microsoft Chief Architect, Enterprise Cloud even goes as far as comparing using remote desktop into servers akin to drug addiction. If you regularly remote desktop into servers, Microsoft wants you to break that habit.
Most of your usual management tools should continue to work as normal. Simply point tools like Server Manager' & 'Hyper-V Manager' and remotely connect to a Nano Server. Traditional MMC snap-ins will continue to work when remotely connected to Nano Server.
Full PowerShell support is being added. PowerShell Desired State Configuration look like an interesting new feature. The new web-based Server Management tools will work as well. There are plenty of options.
Here is a Server Management Tools demo:
Learn about this new web-based GUI management tool that is hosted in Azure and available for no charge.
Especially useful when managing headless servers such as Nano Server and Server Core, it can be used to manage on-premises infrastructure alongside Azure resources.
Compared to the conventional version of Windows Server, there are these benefits:
For a good summary and some demos, check out this video from the Microsoft Mechanics show:
Initially Microsoft is focused on these two scenarios
Infrastructure servers are a definitely a winner, who wants to reboot a Hyper-V server loaded with VMs unless you really have to?
For the things you can't do with Nano Server today, Server Core becomes your standard option:
"The Server Core installation option removes the client UI from the server, providing an installation that runs the majority of the roles and features on a lighter install. Server Core does not include MMC or Server Manager, which can be used remotely, but does include limited local graphical tools such as Task Manager as well as PowerShell for local or remote management."
One of the few remaining reasons to use the full version of Windows Server is Remote Desktop Services (RDS) and supporting third-party apps that just won't work on anything else. Server with Desktop Experience is what Microsoft call the full version of Windows Server 2016.
Since writing this article, Microsoft has provided more specifics on how Nano Server is to be made available. There are two really important things to point out from this announcement:
Firstly, Software Assurance is mandatory:
Software Assurance is also required to deploy and operate Nano Server in production.
Secondly, Nano Server will follow a Current Branch for Business (CBB) service model:
Our goal is to provide feature updates approximately two or three times per year for Nano Server. Because Nano Server will be updated on a more frequent basis, customers can be no more than two Nano Server CBB releases behind.
What does this actually mean though?
Only two CBB releases will be serviced at any given time, therefore when the third Nano Server release comes out, you will need to move off of #1 as it will no longer be serviced. When #4 comes out, you will need to move off of #2, and so on.
Ultimately this means you will have to update Nano Server every 6 to 8 months. This will be a manual process.
This won't always be ideal but that's the price you pay for all the benefits I have discussed. This does mean Microsoft will rapidly improve Nano Server making it more suitable for additional workloads.
Finally, Windows Server 2016 Technical Preview 5 is available now and it's your opportunity to get an early look at Nano Server. Microsoft has a 'Getting Started with Nano Server' that is well worth checking out.
Windows Server 2016 will be officially launched at the Microsoft Ignite Conference in Atlanta on September 26-30.
Learn how to use Docker to host WordPress websites and blogs in this comprehensive guide. Docker is the perfect platform to host WordPress websites but it’s not without its complications. This guide will put you on the right track from the start.Continue reading
Is shadow IT making IT departments increasingly irrelevant? When users can source their own IT product or system independently, could it be said this is a symptom of IT departments that are out of touch or that is not providing the right services?
Let's delve in with some examples and my take on what a modern IT department should do to be more responsive, possibly avoiding some of these pitfalls in the first place. We will also check out what Microsoft Azure Cloud App Discovery can bring to the table.
It can start innocently enough, when users start going directly to their preferred service, it could be Dropbox or Slack or some other killer app and then before you know it, your IT department is looking out of kilter. It can be a slippery slope as IT departments can then become an afterthought, where your staff don't even think to consult when commissioning projects.
They might even send their own staff on IT training and employee a contractor even to get an IT system up and running, bypassing their IT department entirely.
I am painting a worst case scenario admittedly but one I don't think is that uncommon in some ways. I have seen it first hand, where there was a significant delay in implementing SharePoint Online.
Pockets of staff started adopting SharePoint Online anyway in the meantime. Power users spread the technology and know-how, all with no support or sanction of the IT Department. It got to the point where outside of IT, managers were sending their staff to SharePoint training courses.
This did get caught in the end and redirected to an official project but it just shows you how staff will find a way if you're not meeting a need, they will go just work around it.
Another example, around three months back, we got asked if we knew anything about a Rackspace server, which none of us did. What transpired was someone in the organization had commissioned a hosted server to setup a WordPress website. This server was unknown to the responsible staff in the IT department who would as a matter, of course, secure and maintain systems.
This Rackspace server unsurprisingly left unmaintained instead was hacked and used to launch an attack against a third party. The third party thought the hack originated from us. Rackspace actually were the ones to spot and notify us that one of "our" servers had been compromised. A pretty poor situation I think we can agree.
You could call this rogue IT or as Microsoft tend to call it, shadow IT. It's unapproved invariable unsanctioned IT services or products introduced into an organization. Rather than be fearful of shadow IT, another tact is to embrace it and listen to what it's telling you and why people went elsewhere in the first place.
Here is my approach to shadow IT, it's meant to be a holistic systematic approach that puts the IT department in control of technology.
Be open to questions and thinking out of the box
Have a technology roadmap so everyone knows what to expect down the line
Be honest with staff explaining why particular decisions are made and why certain technology can't be approved
Give staff a way out when they go off track and help them to utilize the right tools
Help staff navigate and pick which is the right tool, one that works well for their particular needs. Keep staff informed regularly with new developments .
Recognize power users that are interested in technology , can endorse change and help with it's introduction across an organization
Have a IT department structure that cultivates innovation and allows IT staff to have the time to work in new ways and be at the forefront.
Of course there will be times when you can't entertain the requests at all, they will be so left-field, there just not going to fly. Also in highly regulated fields, healthcare, finance etc., your hands may be tied to a large extent.
Moving on to one tool that can help with managing one aspect of shadow IT, Microsoft have a tool, Azure Cloud App Discovery. It can help unearth cloud applications in an organization.
In modern enterprises, IT departments are often not aware of all the cloud applications that members of their organization use to do their work. It is easy to see why administrators would have concerns about unauthorized access to corporate data, possible data leakage and other security risks. This lack of awareness can make creating a plan for dealing with these security risks seem daunting.
Azure Cloud App Discovery uses an easy to deploy PC agent that reports back telemetry to Azure.
It doesn't take long as data is collected in a matter of hours, you get a nice easy to interpret Azure dashboard. Very quickly you can identify applications you may have otherwise known were in use.
You can do a lot more than reporting, apps can be managed, brought into the fold, with enhanced security, single sign-on, support for Multi-factor Authentication, integration with the Office 365 app launcher and more.
That was my insights into shadow IT, with first-hand experience of this and at least one tool that helps. I'll have further posts on similar topics in the near future, look out for these if this is of interest.
If you’re not using two-factor authentication for cloud applications in your organization in the UK, you may be risking a fine.
See my 'No two-factor authentication is like asking to be hacked?' post for further insights on securing cloud apps, especially using Multi-factor authentication (MFA).
The ICO revised their ‘A Practical Guide to IT Security' document while aimed at small businesses the advice is really universal.
The ICO have provided this guidance with “10 practical ways to keep your IT systems safe and secure”.
A reminder of the ICO’s authority and reach with these matters:
Breaches of data protection legislation could lead to your business incurring a fine – up to £500,000 in serious cases. The reputation of your business could also be damaged if inadequate security contributes to high profile incidents of data loss or theft.
Most businesses are using cloud applications in some capacity or are considering doing so with services like Microsoft Office 365 or Salesforce being very popular. The ICO have a section on “Secure your data in the cloud” with guidance on how to protect these systems.
There are a wide range of online services, many incorporated within today’s smartphones and tablets that require users to transfer data to remote computing facilities – commonly known as the cloud.
Processing data in the cloud represents a risk because the personal data for which you are responsible will leave your network and be processed in those systems managed by your cloud provider. You therefore need to assess the security measures that the cloud provider has in place to ensure that they are appropriate.
While I think however simplified, most of us would agree with this assertion as well as what the ICO suggest businesses can do about this:
Make sure you know what data is being stored in the cloud as modern computing devices, especially those targeted at consumers, can have cloud backup or sync services switched on by default. Consider the use of two-factor authentication especially for remote access to your data in the cloud.
The last sentence is what sparked my interest, bear in mind this is advice for small businesses, which typically comprise of 50 staff or less.
The ICO are effectively recommending two-factor authentication even for these small entities. That being the case, surely bigger enterprises must seriously consider two-factor authentication for cloud applications as well.
Without getting into the finer points of the Data Protection Act organizations have to have an appropriate level of security for the type of personal information they hold. Principle 7 is all about security.
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Two-factor authentication is an entirely proportionate security measure, that is well placed to protect access to cloud-based applications.
The ICO will rarely dictate all the security measures you have to have in place, that's your job! You as an organization and a data controller must put in the right measures to mitigate potential data breaches.
With daily news of fresh data beaches, isn't it time you secure your cloud applications and enable your staff the ability to truly work from anywhere securely?
See the ICO - A Practical Guide to IT Security document for more top tips on security.
Image credits: ICO ‘A Practical Guide to IT Security’ cover & '8 data protection principles' postcard
Here you will see how to control the Office 365 ProPlus Update Channels. These were called branches previously but are now known as channels. Let's go through how you can control these channels.
With this, you can manage how you receive feature updates in Office 365 ProPlus across your organization.
For additional information check out my "Office 2016 Deferred Channel Released for Business" post.
Note much of Microsoft's documentation and settings still refer to branches, which will change over time to match the rebranding.
Here are the five options to manage Office 365 ProPlus Update Channels.
Set the Click-to-Run configuration.xml file, which is used to manage a deployment. Use the 'Branch' option. To download or install for example, in this case with the deferred channel, use Branch=“Business” setting.
Here are the valid settings you can use:
xml branch setting
First Release for Deferred Channel
First Release for Current Channel
See my "How to download Deferred Channel Office 365 ProPlus" post to see this in much more detail.
Again edit the Click-to-Run configuration.xml file, use the 'Updates' element to specify which channel to use. Use the same settings available in Option 1, refer to the table above.
This changes the update branch for an already installed product like Office 365 ProPlus. You can switch an Office 365 ProPlus installation from one update branch to another this way.
<Updates Enabled="TRUE" Deadline="02/26/2016, 00:00" Branch="DeferredChannel" UpdatePath="\\Server\Share"/>
If you allow your Office 365 end users to download Office 365 ProPlus from the User Software Page, you now have more options.
In the 'User software' section of the admin portal, with the introduction of the deferred channel, there are now some enhanced admin controls.
Starting today, IT admins also have the ability to further customize the User Software page. Admins now have the option to select the Office version and update channel (for 2016 apps only) a user can see and download directly from the Office 365 User Software Page. The changes IT admins make on the Admin Center will go into effect on February 23, 2016, giving admins the opportunity to change the default update channel and decide which install links to expose to their users.
Here you can select the default channel, with the deferred channel selected but the current channel is also an option:
Note if you previously disallowed users to download Office, these new settings in the admin portal may have overridden that preference, which you may need to revisit.
With the Office 2016 Administrative Templates in Group Policy, you can set the Office 365 ProPlus channel. With this it's possible to override the channel from what was installed originally.
Start by download the "Office 2016 Administrative Template files (ADMX/ADML)" and install these as usual.
Then in your Group Policy Object navigate to the setting:
The name of the Group Policy setting is Update Branch. You can find this policy setting under Computer ConfigurationAdministrative TemplatesMicrosoftOffice 2016 (Machine)Updates. The relevant choices when you enable the Group Policy setting are Current, Business, and Validation.
Remember 'Current' is the Current Channel, 'Business' is the Deferred Channel, while 'Validation' is First Release for Deferred Channel.
You can also use First release for select people. This then allows access to the First Release for Deferred Channel on the software download page. First release allows administrators to designate particular users to try out features in advance:
You can also provide users with First Release for Current Branch for Business by selecting them for the First Release program for Office 365. If you do this, those users can install First Release for Current Branch for Business directly from the Software page in the Office 365 portal.
There is an important note if Visio or Project for Office 365 is installed alongside Office 2016, that's a bit of a gotcha.
If you have Visio Pro for Office 365 or Project Pro for Office 365 installed on the same computer as Office 365 ProPlus, they all must use the same update branch. You can't have a mix of update branches on the same computer.
The effects of this are quite pronounced according to reports I have read. Say you're using the current channel with Office 2016, you later install Visio Click-to-Run. The Visio installation will change your Office channel to the Deferred Channel, so it matches with Visio.
Here is how you can download the new deferred channel of Office 365 ProPlus, which I talked about yesterday.
Download the Office 2016 Deployment Tool, the current version being 16.0.6612.6353.
Run the file you just downloaded, in my example 'officedeploymenttool_6612-6353.exe' or whatever the latest version is called.
Accept the prompts and chose where to extract the files. With this complete you will have a setup.exe and configuration.xml file in your chosen folder.
Leave configuration.xml as it is and create a new xml file in notepad called 'download_deferred.xml'
Here is the contents for 'download_deferred.xml', change the SourcePath to a folder on your PC
<Add SourcePath="C:\\ODT Latest\\Deferred" OfficeClientEdition="32" Branch="Business">
<Language ID="en-us" />
We are specifying the 'Business Branch" in the xml file, which is now known as the Deferred Channel. Here are the other valid settings.
xml branch setting
First Release for Deferred Channel
First Release for Current Channel
Now lets download the deferred channel of Office 365 ProPlus
setup /download download_deferred.xml
You should then see the Deferred folder appear almost immediately, as all the files are downloaded. This amounts to around 1.13 GB of data, which could take a while depending on your internet speed to download. It took a solid 20-25 minutes for me.