While we normally don't cover this type of content on the Core Infrastructure and Security Blog, we thought this was important enough to provide our readers in order to support many Microsoft security capabilities.
Hello everyone, I am Dave Guenthner, a Senior FastTrack Architect (FTA) at Microsoft. The purpose of this blog is to share a concern from multiple customers and provide suggestions and reference documentation for resolution. The issue is that after October 10, 2023, older perpetual versions of Office 2016 and Office 2019, which are no longer in mainstream support, are no longer supported for connecting to Microsoft 365 services. While this sounds dire, please note “Microsoft won't take any active measures to block older Office versions from connecting to Microsoft 365 services if they're in extended support and are kept up to date”. While Microsoft communicated these changes and offered guidance back in February 2018 and again in September 2018 for Microsoft 365 Apps (then “Office 365 ProPlus”) regarding lifecycle, that doesn't mean the transition is a trivial one for customers. I've found the Windows and Office Support Matrix to be the best way to see all relevant information visually in one place. The formal explanation I've obtained is “Microsoft 365 Apps, the cloud-connected version of Office, delivers the most productive and most secure Office experience—with the lowest total cost of ownership for deployment and management.”
OneDrive Foundational Consideration
Every customer's cloud journey starts with moving user data from on-premises file shares and home drives into OneDrive. Regardless of licensing scenario, data will always be available and will help drive down costs by eliminating on-premises infrastructure. For most subscription plans, the default storage space for each user's OneDrive is 1 TB. While many customers I speak with have indeed enabled OneDrive and turned on Known Folder Move (KFM), the majority have not decommissioned their on-premises file servers or NAS appliances, which may create headwinds for scenarios like Frontline workers (more on that below). Additionally, assignment of home drives in on-premises Active Directory Domain Services (AD DS) remains a concern because it directly opposes Microsoft's vision for the future where “Azure AD is the Microsoft recommended path for most new or repurposed devices, especially when using modern deployment tools like Windows Autopilot.”
Why do dependencies on on-premises infrastructure still exist? (My Top 5)
- Tradition – this is the way we have always done it and have user provisioning workflows which automate this configuration.
- The Unknown – often central IT does not know how various departments use these file shares or home drives. Yes, I am talking about the business-critical application IT does not know about that writes temporary files or output to these resources.
- Time and resources – coordinating migration of all data from on-premises to cloud takes resources and coordination. The effort raises questions such as “What is our retention policy for all this old data?” “Discovery, what is all this data and who owns it?” “Is there a subset of files which do not meet Microsoft's requirements for OneDrive and how to address? (Funny names, file length, encryption etc.)” Program Management is a customer responsibility and a critical part of the initiative.
- No taxonomy or retention plan. Microsoft Purview Information Protection can help discover, classify, and protect content in the cloud, and that starts with developing an organization's classification taxonomy for different sensitivity levels of content. This takes time partnering with your security team, legal, and others, often leading to inaction.
- End user training – IT should initiate a campaign to inform their users of this change and gradually mark data on the on-premises file servers as read-only, leading to its eventual removal. FastTrack has some great adoption materials (including OneDrive Adoption Center, Pre-Launch, Engaging your Org and Train your Org) to be aware of.
Microsoft 365 Apps for the web was previously known as Office for the web.
Migration Scenarios for legacy Office:
1. Upgrade Office 2016 to Microsoft 365 Apps
2. Upgrade Office 2019 to Microsoft 365 Apps
3. Uninstall legacy Office 2016 and use Microsoft 365 Apps for the web
4. Uninstall legacy Office 2019 and use Microsoft 365 Apps for the web
5. Leave the legacy Office perpetual version on devices, which may not require access to Microsoft 365 services, until end-of-life on Oct 14, 2025, and consider using other technologies, such as AppLocker, to block the launch of applications which depend on Microsoft 365 connectivity, like Outlook.
Scenarios 3 and 4 depend on data being in SharePoint Online or OneDrive to use Office for the web, as it cannot open files from on-premises locations. This is why migration of user and group shares to SharePoint Online is so critical as a prerequisite. Differences and details between E and F plans, including change management strategy, can be found in the following article: Changing from a Microsoft 365 E plan to a Microsoft 365 F plan.
Frequently asked questions to support the scenarios above.
How can I determine which machines have legacy Office products installed and their readiness for upgrade?
A great place to start is the Microsoft 365 Apps readiness integration in the Configuration Manager Office 365 Client Management dashboard. Additionally, build dynamic collections in Configuration Manager to identify devices and their journey to Microsoft 365 Apps.
When does extended support end for Office 2016 and Office 2019?
Both products are end of life on Oct 14, 2025, and will continue to receive security updates until that date.
How to upgrade from MSI-based Office, Visio and Project to the Microsoft 365 Apps with one installation package?
See the video by Office Ranger Martin Nothnagel, who provides a walkthrough: Simplify your Office upgrade with MSICondition.
Migration of MSI-based Office to Microsoft 365 Apps will result in a longer installation process, because Windows Installer first removes the legacy MSI product prior to installation when the RemoteMSI parameter is used. (This is recommended, as side-by-side installation of MSI and “Click-to-Run” is strongly discouraged.)
How can I easily migrate from Office 2019 or Office 2021 to Microsoft 365 Apps?
Use Group Policy (GPO) or Intune CSP setting Upgrade Office 2019 to Microsoft 365 Apps for enterprise. The beauty of this solution is no deployment package is required as the product will gracefully upgrade like any other standard software update.
Upgrade Office 2019 to Microsoft 365 Apps for enterprise
Computer Configuration\Administrative Templates\Microsoft Office 2016 (Machine)\Updates
Office 2019 must first upgrade to Microsoft 365 Apps on Semi-Annual before moving to Monthly Enterprise Channel (recommended channel), and the change must use the Content Delivery Network (CDN). (MS Supported method)
Using Configuration Manager to transition from Office 2016 or Office 2019 to Microsoft 365 Apps is not supported by MS Support.
Channel change and product transition will take several days as various timers are in play. IT Pros attempting rapid lab validation will see delay “by design.” Be patient.
The upgrade from Office 2016 or Office 2019 to Microsoft 365 Apps will be complete once the end user accepts the prompt “Your Privacy Matters”. The backstage of Office will not reflect the correct product until this is completed, as it is a legal requirement, regardless of the product name shown in Add/Remove Programs.
What if the only method available is using Configuration Manager in our environment? While it's not supported, will it work?
In my limited lab testing, yes, it works with a caveat. You may see the error 0x87d00668, “Software update still detected as actionable after applying”, from the Configuration Manager client. However, on automatic follow-up attempts it will succeed. A simple workaround is hiding software notifications for this deployment.
If I manage Office 2016 or Office 2019 software updates today using Configuration Manager, how can I use the CDN for upgrade as recommended?
By default, Office 2019 uses the CDN for software updates. However, it's possible the OfficeC2RCom COM application was registered in the past to facilitate Configuration Manager integration. Please ensure the policy Management of Microsoft 365 Apps is Disabled via domain policy or from Configuration Manager client settings. You can verify whether the undesired policy is in place by launching dcomcnfg.exe on a client computer and checking whether the OfficeC2RCom application is present. The purpose of the COM application is to allow Microsoft 365 Apps to interoperate with Configuration Manager and pull updates from distribution points rather than the CDN. In this scenario, we want the OfficeC2RCom application to be NOT present, to restore the default CDN workflow.
Once the COM application is deregistered, the Microsoft Office Click-to-Run Service must be restarted for the change to take effect.
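The check described above, scripted in PowerShell as an added example that is not part of the original post. The function name is hypothetical, and the registry locations of the OfficeMgmtCOM value and the ClickToRunSvc service name are assumptions not stated in the post, so confirm them on your build.

```powershell
# Added example: read-only audit of where Click-to-Run Office gets its updates.
# Run in an elevated PowerShell session on the client being checked.
function Get-OfficeUpdateSourceState {   # hypothetical helper name
    # Assumed location of the "Management of Microsoft 365 Apps" policy value
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate'
    # Assumed location of the value set at install time or by client settings
    $c2rKey    = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'

    $policy = (Get-ItemProperty -Path $policyKey -Name 'OfficeMgmtCOM' -ErrorAction SilentlyContinue).OfficeMgmtCOM
    $c2r    = (Get-ItemProperty -Path $c2rKey    -Name 'OfficeMgmtCOM' -ErrorAction SilentlyContinue).OfficeMgmtCOM

    # Enumerate COM+ applications, the same list dcomcnfg.exe displays
    $catalog = New-Object -ComObject 'COMAdmin.COMAdminCatalog'
    $apps    = $catalog.GetCollection('Applications')
    $apps.Populate()
    $comRegistered = [bool]($apps | Where-Object { $_.Name -eq 'OfficeC2RCom' })

    $svc = Get-Service -Name 'ClickToRunSvc' -ErrorAction SilentlyContinue

    # Any of the three signals means updates are still routed through ConfigMgr
    $managed = ($policy -eq 1) -or ("$c2r" -eq 'True') -or $comRegistered

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        PolicyOfficeMgmtCOM = $policy
        C2ROfficeMgmtCOM    = $c2r
        ComAppRegistered    = $comRegistered
        ClickToRunService   = if ($svc) { $svc.Status } else { 'NotInstalled' }
        UpdateSource        = if ($managed) { 'ConfigurationManager' } else { 'CDN (default)' }
    }
}

$state = Get-OfficeUpdateSourceState
$state | Format-List

# After the policy is disabled and the COM application is gone, the service must
# be restarted for the change to take effect (uncomment to apply).
# if (-not $state.ComAppRegistered) { Restart-Service -Name 'ClickToRunSvc' }
```

A device that still reports ConfigurationManager as its update source after the policy was disabled has not yet processed the change or has not had the service restarted.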
If you align with the recommendation to update from the CDN, Delivery Optimization (DO), a free cloud service built into Windows, should be enabled. The vast majority of customers I speak with have this disabled as upon initial release in 2015 with Windows 10, some experienced network disruption and/or reporting wasn't available. A lot has changed since then as there are a myriad of configuration options and you can now leverage Windows Update for Business reports. You'll need DO to also support other cloud services such as Windows Update for Business.
Where can I obtain information about typical monthly software updates in terms of size from CDN to alleviate network teams' concerns?
Where can I find the feature differences between Microsoft 365 Apps and Microsoft 365 Apps for the web to better assess use cases like frontline workers?
What tool can be used to automate the uninstall of any Office version?
Use the enterprise download from Office uninstall with Microsoft Support and Recovery Assistant.
Example to silently remove Office 2016:
SaRAcmd.exe -S OfficeScrubScenario -AcceptEula -OfficeVersion 2016
OfficeVersion – Specify this switch to remove the Office version that's defined in the
Once devices are moved to Microsoft 365 Apps, what tools or processes are available to fully automate maintenance of the product and lower its cost of ownership?
Client must be on Monthly Enterprise Channel to use Servicing Profiles.
Microsoft's strong recommendation is to use the CDN to update Office (default behavior), but reasons exist which prohibit this option in my environment. What should I do?
Use Configuration Manager Automatic Deployment Rules (ADR) with Microsoft 365 Apps to automate the download and deployment of software updates. Please see Microsoft 365 Apps: Enhancement for Configuration Manager ADRs – Microsoft Community Hub.
In closing, I'm going to collect feedback through continual customer discussions to refine and improve the guidance above.