Getting Office 2019 updates from internet through a tight outbound firewall

Matt Weatherford 6 Reputation points
2020-08-27T01:16:06.363+00:00

We have a "very secure" subnet with machines hosting restricted data.
We are using Windows Server 2019
By default, all outbound traffic to the internet is blocked. We have a WSUS server that traffic is allowed to.

We are trying to develop an "allow list" for these machines to get updates for Microsoft Office 2019
It seems that WSUS can not provide those updates - Office 2019 seems to have a different update mechanism (If I am mistaken, please lmk)

BTW: This was dead simple to do for all the OS and SW apps we use on the linux boxes that very clearly outline what repositories they talk to.

Has anyone got a working "allow" FW rule that lets MS Office 2019 get its updates from Microsoft's site without opening up outbound IP traffic to the universe?

Thanks in advance,
Matt

Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
12,519 questions
Office Management
Office Management
Office: A suite of Microsoft productivity software that supports common business tasks, including word processing, email, presentations, and data management and analysis.Management: The act or process of organizing, handling, directing or controlling something.
2,058 questions

4 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Daisy Zhou 20,791 Reputation points Microsoft Vendor
    2020-08-27T09:56:47.823+00:00

    Hello @Matt Weatherford ,

    Thank you for posting here.

    We can refer to the following two methods.

    Method 1

    1.On the WSUS server, just add this product and related update categories.
    20867-office.png

    2.Then, the WSUS server needs to connect to the network, so the sites must be accessed by the running WSUS server to get updates. The sites on this list cannot be blocked by firewalls or networks, otherwise the updated metadata and files will not be available.
    3.For the list of URLs we can see the part of "Connection from the WSUS server to the Internet" in the following link.

    Step 2: Configure WSUS
    https://video2.skills-academy.com/en-us/windows-server/administration/windows-server-update-services/deploy/2-configure-wsus#211-connection-from-the-wsus-server-to-the-internet

    Method 2
    We can find a computer that can connect to the Internet, download the office update first, and then distribute the downloaded office update to other clients.

    20833-offic.png

    For more information, we can refer to the link below.

    Update Office 2019 (for IT Pros)
    https://video2.skills-academy.com/en-us/deployoffice/office2019/update#configure-where-office-2019-gets-updates-from

    Hope the information above is helpful.

    Best Regards,
    Daisy Zhou

    1 person found this answer helpful.
    0 comments
  2. Carl Fan 6,836 Reputation points
    2020-08-27T10:13:40.643+00:00

    Hi Matt,
    Yes, Office 2019 will not get updates via Windows Updates. We no longer can deploy updates for new Office 2019 versions using WSUS. Always it could be controlled by SCCM tool.
    Office 2019 uses click-to-run installation technology. It handles updates differently than Windows Installer (MSI)
    When there are updates for Office 2019, Microsoft releases a new build of Office 2019 on the Office Content Delivery Network (CDN) on the Internet. This new build includes all the latest security and quality updates.
    Configure where Office 2019 gets updates from
    https://video2.skills-academy.com/en-us/deployoffice/office2019/update
    Please remember to accept the answer if they help.
    Best Regards,
    Carl

    1 person found this answer helpful.
    0 comments
  3. Matt Weatherford 6 Reputation points
    2020-09-03T00:21:43.787+00:00

    Dear @Carl Fan and @Daisy Zhou

    Thank you both for answering. But now I am more confused, because IIUC, you gave contradictory responses - who is correct?

    Matt

    0 comments
  4. Daisy Zhou 20,791 Reputation points Microsoft Vendor
    2020-09-04T03:42:18.05+00:00

    Hello @Matt Weatherford ,

    Thank you for your update.

    I am sorry for my mistakes, according to my further research and search, I also discussed with WSUS and SCCM professional engineers. We found 2019 and Microsoft 365 use c2r (click to run) technology, updates for 2019 and Microsoft 365 cannot be deployed with wsus. C2r is a technology for installation and upgrade, it is not a one-time installation of complete software, but it will install a little bit of function based on the customer's needs and requirements, so it is called "click to run".

    But you can use SCCM to deploy office 2019 updates.

    And for an "allow list" for these machines to get updates for Microsoft Office 2019, the link beolw might be helpful (the part of Microsoft 365 Common and Office Online).

    Office 365 URLs and IP address ranges
    https://video2.skills-academy.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments