Overview:
Ivanti Patch and Compliance now provides support for Office 365 versions 2013 and 2016. Patch and Compliance administrators can now scan, detect, and remediate client devices that have Office 365 installed. For Office 365 version 2013, Ivanti leverages the Microsoft Office Deployment Tool to perform the remediation tasks for updating Office 2013 installations. For Office 365 version 2016, Ivanti has developed an Office Com API to perform remediation tasks for updating Office 2016 installations. Ivanti provides a utility (Office365Util.exe) for you to use to download the Office installation data and to check the hash for Office 2016 installation data. When the Office patches are downloaded, Ivanti Endpoint Manager will check the hash on the pertinent files to ensure validity.
High Level Process
- The Ivanti administrator downloads Office 365 definitions from the Ivanti global servers.
- Once the Office 365 definitions are downloaded to the core, the Ivanti administrator can scan for those Office 365 vulnerabilities.
- In order to remediate (apply latest patches) detected vulnerabilities, Ivanti administrator have to manually run, on the core machine, a new tool provided by Ivanti (Office365Util.exe). Using this tool, the Ivanti administrator can choose the Office 365 versions that are relevant to the environment. The Ivanti Office 365 utility will download the patch binaries and the Microsoft Office deployment tool from the Microsoft cloud.
- Once the patch binaries are downloaded to the core, the Ivanti administrator can apply the patches to all vulnerable endpoints using the standard method of applying patches.
Step 1: Download Content
Customers download the Office 365 vulnerability definitions, the O365Util.dll, and the Office365Util.exe from the Ivanti Global Host Content Server by downloading the latest Microsoft Windows Vulnerabilities.
| Download Updates (Microsoft Windows Vulnerabilities) | Updating Definitions (Office365Util.exe/O365Util.dll) |
|---|---|
 |  |
| Updating Definitions (MSO365)MSOFFICE 365 (Vul_Defs) | MSO365 (Vul_Defs) |
|---|---|
 |  |
Step 2: Launch Office365Util.exe
Upon successful content download, an Office365Utility folder is created under the LDLogon share and will contain the Office365Util.exe file provided by Ivanti.
\\Core_Server\LDLogon\Office365Utility
This utility will allow you to select the specifics regarding the Office 365 product you are patching. Launch this utility directly from C:\Program Files\LANDesk\ManagementSuite\ldlogon\Office365Utility\ by double-clicking on Office365Utility.exe
(do not try to run it via the network share \\Core_Server\LDLogon\Office365Utility or \\localhost\LDlogon\Office365Utility as you will get an error).
Step 3: Select Options from Office365Util
The view provided below displays the available options inside of the Office365Util application (Ivanti Office 365 Utility for Patch and Compliance):
| Platforms | Deployment Tools |
|---|---|
 |  |
| Channels | Office 365 (2013) Product List View |
|---|---|
 |  |
In order to successfully patch Office 365, select which Office 365 patch product updates to download in order to support client remediation. After selecting the desired product updates from the Ivanti Office 365 Utility for Patch and Compliance application, click START.
Office 365 Tool
The START action will do (2) things:
- Create an Office365Tool folder under the LDLogon share and process the Microsoft setup.exe file
\\Core_Server\LDLogon\Office365Tool
The contents of this folder will contain the Deployment Tool Type (2016 or 2013) selected during the download and all relative installation data applicable to the options selected in the Ivanti Office 365 Utility for Patch and Compliance
application. The display below will outline the contents of both Deployments Tools (2016 and 2013).
If you have both 2016 and 2013 products in need of patching, the download has to be completed separately.
| Office365Tool | Deployment Tool Options |
|---|---|
 |  |
| 2016 Content | 2013 Content |
|---|---|
 |  |
2. Create an Office365 folder under the LDLogon\Patch share that contains the patch files(s):
\\Core_Server\LDLogon\Patch\Office365
Patch Location
Updated Office 365 patching is not designed to take advantage of our download technology. The client device will NOT download o365 patch files from a preferred server or peer device. The files will be retrieved from the default or non-default patch location.
Non-Default Patch Location
This section is only applicable to those who have changed the default download location for patches. After downloading the Office 365 patch updates and installation data with the Ivanti Office 365 tool, the following SOURCE will be in the vulnerability definition:
Office 365 (2016)
httpSourcesURL="Core_Server/LDLogon/Patch/Office365/DeploymentToolType/Channel/Architecture"
Ex: httpSourcesURL=http://2016E/ldlogon/patch/office365/2016/current/x64
Office 365 (2013)
httpSourcesURL=http://Core_Server/LDLogon/Patch/Office365/DeploymentToolType
Ex: httpSourcesURL= http://2016E/ldlogon/patch/office365/2013
In order for the Patch Install Commands in the vulnerability definition to interpret the correct patch location, the Custom Variable will have to be set in every MSO365 vulnerability definition.
To do this open the properties on the definition and select the Custom Variables tab. By default the value specified will resolve to the default patch location.
You will need to explicitly set the value to reflect the location your patches reside.
The Patch Install Commands section of the definition utilizes a script that resolves the Custom Variable.
References
How to change the default Patch Location for Security and Patch Manager