This is an updated version of an older article, which is referenced here: https://msandbu.org/office365-and-rds-done-right-with-citrix-and-fslogix/ A lot has changed since I first wrote that article back in 2015 and updated it in 2016, so I decided to rewrite it to make it a bit clearer and give a bit more advice in each section.
The article focuses on deploying Office 365 ProPlus in a VDI/RDSH environment, but it also applies to regular Windows endpoints.
Important URLs to take note of:
ADMX Templates for Office 365 ProPlus: https://www.microsoft.com/en-us/download/details.aspx?id=49030
Deployment toolkit for Office 365: https://www.microsoft.com/en-us/download/details.aspx?id=49117 (which now supports Office 2019)
XML Online Configurator: https://config.office.com/
- Common best-practices and guidelines
- Identity Federation and sync
- Licensing and Roaming
- Deployment and managing updates
- Vendors and Office 365 Optimization
- Skype for Business
- Group Policy
- Troubleshooting and general tips for tuning
- Remote display protocols and when to use which
- Server 2019 and Office 365
- Office 2019 / Office ProPlus
Common best-practices and guidelines
Common best practice is to keep the applications and the data as close together as possible to get the best end-user experience and performance. This is not the case with Office 365, where the data is stored in Microsoft’s own datacentres while the applications are installed on end-user devices that connect to these services from far away. The different services are served from different datacenters, and Skype for Business, Outlook and OneDrive each connect to multiple endpoints to use them.
When using Office 365, your data is placed in a region depending on where you set up your first subscription (you can see where your data will be stored here –> https://products.office.com/en-us/where-is-your-data-located?geo=Europe#Europe). The distance between your end-users running the Office applications and the Office 365 services is important; if it is too far, it will affect the end-user experience. Office 365 also has a Multi-Geo service which allows you to store data closer to your users if they are in another geographic region. This service is available for OneDrive and Exchange (it requires a minimum of 500 users); you can read more about it here –> https://docs.microsoft.com/en-us/office365/enterprise/office-365-multi-geo You can also read more about supported regions here –> https://docs.microsoft.com/en-us/office365/enterprise/multi-geo-capabilities-in-onedrive-and-sharepoint-online-in-office-365
NOTE: Deploying a VDI/RDSH solution in Azure has also shown to improve the performance on Office 365 Applications such as load time and overall end-user experience since it provides lower latency connectivity to Office 365 endpoints.
When setting up access to Office 365, your security policies might require firewall openings for the different Office 365 services, which is a pretty long list. The list of Office 365 URLs and IP address ranges can be found here –> https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges
It is important to have a stable internet connection and not to have any “blockers” or inspection of the outgoing traffic, because there are many things that can block Office 365 traffic.
Also, if you have a limited number of public IP addresses, make sure you have enough for the outbound TCP connections to Office 365; see the NAT limitations with Office 365 here –> https://docs.microsoft.com/en-us/office365/enterprise/nat-support-with-office-365
Ensure that you check the outbound connection speed and validate that you have low-latency connections to the Office 365 endpoints. A simple checklist:
- Check ICMP: ping outlook.office365.com and ensure that you get a low response time.
- Check TCP connection with PowerShell: Test-NetConnection -ComputerName "outlook.office365.com" -Port 443 and ensure that you have low latency here.
- Check DNS: If your DNS server is hosted in another region, your endpoint might be routed to another Office 365 datacenter, so ensure that DNS servers are located in the same region as your clients. Also ensure that DNS requests do not take long to process. Try nslookup outlook.office365.com and ensure that the response is part of your geographic region; this can be verified using https://www.iplocation.net/
- Bypass outbound proxy servers: Microsoft recommends not using proxy servers for Office 365 traffic (https://docs.microsoft.com/en-us/office365/enterprise/office-365-networking-overview)
- Split tunnel VPN solutions to bypass Office 365: a VPN with forced tunneling that sends all Office 365 traffic through the VPN will also slow down performance, since it adds IP fragmentation.
- Other TCP optimizations: https://blogs.technet.microsoft.com/onthewire/2014/06/18/top-10-tips-for-optimising-troubleshooting-your-office-365-network-connectivity/
- Configure AppQoE, if possible, on the wireless and outbound connections so that Office 365 traffic is prioritized.
- SD-WAN if required: If you have limited connectivity, or a combination of multiple ISPs and connectivity types such as MPLS together with regular internet connectivity, you should look into SD-WAN to ensure optimal performance. For instance, some vendors have integrated with the Office 365 REST API, a web service that catalogs and returns up-to-date information about all Office 365 front-door service endpoints. Microsoft has organized the Office 365 service endpoints into three categories: Optimize, Allow and Default. Endpoints in the Optimize category are the most sensitive to network performance, latency and availability. This allows SD-WAN vendors to optimize the traffic path to the different Office 365 services.
- Do I need ExpressRoute? https://blogs.technet.microsoft.com/fasttracktips/2018/10/08/is-expressroute-for-me/
- Are all browsers the same? No. Many changes have been implemented server side (and more will be implemented going forward), such as TLS 1.3 (not yet implemented on Office 365), which reduces the milliseconds it takes to establish a TLS handshake, and likewise TCP Fast Open, which was only supported on certain browsers when it was available service side. Browsers also behave differently when it comes to page rendering and support for new standards, so it is important to look at the system requirements (https://support.office.com/en-us/article/which-browsers-work-with-office-online-ad1303e0-a318-47aa-b409-d3a5eb44e452)
- SACK and TCP MSS: SACK (selective acknowledgement, together with DSACK and FACK) makes it easier to resume a TCP stream in the event of packet loss, since only the segments that were actually lost need to be retransmitted rather than everything after them.
TCP MSS, the maximum segment size, is a parameter in the options field of the TCP header that specifies the largest amount of data, in bytes, that a computer or communications device can receive in a single TCP segment. The two pictures below show the difference between a computer that does not have SACK and has a lower TCP MSS, and one that has the maximum MSS and SACK enabled.
So how can I check this from my computer? The simplest way is to use Wireshark or Message Analyzer: open a TCP session and look for the following.
- TCP Sack (Should be enabled)
- MSS Value (Should be 1460)
- Window Scaling (Should be enabled)
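The checklist above can be run from one PowerShell function. This is an added example written for this article, not code from the original post or from Microsoft; it assumes Windows PowerShell 5.1 or PowerShell 7 with outbound internet access, and it uses 70 ms, the upper end of the latency range quoted below, as the warning threshold.

```powershell
# Added example: DNS, ICMP, TCP and TLS timing to an Office 365 endpoint.
function Test-O365Endpoint {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [int]$LatencyWarnMs = 70   # upper end of the 50-70 ms range in the article
    )
    $r   = [ordered]@{ HostName = $HostName }
    $sw  = [System.Diagnostics.Stopwatch]::new()
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        # 1. DNS: time the lookup and keep the answer so the address can be checked
        #    against your own region (e.g. with iplocation.net as the article suggests).
        $sw.Restart()
        $addresses = [System.Net.Dns]::GetHostAddresses($HostName)
        $sw.Stop()
        $r.DnsMs      = $sw.ElapsedMilliseconds
        $r.ResolvedTo = ($addresses | ForEach-Object { $_.ToString() }) -join ', '

        # 2. ICMP: one echo request; -1 means filtered or timed out, so treat it as
        #    informational and rely on the TCP figure below.
        $reply    = (New-Object System.Net.NetworkInformation.Ping).Send($HostName, 2000)
        $r.IcmpMs = if ($reply.Status -eq 'Success') { $reply.RoundtripTime } else { -1 }

        # 3. TCP: time the three-way handshake to the HTTPS port (what
        #    Test-NetConnection -Port 443 checks, but with the connect time measured).
        $sw.Restart()
        $tcp.Connect($HostName, $Port)
        $sw.Stop()
        $r.TcpConnectMs = $sw.ElapsedMilliseconds

        # 4. TLS: time the handshake. SslStream validates the server certificate chain
        #    by default, so a TLS-inspecting proxy in the path shows up here as a
        #    validation failure or an unexpected issuer.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $sw.Restart()
        $ssl.AuthenticateAsClient($HostName)
        $sw.Stop()
        $r.TlsHandshakeMs   = $sw.ElapsedMilliseconds
        $r.TlsProtocol      = $ssl.SslProtocol.ToString()
        $r.ServerCertIssuer = $ssl.RemoteCertificate.Issuer
        $ssl.Dispose()
    } catch {
        $r.TcpConnectMs = -1
        $r.Error        = $_.Exception.Message
    } finally {
        $tcp.Dispose()
    }

    # Verdict: TCP must connect, and DNS and connect time must stay within the threshold.
    # SACK, MSS (1460) and window scaling are not visible from .NET; verify those in a
    # Wireshark capture of this connection as described above.
    $r.Ok = ($r.TcpConnectMs -ge 0) -and
            ($r.TcpConnectMs -le $LatencyWarnMs) -and
            ($r.DnsMs        -le $LatencyWarnMs)
    [pscustomobject]$r
}

# The endpoint the article tests; add further hosts from the Office 365 URL/IP list.
'outlook.office365.com' | ForEach-Object { Test-O365Endpoint -HostName $_ } | Format-List
```

Run it from a client in each region (and from inside a VDI session) and compare the ResolvedTo and ServerCertIssuer fields as well as the timings.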
Some network and bandwidth tips for Office 365:
Average latency to Office 365 endpoints is 50 to 70 ms, depending on the distance to the endpoints.
- 2000 «heavy» users using Online mode in Outlook: about 20 Mbps at peak
- 2000 «heavy» users using Cached mode in Outlook: about 10 Mbps at peak
- 2000 «heavy» users using audio calls in Skype/Teams: about 110 Mbps at peak
- 2000 «heavy» users working in Office over RDP: about 180 Mbps at peak (with UDP traffic through the RDP protocol)
NOTE: Securing traffic and activity to Office 365 requires more than traditional security products such as proxies and firewalls. Take a closer look at CASB solutions which have direct API integrations with Office 365 to provide security (such as Microsoft Cloud App Security).
Identity Federation and sync
An important part of any Office 365 deployment is setting up identity and access. This can be done either using federated access or using newer mechanisms such as pass-through authentication; if you have a cloud-only approach with Azure AD joined devices you might not need this at all. Note that both provide an SSO mechanism to Office 365.
NOTE: None of the scenarios below are supported with Azure AD Domain Services.
Password hash synchronization (PHS) – Password Hash Sync enables users to use the same username and password that they use on-premises without having to deploy any additional infrastructure besides Azure AD Connect.
Pass-through authentication (PTA) – This option is similar to password hash sync, but provides simple password validation using on-premises software agents, for organizations with strong security and compliance policies. Azure AD uses these agents as connectors to the on-premises Active Directory, which means that all authentication and validation of user credentials happens on-premises. NOTE: Pass-through authentication does not automatically fail over to password hash synchronization, so to ensure high availability you should configure pass-through authentication with multiple connectors.
Federated authentication – When you choose this authentication method Azure AD will hand off the authentication process to a separate trusted authentication system, such as AD FS to validate the user’s sign-in. This means that all authentication and validation of user-credentials happens on-premises.
NOTE: All of these methods now support SSO and automatic activation of Office 365 using the Seamless SSO feature. For this feature to work, you need Office client versions 16.0.8730.xxxx and above. No GPO for automatic activation needs to be set for this feature to work. You can read more about how it works here –> https://docs.microsoft.com/nb-no/azure/active-directory/hybrid/how-to-connect-sso-how-it-works#how-does-sign-in-on-a-native-client-with-seamless-sso-work
NOTE: If you want to make use of newer functionality in Azure Active Directory, such as passwordless login, you need to use Azure AD. You can see how it works here –> https://msandbu.org/setting-up-passwordless-phone-sign-in-with-azure-ad/
Licensing and roaming
Setting up licensing so that users in Office 365 automatically get an Office license can be done using group-based licensing in Azure Active Directory (https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-licensing-whatis-azure-portal); this can automatically give cloud users or synced users an Office 365 license.
It should also be noted that when deploying the Office 365 ProPlus client applications in a shared computer environment such as RDSH, you need to use Shared Computer Licensing, which is only part of E3 or upwards. This creates a user-specific license token which is stored in the %localappdata%\microsoft\office\16.0 folder, which does not work well in a non-persistent environment. However, starting with version 1704 of Office 365 ProPlus you can configure roaming of the license token using Group Policy, which you can read more about configuring here –> https://msandbu.org/shared-computer-support-office365-and-citrix-with-ad-pta/ Configuring Shared Computer Licensing is part of the deployment in an RDSH environment and is specified in the configuration.xml file as part of the deployment or using Group Policy.
NOTE: Office 2016 using volume licensing does not require shared computer activation; there you can use either a MAK or KMS license downloaded from the volume licensing center.
Deployment and managing updates
Deployment of Office 365 ProPlus is done using the deployment toolkit (link at the start of the blog post). It is essentially a setup.exe file which is used with a configuration file to install Office ProPlus.
The deployment tool has three switches that we can use:
setup.exe /download configuration.xml
setup.exe /configure configuration.xml
setup.exe /packager configuration.xml
NOTE: Using /packager creates an App-V package of Office 365 Click-to-Run and requires a clean VM, as when sequencing with App-V; the package can then be distributed using existing App-V infrastructure or other tools. Remember to enable scripting on the App-V client, and do not alter the package using the sequencing tool, as this is not supported.
The /download switch downloads the Office package based on the configuration file, where we can specify edition, version, which Office applications to include, update path and so on. The configuration XML can look like this:
<Add OfficeClientEdition="64" Channel="Monthly">
NOTE: A configuration file with all the different parameters can be made using the XML Online Configurator: https://config.office.com/, but to install Office 365 ProPlus in a shared environment we need to activate shared computer licensing, which requires this in the configuration file:
<Property Name="SharedComputerLicensing" Value="1"/>
NOTE: You can also enable it through the registry, by setting the SharedComputerLicensing value to 1 under HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration.
If this config file is used together with setup.exe /configure, the client will download the Office 365 ProPlus packages from the Microsoft CDN and install them, using the Monthly update channel. If you have a large environment, I recommend having one configuration file to download Office 365 to a local software repository using the setup.exe /download switch, and then a second configuration file to install Office 365 from that repository, using the DownloadPath setting in the XML file so that all clients get the source from a local network path:
<Add OfficeClientEdition="64" Channel="Monthly" DownloadPath="\\fileshare\office">
Also when it comes to updates, Microsoft has three update models.
- Monthly Channel
- Semi-Annual Channel (Targeted)
- Semi-Annual Channel
NOTE: I do not recommend using the Monthly Channel; there have been a lot of changes that break features in Office. I recommend setting up a pilot group on Semi-Annual Channel (Targeted) and the rest on Semi-Annual Channel. Regardless of setup, all versions of Office get security updates.
Also, take note of which version Office is currently on; you can get a list of version names and release history here –> https://docs.microsoft.com/en-us/officeupdates/update-history-office365-proplus-by-date
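To tie the steps above together (one configuration file, populate a local share with /download, install on the hosts with /configure, Semi-Annual channels, shared computer licensing), here is an added example script written for this article; it is not code from the original post or from the Office Deployment Tool. It assumes setup.exe is in $OdtPath and that the share in $Share exists; it uses the ODT SourcePath attribute for the share, which the tool reads both as the download target and as the install source, and the channel values Broad (Semi-Annual Channel) and Targeted (Semi-Annual Channel (Targeted)).

```powershell
# Added example: write one ODT configuration.xml for RDSH and run setup.exe with it.
param(
    [ValidateSet('download', 'configure')]
    [string]$Mode = 'configure',     # 'download' once on the repository server, 'configure' on each host
    [ValidateSet('Broad', 'Targeted')]
    [string]$Channel = 'Broad',      # 'Targeted' for the pilot group, 'Broad' for everyone else
    [string]$OdtPath = 'C:\ODT',     # folder holding the ODT setup.exe (assumed)
    [string]$Share   = '\\fileshare\office'   # local repository, same share name as in the article
)

$config = Join-Path $OdtPath "configuration-$Channel.xml"
$xml = @"
<Configuration>
  <Add SourcePath="$Share" OfficeClientEdition="64" Channel="$Channel">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us" />
      <!-- The OneDrive sync client is not supported on non-persistent RDSH/VDI -->
      <ExcludeApp ID="Groove" />
      <ExcludeApp ID="OneDrive" />
    </Product>
  </Add>
  <!-- Required on RDSH: per-user activation tokens instead of per-device activation -->
  <Property Name="SharedComputerLicensing" Value="1" />
  <!-- Close running Office applications during install instead of failing -->
  <Property Name="FORCEAPPSHUTDOWN" Value="TRUE" />
  <Updates Enabled="TRUE" Channel="$Channel" />
  <Display Level="None" AcceptEULA="TRUE" />
  <Logging Level="Standard" Path="%temp%" />
</Configuration>
"@
Set-Content -Path $config -Value $xml -Encoding UTF8

$setup = Join-Path $OdtPath 'setup.exe'
if (-not (Test-Path $setup)) { throw "setup.exe not found in $OdtPath" }

# /download fills the share from the Microsoft CDN; /configure installs from the share.
& $setup "/$Mode" $config
if ($LASTEXITCODE -ne 0) { throw "setup.exe /$Mode failed with exit code $LASTEXITCODE" }
Write-Host "setup.exe /$Mode completed using $config"
```

Run it with -Mode download on one machine with internet access, then with -Mode configure in the RDSH master image; rerunning /download later refreshes the share to the current build of the chosen channel.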
Skype for Business
Running Skype for Business in a remote desktop session, whether through Microsoft, Citrix or VMware, you will run into issues if you are using video or audio through the remote session. The problem is that rendering is done on the remote server, and the SIP traffic and video traffic then have to be tunneled through a remote session protocol like RDP/HDX/Blast. This increases the load on the servers and the bandwidth, since the traffic needs to be sent twice: once to the server and then to the endpoint.
Citrix and VMware have created solutions to optimize this experience by passing the actual SIP audio/video traffic down to the endpoint itself, while all other traffic, such as SIP signaling and authentication, stays inside the session.
Links to both vendors’ documentation (NOTE: both solutions support Office 365 together with Office 365 ProPlus C2R):
Citrix and HDX Optimization Pack: https://docs.citrix.com/en-us/hdx-optimization/current-release.html
VMware and Horizon Virtualization Pack for Skype for Business: https://www.vmware.com/products/horizon/skype-for-business.html
It should also be noted that more and more functionality is now moving over to Microsoft Teams, and neither vendor has yet created an optimization pack that provides the same functionality for Microsoft Teams. You can read more about running Teams in a VDI session here –> https://docs.microsoft.com/en-us/microsoftteams/virtual-environment-teams
From a protocol perspective, if you are unable to use either of the optimization packs, use UDP for audio and video traffic. This is enabled by default for RDP (if you open the UDP ports), for Citrix with EDT, and for VMware Blast and PCoIP.
If you plan to deliver Citrix from within Azure you need to configure the following to have EDT work properly –> https://msandbu.org/connection-interrupted-running-citrix-with-edt-in-azure/
Outlook in a VDI or non-persistent environment comes with challenges, specifically around the use of OST files and the search index, which breaks with each reboot of a non-persistent VDI. Microsoft recommends that with Office 365 you use Cached Mode in Outlook, so that data for the last months is stored locally to enhance the user experience.
Data and OST files can be stored on network-based storage if there is adequate bandwidth, low latency and high performance to the drive. These settings can be defined using Group Policy with the Office 365 ADMX files, together with Cached Mode:
User Configuration –> Administrative Templates –> Microsoft Outlook 2016 –> Account Settings –> Exchange –> Cached Exchange Modes
- Cached Exchange Mode (File | Cached Exchange Mode)
- Cached Exchange Mode Sync Settings (3 months)
Then specify the location of the OST files, which of course is somewhere else:
User Configuration –> Administrative Templates –> Microsoft Outlook 2016 –> Miscellaneous –> PST Settings
- Default location for OST files (change this to a network share)
Moving OST files to a network share will still leave issues with roaming the search index, which will not work properly. There are, however, third-party providers such as FSLogix and Liquidware which can be used to solve Outlook OST and search roaming; you can read more details about it here –> https://wilkyit.com/2018/01/19/office-365-in-non-persistent-environment-product-comparison-matrix/ also that Citrix and VMware also have now
Setting up Outlook using Intune and ADMX Backed Policies using Microsoft Intune: http://bit.ly/2Stk4v7
Also ensure that Outlook from
OneDrive for Business with full file sync is not officially supported for non-persistent VDI and RDS deployments. That means that the OneDrive desktop app does not support client sessions hosted on Remote Desktop Services (RDS) or non-persistent Virtual Desktop Infrastructure (VDI); persistent VDI is supported, however.
For the OneDrive desktop app to work as designed, the following requirements must be met:
- The application must be installed on the local computer.
- The user must be able to write to the user profile.
- Data written to the user profile must be saved to the local hard disk and be available without a network connection.
OneDrive Files On-Demand is only supported on Windows 10 Fall Creators Update and later versions. This feature can be enabled using the built-in Windows 10 Group Policy. With Files On-Demand, you can access all your files in the cloud without having to download all of them and use storage space on your system. All your OneDrive online files can be seen in File Explorer and work just like every other file on your system. You will be able to open online-only files from within any desktop or Windows Store app using the Windows file picker. This feature covers both OneDrive for Business and your SharePoint Online team sites (NOTE: it is enabled by default).
You can also enforce it using an OMA-URI setting through Intune (Description: Enable OneDrive Files On-Demand; Data type: String).
In terms of Group Policy, much can be configured using the built-in ADMX files that come with the download package, such as handling updates and other tuning. Some recommendations from my side:
NOTE: All of these settings can also be defined in the configuration.xml file instead of Group Policy. Any Group Policy setting will override the setting configured by the Office Deployment Tool.
- User Configuration –> Administrative Templates –> Microsoft Office 2016 –> Miscellaneous
  - Do not use hardware graphics acceleration
  - Disable Office animations
  - Disable Office backgrounds
  - Disable the Office start screen
  - Suppress the recommended settings dialog
- User Configuration –> Administrative Templates –> Microsoft Office 2016 –> Global Options –> Customize
  - Menu animations (disabled!)
- User Configuration –> Administrative Templates –> Microsoft Office 2016 –> First Run
  - Disable First Run Movie
  - Disable Office First Run Movie on application boot
- User Configuration –> Administrative Templates –> Microsoft Office 2016 –> Subscription Activation
  - Automatically activate Office with federated organization credentials (if using federation)
NOTE: None of these policies can be deployed using OMA-URI as part of Intune MDM, only when configured using ADMX-backed policies.
Troubleshooting and general tips for tuning
Remote display protocols
When running Office 365 ProPlus in a virtualized environment you should always focus on providing the best end-user experience. Office 365 ProPlus is quite fond of using GPU hardware, so to give a better user experience you should always make sure you have:
- Enough bandwidth for the user connection
- High-end user policies
- GPU-backed sessions using vGPU or other GPU-based options
- More coming soon….
Intune also supports deployment of Office 365 ProPlus as a native option in the Intune portal. The Intune deployment only supports some pre-configured settings, and we cannot define our own configuration.xml file. The following is supported through Intune deployment:
- Office version: Choose whether you want to assign the 32-bit or 64-bit version of Office. You can install the 32-bit version on both 32-bit and 64-bit devices, but you can install the 64-bit version on 64-bit devices only.
- Update Channel: Choose how Office is updated on devices
- Remove MSI from end-user devices: Choose whether you want to remove pre-existing Office .MSI apps from end-user devices. The installation won’t succeed if there are pre-existing .MSI apps on the end-user device.
- Use shared computer activation
In the meantime, you can however use ADMX-backed policies to deploy the custom Office 365 ADMX files directly, using the setup described here –> https://blogs.technet.microsoft.com/ukplatforms/2018/05/30/google-chrome-gpo-via-intune/
You can also read more about it here –> http://bit.ly/2Stk4v7
Server 2019 and Office 365
Effective January 14, 2020, Office 365 ProPlus will no longer be supported on a number of older Windows versions (the full list is in the source linked below). This is meant to ensure that both Office and Windows receive regular, coordinated updates to provide the most secure environment with the latest capabilities. The exceptions are:
- Office 365 ProPlus will continue to be supported on Windows 8.1 through January 2023, which is the end of support date for Windows 8.1.
- Office 365 ProPlus will also continue to be supported on Windows Server 2016 until October 2025.
- Source: https://support.microsoft.com/en-us/help/4462769
As it is now, Office 365 ProPlus with shared computer support cannot be used on Windows Server 2019. Server 2019 only supports Office 2019 ProPlus, so if you want to use your existing licenses, stick with Windows Server 2016.
Office 2019 / Office ProPlus
With Office 2019, Microsoft announced that it will no longer be available as a standalone MSI package. This means that Office 2019 uses the same deployment method as Office 365 ProPlus, C2R (Click-to-Run); however, Office 2019 still uses MAK or KMS licensing and NOT shared computer licensing, where you define the PIDKEY in the configuration XML file during deployment. You can read more about it here –> https://docs.microsoft.com/en-us/deployoffice/office2019/deploy
Note you can also switch between Office 2019 and Office 365 ProPlus using Group Policy –> https://getadmx.com/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_VLtoSubscription
Windows Virtual Desktop and Office 365 ProPlus
As part of Windows Virtual Desktop, end-users will be given access to Office 365 ProPlus as part of the image when provisioning the VDI instances. Windows Virtual Desktop is a multi-user Windows 10 VDI service running in Microsoft Azure. The service is free for customers who have M365 E3/E5/F1/B subscriptions (NOTE: you will still need to pay for the compute capacity of the VDI instances themselves). You can read more about the service here –> https://msandbu.org/windows-virtual-desktop-what-is-it-actually-and-limitations/
Citrix and Office 365 –> https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/deployment-guide-office-365-for-xenapp-and-xendesktop.pdf
VMware and Office 365 –> https://techzone.vmware.com/resource/best-practices-delivering-microsoft-office-365-vmware-horizon-7
FSLogix and Office 365 Profile Container –> https://www.fslogix.com/products/office-365-container