M100600: Patching Microsoft Office


This article includes background information and recommendations for patching Microsoft Office (including Microsoft Project and Microsoft Visio), using the ManageSoft Security Patch Management product. It also highlights known issues with patches applied to Office using ManageSoft Security Patch Management feature pack 7.1, and provides workarounds as appropriate.

Patching Microsoft Office (including Microsoft Project and Visio products)

ManageSoft Security Patch Management feature pack 7.1 uses the Microsoft Office Update Inventory Tool to perform security compliance checking of Office installations, and to apply patches. This knowledge base article contains recommendations and known issues relating to patching Microsoft Office.

Integration with the Office Update Inventory Tool

On Windows NT, Windows 2000, Windows XP, and Windows 2003 systems, version 2.0 of the Office Update Inventory Tool is executed on each managed device for security compliance checking. The files puids.cif and patchdata.xml are used by the tool. These files are downloaded from the Microsoft website to the warehouse, and deployed to each managed device through the Security Patch Settings package.

For Windows 95, Windows 98, and Windows ME systems, version 1.5 of the Office Update Inventory Tool is used, because version 2.0 does not run on these platforms. Rather than handling a single CIF file with information for all patches (puids.cif), version 1.5 requires lots of small CIF files – one per patch. Microsoft no longer updates the collection of small CIF files (the last update was September 3, 2003), and so ManageSoft automatically generates them from the single puids.cif file that Microsoft keeps up to date. The Security Patch Settings package contains the individual patch CIF files for Windows 95, 98, and Me. These files are not downloaded or installed on other systems.

The Baseline Security Analyzer package (version 1.2.3316.1) in the software library will automatically install the correct version of the Office Update Inventory Tool on each supported platform.

Packaging Microsoft Office patches

All Office patches downloaded from the Microsoft website are self-extracting executables. When run, these packages will invoke one of setup.exe, ohotfix.exe, or ohotfix9.exe to install the patch. For self-extracting patches that use ohotfix.exe for installation, there is no command line option that can be passed to prevent modal dialogs from being displayed during installation. The only way to prevent modal dialogs being displayed for these patches is to modify certain attributes in ohotfix.ini.

Because of this, for Office patch packaging, ManageSoft Security Patch Management extracts the self-extracting executable and packs it as individual files. It also modifies ohotfix.ini wherever it is being used for the patch installation. ManageSoft Security Patch Management also recognizes patches with setup.exe or ohotfix9.exe, and passes in the command-line options specified in the patch properties page.

If ohotfix.exe, setup.exe, or ohotfix9.exe cannot be found in the self-extracting package, ManageSoft Security Patch Management will pack the self-extracting executable unmodified, attaching the command line arguments specified in the patch properties page.
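The packaging decision described above, sketched as an added example; it is not ManageSoft's own code. The article does not name the ohotfix.ini attributes it changes, so the three keys used here (OHotfixUILevel, MsiUILevel, ShowSuccessDialog) are an assumption taken from Microsoft's documentation of ohotfix.ini, and the strategy names, the "needs-review" case and the sample file are constructed for the illustration.

```python
import os
import re

# Assumed keys: documented ohotfix.ini settings (q = quiet UI, 0 = no success
# dialog). The article does not say which attributes ManageSoft changes.
QUIET = {"OHotfixUILevel": "q", "MsiUILevel": "q", "ShowSuccessDialog": "0"}
WANTED = {k.lower(): k for k in QUIET}
INSTALLERS = ("ohotfix.exe", "ohotfix9.exe", "setup.exe")

# Constructed sample, not taken from a real patch.
SAMPLE_INI = ("[OHotfix]\r\n; UI settings\r\nShowSuccessDialog=1\r\n"
              "OHotfixUILevel=n\r\nMsiUILevel=n\r\nOHotfixLogLevel=v\r\n")


def quiet_ini_text(text):
    """Set the QUIET keys; keep every other line and the line endings intact."""
    out, changed = [], set()
    for line in text.splitlines(keepends=True):
        m = re.match(r"\s*(\w+)\s*=", line)      # comment lines (;) never match
        key = WANTED.get(m.group(1).lower()) if m else None
        if key:
            eol = line[len(line.rstrip("\r\n")):]
            line = f"{key}={QUIET[key]}{eol}"
            changed.add(key)
        out.append(line)
    return "".join(out), sorted(set(QUIET) - changed)


def plan_packaging(extracted_dir, cli_args):
    """Return (strategy, detail) for the three cases the article describes."""
    names = {n.lower(): n for n in os.listdir(extracted_dir)}
    exe = next((e for e in INSTALLERS if e in names), None)
    if exe is None:
        return "pack-unmodified", cli_args       # keep the self-extractor as is
    if exe != "ohotfix.exe":
        return "pack-files-with-args", f"{exe} {cli_args}"
    if "ohotfix.ini" not in names:
        return "needs-review", "ohotfix.exe present but ohotfix.ini missing"
    path = os.path.join(extracted_dir, names["ohotfix.ini"])
    # latin-1 round-trips every byte; newline="" preserves CRLF endings.
    with open(path, encoding="latin-1", newline="") as f:
        new_text, missing = quiet_ini_text(f.read())
    with open(path, "w", encoding="latin-1", newline="") as f:
        f.write(new_text)
    return "pack-files-quiet-ini", missing       # missing = QUIET keys not found


if __name__ == "__main__":
    print(quiet_ini_text(SAMPLE_INI))
```

A non-empty list of missing keys means the file did not contain a setting the rewrite expected, which is worth checking by hand before the package goes to test devices.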

As with all security patches, Office patches should be tested before deployment to production computers. Validation of the command line arguments, and checking coexistence of the patch with other software in your standard operating environment, are both strongly recommended before production rollout.

Patching Office installations

ManageSoft Security Patch Management, through the Office Update Inventory Tool, uses both binary and full-file patch strategies to update Office installations. This means that the patch is installed directly to an Office installation. To patch Office installations successfully using these strategies, the following requirements must be met:

Baseline Office image
A baseline image of Office source must be established. A baseline image serves as the source image for all managed devices, used both for first-time installations and for managed devices repairing existing installations of Office. The baseline images currently supported by Microsoft for Office patches are as follows:

For Office 2000:

      • Office 2000 (original release version)
      • Office 2000 (original release version) + Service Release 1-a
      • Office 2000 (original release version) + Service Pack 2
      • Office 2000 (original release version) + Service Pack 3

For Office XP:

      • Office XP (original release version)
      • Office XP (original release version) + Service Pack 1
      • Office XP (original release version) + Service Pack 2
      • Office XP (original release version) + Service Pack 3

Other than those listed above, baseline images that have other patch updates included are not supported. If your baseline image has been 'corrupted' by additional patches, you need to rebuild the baseline image to one of the above standards, and then re-cache and reinstall the baseline image to all managed devices. Otherwise, the structure of the Microsoft updates means that patch installation will fail.

Note: Baseline images that include Service Packs are created by applying the Service Packs administratively (admin install) into the original release version.

Access to baseline image
Due to the binary patch behaviour, managed devices must have access to the baseline image source in order to apply the patch successfully.

For more information see http://www.microsoft.com/office/ork/xp/journ/Cliupdt.htm

Office 2000 Service Pack 3 Issue

To completely install Office 2000 Service Pack 3 (any language), two executables, ohotfix.exe and outlctlx.exe, need to run. However, when automatically packaging Office 2000 Service Pack 3, ManageSoft Security Patch Management only specifies ohotfix.exe. To successfully apply Office 2000 Service Pack 3, the following steps need to be taken:

  1. Download Office_2000_SP3_Outlook_Security_Update.zip attached to this knowledge base article.
  2. Uncompress the above file into a suitable leaf directory. Note that the automatic import facility will upload the directory contents and those of all subdirectories into the software library, so you should ensure that the directory is initially empty with no unintended subdirectories.
  3. From the unzipped contents, import the ManageSoft project (.ndp) into the software library. All associated files in the same directory are also imported.
  4. Attach the above project file as a pre-requisite to Office Patch 2000 Service Pack 3.
  5. Pack and distribute both packages.

Office installation issues on Windows 9x

It is strongly recommended that Office patches are tested thoroughly in scenarios that match your production environment before rolling them out to Windows 9x devices. Some configurations of Windows 9x can cause Office patches to pop up dialogs, even if full quiet command line options are specified. Also, some patches need access to the original install media, depending on how Office was initially deployed to the systems. Because of the varying behaviour of Office patches on Windows 9x, it is imperative that the test environment accurately models all of your production machine configurations.

