When Microsoft performs an Exchange Risk Assessment Program (ExRAP) with a customer there are several work items related to patching. We discuss how the:
- Server hardware, firmware and drivers get updated
- Server OS gets updated
- Desktop OS gets updated
- AV gets updated
- Exchange Service Packs and Rollups get installed
Most customers have an appreciation for properly managing and maintaining the above, though they may be lagging on critical OS patches, for example. Having standardised server builds with known good drivers is a great foundation for any service.
What's Wrong With This Picture?
Hopefully you will have noted the omission of one critical aspect of the messaging environment, even though it's the thing that you spend a huge amount of your day in front of — Outlook. I really don't want to say how many ExRAPs have shown that customers are not properly managing their Outlook clients.
Let's not focus on the looming end of support for Outlook 2003, rather examine one of the other popular Outlook builds in detail – Outlook 2010.
Exhibit A is a classic example of an Outlook 2010 client that has had little love and attention. This client is in an unsupported state as Office 2010 RTM is no longer in support, and SP1 must be installed.
You may think, well, big deal, I don't want to call Microsoft support anytime soon. But tell me, how are you going to get security updates for a version of a product where security updates are no longer made by the vendor?
Additionally, fixes that are being developed will be coded against the currently supported builds of the product, so that means SP1 is a requirement to install a recent fix. This can be seen in the Outlook 2010 October 2012 update.
Exchange's Supported Outlook Versions
You will notice that a given version of Exchange will only support certain versions of Outlook. Take Exchange 2010 for example. Its system requirements page pledges support for Outlook 2003, 2007, 2010 and 2013. It will *NOT* support Outlook XP, Outlook 2000 and all prior versions that are now coffee mat coasters in your office.
Traditionally this has been part of the mind-set that has led to this challenge. Because Exchange 2010 simply states that "Outlook 2010" is supported and does not explicitly drive customers to update to a recent build, there has been some apathy in updating Outlook.
This is changing however!! You will note that Exchange 2013 has some hard requirements in supported Outlook builds, again documented on the system requirements page:
This is due to the fact that having an Outlook client that is up to date certainly does improve the user experience, in addition to hard technical requirements so that Outlook can understand the new Autodiscover XML response tags. While on this topic please ensure that you review KB 2839517 — Outlook is unable to connect to Exchange 2013 public folder or auto-mapped mailbox.
Update 9-6-2014: Please note the text at the Office 365 requirements page has changed. I've left the below in for reference purposes but as always follow the requirements that are documented in the service plan requirements.
The same is also true for Office 365. If you are an O365 customer please note the specified timelines.
What Do I Miss By Not Patching
The Office Update Center will quickly show us the latest builds for Outlook. Staying focussed on Outlook 2010 we can quickly locate the following:
For the differences between Cumulative Updates and Public Updates take a peek here.
Please note that I am not advocating slapping patches on, they will require the same level of diligence and change control as the updates that are installed onto Exchange.
And just to see all the work that is being done by the Outlook team, I'd encourage you to scroll down to the section that lists all of the released updates. Take a look at the fix list for a few updates and you will see how many issues have been put to bed!!
Another way to look at it would be to print each of the updates off, post them onto the helpdesk wall and tell the helpdesk not to troubleshoot any of these issues coming in as you do not have the fix in place….
I would assume that most of us will have a corporate-wide software deployment mechanism to deploy these updates, report on compliance and ensure the patch level is maintained. Smaller shops will need to ensure that Microsoft Update is used on a machine, as the standard Windows Update will not offer up patches for other Microsoft applications.
Update 14-4-2014: The discussion of Outlook patching again comes to mind due to a recent issue with Outlook 2013. This is discussed in KB 2863911: Outlook 2013 profile might not update after mailbox is moved to Exchange 2013.
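As an added example (not part of the original post), here is a PowerShell check that a deployment tool or logon script could run on a client to report the installed Outlook build against your approved baseline and whether the machine is opted in to Microsoft Update. The `$MinimumBuild` default is a placeholder to be replaced with the build you have approved, and the function names are illustrative.

```powershell
# Added example, not from the original post. Function names are illustrative.
param(
    # PLACEHOLDER baseline: pass the Outlook build your change control approved.
    [version]$MinimumBuild = '0.0.0.0'
)

function Get-OutlookBuild {
    # OUTLOOK.EXE registers its path under App Paths; also check the 32-bit view.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $exe = ([string](Get-ItemProperty -Path $key).'(default)').Trim('"')
        if ($exe -and (Test-Path $exe)) {
            # Build the version from numeric parts; FileVersion can carry extra text.
            $vi = (Get-Item $exe).VersionInfo
            return New-Object System.Version $vi.FileMajorPart, $vi.FileMinorPart,
                                             $vi.FileBuildPart, $vi.FilePrivatePart
        }
    }
    return $null   # Outlook not installed on this machine
}

function Test-MicrosoftUpdateOptIn {
    # Service ID of Microsoft Update in the Windows Update Agent API. Plain
    # Windows Update alone does not offer patches for Office applications.
    $muId = '7971f918-a847-4430-9279-4a52d1efe18d'
    $mgr  = New-Object -ComObject Microsoft.Update.ServiceManager
    [bool]($mgr.Services | Where-Object { $_.ServiceID -eq $muId })
}

$build = Get-OutlookBuild

# One object per machine, suitable for Export-Csv or a central collector.
[pscustomobject]@{
    Computer             = $env:COMPUTERNAME
    OutlookBuild         = $build
    MinimumBuild         = $MinimumBuild
    # $null means "not installed", so it is not counted as a failure.
    BuildCompliant       = if ($build) { $build -ge $MinimumBuild } else { $null }
    MicrosoftUpdateOptIn = Test-MicrosoftUpdateOptIn
}
```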
Extending Outlook Management
While we are on the topic of making sure that Outlook is being fully managed, please also make sure that the settings required by your organisation are being configured on Outlook. Outlook has provided extensive support for Group Policy and it is easy to configure the correct client settings via GPO. For reference the downloads are here:
One of the top support call generators when Exchange 2010 was first released was the change in RPC Client Access where the Exchange server required encryption to be enabled on the Outlook profile. Outlook 2003 does not select this option by default. If the Outlook client had been fully managed by GPO then this option could have been enabled and support issues minimised.
Just like many Exchange designs miss the CAS Namespace planning aspect, a lot also skip over making sure clients are at a good build level. Make sure Outlook is being fully managed and updated in your environment! Doing so will help mitigate issues and lead to improved user satisfaction with your messaging services. By proactively staying aligned with the support lifecycle you ensure that you are in a position to deploy a fix or security update with minimal additional work.
Please don't overlook Outlook! **
** Else you will make Ross's kitty sad. And we don't want that!!