Deploying Microsoft 365 Apps for Mac with Microsoft Endpoint Manager – A Deep Dive

Deploying Microsoft 365 Apps for Mac with Microsoft Endpoint Manager – A Deep Dive

This article is contributed. See the original author and article here.

By Neil Johnson – Principal Program Manager | Microsoft Endpoint Manager – Intune


Microsoft 365 for Mac, or Microsoft 365 apps for Mac as it’s now known, is a key part of any Microsoft 365 deployment. The Office team has been hard at work making our Mac story the best it possibly can be over the past few years.


The current version has been redesigned based on our Fluent UI which matches Apple’s new Big Sur UI. It makes native use of Apple Silicon processors for improved performance and battery life, but how do you get it deployed to your users?


This article covers all the options available, the advantages and disadvantages of each of them, and why you would choose one over the others. We wrap up with guidance over the scenarios each one might be best used for.


Microsoft 365 Apps for Mac deployment methods via Intune

There are three different mechanisms that we can use within Microsoft Intune to get Microsoft 365 Apps deployed to Macs. Each has its own advantages and disadvantages.


  1. Mac App Store via Volume Purchase Program (VPP)

  2. Microsoft Content Delivery Network

  3. Intune Scripting Agent for Mac

Let’s look at each of these in turn.


1. Deploying Microsoft 365 Apps for Mac via Volume Purchase Program (VPP)

Microsoft 365 for Mac is published to the Mac App Store, which means that end users can install it themselves if they have an Apple ID. Additionally, if you have an Apple Business Manager account, you can you use Intune to push apps from the Mac app store directly to your devices.


Microsoft 365 app suite in the macOS App StoreMicrosoft 365 app suite in the macOS App Store

Steps to deploy Office via Apple Volume Purchase Plan (VPP)

This method is dependent on having an Apple VPP token configured already. Before following these steps ensure that you’ve followed our documentation on this here.


Once you have an Apple Business Manager VPP token synchronised with Intune, you can use the following steps to license and assign Office Apps to your users.


  1. Open

  2. Click in the search menu box, change Type to “Mac” and search for “Microsoft”.

    Microsoft apps in the Apple Volume Purchase Plan (VPP) Apps and Books consoleMicrosoft apps in the Apple Volume Purchase Plan (VPP) Apps and Books console

  3. Select the Application that you want to assign licenses to.

  4. Assign the Application to your organization and enter in the number of licenses that you need. Since there’s no cost for these apps it makes sense to enter more licenses than you will need (within reason).

    Example screenshot of purchasing the Microsoft Word app with license countExample screenshot of purchasing the Microsoft Word app with license count

  5. Once you have entered the values, click Get. The Application will temporarily show as Processing.

    Example screenshot of the Microsoft Word app "Processing".Example screenshot of the Microsoft Word app “Processing”.

  6. After a few minutes it will update and show the number of licenses you have available.

    Example screenshot of available licenses for the Microsoft Word appExample screenshot of available licenses for the Microsoft Word app

  7. Repeat the process for the other applications that you intend to use.

  8. Open the Microsoft Endpoint Manager admin center and select Tenant Administration > Connectors and tokens > Apple VPP Tokens.

  9. Select the Token you want to sync and click Sync in the ellipsis menu.

    Available Apple VPP Tokens and Sync button location in the MEM admin centerAvailable Apple VPP Tokens and Sync button location in the MEM admin center

  10. Still in the Microsoft Endpoint Manager admin center open Apps > macOS and filter for unassigned apps then type “Microsoft” into the search bar.

    macOS apps and Filter location in the MEM admin centermacOS apps and Filter location in the MEM admin center

  11. Select each app that you wish to deploy and assign it to an Azure AD group.

  12. Select the Application > Properties > Assignments (right at the bottom) > Edit.

  13. Under “Required” select Add group and search for the right group in Azure AD.

  14. Configure the assignment settings and click OK.

    • Assignment Settings > Mode = Included

    • App settings > License type = Device Licensing

    • App settings > Uninstall on device removal = Yes

  15. Click “Review and Save”. After review click “Save” to complete the assignment.

  16. Repeat the assignment for the rest of the Office apps that you want to be deployed.

  17. To check the configuration, trigger an MDM sync on a user’s device that was assigned the applications. The apps should begin to download and install within a few minutes of the sync completing.

Advantages Disadvantages

  • It makes use of Apple’s content caching, which can greatly improve deployment efficiency (Note: Intune can also be used to configure your content caches)

  • It’s possible to deploy the individual apps.

  • Easy to configure if you already have Apple Business Manager.

  • You can configure the apps to uninstall on unenrollment.

  • You can send an uninstall command to remove unwanted apps.

  • Teams is not yet in the Mac App Store (could be deployed via scripting agent)

  • You cannot control which update channel to use.

  • When OneDrive is deployed via VPP it will have a different bundleID than if it was installed via a standalone installer.

    • VPP:


  • Updates via this approach can be unpredictable, especially if apps are permanently open.


If you require a relatively simple deployment of the Microsoft 365 App suite and have investments in both Apple Business Manager and Apple Content caching, then this mechanism of Microsoft 365 Apps for macOS deployment may be the most suitable.


2. Deploying Microsoft 365 Apps for Mac via the Microsoft Content Delivery Network

This mechanism is supported natively by Microsoft Intune. It is as simple as checking a box and providing a group of users to deploy it to. Those users will receive the entire Microsoft 365 Apps (which includes Teams and the Microsoft Auto update tool).


Steps to deploy Office via the Microsoft Content Delivery Network

  1. Open the Microsoft Endpoint Manager center  and select Apps > macOS > Add

  2. Under Select “App Type” choose Microsoft 365 Apps > macOS

    Selecting the Microsoft 365 Apps in the MEM admin centerSelecting the Microsoft 365 Apps in the MEM admin center

  3. Adjust the Suite description details as required and click Next to continue.

    Microsoft 365 Apps for macOS - App properties in the MEM admin centerMicrosoft 365 Apps for macOS – App properties in the MEM admin center

  4. Assign Scope Tags if you need them, click Next.

  5. Under Required click “Add group” and search for an appropriate group to target the Microsoft 365 Apps for Mac to.

    Microsoft 365 App Suite for macOS - Assignment properties in the MEM admin centerMicrosoft 365 App Suite for macOS – Assignment properties in the MEM admin center

  6. Click Next, review, and then click Create to assign the Microsoft 365 Apps to the Azure AD group.

  7. To check the configuration, trigger an MDM sync on a user’s device that was assigned the applications. The apps should begin to download and install within a few minutes of the sync completing.


Note: This process will install the entire Microsoft 365 Apps for macOS suite, including Teams. However, it is possible to control which apps are installed via plist. We have a sample plist for this on our GitHub repo here. The instructions for deploying a preference file can be found here.


Advantages Disadvantages

  • Easy to deploy.

  • Includes the Microsoft Autoupdate (MAU) tool which can be configured via plist to auto update and deploy insider builds of Office for testing to some users (covered later).

  • Possible to create a local MAU cache server for updates.

  • Large initial download size (1.8GB) and doesn’t use local caching.


If you don’t have Apple Business Manager or Apple Content caching and you need the entire suite, plus Teams, this is probably the easiest way to get Office 365 Business Pro for Mac installed.


3. Deploying Microsoft 365 Apps for Mac via the Intune Scripting Agent for Mac

This approach uses the Intune scripting agent to download and install the Office suite or individual apps. There are examples of this approach on our Intune Shell Samples GitHub Repo.


Our GitHub Repo has two main scripts that help in this circumstance.

  1. Deploy entire Office Suite

  2. Deploy individual Office Suite apps


These two scripts do the same thing. Once they are deployed onto the Mac, they attempt to download the installer package and then install it. The main benefit here is that you get additional flexibility about the installation process.


This is a sample of some code from which will look for a local copy of the installer before downloading from the CDN servers. You would need to handle the downloading of the latest installer package regularly. We have an example script to do this here.



# Check to see if we can access our local copy of Office
curl -s --connect-timeout 30 --retry 300 --retry-delay 60 -L -o $tempfile $localcopy
if [ $? == 0 ]; then
     echo "$(date) | Local copy of $appname downloaded at $tempfile"
    echo "$(date) | Couldn't find local copy of $appname, need to fetch from CDN"
    echo "$(date) | Downloading $appname from CDN"
    curl -s --connect-timeout 30 --retry 300 --retry-delay 60 -L -o $tempfile $weburl
    if [ $? == 0 ]; then
         echo "$(date) | Success"
         echo "$(date) | Failure"
         exit 5



The Individual Office apps script has an array that you can specify the specific applications that you want to use. The entries within this array are the <id> values from here.


# Edit AppstoInstall array with "id" values from for the apps you want to install
# Note: This script only handles installation of pkg files, DMG and ZIP files will NOT work.
AppsToInstall=(   ""



Steps to deploy Microsoft 365 Apps for Mac via the Intune Scripting agent

Example: Deploying Outlook, Word, PowerPoint, and OneDrive to a Mac via the scripting agent.

  1. Download a copy of our sample file and save it to your device.

  2. Open the file in your text editor of choice and modify the AppsToInstall array to only include Outlook, Word, PowerPoint and OneDrive.

    # Note: This script only handles installation of pkg files, DMG and ZIP files will NOT work.
    AppsToInstall=(     ""

  3. Mark the script as executable by opening a Terminal session and using the chmod +x command. Assuming that you downloaded the script to ~/Downloads type:

    chmod +x ~/Downloads/​

  4. If possible, find a test device and copy the script across. Run it as root by typing:

    sudo ~/Downloads/​

  5. Open the Microsoft Endpoint Manager admin center and Devices > macOS > Shell Scripts > Add

  6. Enter a Name and Description and click Next.

    Creating a new custom macOS script in the MEM admin centerCreating a new custom macOS script in the MEM admin center

  7. Click in the file browse UI in the Upload script dialog and select the saved file.

    1. Run script as signed-in user = No

    2. Hide script notifications on device = Not configured

    3. Script frequency = Not configured

    4. Set the Max number of retries to 3, Run and leave the rest as not configured.

      Custom macOS script - Script settings in the MEM admin centerCustom macOS script – Script settings in the MEM admin center

  8. Assign Scope Tags if you need them, click Next.

  9. Under “Required” click Add group and search for an appropriate group to target the script to.

    Custom macOS script - Assignment settings in the MEM admin centerCustom macOS script – Assignment settings in the MEM admin center

  10. Click Next, review, and then click Create to assign the script to the Azure AD group.

  11. The Intune script agent runs on an 8hr check-in cycle but can be manually triggered by the end user.

    1. Open the Company Portal app (sign-in if prompted).

    2. Select the device you are using.

    3. Click Check Settings under the ellipses menu.

      "Check status" location in the Company Portal for macOS“Check status” location in the Company Portal for macOS

    4. The script agent will check-in against the service and attempt to run the script.

  12. The script will log to this log file.


  13. The Intune script agent itself creates a daily log in this location.



Advantages Disadvantages

  • Fastest install time.

  • Additional logging.

  • Can deploy either entire suite or individual apps.

  • Possible to cache the initial installation files on local webserver.

  • Possible to create a local MAU cache server for updates.

  • Includes the Microsoft Autoupdate (MAU) tool which can be configured via plist to auto update and deploy insider builds of Office for testing to some users (covered later).

  • Requires additional server infrastructure for caching.

  • Requires bash scripting skills.

  • Additional infrastructure complexity.


Controlling Microsoft 365 apps for Mac updates with Microsoft AutoUpdate (MAU)

If you are deploying Microsoft 365 Apps for Mac via the CDN (or script agent) you will notice that updates are handled via the Microsoft AutoUpdate tool. To see this, open any of the Office apps and click on Help > Check for Updates.


Screenshot of the Microsoft AutoUpdate (MAU) toolScreenshot of the Microsoft AutoUpdate (MAU) tool

In the Microsoft AutoUpdate menu, click Advanced to see the Update Channel and if the app is configured for Automatic Updates.


Screenshot of the Microsoft AutoUpdate (MAU) tool and Preferences optionsScreenshot of the Microsoft AutoUpdate (MAU) tool and Preferences options

The MAU tool can be configured by deploying Intune property lists. You can even control deadlines for individual app updates as described here. The complete list of available keys for MAU can be found here.


We have three common examples on our GitHub Repo:


Let’s look at these plist examples and how we might use them in a typical deployment where we have a mixture of standard users on the Current channel and a group of early adopters on Preview or Beta.


Note: More information on Office Insiders content for Mac can be found here.


Below is the plist for our production users. The important keys here are:

  • ChannelName: Tells MAU which version of Office to install

  • DisableInsiderCheckbox: Prevents the end user from changing the update channel

  • UpdateCache: Tells MAU where to look locally for updates (see MAU Cache)





The Beta plist is the same but with one exception:

  • ChannelName = Beta






We would assign the property lists as follows:

  • Current Office 365 for Mac users

    • Assign to the same group that Office 365 Business application or deployment script was assigned to

    • Exclude your Beta Office 365 Business users group

  • Beta Office 365 for Mac users

    • Assign to your Beta Office 365 Business users group


Steps to configure in Intune:

  1. Open the Microsoft Endpoint Manager admin center and Devices > macOS > Configuration Profiles > Create Profile > Preference File > Create.

  2. Set a Name and Description and click Next.

  3. Enter the preference domain name as:

  4. Click on the file browser UI and select the current plist that you downloaded from our GitHub site. Then click Next.

    Microsoft AutoUpdate PLIST for Standard users - Preference file settingsMicrosoft AutoUpdate PLIST for Standard users – Preference file settings

  5. Assign Scope Tags if you need them, click Next.

  6. Under “Required” click Add group and search for the same group that you assigned Office 365 for Mac Pro to.

  7. Under “Excluded Groups” click Add group and search for the group(s) that you are going to assign the Beta and/or Preview plist to.

    Microsoft AutoUpdate PLIST for Standard users - Assignment settingsMicrosoft AutoUpdate PLIST for Standard users – Assignment settings

  8. Click Next, Review the content and then click Create.

    Now we have the ‘Current’ config deployed, let’s create one for our ‘Beta’ users.

  9. Click Devices > macOS > Configuration Profiles > Create Profile > Preference File > Create.

  10. Set a Name and Description and click Next.

  11. Enter the preference domain name as:

  12. Click on the file browser UI and select the Beta plist that you downloaded from our GitHub site. Then click Next.
    Microsoft AutoUpdate PLIST for InsideFast users - Preference file settingsMicrosoft AutoUpdate PLIST for InsideFast users – Preference file settings

  13. Assign Scope Tags if you need them, click Next.

  14. Under “Required” click Add group and search for the group that you want to use to assign Microsoft 365 apps for macOS Beta channel to.

  15. Do not put anything in Excluded groups.
    Microsoft AutoUpdate PLIST for InsideFast users - Assignment settingsMicrosoft AutoUpdate PLIST for InsideFast users – Assignment settings

  16. Click Next, Review the content and then click Create

  17. Click Devices > macOS > Configuration Profiles > Search for “AutoUpdate” and you should have two Preference File policies, one for InsiderFast users and one for Standard.
    Configuration Profiles for macOS search result for "auto" in the MEM admin centerConfiguration Profiles for macOS search result for “auto” in the MEM admin center

  18. To check the configuration, trigger an MDM sync on a user’s device that is in the Current group and then repeat for another user in the Beta group. After sync the Microsoft AutoUpdate tool should reflect the changes.

  19. This is what a user in the Beta group should see once their device has completed it’s next MDM sync.
    Microsoft AutoUpdate (MAU) tool - Preference settingsMicrosoft AutoUpdate (MAU) tool – Preference settings
    Microsoft AutoUpdate (MAU) tool - Available updatesMicrosoft AutoUpdate (MAU) tool – Available updates
    Note: To troubleshoot MAU property list files look on the target machine under /Library/Managed Preferences for If this file is present, it means that Intune has deployed the configuration.

  20. To check the contents of the deployed plist use the following commands:

    % cp /Library/Managed Preferences/ ~/Desktop 
    % plutil -convert xml1 ~/Desktop/ 
    % cat ~/Desktop/

    Once converted from binary to HTML the plist should look like it did in the original Intune plist.

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "">
    <plist version="1.0">


  21. The Microsoft Autoupdate app generates a log file in the following location.



There are three ways to handle Microsoft 365 apps for macOS deployment with Intune. There are no right and wrong solutions here, each is applicable in certain circumstances.


Most environments should start with the Intune CDN method of deployment combined with a custom plist for the Microsoft AutoUpdate agent as described in this post. This method provides the best mixture of complexity, flexibility and is the easiest to support for most scenarios.


Deployment Method

Use when…

Apple Volume Purchase Plan (VPP)

  1. You have Apple Business Manager and you have deployed Apple Content caching.

  2. You don’t need to support Beta or Preview builds.

  3. You don’t need to ensure that the Microsoft 365 apps for macOS are up to date.

Intune CDN

  1. You want to deploy with the least amount of effort.

  2. Your network can cope with the initial download demands (1.8G per device).

  3. You want to ensure that the Microsoft 365 apps for macOS are updated reliably.

  4. You want to have some users on Beta or Preview for early adopter testing.

  5. You want to take advantage of Microsoft AutoUpdate cache locally.

Intune Scripting Agent

  1. Speed of download and install is important.

  2. You need additional logging.

  3. You want to locally cache the initial download.

  4. You want to take advantage of Microsoft AutoUpdate cache locally.

  5. You want to have some users on Beta or Preview for early adopter testing.

  6. You want to ensure that the Microsoft 365 apps for macOS are updated reliably.

  7. You want to deploy specific apps and not just the entire suite.

  8. You have some in-house bash scripting skills (or time to learn).


We’ll be writing more content for macOS over the remainder of this year, so feel free to let us know scenarios that you’d like us to cover.


Let us know if you have any questions by replying to this post or reaching out to @IntuneSuppTeam on Twitter.

March identity updates – Public preview of AD FS sign-in activity in Azure AD reporting and more

March identity updates – Public preview of AD FS sign-in activity in Azure AD reporting and more

This article is contributed. See the original author and article here.

Howdy folks,


I’m excited to share the latest Active Azure Directory capabilities that will streamline your hybrid identity, monitoring, and B2B user experiences. These updates help you achieve a more unified identity management from a single control plane and enrich experiences to help provide seamless and secure collaboration with guest users.


Unified identity management

  • Public preview of AD FS sign-ins in Azure AD reporting – AD FS sign-ins can now be added to Azure AD activity reporting, giving organizations a unified view of their hybrid identity infrastructure and helping them along their identity modernization journey. This sign-in activity appears in the “Federated” column of Azure AD sign-in reports for customers using the latest version of Azure AD Connect Health. Customers can stream this activity and analyze in their own SIEM tools like Azure Sentinel, or they can use the Azure AD integration with Azure Monitor and Log Analytics to unlock insights and build dashboarding within the Azure portal. Log Analytics now has a stream called “ADFS SignIns”, which contains the same schema as the sign-in data in the logs, and Azure Monitor has a new pre-built “Sign-In Report” workbook.

  • General availability of tenant creation activity in Azure AD audit logs – Whenever a user creates a new Azure AD tenant, that activity is now recorded in the Azure AD audit logs of the tenant the user was signed into with the Azure portal, not just the logs of the newly created tenant. The log activity includes the new tenant ID, the UPN and Object ID of the user that created the tenant, and the tenant creation time and date.  Admins can use this to more effectively monitor their entire organization and better maintain an inventory of all their tenants.


Azure Monitor workbook for Azure AD and AD FS sign-in reporting.png
Azure Monitor workbook for Azure AD and AD FS sign-in reporting



External Identities

  • Email one-time passcode for B2B collaboration in Arlington/Government Cloud – Organizations in the Microsoft Azure Government cloud can now enable guests to redeem invitations with email one-time passcode (email OTP). Guest users can still collaborate with partners in the Azure Government cloud by requesting and entering a temporary code to sign-in to shared resources.


As always, we’d love to hear your feedback or suggestions in the comments or on Twitter (@AzureAD).

Alex Simons (@Alex_A_Simons)

Corporate VP of Program Management

Microsoft Identity Division



Learn more about Microsoft identity:

Add Developer PowerShell and Developer Command Prompt for Visual Studio to Windows Terminal

Add Developer PowerShell and Developer Command Prompt for Visual Studio to Windows Terminal

This article is contributed. See the original author and article here.

Windows Terminal is great, I use it for all my command line work. It automatically detects new shells that are installed on your system, like the shell for Ubuntu or PowerShell Core 7. Unfortunately, it doesn’t detect the Developer Command Prompt and Developer PowerShell for Visual Studio. Luckily, you can add them yourself!


The steps are rather simple:

  • Open Windows Terminal

  • Open the Settings through the UI (see screenshot) or with Ctrl+,

  • In the settings.json file that opens in your favorite code editor, locate the lists array inside the profiles object


Inside that lists array, you can add your additional profiles. In this case, for the Visual Studio command prompts, just use the following snippet:



                "name": "Developer PowerShell for VS 2019",
                "commandline": "powershell.exe -noe -c "&{$vsPath = &(Join-Path ${env:ProgramFiles(x86)} 'Microsoft Visual StudioInstallervswhere.exe') -property installationpath; Import-Module (Join-Path $vsPath 'Common7ToolsMicrosoft.VisualStudio.DevShell.dll'); Enter-VsDevShell -VsInstallPath $vsPath -SkipAutomaticLocation}"",
                "icon": "%ProgramFiles(x86)%Microsoft Visual Studio2019EnterpriseCommon7IDEAssetsVisualStudio.70x70.contrast-standard_scale-180.png"
                "name": "Developer Command Prompt for VS 2019",
                "commandline": "%comspec%  /k "%ProgramFiles(x86)%Microsoft Visual Studio2019EnterpriseCommon7ToolsVsDevCmd.bat"",
                "icon": "%ProgramFiles(x86)%Microsoft Visual Studio2019EnterpriseCommon7IDEAssetsVisualStudio.70x70.contrast-standard_scale-180.png"



Save the settings.json file, and now the new options show when opening a new tab:


Time to do your Visual Studio command line work in the fancy new Windows Terminal!

2020 Time zone updates for Volgograd, Russia now available

This article is contributed. See the original author and article here.

The March 2021 Cumulative Update Preview release for Windows includes the following time zone updates for Volgograd, Russia:


  • Individuals and organizations in Volgograd were recommended to temporarily set the time zone on their devices to “(UTC+3:00) Moscow, St. Petersburg” from December 27, 2020 at 02:00.

  • Beginning with the March 2021 Cumulative Update Preview, Volgograd will now move back to Windows time zone, “(UTC+3:00) Volgograd”. Note that the offset is UTC+3:00 instead of the earlier UTC+4:00 for Volgograd.

  • This can be done in one of the two ways:

    • Select the Windows logo key, type “time zone”, and select Change the time zone. From the time zone dropdown, select “(UTC+3:00) Volgograd”.

    • Navigate to Control Panel > Date and Time > Change time zone. From the time zone dropdown, select “(UTC+3:00) Volgograd”. Select OK to apply the change.

  • This change is for customers running the following Windows 10 versions:

    • Windows 10, version 1809

    • Windows 10, version 1903

    • Windows 10, version 1909

    • Windows 10, version 2004

    • Windows 10, version 20H2

  • Volgograd customers running other, supported versions of Windows will see the relevant changes in the April 2021 monthly quality update.

For Microsoft’s official policy on DST and time zone changes, please see Daylight saving time help and support. For information on how to update Windows to use the latest global time zone rules, see How to configure daylight saving time for Microsoft Windows operating systems.

2021 Time zone updates for Republic of South Sudan now available

This article is contributed. See the original author and article here.

The March 2021 Cumulative Update Preview for Windows includes the following time zone update:


  • Individuals and organizations in the Republic of South Sudan were recommended to temporarily set the time zone on their devices to (UTC+2:00) Harare, Pretoria” from February 1, 2021 at 00:00.

  • Beginning with the March 2021 Cumulative Update Preview, South Sudan customers will now move to a new Windows time zone, “(UTC+2:00) Juba”.

  • This can be done in one of the two ways:

    • Select the Windows logo key, type “time zone”, and select Change the time zone. From the time zone dropdown, select “(UTC+2:00) Juba”.

    • Navigate to Control Panel > Date and Time > Change time zone. From the time zone dropdown, select “(UTC+2:00) Juba”. Select OK to apply the change.

  • This change is for customers running the following Windows 10 versions:

    • Windows 10, version 1809

    • Windows 10, version 1903

    • Windows 10, version 1909

    • Windows 10, version 2004

    • Windows 10, version 20H2

  • South Sudan customers running other, supported versions of Windows will see the relevant changes in the April 2021 monthly quality update.

For Microsoft’s official policy on DST and time zone changes, please see Daylight saving time help and support. For information on how to update Windows to use the latest global time zone rules, see How to configure daylight saving time for Microsoft Windows operating systems.