Hi again, I’m Ted Way, program manager for Office 2010 volume activation. Last time I posted to this blog, I talked about KMS and MAK as two activation methods for the enterprise. If you’re planning on deploying Office 2010, Windows (7, Vista, Server 2008 R2, Server 2008), or a combination of these, you’ll be happy to know that the activation technologies are essentially the same. The same KMS host running on Windows Server 2008 R2, volume editions of Windows 7, or Windows Server 2003 can activate both Windows and Office, for example.
In this post I’ll show screenshots of the end-user experience if activation was not successful. In addition, I’ll share some tips and tricks on how to manage your volume editions of Office and activation so your time can be spent on checking out all the cool new features in Office 2010. Your end-user does not need to know anything about activation because everything is happening behind-the-scenes.
For volume editions of Office, users will not see any reminders to activate the first 25 days after installation. However, if activation is not successful, then users will see notification dialogs every time they launch an Office application from day 25 to 30 post-installation. An example of these notification dialogs is shown below. If the user closes the dialog, he or she will still be able to fully use all the features in Office.
If Office still has not been activated 30 days after installation, users will see notification dialogs every time an Office application is started. In addition, the title bar color will change to red as shown below. These visual indicators serve as reminders that users need to activate.
Going to the Backstage view by clicking File tab | Help will be the quickest way to check licensing status:
If you’re using volume editions of Office 2010 Beta and you haven’t activated, take a look at this page for help.
If users are seeing the above notifications to activate, you can set up a KMS host in just minutes by following the directions on the KMS host set up page. Once the KMS host is set up, the KMS clients automatically find the host on DNS and activate themselves against it. This is transparent to the end-user.
Sanjay Garg, a developer of the Office Software Protection Platform focused on enterprise licensing, suggests, “Once a KMS host is activated, make sure you allow the Key Management Service through the Windows Firewall. That way the KMS client requests can get through to the KMS host.”
How do you know whether your KMS host has been successfully activated? On your KMS host computer, open an elevated command prompt and run this command in the Windows\system32 directory.
C:\WINDOWS\system32>cscript slmgr.vbs /dli
You should see the output below. Note the “Licensed” status, meaning you’ve activated your KMS host. When the “Current count” >= 5, then KMS clients will begin activating the next time they request activation.
Name: Office(TM) 14, Beta1ProPlusKMSHost edition Description: Office(TM) 14 KMS, VOLUME_KMS channel Partial Product Key: TCDMC License Status: Licensed Key Management Service is enabled on this machine Current count: 6 Listening on Port: 1688 DNS publishing enabled KMS priority: Normal
Here at Microsoft we have an internal KMS host running on a Windows Server 2008 R2 VM. If you are running Windows Server 2008, consider using a VM of Windows Server 2008 R2 or Windows Server 2003 as your KMS host. The Microsoft KMS host is handling all of our internal Windows AND Office 2010 activation requests. Since the host was set up earlier this year, it’s received 250,000 initial activation requests and 135,000 re-activation requests from licensed Office KMS clients. It’s also received and processed hundreds of thousands of additional requests for Windows client and server activation.
An administrator in Microsoft IT shared his experience: “We configure the server to auto publish in all the internal domains via reg key and we secure the _vlmcs._tcp DNS record in all domains by only allowing a specific security group to update it. We add the KMS servers to the security group as part of the standard KMS build process. Also part of the standard KMS build process we request an IPsec exemption for the servers, because we allow our unmanaged clients (labs, non-domain joined, etc) to activate.”
This handy script is helpful for performing local and remote licensing operations for Microsoft Office 2010. You can find it in the “%ProgramFiles%\Microsoft Office\Office14” folder. For 32-bit installs of Office on 64-bit operating systems, look for it under the “Program Files (x86)” folder. Keep in mind ospp.vbs is the script to configure the Office 2010 client, while slmgr.vbs is used to configure the KMS host and Windows installations.
To run this script, open an elevated command prompt by clicking the Start button and searching for “cmd” in the search box. Right click on the command prompt window and select “Run as administrator.” Go to the directory with this command:
cd “%ProgramFiles%\Microsoft Office\Office14”
You can see the options that are available by typing:
cscript ospp.vbs -?
Richard Moloney, the developer of this script, says a useful benefit after setting up a KMS host is using the -act and -dhistory commands to verify the Office client is finding the KMS host and successfully activating. He suggests, “If you’re setting up a KMS host, you can manually trigger and verify successful activation. You don’t need to wait 25 days until notification dialogs start popping up to start troubleshooting.”
Trigger activation and view the KMS activation history by running:
cscript ospp.vbs –act cscript ospp.vbs –dhistory
For MAK activation, one common task would be to check the status of your computer, install a Professional Plus Beta MAK key, and trigger activation. Run these commands (if you’re pasting these commands, you may need to change the long dash to a short dash). In this example, note that when you run the –act command, you’ll be triggering MAK activation, which goes to Microsoft’s activation servers, not your KMS host.
cscript ospp.vbs –dstatus cscript ospp.vbs –inpkey:22HGX-728MX-BBWX9-7BB8X-J96B4 cscript ospp.vbs –act cscript ospp.vbs –dstatus
What if you got an error code? You can easily get the error description with this command specifying the error code:
cscript ospp.vbs –ddescr:0xC0020017
You can even run this script to check the status or trigger activation of a remote computer. Just provide the computer name and login credentials:
cscript ospp.vbs –act <remote computer name> <username> <password>
This brings me to the next section: how would you remotely manage and activate multiple computers quickly?
To remotely manage volume editions of Windows and Office 2010 in your organization using a GUI tool, download VAMT 2.0 Beta. VAMT 2.0 allows you to get an overview of the licensing status of both Windows and Office 2010 installations.
For VAMT 2.0 to manage client computers, make sure you make an exception for the Windows Management Instrumentation (WMI) on the client computers. Go to Control Panel –> Windows Firewall -> Allow a program through Windows Firewall. If you are managing Windows XP machines running Office 2010, see this article for more information. I’ve included a screenshot of VAMT 2.0 with my two computers:
I can monitor my desktop and laptop, in addition to any other machines I have access to. Both have Windows Vista and Office 2010 applications installed. Under “Product Key Type,” GVLK is the generic volume license key, which is the KMS client key. On my laptop, I have the MAK key installed from the activation page.
If I right click on my computer name, I can install product keys, trigger activation, or even do proxy activation through VAMT 2.0. Proxy activation is a method of activating multiple machines with Office 2010 that have a MAK key installed. This would be helpful for computer networks that are not connected to the Internet, or if you want to MAK activate multiple machines at once for your sales team, for example.
If you have any questions, check out the Office 2010 Volume Activation resource center on TechNet. There’s a great video that gives an introduction to KMS and MAK along with more in-depth documentation.
If you have any specific questions, post it to our forum at http://social.technet.microsoft.com/Forums/en/office2010volact/threads and our team will do our best to address them!
Howdy, I’m David B Heise and I work on the Office Security team responsible for testing Office File Validation (codename: Gatekeeper). There have been some misconceptions about the new file validation feature in Microsoft Office 2010 and I hope to clear these up and explain the why and what.
Throughout the years the office binary formats have necessarily evolved and grown in scale and complexity. The reasons why the formats are complex have been discussed sufficiently elsewhere (see Joel Spolsky's article here) so we won’t go into that discussion here, however these binary formats are very well documented here. We have found that malicious attackers use the binary files as an attack vector to infect a targeted user, as such we wanted to come up with a way to stop this from happening. One thing our team has been doing is whenever a new Office file format attack is reported to Microsoft we have been checking it with our validation to see how well we’re doing. So far, so very good!
Office File Validation is a feature that was originally introduced in Publisher 2007 to validate Publisher’s PUB files. It verifies that a particular binary file conforms to the application’s expectations. In Office 2010 we’ve expanded this feature significantly to include binary formats for Word, Excel, and PowerPoint. Please note that this feature is for binary formats ONLY (i.e. PUB, DOC, XLS, PPT, etc), this does not validate the XML based documents (i.e. DOCX, XLSX, PPTX, etc), nor does it validate macros or other custom items. What it does validate is the structure of the file, for example if you have a XLS file that has a FONTINDEX structure with the ifnt value set to 4 (which is an invalid value for that particular item) then it fails validation.
Whenever an un-trusted binary file (i.e. not in a trusted location and not a trusted document) is loaded by Word, PowerPoint, or Excel it goes through a check to see if it is a valid file. This check looks at the specific bits of the file that the application is about to parse, in other words the relevant OLESS Streams. If it is determined to be valid, it opens as normal, nothing to see…move along…move along. However if it is found to be invalid, it is sent (by default) to the Protected View.
If you click on that text you will be taken to the Backstage view where you will have the option to open the file in the full application experience. Please note that this is a trust decision that will mark this particular file as a trusted file, and as such, will NOT be validated the next time you open this file.
After you’re done with the file and close the application you may see a prompt like this:
This prompt only appears at most once every two weeks (per application) and gives you the option to send the failing file (or files) to us via Windows Error Reporting. Of course you can remove a file or two if you don’t want to share that information, but by sending us the file we can analyze it further to improve Office File Validation.
We realize that many administrators (or security conscious users) may not like the idea of opening a file that fails validation, so there is a group policy to control the default action when a file fails validation. These policies are located under the application’s “Options\Security\Trust Center\Protected View” in the group policy templates and it is a per application setting.
There are several registry keys that control various aspects of Office File Validation.
Common Keys
HKCU\Software\Microsoft\Office\14.0\Common\Security\FileValidation \ReportingInterval - This is a DWORD that controls the number of days between the showing of the dialog to send files to Windows Error Reporting.
HKCU\Software\Microsoft\Office\14.0\Common\Security\FileValidation\DisableReporting - This is a DWORD that if set to 1 will disable the showing dialog (and thus the sending of files) to Windows Error Reporting.
Application Specific Keys
For these examples I’m going to use “Excel”, but these also work for “PowerPoint” and “Word”
HKCU\Software\Microsoft\Office\14.0\Excel\Security\FileValidation\EnableOnLoad – This is a DWORD that if set to 0 Office will not validate files. HKCU\Software\Microsoft\Office\14.0\Excel\Security\FileValidation\DisableEditFromPV – This is a DWORD that if set to 1 will not allow files to be edited that fail validation.
HKCU\Software\Microsoft\Office\14.0\Excel\Security\FileValidation\EnableOnLoad – This is a DWORD that if set to 0 Office will not validate files.
HKCU\Software\Microsoft\Office\14.0\Excel\Security\FileValidation\DisableEditFromPV – This is a DWORD that if set to 1 will not allow files to be edited that fail validation.
Excel Specific Keys HKCU\Software\Microsoft\Office\14.0\Excel\Security\FileValidation\PivotOptions – This is a DWORD that controls specific options around validating pivot caches (for performance reasons) in files that have them. 0 = Never validate any pivot cache 1 = Validate the pivot cache in the following cases: (1) file is opened from the internet, and the platform marks the file locally as having come from the internet. (2) The file is a Microsoft Outlook email attachment. (3) The user specifically opened the file in protected view. (4) The file is opened from a known "unsafe location" locally where internet content is cached, and any special user-defined untrusted locations, unless protected view unsafe locations are disabled via (a different) registry key. (5)The file is opened and the pivot cache is parsed on load. 2 =Always validate all pivot caches
HKCU\Software\Microsoft\Office\14.0\Excel\Security\FileValidation\PivotOptions – This is a DWORD that controls specific options around validating pivot caches (for performance reasons) in files that have them.
0 = Never validate any pivot cache 1 = Validate the pivot cache in the following cases: (1) file is opened from the internet, and the platform marks the file locally as having come from the internet. (2) The file is a Microsoft Outlook email attachment. (3) The user specifically opened the file in protected view. (4) The file is opened from a known "unsafe location" locally where internet content is cached, and any special user-defined untrusted locations, unless protected view unsafe locations are disabled via (a different) registry key. (5)The file is opened and the pivot cache is parsed on load. 2 =Always validate all pivot caches
For custom solutions built on top of Office there are a few interesting properties that have been added to the Application Objects that will disable file validation for that session. There is also an extra option for Excel to control the validation of Pivot Caches (i.e. the file cached data for pivot tables and charts). Here’s a powershell script example showing how to set these two options for Excel (but the FileValidation property would also apply for Word and PPT):
$excel = New-Object -comobject Excel.Application # valid values are: # msoFileValidationDefault = 0 # msoFileValidationSkip = 1 $excel.FileValidation = msoFileValidationSkip # valid values are: # xlFileValidationPivotDefault = 0 (do whatever you’d normally do, i.e. follow registry & default settings), # xlFileValidationPivotRun = 1 (validate all pivot caches), # xlFileValidationPivotSkip = 2 (don’t validate any pivot caches) $excel.FileValidationPivot = xlFileValidationPivotSkip
We have made specific strides to ensure that file validation is very fast. Yes, it now takes more time to open a file, but we’re generally talking milliseconds more. In fact, you’d be hard pressed to find a normal sized file that takes more than a second to validate, most files validate in the 1 to 100 milliseconds range. Of course if the file is huge and super complex and takes an hour to open already…then yes it will take more than a second, but you probably aren’t going to notice anyway. In addition to that if the file takes more than 5 seconds to validate (so we’re talking very complex files here) we give you the option to cancel and go straight to the Protected View. After all we couldn’t just let you open it normally because then hackers would just make a file that was really complex…then take over your machine, which is exactly what this feature is trying to stop.
In addition for any file that takes a long time to validate (if it passes validation, fails validation, or validation is skipped) will also be shown the same Windows Error Reporting prompt as a failing file; giving you the option to send us the file for further analysis.
In talking with the developers one day we imagined a conversation that went like this:
“So what have you been working on?” “Office File Validation” “What’s that?” “A check on an Office file to make sure it’s ok” “So, you spent the last two years writing a Boolean function?” “Well…um…yes, but it’s an important function!”
“So what have you been working on?”
“Office File Validation”
“What’s that?”
“A check on an Office file to make sure it’s ok”
“So, you spent the last two years writing a Boolean function?”
“Well…um…yes, but it’s an important function!”
At the end of the day the Office File Validation is really just a Yes/No function to inform the application if a file is valid or not, but that’s a really important function! In fact is also a really complex function, as anyone who’s ever even peeked into the file format specifications can attest. So there you have it, in a nutshell. Office File Validation will check your binary file to ensure the significant bits of your file are valid, and if you think we’re wrong you can either trust the file or let us know!
Hello, I’m Keri Vandeberghe and I work in Microsoft’s Office Design Group (ODG) as a User Experience Designer. I would like to share the story behind the visual approach and brand integration for Office 2010. I’ll give you a behind the scenes look at the philosophy that led us to the current design direction.
Office 2010 is not a complete makeover but a visual refresh to refine surfaces and remove unnecessary visual elements so the focus is on users’ content and less on the borders and widgets that frame the content part of a window (this frame is also known as the “chrome”). In order to achieve this we’ve reduced the number of borders, boxes, and horizontal banding which gave 6 extra pixels of vertical space back to the content area. By adding more white space, and carefully placed visual elements, we strove to create an interface that appears less intrusive, lightweight, and leaves more room for the self-expression of those using it.
For Office 2007 the Ribbon was a new UI paradigm and the visual styling was emphasized to expose features, show the relationship of controls, and bring forth functionality that was buried in menus and dialogs. Boxes and borders around each control and Ribbon group acted as “visual cues” to guide the user. The Office 2007 Ribbon used a high gloss glass surface, which aligned with the Windows Vista aesthetic, and added an additional “WOW” to a new interface.
Comparison of Office 2007 and Office 2010 Ribbon
In Office 2010 we feel the UI has matured and taken on a more refined appearance without sacrificing the overall structure of the Ribbon and its functionality. A major change for Office 2010 visuals is that the default theme is no longer blue. We chose a neutral palette to minimize sensorial overload when creating documents and we also made a departure from flashy finishes. The Ribbon is still the most prominent UI piece and sets the pace for all that follows. The user interface below the Ribbon is more subdued. The soft gradients and the use of light and color are meant to call attention to or draw the users’ eye to a specific area. There is a visual rhythm defined by white space and a few highly contrasted elements like the Office brand orange to indicate selection and the individual product colors in the File tab.
We’ve continued the tradition of shipping three UI themes; Silver, Blue, and Black. All of the text in the Silver theme now has a 5:1 contrast ratio (the perceived difference in a color that occurs when it is surrounded by another color) with its background. This is a common request from our users with low vision and we’ve found that most users also benefit from the enhanced readability and improvements.
You’ll find the control for switching themes by clicking on the File tab > Options > General > Color Scheme.
Consistency in the overall visual styling across Office applications, SharePoint, and Web Applications was a major goal this release. We wanted the experience to feel familiar and consistent when moving from one product to the other. The neutral color palette in SharePoint provides a platform for individual company branding to shine with much less effort. Carrying over the neutral color palette to the Web Apps pairs well with a variety of host chromes and ties the experience back to the full service Office applications.
The Office Design Group worked closely with Microsoft’s brand team to evaluate, refine and identify the in-product branding opportunities. This collaboration ensured that the brand was infused in the product in a relevant and distinctive way.
With Office 2010 we’ve unveiled a new Office brand system. The logo has evolved, moving from the original four colors that signified Word, Excel, PowerPoint and Outlook to a mark that fully embraces the Office orange brand. The logo also completes the evolution from the puzzle pieces last seen in Office XP to a mark that conveys energy, impact, and connection.
The application icons have been re-designed for the release of Office 2010. The new icon designs respond to research that informs us that users can more easily associate icons by letter and color than by abstract design. We’ve adopted an alphabet system to bring a more uniform approach to the wide variety of Office family products.
We’ve also chosen to play up the individual application colors this release and have updated the spectrum of colors to use a more vibrant and pure color palette. We’ve added the product color to the File tab and a few select elements in the Backstage view to make it easier to quickly identify the Office application you are working in. Think of the application colored File tab as a sneak peek into the Backstage view.
The new Microsoft Office brand gesture and updated orange color palette is showcased in the animated splash screen. The animation adds energy, expressiveness, and an element of delight to the product launch experience.
It’s not just a pretty picture Designing and implementing the visuals for Microsoft Office goes beyond the icons and the age old desire simply to “make it look pretty”. It’s about bridging the gap between the familiar and the unknown, conveying and building on a brand, and helping users complete their daily tasks without getting in the way. Hopefully this quick overview has given you a better understanding of the visual refresh you’ll see in Microsoft Office 2010.
Hello, my name is Shelley Gu and I am a Program Manager on the Trustworthy Computing Security team. I’d like to introduce some new features we have added to digital signatures in Office 2010. First I’ll briefly explain what digital signatures are and how to use them, and then I’ll dive into the details about how they work in Office 2010.
More and more business transactions are being conducted electronically. Consequently, digital signatures are being used increasingly to legally bind relying parties to their transactions. A digital signature is used to verify the identity of the person who signed the document, and confirms that the content was not modified after the digital signature was applied to the document. Digital signatures provide security based in encryption technologies and help mitigate risk associated with electronic business transactions. With improvements to digital signing, Office aims to meet the information security needs of enterprises and public sector entities worldwide.
To create a digital signature, you must have a digital certificate, which proves your identity to relying parties, and should be obtained from a reputable certificate authority (CA). If you do not have a digital certificate, Microsoft has partners that provide digital certificates as well as other advanced signature services that are integrated into Office at the Office Marketplace.
In Word, Excel and PowerPoint 2010, a digital signature can be added by going to the Office Backstage View:
A signature line or signature stamp can be added in Word, Excel, and InfoPath by going to the Insert Tab:
A signature line looks like this:
A signature stamp (more commonly used in Eastern Asia) looks like this:
Office 2007, and later versions, use an open signing standard called XML-DSig that replaces the less advanced binary signatures from Office 2003 and earlier versions. XML-DSig represents a signature in a mostly human-readable XML format. For more information on XML-DSig, see http://www.w3.org/Signature.
Office 2010 digital signatures are able to use advanced algorithms (like the elliptic curve public key algorithm) supported by Windows Vista and later. All supported operating systems also allow the use of more robust hashing algorithms, like SHA-512.
The most immediate problem with digital signatures is that the certificate you use will expire – usually in as little as one year. After the certificate has expired, no one should trust the signature. If you want to be able to trust a signature over a longer period, then you must keep copies of the information needed to validate the certificate. You might also need to worry about the cryptography becoming obsolete.
Fortunately, a solution to these problems is available in an extension to the XML-DSig standard called XAdES.
XAdES (XML Advanced Electronic Signatures) is a set of tiered extensions to XML-DSig, the levels of which build upon the previous to provide more and more reliable digital signatures.
By implementing XAdES, Office complies with the European Union Advanced Electronic Signature Criteria in Directive 1999/93/EC as well as a new Brazilian government directive which defines XAdES as the accepted standard for digital signing in Brazil.
Office 2010 can create different levels of XAdES signatures on top of XML-DSig signatures:
The Office 2010 Beta only creates up to and including XAdES-T signatures, but Office 2010 RTM will be able to create all the signatures in the above table.
Time stamping digital signatures (XAdES-T signatures) is an important scenario we focused on in Office 2010. In order to create a time stamped signature, you’ll need to:
Once everything is configured, you can just create signatures like you normally would. A timestamp from a trusted timestamp server extends the life of your signature, because even after the certificate expires, the timestamp proves that the certificate had not expired at the time of signing. As a result, time stamping protects against certificate expiration, and if the certificate was revoked after the signature was applied, the signature is still valid.
By default, Office 2010 creates XAdES-EPES signatures. Registry settings are used to specify the level of signatures to create. There are two registry settings to control the type of signature Office creates, XAdESLevel and MinXAdESLevel.
The MinXAdESLevel setting allows you to ensure that created signatures meet your required XAdES level. A XAdES-T or higher signature will fail if the timestamp server isn’t available, and a XAdES-C or higher signature will fail if revocation information isn’t available. Having a minimum setting allows scenarios where you could attempt a XAdES-X-L signature, but fall back to XAdES-EPES if the timestamp server is down.
To create XAdES-T signatures and above you will need to provide Office with a time stamp server to query for time stamps:
If you want to create XAdES signatures, we recommend using one of three levels:
Example:
Sam wants to create XAdES-X-L signatures. If this is not possible, he is willing to accept any signature that is at least a XAdES-T signature. He sets:
In this case, Office attempts to create a signature up to the –X-L level. If Office is unable to create a XAdES-X-L signature, Office falls back to the last successful XAdES level provided that the level is not lower than MinXAdESLevel. In this case, XAdES-T, XAdES-C, and XAdES-X signatures would be acceptable if Office is unable to create a XAdES-X-L signature. Otherwise, Office does not add a signature.
As mentioned previously, Office 2010 Beta is only able to create up to XAdES-T signatures because we added the rest of the XAdES work in after the Beta. The XAdESLevel registry setting we explained above still applies, but the maximum level is 2 (XAdES-T). TheMinXAdESLevel setting isn’t present, but you can only create two types of XAdES signatures – with and without a timestamp, which is controlled by the TimestampRequired setting (which isn’t present in the RTM version).
To create a XAdES-T signature, you will additionally need to set TimestampRequired (below) and TSALocation (see explanation above):
The XAdES feature is one of many security enhancements we have made to Office 2010. Thanks for reading, and we look forward to hearing your feedback!
You may have already heard, but we have some exciting news from the Office team -- earlier this week we reached the 1 millionth download of Office 2010! This means that more than 1 million people across the world are now experiencing and testing the next version of Office. You’ll recall we launched the public beta just two weeks ago at the Professional Developer’s Conference and in reaching the 1 millionth download milestone, Office 2010 has had more people download it in the first two weeks than any other version of Office including Office 2007! It’s super gratifying to see so many people interested in experiencing the next version of Office and help us deliver the best product possible. Anyone who hasn’t yet downloaded Office 2010 should go to www.microsoft.com/2010, try it today, and send us your feedback via this blog or the newsgroups at http://social.technet.microsoft.com/Forums/en/category/office2010,office2007deployment.
It’s Jon again from the Office User Experience team. I started at Microsoft a little over 2 years ago and one of the things that inevitably happened is that I instantly became the IT guy for everyone I know. The nice part about this is that every now and then I get to show off something that’s really cool to impress everyone in the room.
When I get asked about Office 2007, an interesting trick I like to mention is the ability to minimize the Ribbon by double clicking on the active tab, pressing Ctrl+F1, or using the Ribbon’s right click menu.
Word 2010 with the Ribbon minimized
Minimizing the Ribbon is great when I know I won’t be making many changes to the document and just want to focus on the content that’s already there. It’s helpful when I’m looking at a spreadsheet with lots of data to absorb, reading a very long document, or working on a laptop with a small screen size.
We thought minimizing the Ribbon was a useful feature for more than just the intrepid power users who discovered it in Office 2007, so in Office 2010 we’re bringing the functionality front and center (well, a little off-center). We’ve added an easier to find arrow widget next to the Help button in the top right of every Office 2010 application.
Click the arrow to minimize the Ribbon so only the tabs show. Once the Ribbon is minimized you can click on the tabs to use them like menus. When it’s time to do some more serious editing, click the arrow a second time to expand the Ribbon so you can more efficiently get to all of the Ribbon’s commands.
Increasing the discoverability of minimizing the Ribbon is nice because now lots of users will be able to enjoy it. The only downside is that I’ll have one fewer cool trick to show off to friends and family.