IAMinerva
HomeBlogAbout
m3M365 NewscoMicrosoft CopilotteMicrosoft TeamsshSharePoint & OneDriveinIntune & SecurityexExchange & OutlookpoPower PlatformazAzure & Entra IDtuTutorials & GuidesevEvents & ConferencesseSecuritywiWindows
IAMinerva

Professional blog dedicated to the Microsoft 365 ecosystem.

Quick links

HomeBlogAboutNewsletter

Stay informed

Get the latest Microsoft 365 news delivered straight to your inbox.

© 2026 IAMinerva. All rights reserved.

Built withNext.js&Tailwind
Gestion des mises à jour Microsoft 365 Apps avec Intune
BlogM365 NewsManaging Microsoft 365 Apps Updates with Intune
M365 News#Microsoft 365#Intune#Update Management

Managing Microsoft 365 Apps Updates with Intune

Comprehensive guide to effectively manage Microsoft 365 Apps updates with Intune. Update strategies, update channels and PowerShell scripts included.

Houssem MAKHLOUF
March 10, 2026
5 min read

TL;DR par Minerva

généré par IA

Comprehensive guide to effectively manage Microsoft 365 Apps updates with Intune. Update strategies, update channels and PowerShell scripts included.

Introduction

Managing updates for Microsoft 365 Apps represents a critical issue for security and productivity in the enterprise. Each month, Microsoft publishes essential security patches for Outlook, Word, Excel, PowerPoint and Teams. The absence of an update strategy exposes your organization to known and exploitable vulnerabilities.

×

Important

Failing to keep your Microsoft 365 applications up to date transforms your productivity suite into a major risk vector for your organization.

Microsoft 365 Apps update channels

Microsoft 365 Apps uses a distribution model based on update channels that determines the frequency and content of updates received. This approach differs radically from the old MSI model where a specific version was deployed and then maintained indefinitely.

Overview of available channels

ChannelFrequencyUse cases
Current ChannelMultiple times per monthNot recommended in production
Monthly Enterprise Channel (MEC)Once per monthModern environments
Semi-Annual Enterprise Channel (SAEC)January and JulyRegulated industries
SAEC PreviewMarch and SeptemberCompatibility testing
Beta ChannelContinuousReserved for testing

Image 2

MEC vs SAEC Comparison

For the majority of enterprises, the choice is limited to two main options:

CriteriaMonthly Enterprise ChannelSemi-Annual Enterprise Channel
New featuresEvery monthEvery 6 months
Security patchesIncluded monthlyMonthly between releases
StabilityGoodExcellent
Microsoft Support12 months per version24 months per version
Testing window1 month6 months
✦

Tip

Choose MEC to quickly benefit from new features. Opt for SAEC if stability takes priority over innovation.

Configuring channels via Intune Settings Catalog

Intune's Settings Catalog advantageously replaces the old ADMX policies. This modern approach offers an intuitive interface and aligns with Microsoft's current recommendations.

Creating the configuration profile

1

Access the administration center

Log in to the Intune portal: https://intune.microsoft.com Navigate to Devices > Configuration

2

Creating the profile

Click on Create > New Policy Select:

  • Platform: Windows 10 and later
  • Profile type: Settings catalog

Image 3

3

Naming the profile

Assign an explicit name:

  • "M365 Apps - MEC - Production"
  • "M365 Apps - SAEC - Finance"

Image 4

4

Configuring the settings

In the Configuration settings tab, add the following settings:

⚡PowerShell
1# Recommended settings
2$settings = @{
3 "Channel Name (Device)" = "Monthly Enterprise Channel"
4 "Enable Automatic Updates" = "Enabled"
5 "Hide Update Notifications" = "Enabled"
6 "Hide option to enable or disable updates" = "Enabled"
7 "Delay downloading and installing updates" = "5"
8}

Image 5

5

Assigning groups

Assign the profile to appropriate groups:

  • Pilot groups for testing
  • Production groups after validation

Image 6

6

Finalization

Click Create to activate the policy

Image 7

Progressive deployment strategy

Recommended deployment architecture

A phased approach minimizes risks and ensures stability:

i

Good to know

A progressive deployment allows you to detect compatibility issues before a general rollout.

For Monthly Enterprise Channel (MEC)

  • Phase 1: IT Group (0 day delay)
  • Phase 2: Pilot users (5 day delay)
  • Phase 3: General deployment (5-7 day delay)

For Semi-Annual Enterprise Channel (SAEC)

  • Phase 1: Pilot group 50-100 users (0 day delay)
  • Phase 2: Production deployment (5 day delay)

Image 8

PowerShell verification script

⚡PowerShell
1# Check the current channel on a workstation
2$officeConfig = Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" -Name "CDNBaseUrl" -ErrorAction SilentlyContinue
3
4if ($officeConfig) {
5 $channel = switch -Wildcard ($officeConfig.CDNBaseUrl) {
6 "*492350f6-3a01-4f97-b9c0-c7c6ddf67d60*" { "Current Channel" }
7 "*55336b82-a18d-4dd6-b5f6-9e5095c314a6*" { "Monthly Enterprise Channel" }
8 "*b8f9b850-328d-4355-9145-c59439a0c4cf*" { "Semi-Annual Enterprise Channel" }
9 default { "Unknown Channel" }
10 }
11 Write-Host "Current channel: $channel" -ForegroundColor Green
12} else {
13 Write-Host "Office configuration not found" -ForegroundColor Red
14}

Monitoring and validation

Via the Microsoft 365 Apps administration center

Access the portal: https://config.office.com

In the Inventory section, review:

  • Version distribution by channel
  • Build support status
  • Deployment compliance

Image 9

PowerShell reporting script

⚡PowerShell
1# Generate a compliance report
2Connect-MgGraph -Scopes "Directory.Read.All"
3
4$devices = Get-MgDevice -Filter "operatingSystem eq 'Windows'" -All
5$report = @()
6
7foreach ($device in $devices) {
8 # Retrieve Office information via Graph API
9 $officeInfo = Get-MgDeviceRegisteredOwner -DeviceId $device.Id
10
11 $report += [PSCustomObject]@{
12 DeviceName = $device.DisplayName
13 LastSync = $device.ApproximateLastSignInDateTime
14 ComplianceState = $device.ComplianceState
15 }
16}
17
18$report | Export-Csv -Path "Office365_Compliance_Report.csv" -NoTypeInformation
!

Warning

Ensure you have the necessary Graph API permissions before running these scripts.

Glossary of terms

  • CDN (Content Delivery Network): Infrastructure for distributing Microsoft updates
  • CVE (Common Vulnerabilities and Exposures): Standardized identifiers for vulnerabilities
  • ADMX: Administrative template files for group policies
  • Settings Catalog: Modern interface for configuring policies in Intune
  • Build: Specific version of a Microsoft 365 application

Useful links

  • Official documentation for update channels
  • Microsoft 365 Apps administration center
  • Microsoft Intune portal
  • PowerShell reference for Microsoft Graph
  • Office version support matrix
Share:
HM

Houssem MAKHLOUF

Microsoft 365 enthusiast & IT professional.

Previous article

Intune: Block Unauthorized Software Installations

Mar 10, 2026
Next article

Create a Microsoft Forms by Importing a Word or PDF Document

Mar 10, 2026

Related articles

Cadenas stylisé avec des éléments graphiques abstraits et du texte sur la sécurité.securite

New Microsoft 365 Security Adoption Model

Discover the Microsoft 365 security adoption guide based on Zero Trust principles: modular approaches and modern strategies.

Jun 29, 20264 min
Main d'homme interagissant avec une interface numérique lumineuse et dynamique.copilot

Agents: Transforming Work with AI in Microsoft 365

Intelligent agents are redefining work in Microsoft 365 by automating complex and extended tasks. Discover their impact and adoption.

Jun 28, 20263 min
Exécution de scripts PowerShell pour auditer des applications AI et gérer leurs enregistrements.copilot

Audit and Manage AI Applications with PowerShell

Audit unauthorized AI applications in Entra ID with PowerShell and Microsoft Graph to strengthen control and security.

Jun 28, 20264 min