Introduction
Managing updates for Microsoft 365 Apps is critical to both security and productivity in the enterprise. Each month, Microsoft publishes essential security patches for Outlook, Word, Excel, PowerPoint and Teams. Without an update strategy, your organization remains exposed to known and exploitable vulnerabilities.
Important
Failing to keep your Microsoft 365 applications up to date transforms your productivity suite into a major risk vector for your organization.
Microsoft 365 Apps update channels
Microsoft 365 Apps uses a distribution model based on update channels that determines the frequency and content of updates received. This approach differs radically from the old MSI model where a specific version was deployed and then maintained indefinitely.
Overview of available channels
| Channel | Frequency | Use cases |
|---|---|---|
| Current Channel | Multiple times per month | Not recommended in production |
| Monthly Enterprise Channel (MEC) | Once per month | Modern environments |
| Semi-Annual Enterprise Channel (SAEC) | January and July | Regulated industries |
| SAEC Preview | March and September | Compatibility testing |
| Beta Channel | Continuous | Reserved for testing |

MEC vs SAEC Comparison
For the majority of enterprises, the choice is limited to two main options:
| Criteria | Monthly Enterprise Channel | Semi-Annual Enterprise Channel |
|---|---|---|
| New features | Every month | Every 6 months |
| Security patches | Included monthly | Monthly between releases |
| Stability | Good | Excellent |
| Microsoft Support | 12 months per version | 24 months per version |
| Testing window | 1 month | 6 months |
Tip
Choose MEC to quickly benefit from new features. Opt for SAEC if stability takes priority over innovation.
Configuring channels via Intune Settings Catalog
Intune's Settings Catalog replaces the old ADMX policies. This modern approach offers an intuitive interface and aligns with Microsoft's current recommendations.
Creating the configuration profile
Access the administration center
Log in to the Intune portal: https://intune.microsoft.com
Navigate to Devices > Configuration
Creating the profile
Click on Create > New Policy, then select:
- Platform: Windows 10 and later
- Profile type: Settings catalog

Naming the profile
Assign an explicit name:
- "M365 Apps - MEC - Production"
- "M365 Apps - SAEC - Finance"

Configuring the settings
In the Configuration settings tab, add the following settings:
```powershell
# Recommended settings
$settings = @{
    "Channel Name (Device)"                    = "Monthly Enterprise Channel"
    "Enable Automatic Updates"                 = "Enabled"
    "Hide Update Notifications"                = "Enabled"
    "Hide option to enable or disable updates" = "Enabled"
    "Delay downloading and installing updates" = "5"
}
```
Assigning groups
Assign the profile to appropriate groups:
- Pilot groups for testing
- Production groups after validation

Finalization
Click Create to activate the policy

Progressive deployment strategy
Recommended deployment architecture
A phased approach minimizes risks and ensures stability:
Good to know
A progressive deployment allows you to detect compatibility issues before a general rollout.
For Monthly Enterprise Channel (MEC)
- Phase 1: IT Group (0 day delay)
- Phase 2: Pilot users (5 day delay)
- Phase 3: General deployment (5-7 day delay)
For Semi-Annual Enterprise Channel (SAEC)
- Phase 1: Pilot group 50-100 users (0 day delay)
- Phase 2: Production deployment (5 day delay)

PowerShell verification script
```powershell
# Check the current channel on a workstation
$officeConfig = Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" -Name "CDNBaseUrl" -ErrorAction SilentlyContinue

if ($officeConfig) {
    # The channel is identified by the GUID embedded in the CDN base URL
    $channel = switch -Wildcard ($officeConfig.CDNBaseUrl) {
        "*492350f6-3a01-4f97-b9c0-c7c6ddf67d60*" { "Current Channel" }
        "*55336b82-a18d-4dd6-b5f6-9e5095c314a6*" { "Monthly Enterprise Channel" }
        "*7ffbc6bf-bc32-4f92-8982-f9dd17fd3114*" { "Semi-Annual Enterprise Channel" }
        "*b8f9b850-328d-4355-9145-c59439a0c4cf*" { "Semi-Annual Enterprise Channel (Preview)" }
        default { "Unknown Channel" }
    }
    Write-Host "Current channel: $channel" -ForegroundColor Green
} else {
    Write-Host "Office configuration not found" -ForegroundColor Red
}
```

Monitoring and validation
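Building on the channel check above, this added example (not part of the original article) compares the channel assigned by policy with the channel Click-to-Run actually pulls from, so a device where the Intune profile has not taken effect shows up as drift. The policy registry path, the "updatebranch" value names and the function name Test-OfficeChannelDrift are assumptions not taken from the page and should be confirmed on a managed device; the sample input is constructed.

```powershell
# Added example: policy-assigned channel vs. channel actually in use.
# Office CDN channel GUID -> 'updatebranch' policy value (assumed mapping, verify in your tenant).
$ChannelByGuid = @{
    '492350f6-3a01-4f97-b9c0-c7c6ddf67d60' = 'Current'
    '55336b82-a18d-4dd6-b5f6-9e5095c314a6' = 'MonthlyEnterprise'
    '7ffbc6bf-bc32-4f92-8982-f9dd17fd3114' = 'Deferred'              # Semi-Annual Enterprise
    'b8f9b850-328d-4355-9145-c59439a0c4cf' = 'FirstReleaseDeferred'  # SAEC Preview
    '5440fd1f-7ecb-4221-8110-145efaa6372f' = 'InsiderFast'           # Beta
}

function Test-OfficeChannelDrift {
    param(
        [string]$PolicyBranch,   # 'updatebranch' value under the Office update policy key
        [string]$CdnBaseUrl      # 'CDNBaseUrl' value under ClickToRun\Configuration
    )
    # Extract the channel GUID from the CDN URL and translate it to a branch name.
    $effective = 'Unknown'
    if ($CdnBaseUrl -match '[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}') {
        $guid = $Matches[0].ToLower()
        if ($ChannelByGuid.ContainsKey($guid)) { $effective = $ChannelByGuid[$guid] }
    }
    # No policy value means the device is unmanaged for channel selection.
    $status = if (-not $PolicyBranch) { 'NoPolicy' }
              elseif ($effective -eq $PolicyBranch) { 'Compliant' }
              else { 'Drift' }
    [PSCustomObject]@{ Policy = $PolicyBranch; Effective = $effective; Status = $status }
}

# Constructed sample: policy says Monthly Enterprise, device still pulls from Current Channel.
$sampleUrl = 'http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60'
Test-OfficeChannelDrift -PolicyBranch 'MonthlyEnterprise' -CdnBaseUrl $sampleUrl

# On a managed workstation, feed the function the live registry values instead.
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate'   # assumed path
$c2rKey = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
$pol = Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue
$c2r = Get-ItemProperty -Path $c2rKey -ErrorAction SilentlyContinue
if ($c2r) {
    Test-OfficeChannelDrift -PolicyBranch $pol.updatebranch -CdnBaseUrl $c2r.CDNBaseUrl
}
```

A "Drift" or "NoPolicy" result on a production device is worth investigating before the next patch cycle, since that device may not be receiving updates on the schedule the profile intends.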
Via the Microsoft 365 Apps administration center
Access the portal: https://config.office.com
In the Inventory section, review:
- Version distribution by channel
- Build support status
- Deployment compliance

PowerShell reporting script
```powershell
# Generate a compliance report
Connect-MgGraph -Scopes "Directory.Read.All"

$devices = Get-MgDevice -Filter "operatingSystem eq 'Windows'" -All

$report = foreach ($device in $devices) {
    # Retrieve the device's registered owner(s) via the Graph API.
    # Note: the directory device object does not carry Office version data.
    $owners = Get-MgDeviceRegisteredOwner -DeviceId $device.Id

    [PSCustomObject]@{
        DeviceName      = $device.DisplayName
        LastSync        = $device.ApproximateLastSignInDateTime
        RegisteredOwner = ($owners | ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }) -join '; '
        # Directory device objects expose IsCompliant rather than ComplianceState
        ComplianceState = $device.IsCompliant
    }
}

$report | Export-Csv -Path "Office365_Compliance_Report.csv" -NoTypeInformation
```

Warning
Ensure you have the necessary Graph API permissions before running these scripts.
Glossary of terms
- CDN (Content Delivery Network): Infrastructure for distributing Microsoft updates
- CVE (Common Vulnerabilities and Exposures): Standardized identifiers for vulnerabilities
- ADMX: Administrative template files for group policies
- Settings Catalog: Modern interface for configuring policies in Intune
- Build: Specific version of a Microsoft 365 application



