Microsoft Office 365 E3 Update management



Please help to understand:


1. Apply automatic update

2. Report about Office versions in the organization

3. The Office 365 Update process


Apply automatic update:

Deployed the Intune policy Administrative template to:

a) Enable Automatic Updates

b) Hide the end-user option to disable the update

c) Set update release as Current Channel

d) Deadline for Office update X days

e) Set Admin.Microsoft.Com to use Current Channel


Is it good enough to ensure that tenant users' Office will be up to date?

Or would we be better off enrolling under the Monthly Enterprise profile?

If we enable Get other updates with Windows Updates, this process will update Office?


Report about Office versions in the organization:

Having the most accurate report, the best like live,

For example, recently there was a vulnerability related to Office Update; it would be extremely necessary to know the current status together with the last device sync date... But we have 4x locations:


Knowing that a-b-d reports require from 48 up to 72 hours to get an update, not sure if we can really count on those reports for "live view"...

So which is best to use? Intune?


The Office 365 Update process

Is it the Task Scheduler that is triggering the Office update? Can admins trigger the Office update when critical updates are needed, and how? PowerShell for Intune?

If the user uses the Outlook Desktop app for the whole day, but in order to apply Office updates, all the Office apps must be closed, does this mean that Office updates will apply only after the user restarts the device? And what if the user uses Sleep mode?

Why does the Task Scheduler task "Office Update 2.0" have the status "the task never run"?




3 Replies
On "1. Apply automatic update":
"If we enable Get other updates with Windows Updates, this process will update Office?" > No, it will not.
"Set Admin.Microsoft.Com to use Current Channel" > This setting only applies to unmanaged devices, so all your Intune devices would ignore this setting. Also, this setting only sets the update channel; it does not enforce updates.
"steps a-d" > These steps are sufficient assuming that most of your devices are managed by Intune. If you have a bunch of personal/BYOD devices connected to your tenant, these settings will not apply.

For these scenarios, using servicing profiles is the more comprehensive solution, as for a servicing profile it doesn't matter if the device is managed by Intune or not.
"Report about Office updates":
If your devices are running Microsoft 365 Apps, we recommend using the Security Update Status page: The report shows you the current state of your inventory related to security. As devices are uploading a current inventory snapshot every 24 hrs, the shown data is on average just 12 hrs behind reality.

If you have other Office releases like Office 2019/2021 in your mix, Intune might be the better tool. But again, Intune can only show you managed devices, while Security Update Status page shows you all Microsoft 365 Apps instances which are connected to your tenant.
best response confirmed by lightupdifire (Contributor)
"The Office 365 Update process"
The scheduled task runs on a regular basis; manually triggering the task will not expedite updates.

The update engine will try to apply the update after it has been downloaded and extracted. It will continue to try to apply the update every 90 minutes. It will apply the update during reboot. It will try to apply the update during "OS is locked + OS is in idle". If these attempts were not successful, it will show a prompt to the user after "first attempt + your deadline value"; in parallel it will continue to try to apply the update.
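
A device-side check for the policy settings a-d from the question and the installed Office build, as an added example that is not part of the original thread or of Microsoft's tooling. It can be run locally or from a management script when the tenant reports lag behind. The registry paths and value names are assumptions not stated on this page (the Click-to-Run configuration key and the Office ADMX policy key as commonly documented); confirm them on a reference device before relying on the result.

```powershell
# Added example: reads the local Office update state. Run it as a script file, elevated or as SYSTEM.
# ASSUMPTION: key paths and value names below are not from the thread; verify them in your build.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate'
$c2rKey    = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is missing instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$report = [pscustomobject]@{
    ComputerName      = $env:COMPUTERNAME
    CheckedAtUtc      = (Get-Date).ToUniversalTime().ToString('s')
    InstalledVersion  = Get-RegValue $c2rKey 'VersionToReport'
    C2RUpdatesEnabled = Get-RegValue $c2rKey 'UpdatesEnabled'
    C2RChannelUrl     = Get-RegValue $c2rKey 'CDNBaseUrl'
    PolicyAutoUpdate  = Get-RegValue $policyKey 'enableautomaticupdates'    # step a
    PolicyHideToggle  = Get-RegValue $policyKey 'hideenabledisableupdates'  # step b
    PolicyChannel     = Get-RegValue $policyKey 'updatebranch'              # step c
    PolicyDeadline    = Get-RegValue $policyKey 'updatedeadline'            # step d
}

# Compare what actually landed on the device with what the policy was meant to set.
$findings = @()
if (-not $report.InstalledVersion)      { $findings += 'No Click-to-Run Office installation found' }
if ($report.PolicyAutoUpdate -ne 1)     { $findings += 'a) automatic updates are not enforced by policy' }
if ($report.PolicyHideToggle -ne 1)     { $findings += 'b) the user can still turn updates off' }
if ($report.PolicyChannel -ne 'Current'){ $findings += "c) policy channel is '$($report.PolicyChannel)', expected 'Current'" }
if (-not $report.PolicyDeadline)        { $findings += 'd) no update deadline is configured' }

$report | Format-List
if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
    exit 1   # non-zero exit lets a management tool flag the device
}
Write-Output 'Office update policy a-d is present on this device.'
exit 0
```

The output is a point-in-time snapshot of one device, so the `CheckedAtUtc` field should be kept alongside the version when results are collected centrally.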