Microsoft 365 Apps for enterprise
Important
The information in this article or section only applies if you have Windows Enterprise E3+ or F3 licenses (included in Microsoft 365 F3, E3, or E5) licenses and have activated Windows Autopatch features.
Feature activation is optional and at no additional cost to you if you have Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5) licenses.
For more information, see Licenses and entitlements. If you choose not to go through feature activation, you can still use the Windows Autopatch service for the features included in Business premium and A3+ licenses.
Service level objective
Important
To update Microsoft 365 Apps for enterprise, you must create at least one Autopatch group first and Microsoft 365 app update setting must be set to Allow. For more information on workloads supported by Windows Autopatch groups, see Software update workloads.
Windows Autopatch aims to keep at least 90% of eligible devices on a supported version of the Monthly Enterprise Channel (MEC) for the:
- Enterprise Standard Suite. The Enterprise Standard Suite includes Access, Excel, OneNote, Outlook, PowerPoint, and Word.
- Subscription versions of Microsoft Project and Visio desktop apps, for example, Project Plan 3 or Visio Plan 2.
Microsoft 365 Apps deployed on the Monthly Enterprise Channel are supported for two months.
Note
Microsoft Teams uses a different update channel from the rest of Microsoft 365 Apps.
Device eligibility
For a device to be eligible for Microsoft 365 Apps for enterprise updates (both 32-bit and 64-bit versions), as a part of Windows Autopatch, they must meet the following criteria:
- The device must be turned on and have an internet connection.
- The device must be able to access the required network endpoints to reach the Office Content Delivery Network (CDN).
- There are no policy conflicts between Microsoft Autopatch policies and customer policies.
- The device must check into the Intune service in the last five days.
- If Microsoft 365 Apps are running, the apps must close for the update process to complete.
Update release schedule
All devices registered for Windows Autopatch receive updates from the Monthly Enterprise Channel. This practice provides your users with new features each month, and they receive just one update per month on a predictable release schedule. Updates are released on the second Tuesday of the month; these updates can include feature, security, and quality updates. These updates occur automatically and pulled directly from the Office Content Delivery Network (CDN).
Unlike Windows update, the Office CDN doesn't make the update available to all devices at once. Over the course of the release, the Office CDN gradually makes the update available to the whole population of devices. Windows Autopatch doesn't control the order in which updates are offered to devices across your estate. After the update downloads, there's a seven day update deadline that specifies how long the user has until the user must apply the update.
Deployment rings
Since the Office CDN determines when devices are offered updates, Windows Autopatch doesn't use rings to control the rollout of these updates.
End user experience
Windows Autopatch configures the following end user experiences:
- Behavior during updates
- Office client
Behavior during updates
Note
If Microsoft 365 Apps are running, the apps must close for the update process to complete.
Updates are only applied when Microsoft 365 Apps aren't running. Therefore, end user notifications for Microsoft 365 Apps usually appear when:
- The user is working in a Microsoft 365 App, such as Microsoft Outlook, and didn't closed it in several days.
- The update deadline arrives and the updates still aren't applied.
Office client app configuration
To ensure that users are receiving automatic updates, Windows Autopatch prevents the user from opting out of automatic updates.
Microsoft 365 Apps for enterprise update controls
Windows Autopatch doesn't allow you to pause or roll back an update in the Microsoft Intune admin center.
Submit a support request to the Windows Autopatch Service Engineering Team to pause or roll back an update when needed.
Note
Updates are bundled together into a single release in the Monthly Enterprise Channel. Therefore, we can't roll back only a portion of the update for Microsoft 365 Apps for enterprise.
Allow or block Microsoft 365 App updates
Important
You must be an Intune Administrator to make changes to the setting.
For organizations seeking greater control, you can allow or block Microsoft 365 App updates for Windows Autopatch-enrolled devices.
| Microsoft 365 App setting | Description |
|---|---|
| Allow | When set to Allow, Windows Autopatch moves all Autopatch managed devices to the Monthly Enterprise Channel and manages updates automatically. To manage updates manually, set the Microsoft 365 App update setting to Block. |
| Block | When set to Block, Windows Autopatch doesn't provide Microsoft 365 App updates on your behalf, and your organizations have full control over these updates. You can continue to receive updates from channels other than the default Monthly Enterprise Channel. |
To allow or block Microsoft 365 App updates:
- Go to the Microsoft Intune admin center.
- Navigate to the Tenant administration > Windows Autopatch > Autopatch groups > Update settings.
- Go to the Microsoft 365 apps updates section. By default, the Allow/Block toggle is set to Block.
- Turn off the Allow toggle to opt out of Microsoft 365 App update policies. You see the notification: Update in process. This setting will be unavailable until the update is complete.
- Once the update is complete, you receive the notification: This setting is updated.
Note
If the notification: This setting couldn't be updated. Please try again or submit a support request. appears, use the following steps:
- Refresh your page.
- Please repeat the same steps in To block Microsoft 365 apps updates.
- If the issue persists, submit a support request.
To verify if the Microsoft 365 App update setting is set to Allow:
- Go to the Microsoft Intune admin center.
- Navigate to Devices > Configuration profiles > Profiles.
- The following profiles should be discoverable from the list of profiles:
- Windows Autopatch - Office Configuration
- Windows Autopatch - Office Update Configuration [Test]
- Windows Autopatch - Office Update Configuration [First]
- Windows Autopatch - Office Update Configuration [Fast]
- Windows Autopatch - Office Update Configuration [Broad]
To verify if the Microsoft 365 App update setting is set to Block:
- Go to the Microsoft Intune admin center.
- Navigate to Devices > Configuration profiles > Profiles.
- The following profiles should be removed from your list of profiles and no longer visible/active. Use the Search with the keywords "Office Configuration". The result should return 0 profiles filtered.
- Windows Autopatch - Office Configuration
- Windows Autopatch - Office Update Configuration [Test]
- Windows Autopatch - Office Update Configuration [First]
- Windows Autopatch - Office Update Configuration [Fast]
- Windows Autopatch - Office Update Configuration [Broad]
Compatibility with Servicing Profiles
Servicing profiles is a feature in the Microsoft 365 Apps admin center that provides controlled update management of monthly Office updates, including controls for user and device targeting, scheduling, rollback, and reporting.
A service profile takes precedence over other policies, such as a Microsoft Intune policy or the Office Deployment Tool. The servicing profile affects all devices that meet the device eligibility requirements regardless of existing management tools in your environment. So, if you're targeting a managed device with a servicing profile it's ineligible for Microsoft 365 App update management. However, the device might still be eligible for other managed updates.
Incidents and outages
If you're experiencing issues related to Microsoft 365 Apps for enterprise updates, submit a support request.