Overview of the Security Update Status and Vulnerabilities in the Microsoft 365 Apps Admin Center
The Security Update Status page in the Microsoft 365 Apps admin center offers insights into the security updates for Microsoft 365 Apps across devices. It helps administrators understand and maintain the security posture of their devices by tracking the installation of the latest security updates. This feature is essential for ensuring a secure and protected environment for Microsoft 365 Apps users.
Requirements
Supported built-in admin roles
You can use the following built-in Microsoft Entra roles for accessing and managing the feature:
Important
Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
| Role | Description |
|---|---|
| Office Apps Administrator (Recommended) | This role can manage Office apps cloud services, including policy and settings management, and manage the ability to select, unselect, and publish 'what's new' feature content to end-user's devices. |
| Security Administrator | This role can read security information and reports and manage configuration in Microsoft Entra ID and Office 365. |
| Global Administrator | This role can manage all aspects of Microsoft Entra ID and Microsoft services that use Microsoft Entra identities. |
Note
Global Reader is another built-in role supported by the Microsoft 365 Apps admin center, but it does not support some features like cloud update or the Modern App Settings page.
Licensing requirements
Your user must be assigned to one of the following subscription plans:
| Type | Subscription Plan |
|---|---|
| Education | |
| Business | |
| Enterprise |
Important
The following plans are not supported:
- Microsoft 365 operated by 21Vianet
- Microsoft 365 GCC
- Microsoft 365 GCC High and DoD
Product version requirements
You can manage Microsoft 365 Apps on Windows with the following version requirements:
- Supported version of Microsoft 365 Apps
- Supported version of Microsoft Windows 10/11
- Supported version of Windows Server that supports Microsoft 365 Apps
Network requirements
Devices running Microsoft 365 Apps require access to the following endpoints:
| Microsoft service | URLs required on allowlist |
|---|---|
| Microsoft 365 Apps admin center | |
| Office Content Delivery Network (CDN) |
Source: Microsoft 365 URLs and IP address ranges
Accumulated Vulnerabilities and Update Schedule
The admin center displays both the accumulated vulnerabilities and the count of devices lagging in updates. A device that wasn't updated misses at least one security patch, making it a potential risk. All channels receive security builds on the second Tuesday of every month, and for those using Monthly Enterprise Channel, this security build is incorporated as part of the new monthly version. Each installation version receives a monthly security update for the duration of its support.
How to View Security Update Status
To view the security update status for the devices in your inventory, follow these steps:
- Sign in to the Microsoft 365 Apps admin center with your admin account, and then go to Health > Security Update Status in the navigation pane.
- Complete the setup wizard if viewing security update status for the first time.
- Insights about active devices start to appear on the page within two hours.
Update Status Insight and Security Vulnerability Details
The Update status on the Security Update Status page shows what percentage of your devices installed the most recent security update. The date of the most recent security update is listed at the top of the page for reference. For a list of security updates, see Release notes for Microsoft Office security updates.
Your devices in inventory are evaluated against the most recent security update, depending on the assigned update channel. Devices can be in one of the following three categories:
- Up to date - Installed the most recent security update.
- Not up to date - The most recent security update isn't installed.
- Unknown - Security update status couldn't be retrieved.
You can also drill down to view a list of all devices or a filtered view of the devices that aren't up to date.
In the security vulnerability details, each monthly security release is listed, meaning the device list displays devices from every channel.
Goal Insight
The Goal insight helps track progress in updating devices with each security update. Setting a goal involves specifying the percentage of devices you want to update within a timeframe.
Setting a goal doesn't create any policies or changes to your devices. The goal is used only for your personal reporting on the Security Update Status page.
Update Status by Channel Insight and Updating Devices
The Update status by channel insight shows the update status of devices based on their update channel. Admins should anticipate up to a week to ensure all devices are updated. Devices lagging by more than two security builds should be prioritized. The recommended method for updating devices is with a cloud update for automated cloud management.