Muokkaa

Jaa


Overview of the Security Update Status and Vulnerabilities in the Microsoft 365 Apps Admin Center

The Security Update Status page in the Microsoft 365 Apps admin center offers insights into the security updates for Microsoft 365 Apps across devices. It helps administrators understand and maintain the security posture of their devices by tracking the installation of the latest security updates. This feature is essential for ensuring a secure and protected environment for Microsoft 365 Apps users.

Requirements

Supported built-in admin roles

You can use the following built-in Microsoft Entra roles for accessing and managing the feature:

Important

Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.

Role Description
Office Apps Administrator (Recommended) This role can manage Office apps cloud services, including policy and settings management, and manage the ability to select, unselect, and publish 'what's new' feature content to end-user's devices.
Security Administrator This role can read security information and reports and manage configuration in Microsoft Entra ID and Office 365.
Global Administrator This role can manage all aspects of Microsoft Entra ID and Microsoft services that use Microsoft Entra identities.

Note

Global Reader is another built-in role supported by the Microsoft 365 Apps admin center, but it does not support some features like cloud update or the Modern App Settings page.

Licensing requirements

Your user must be assigned to one of the following subscription plans:

Type Subscription Plan
Education
  • Microsoft 365 A3
  • Microsoft 365 A5
  • Business
  • Microsoft 365 Business Standard
  • Microsoft 365 Business Premium
  • Enterprise
  • Office 365 E3
  • Office 365 E5
  • Microsoft 365 E3
  • Microsoft 365 E5
  • Important

    The following plans are not supported:

    • Microsoft 365 operated by 21Vianet
    • Microsoft 365 GCC
    • Microsoft 365 GCC High and DoD

    Product version requirements

    You can manage Microsoft 365 Apps on Windows with the following version requirements:

    Network requirements

    Devices running Microsoft 365 Apps require access to the following endpoints:

    Microsoft service URLs required on allowlist
    Microsoft 365 Apps admin center
  • login.live.com
  • *.office.com
  • *.office.net
  • Office Content Delivery Network (CDN)
  • officecdn.microsoft.com
  • officecdn.microsoft.com.edgesuite.net
  • otelrules.azureedge.net
  • Source: Microsoft 365 URLs and IP address ranges

    Accumulated Vulnerabilities and Update Schedule

    The admin center displays both the accumulated vulnerabilities and the count of devices lagging in updates. A device that wasn't updated misses at least one security patch, making it a potential risk. All channels receive security builds on the second Tuesday of every month, and for those using Monthly Enterprise Channel, this security build is incorporated as part of the new monthly version. Each installation version receives a monthly security update for the duration of its support.

    How to View Security Update Status

    To view the security update status for the devices in your inventory, follow these steps:

    1. Sign in to the Microsoft 365 Apps admin center with your admin account, and then go to Health > Security Update Status in the navigation pane.
    2. Complete the setup wizard if viewing security update status for the first time.
    3. Insights about active devices start to appear on the page within two hours.

    Update Status Insight and Security Vulnerability Details

    The Update status on the Security Update Status page shows what percentage of your devices installed the most recent security update. The date of the most recent security update is listed at the top of the page for reference. For a list of security updates, see Release notes for Microsoft Office security updates.

    Your devices in inventory are evaluated against the most recent security update, depending on the assigned update channel. Devices can be in one of the following three categories:

    • Up to date - Installed the most recent security update.
    • Not up to date - The most recent security update isn't installed.
    • Unknown - Security update status couldn't be retrieved.

    You can also drill down to view a list of all devices or a filtered view of the devices that aren't up to date.

    In the security vulnerability details, each monthly security release is listed, meaning the device list displays devices from every channel.

    Goal Insight

    The Goal insight helps track progress in updating devices with each security update. Setting a goal involves specifying the percentage of devices you want to update within a timeframe.

    Setting a goal doesn't create any policies or changes to your devices. The goal is used only for your personal reporting on the Security Update Status page.

    Update Status by Channel Insight and Updating Devices

    The Update status by channel insight shows the update status of devices based on their update channel. Admins should anticipate up to a week to ensure all devices are updated. Devices lagging by more than two security builds should be prioritized. The recommended method for updating devices is with a cloud update for automated cloud management.