Bewerken

Share via


Overview of cloud update in the Microsoft 365 Apps admin center

Cloud update provides a modern update management solution for Microsoft 365 Apps. Use cloud update to address common servicing needs with features such as custom rollout waves, exclusion windows, pause, and rollback. It works for organizations of any size, handling compatibility concerns for larger environments while offering simpler controls for smaller businesses. In addition, cloud update makes Copilot readiness easier by maintaining monthly updates with minimal administrative effort.

Getting started with cloud update

Cloud update is the recommended tool for servicing Microsoft 365 Apps. Use the following resources to prepare, enable, configure, and monitor cloud update for your organization.

  1. Review the requirements for using cloud update to ensure your environment is ready.
  2. Review how cloud update works with other management tools and verify that you don't have any conflicts.
  3. Review how cloud update uses channel to profile mapping for identifying eligible devices and onboarding them for update management.
  4. Learn more about the controls and settings available with cloud update.
  5. Follow the guide to enable and configure cloud update.
  6. Refer to the troubleshooting section for more advanced topics.

Requirements

Supported built-in admin roles

You can use the following built-in Microsoft Entra roles for accessing and managing the feature:

Important

Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.

Role Description
Office Apps Administrator (Recommended) This role can manage Office apps cloud services, including policy and settings management, and manage the ability to select, unselect, and publish 'what's new' feature content to end-user's devices.
Security Administrator This role can read security information and reports and manage configuration in Microsoft Entra ID and Office 365.
Global Administrator This role can manage all aspects of Microsoft Entra ID and Microsoft services that use Microsoft Entra identities.

Note

Global Reader is another built-in role supported by the Microsoft 365 Apps admin center, but it does not support some features like cloud update or the Modern App Settings page.

Licensing requirements

Your user must be assigned to one of the following subscription plans:

Type Subscription Plan
Education
  • Microsoft 365 A3
  • Microsoft 365 A5
  • Business
  • Microsoft 365 Business Standard
  • Microsoft 365 Business Premium
  • Enterprise
  • Office 365 E3
  • Office 365 E5
  • Microsoft 365 E3
  • Microsoft 365 E5
  • Important

    The following plans are not supported:

    • Microsoft 365 operated by 21Vianet
    • Microsoft 365 GCC
    • Microsoft 365 GCC High and DoD

    Product version requirements

    You can manage Microsoft 365 Apps on Windows with the following version requirements:

    Network requirements

    Devices running Microsoft 365 Apps require access to the following endpoints:

    Microsoft service URLs required on allowlist
    Microsoft 365 Apps admin center
  • login.live.com
  • *.office.com
  • *.office.net
  • Office Content Delivery Network (CDN)
  • officecdn.microsoft.com
  • officecdn.microsoft.com.edgesuite.net
  • otelrules.azureedge.net
  • Source: Microsoft 365 URLs and IP address ranges

    Microsoft Entra groups requirements

    Cloud update has multiple features that support the use of Microsoft Entra groups. For example, groups can be used to configure custom rollout waves, setup device exclusions or exclude a certain group of devices from updates for a specific time frame.

    Using Microsoft Entra groups is supported under the following conditions:

    • Both device objects and user objects can be used and also added to the same group.
    • Device objects must be Microsoft Entra joined or hybrid joined.
    • User objects must be present in Microsoft Entra ID and have a supported license assigned.
    • Multiple groups can be used, but a single group should contain no more than 20,000 objects.
    • Nested groups support up to three levels deep.

    Touring cloud update

    Overview dashboard

    The Updates Overview page for cloud update provides an at-a-glance view of your update progress, health, and management status for all of your channel profiles.

    • Update progress shows the current update progress for all update channels, filterable by channel profile. Use this view to see how your rollout is progressing for the latest build. Drill down deeper to see all managed or unmanaged devices.

    • Channel overview shows the active channel profiles for your tenant, including their status, current release, and release date.

    • Update failures shows all reported failures and issues that might require attention. Drill down deeper to see the individual devices and determine if any other action is required to ensure these devices are active and checking in.

    • Tenant Settings is a separate tab on the overview page for configuring tenant-level settings, such as exclusion windows and exclude groups.

    Monthly Enterprise Channel profile

    Monthly Enterprise Channel delivers updates once a month on a predictable schedule (patch Tuesday). With this cadence, the Monthly Enterprise Channel profile is able to support more controls, such as rollout waves and update validation.

    The Monthly Enterprise Channel profile page for cloud update provides an at-a-glance view of your update progress, management status, and health for devices on Monthly Enterprise Channel.

    • Rollout information provides you with insights about the active state of the profile and current release details.

    • Update progress shows the current update progress for devices managed by the Monthly Enterprise Channel profile. Use this view to see how your rollout is progressing for the latest build. Drill down deeper to see all devices managed by this profile.

    • Update validation shows you deployment health insights about the latest update when using custom rollout waves. Use these insights to determine the update's effect on your environment.

    • Update failures shows all reported failures and issues for the Monthly Enterprise Channel profile that might require attention. Drill down deeper to see the individual devices and determine if any other action is required to ensure these devices are active and checking in.

    • Profile settings is a separate tab on this page for configuring profile-specific settings, such as rollout waves and the update deadline.

    Current Channel profile

    Current Channel delivers updates multiple times a month, on an unset schedule as soon as they're ready for customers. Due to this cadence, the Current Channel profile a reduced set of features that fit the channel dynamic.

    The Current Channel profile page for cloud update provides an at-a-glance view of your update progress, management status, and health for devices on Current Channel.

    • Rollout information provides you with insights about the active state of the profile and current release details.

    • Update progress shows the current update progress for devices managed by the Current Channel profile. Use this view to see how your rollout is progressing for the latest build. Drill down deeper to see all devices managed by this profile.

    • Potential update issues shows potential issues that might require more attention to ensure devices are reporting in and receiving their updates. Failure details aren't available for this profile due to the fast-paced nature of Current Channel.

    • Profile settings is a separate tab on this page for configuring profile-specific settings, such as the update deadline.

    Profile controls

    Profile controls are management actions available for each individual profile, unless otherwise specified.

    Pause

    Note

    Pause is only available for devices managed by the Monthly Enterprise Channel profile.

    Pause is a feature allowing you to stop all update actions. For example, if the latest update for Microsoft 365 Apps isn't compatible with another app in your environment, you can pause the profile until the issue is resolved. Keep these points in mind when using pause:

    • When you pause a cloud update profile, all remaining update deployments are halted. They remain halted until an admin resumes the profile. Resume the profile as soon as possible to prevent blocking your devices from receiving updates.
    • When devices are already in the "in progress" state, the update installation continues. Consider issuing a rollback on these devices if necessary.
    • When a profile is paused, the rollback feature is still acknowledged.

    To pause and resume a profile, follow these steps:

    1. Sign in to the Microsoft 365 Apps admin center with a privileged account.
    2. Expand Cloud Update from the left navigation and select Monthly Enterprise Channel.
    3. On the Overview tab of the Monthly Enterprise Channel profile, select Pause channel. After a moment, the button changes to Resume channel.
    4. Confirm the channel is paused by selecting the Overview page from the left navigation and reviewing the Channel overview card.
    5. Resume the profile by returning to the Monthly Enterprise Channel profile page and selecting Resume channel.

    Note

    For rollout waves, the scheduled rollout continues when a profile is paused and does not restart when the profile is resumed.

    Rollback

    Note

    Rollback is only available for devices managed by the Monthly Enterprise Channel profile.

    Rollback enables you to roll back a device to a previous version. For example, if your finance department experiences an issue with the latest version of Excel, you can roll them back to the previous version. Keep these points in mind when using rollback:

    • Devices that are rolled back will stay on the previous version until the next version is released. When the new version releases, devices in a rolled-back state revert to their regular update schedule. They skip the previous version and update to the latest release.
    • If the underlying issue was resolved, you can cancel a rollback action before the next version is available.
    • A rollback can still be initiated when a profile is paused.
    • Devices always roll back to the previous version of the Monthly Enterprise Channel. It isn't possible to roll devices back to another channel.

    To trigger a rollback, follow these steps:

    1. Sign in to the Microsoft 365 Apps admin center with a privileged account.
    2. Expand Cloud Update from the left navigation and select Monthly Enterprise Channel.
    3. On the Overview tab of the Monthly Enterprise Channel profile, select Channel actions > Rollback devices.
    4. On the flyout, select the version you want to roll the device back to, enter the name of the device or devices, and select Roll back.
    5. The rollback action takes 24 hours to complete. You can monitor the status from the Overview page by selecting Channel actions > Manage rolled back devices.

    Tenant settings

    Tenant settings apply to all profiles, unless otherwise specified. Available settings include exclusion windows and exclude groups.

    Exclusion windows

    Note

    Exclusion windows is only available for devices managed by the Monthly Enterprise Channel profile.

    Exclusion windows enables you to limit change in your environment during busy periods, such as tax season or at the end of the fiscal year. Create an exclusion window to prevent devices from downloading updates during specific dates. Keep these points in mind when using exclusion windows:

    • By default, exclusion windows affect all devices managed by a corresponding cloud update profile.
    • You can set an exclusion window for specific devices or users in a Microsoft Entra group. Only these specified devices or users are excluded from updates, while all other devices follow their regular update schedule.
    • Update exclusions start and end at 00:00 UTC on the specified dates, not local device time.
    • Consider adding a buffer when scheduling a start and end date to accommodate UTC. If a device received the update policy before the exclusion window applies, it continues with the update installation.
    • Exclusion windows supports groups. Refer to the Microsoft Entra group requirements for cloud update.

    To create and manage an exclusion window, follow these steps:

    1. Sign in to the Microsoft 365 Apps admin center with a privileged account.
    2. Expand Cloud Update from the left navigation and select Overview.
    3. On the Overview page, select the Tenant Settings tab.
    4. From Tenant Settings, select Exclusion windows.
    5. Select Add exclusion window.
    6. From the flyout, provide a name, description, schedule, and scope. Select Create.
    7. Once an exclusion window is created, you can monitor, edit, and/or delete it from the Exclusion windows page.

    Note

    For rollout waves, the scheduled rollout continues when an exclusion window is active and does not restart when updates resume.

    Exclude groups

    Cloud update is designed to give you full update coverage across the devices on Current Channel and Monthly Enterprise Channel. However, there could be situations where you need to exclude specific devices or users. For example, you might need to move a device to an update channel that isn't currently available with cloud update. Keep these points in mind when using exclude groups:

    • Refer to the Microsoft Entra group requirements for cloud update.
    • Exclude groups is a tenant-level setting and applies to all profiles.
    • Excluded devices are reflected in your device inventory within 24 hours. You can confirm a device was excluded by reviewing the Cloud Update Status column.
    • Once a device is marked as excluded, you can change the following registry value to regain control: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\cloud\office\16.0\Common\officeupdate
      Value: IgnoreGPO=0

    To add or modify a group exclusion, follow these steps:

    1. Sign in to the Microsoft 365 Apps admin center with a privileged account.
    2. Expand Cloud Update from the left navigation and select Overview.
    3. On the Overview page, select the Tenant Settings tab.
    4. From Tenant Settings, select Exclude groups.
    5. Select Exclude specific groups of devices.
    6. Select + Add group to list.
    7. From the flyout, add your Microsoft Entra group or groups and choose Add to list.
    8. Select Save.

    Profile settings

    Profile settings are specific to each profile. Available settings include rollout waves, update validation, update deadline, and deactivation.

    Rollout waves

    Devices managed by the Monthly Enterprise Channel profile can use rollout waves.

    Rollout waves let you configure custom waves for your update rollout. For example, you might have a group of early adopters that volunteer to receive changes first, while users in your finance department prefer to get their updates last. Keep these points in mind when using rollout waves:

    • Rollout waves support groups. Refer to the Microsoft Entra group requirements for cloud update.
    • You don't need to include every user or device in a custom rollout wave. A final wave is included by default that includes all remaining devices in the Monthly Enterprise profile.
    • You can configure a delay between waves ranging from 1-5 days.
    • If update validation is enabled, ...
      • wave 1 is locked to 7 days, and all other waves are configured for days between waves.
      • we recommend having at least twenty devices on wave 1, so enough signals are generated.
      • waves start on their assigned start dates. Update validation doesn't halt or delay waves.
    • Rollout waves aren't enforced for expedited actions, such as rollback and switch device update channel. These actions occur outside of a wave assignment.
    • The rollout wave schedule continues even if a profile is paused or during an active exclusion window. For example, if you pause a profile on patch Tuesday and resume 20 days later, all rollout waves pass, and all unpatched devices are eligible for updates.
    • A common practice is to use the first two waves for closer monitoring of the new update, and the latter two waves for broad deployment. Often, wave 1 and 2 covers the first 20% of all devices, while the remaining 80% are covered by wave 3 and 4.

    To configure rollout waves, follow these steps:

    1. Sign in to the Microsoft 365 Apps admin center with a privileged account.
    2. Expand Cloud Update from the left navigation and select Monthly Enterprise Channel.
    3. On the Monthly Enterprise Channel page, select the Settings tab.
    4. From Settings, select Rollout waves.
    5. Select Yes, create rollout waves.
    6. Select + Add waves, provide the groups you want in wave 1, and choose Save. Repeat these steps for waves 2 and 3.
    7. Adjust the Days between waves slider to meet your needs.
    8. Select Save.
    9. Once your waves are configured, you can monitor the wave rollout from the Monthly Enterprise Channel page by clicking on View waves overview beneath the wave chart.

    Important

    Rollout waves can be used to help reduce network congestion. In addition, cloud update includes built-in update thresholds. These include the following:

    • The Current Channel profile leverages the default rollout schedule defined by the Office Content Delivery Network (CDN), which on average reaches full deployment within 5 days of patch Tuesday.
    • The Monthly Enterprise Channel profile has a separate threshold that prevents more than 30% of your eligible devices from updating per day. This same enforcement is applied when using custom rollout waves.

    Update validation

    Update validation is available for devices managed by the Monthly Enterprise Channel profile and using custom rollout waves.

    Update validation is a feature that enables you to validate new updates for the Monthly Enterprise Channel before organization-wide deployment. This feature automatically collects and consolidates health indicators such as app and add-in performance and reliability data and brings attention to any identified issues. Its automated nature reduces the need for manual administrative work and simplifies the update deployment process.

    For more information, watch Introducing Update Validation in the Microsoft 365 Apps admin center or read the full documentation.

    Deadline

    Deadline is available for all cloud update profiles.

    The update deadline is used to ensure updates are applied in a specified period. Keep these points in mind when configuring your update deadline:

    • The update deadline is independently calculated for each device, commencing from the first unsuccessful installation attempt. For example, if open applications prevent the update from installing, the deadline is triggered from this initial failure. The start of the deployment wave and the update's release date do not influence this timeline.
    • If the deadline passes, a prompt is shown to the user, offering the option to close their applications now or postpone the installation.
    • Users can postpone the update installation three times for two hours each, before a final two-hour countdown is shown. If the deadline is around seven hours past already, users can postpone only once.
    • When the countdown reaches zero, the system saves open files, closes necessary applications, applies the update, and then reopens the applications and files. User downtime is less than five minutes.
    • If the deadline is set to zero, users immediately receive a prompt to update if apps are open, with the option to delay the update.
    • When users choose to postpone, the update can still be applied under other conditions. For example, if the device reboots or if Update Under Lock applies.

    To configure the deadline, follow these steps:

    1. Sign in to the Microsoft 365 Apps admin center with a privileged account.
    2. Expand Cloud Update from the left navigation and select an update profile.
    3. On the profile page, select the Settings tab.
    4. From Settings, select Deadline.
    5. Adjust the Update deadline slider to your preferred value and select Save.

    Cloud update review (deactivation)

    Admins have the ability to deactivate a channel profile at any time. Deactivating a profile disables update management for all devices on the corresponding update channel. For example, deactivating the Current Channel profile disables update management for all devices in your tenant that are on Current Channel.

    Important

    Using the switch device update channel feature automatically enables all channel profiles, regardless of deactivation state. This feature is dependent on the cloud update service to function.

    To deactivate a profile, follow these steps:

    1. Sign in to the Microsoft 365 Apps admin center with a privileged account.
    2. Expand Cloud Update from the left navigation and select an update profile.
    3. On the profile page, select the Settings tab.
    4. From Settings, select Cloud Update review.
    5. Review the information and click the link to deactivate the management through cloud update.
    6. Fill out the form and click submit.

    The cloud update status for devices in inventory on a deactivated profile will be updated to Eligible for ChannelName and update management from the service will stop. You can change the following registry value to regain control: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\cloud\office\16.0\Common\officeupdate
    Value: IgnoreGPO=0

    Compatibility with other management tools

    Cloud updates take priority over existing update management settings for Microsoft 365 Apps. For example, if you apply settings through Microsoft Configuration Manager or set policies using Microsoft Intune’s configuration profiles, these settings remain unchanged by the cloud update but aren't enforced anymore. This change affects all devices managed by the cloud update.

    Note

    Cloud update will not change the update settings of other products, such as Windows or Edge. It will also not prevent management solutions from reinstalling Microsoft 365 Apps.

    Channel to profile mapping

    With cloud update enabled, devices are automatically mapped to the corresponding profile based on their update channel. For example, all devices on Current Channel map to the Current Channel profile. Once the devices are mapped to a profile, cloud update delivers the appropriate policies to these devices.

    Cloud update currently supports management for devices on Current Channel and Monthly Enterprise Channel. Devices on any other update channel won't be managed by cloud update until they're moved to a channel that cloud update supports.

    Troubleshooting

    Important

    If you are experiencing any issues enabling cloud update or managing the devices in your environment, be sure to review the requirements for cloud update before proceeding.

    Devices are stuck in an onboarding state

    With cloud update enabled, the service uses channel to profile mapping to automatically identify and onboard devices to their corresponding profile. Devices on the Monthly Enterprise Channel show a status of Onboarding to Monthly Enterprise Channel until a new update is available. Here are the two scenarios where this situation applies:

    • When cloud update first discovers a device with the latest Microsoft 365 Apps version for the Monthly Enterprise Channel already installed, it displays Onboarding to Monthly Enterprise Channel. This status continues until the next update is released, usually on the upcoming patch Tuesday.

    • When cloud update first discovers a device with an outdated Microsoft 365 Apps version for Monthly Enterprise Channel, and is scheduled in a later custom rollout wave, the device displays Onboarding to Monthly Enterprise Channel. This status remains until the device's wave begins and the update is released.

    Devices are updating outside of their assigned wave

    If you are using custom rollout waves, there may be instances where devices update outside of their assigned wave. Review the following scenarios and take any necessary actions:

    • Add-on app deployments: When you install an add-on app, such as Project or Visio, it can trigger an update check when the application is retrieved from the Office CDN. Consider updating your XML to included Version="MatchInstalled" to install the same version of Office, even if a newer version is available.

    • Onboarding devices: Devices that are still in an Onboarding to [channel-name] state are managed by your existing settings until cloud update takes control. During this time, other management settings can enforce updates. Consider excluding devices from these other management tools or wait until the next patch Tuesday cycle for cloud update to engage.

    • Channel change: The switch device update channel feature will trigger an update check. If you initiate a channel change using a group that contains devices already on Monthly Enterprise Channel, those devices will not receive a channel change action, but will check for the latest available update for Monthly Enterprise Channel. Consider removing those devices from the group if you need to ensure they only update within their wave assignment.

    My Device-based group didn't work with [feature name]

    If you're using a group that contains device objects, the devices must be Microsoft Entra joined or hybrid joined. Devices that are Microsoft Entra registered/Workplace joined aren't recognized when the group is processed. As an alternative, consider adding one or more corresponding user objects. For more information, see the requirements for using Microsoft Entra groups.

    I noticed that no Component Object Model (COM) component for Cloud update has been registered on my devices.

    The predecessor of Cloud Update, Servicing Profiles, registered COM objects on a device to manage Microsoft 365 Apps updates. With Cloud Update, the COM object is no longer necessary, so no such control gets registered anymore and this is expected.

    Report a problem

    If you encounter a problem enabling or managing cloud update, first verify that you reviewed the requirements and completed the steps in the troubleshooting section.

    If the problem persists after troubleshooting, open a support ticket with Microsoft. For a quick investigation, include the date and time when the issue was discovered, and provide a detailed description of the problem. Provide a detailed description of the problem. If it relates to a device, gather the Device ID from your device inventory. You can find the Device ID by selecting the device name in inventory and reviewing the flyout.

    Send feedback

    We value your feedback. To submit feature suggestions and report issues, you can use the Feedback button in the top-right corner of the Microsoft 365 Apps admin center.

    Screenshot of a feedback form interface with three options on the left side: 'I Like Something' with a happy face emoji, 'I Don't Like Something' with a frowning face emoji, and 'I Have a Suggestion' highlighted in orange with a light bulb emoji. On the right side, there's a section titled 'What do you suggest?' with a large text box prompting 'Please type in your comment' and a smaller box underneath for an optional email address. There's a checkbox labeled 'Include screenshot' and an orange 'Submit' button. In the bottom left corner is a 'Privacy Statement' link.