Patching Microsoft Office 365 is one of the easiest ways to protect systems and users from harm, yet attackers know that we often delay those updates. Office 365 can update itself automatically in the background, but that doesn’t mean you can’t control what the platform installs. In fact, I highly recommend that you review which update “channel” your Office 365 deployment is set to.
If you have one of the Microsoft 365 business plans that use Office 365 ProPlus, it is set by default to the Semi-Annual Channel. This is the slowest of the three cadences: new features arrive only every six months, in January and July, although security and quality updates still arrive monthly on Patch Tuesday.
If you subscribe to Office 365 Business or one of the Business Premium plans, the default is the Monthly Channel. This channel gives users new features as soon as they are available and typically releases updates at least once a month, often more frequently.
Depending on your firm’s needs, you may want to back off this release cadence to ensure full compatibility with your line-of-business applications. You can configure the channel with Group Policy, the Office Deployment Tool (ODT) or Intune.
To review which patching cadence your system is set for, open Microsoft Word (or another Office application), click “File”, then “Account”, and look at the section at the bottom that starts with “About Word”: it shows the installed build and the update channel it came from.
Review the update channel for Office
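Checking one machine through the File > Account dialog does not scale to a fleet. The following PowerShell script is an added example, not code from the original article: it reads the same information from the Click-to-Run configuration keys in the registry, maps the CDN base URL to a channel name, and reports whether a Group Policy setting is overriding the channel. The registry paths and value names are the documented Click-to-Run and Office update policy locations; the GUID-to-channel table is the documented set of Office CDN channel identifiers. Run it in an elevated PowerShell session on the client.

```powershell
# Added example (not from the original article): report the Click-to-Run update
# channel, build and update settings of the installed Office, plus any Group
# Policy override. Run elevated on the client.

# Documented Office CDN channel identifiers (last path segment of CDNBaseUrl).
$ChannelByCdn = @{
    '492350f6-3a01-4f97-b9c0-c7c6ddf67d60' = 'Monthly Channel'
    '64256afe-f5d9-4f86-8936-8840a6a4f5be' = 'Monthly Channel (Targeted) / Insiders'
    'b8f9b850-328d-4355-9145-c59439a0c4cf' = 'Semi-Annual Channel (Targeted)'
    '7ffbc6bf-bc32-4f92-8982-f9dd17fd3114' = 'Semi-Annual Channel'
    'f2e724c1-748f-4b47-8fb8-8e0d210e9208' = 'PerpetualVL2019 (Office 2019 volume license)'
}

function Get-OfficeUpdateChannel {
    $c2r = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    if (-not (Test-Path $c2r)) { throw 'No Click-to-Run Office installation found.' }
    $cfg = Get-ItemProperty -Path $c2r

    # CDNBaseUrl ends in the GUID that identifies the channel. UpdateChannel is
    # the URL the client actually updates from; it differs from CDNBaseUrl when
    # an internal UpdatePath has been configured.
    $cdnId   = ($cfg.CDNBaseUrl -split '/')[-1]
    $channel = if ($ChannelByCdn.ContainsKey($cdnId)) { $ChannelByCdn[$cdnId] }
               else { "Unknown ($cdnId)" }

    # Group Policy (Office 2016/2019/365 ADMX) writes its update settings here.
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate'
    $gpo = if (Test-Path $pol) { Get-ItemProperty -Path $pol } else { $null }

    [pscustomobject]@{
        Channel           = $channel
        Version           = $cfg.VersionToReport
        UpdatesEnabled    = $cfg.UpdatesEnabled
        UpdateUrl         = $cfg.UpdateChannel
        GpoUpdateBranch   = $gpo.updatebranch            # e.g. Deferred = Semi-Annual
        GpoUpdatePath     = $gpo.updatepath              # internal share, if any
        GpoUpdatesEnabled = $gpo.enableautomaticupdates  # 1 = on, 0 = off
    }
}

Get-OfficeUpdateChannel | Format-List
```

A `GpoUpdateBranch` value that does not match `Channel` means the policy has been set but the client has not yet switched (the change takes effect on the next update check); a blank `UpdatesEnabled` or a `0` in `GpoUpdatesEnabled` is the case to hunt for, because that machine is no longer patching itself at all.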
Updating Microsoft Office 2019
Office 2019 uses a different update channel (PerpetualVL2019 for the volume-license edition). Remember that, like Office 365 ProPlus, Office 2019 is no longer installed or updated through Windows Installer (MSI); it uses Click-to-Run technology. This means that you no longer see Office updates listed in the Windows update history. Both the security and quality updates are installed automatically. Updates are cumulative, so once you get an update you have all previously needed fixes as well. Even so, you’ll want to stay current: Click-to-Run downloads only the differences between the build you have and the new build, so the further behind you fall, the larger the download becomes.
Windows Server Update Services (WSUS) cannot deliver Click-to-Run updates, whether for Office 365 ProPlus or Office 2019, but you can use System Center Configuration Manager (SCCM) to deploy and manage them. Alternatively, use the Office Deployment Tool to download the builds from the Office content delivery network (CDN) to a shared folder on your local network, then set UpdatePath (via Group Policy or the ODT configuration) so clients use that local share as their update repository instead of the CDN.
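As an added example (not code from the original article), this PowerShell script stages a Click-to-Run build on an internal share with the Office Deployment Tool, checks what landed, and then sets the UpdatePath policy values that Group Policy would normally write on each client. The ODT path `C:\ODT\setup.exe`, the share `\\fileserver\OfficeUpdates` and the `en-us` language are hypothetical placeholders; the XML elements, the `Broad` and `PerpetualVL2019` channel names, the policy registry values and the `OfficeC2RClient.exe /update user` switch are documented ODT and Click-to-Run interfaces.

```powershell
# Added example (not from the original article): build an internal Office update
# repository with the Office Deployment Tool (ODT) and point clients at it.
# Assumed/hypothetical paths: C:\ODT\setup.exe and \\fileserver\OfficeUpdates.

$OdtPath   = 'C:\ODT\setup.exe'
$SharePath = '\\fileserver\OfficeUpdates'
# "Broad" is the ODT name for the Semi-Annual Channel of Office 365 ProPlus.
# Office 2019 volume-license clients use Channel="PerpetualVL2019" and
# Product ID="ProPlus2019Volume" instead.
$Channel   = 'Broad'

# 1. ODT configuration that downloads the current build of $Channel into
#    $SharePath\Office\Data\<version>.
$downloadXml = @"
<Configuration>
  <Add SourcePath="$SharePath" OfficeClientEdition="64" Channel="$Channel">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us" />
    </Product>
  </Add>
</Configuration>
"@
$xmlFile = Join-Path $env:TEMP 'download.xml'
Set-Content -Path $xmlFile -Value $downloadXml -Encoding UTF8

# 2. Pull the build from the Office CDN onto the share. Re-run this after each
#    Patch Tuesday so the share carries the newest cumulative build; clients
#    can only be as current as the share is.
& $OdtPath /download $xmlFile
if ($LASTEXITCODE -ne 0) { throw "ODT download failed with exit code $LASTEXITCODE" }

# 3. Verify what is staged: one folder per build under Office\Data.
Get-ChildItem -Path (Join-Path $SharePath 'Office\Data') -Directory |
    Select-Object Name, LastWriteTime

# 4. On each client (normally done by Group Policy; these are the registry
#    values the "Update Path" / "Enable Automatic Updates" / "Update Channel"
#    policies set): update from the share, keep auto-update on, stay on the
#    Semi-Annual Channel ("Deferred" is the policy name for it).
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate'
New-Item -Path $pol -Force | Out-Null
Set-ItemProperty -Path $pol -Name 'updatepath'             -Value $SharePath -Type String
Set-ItemProperty -Path $pol -Name 'enableautomaticupdates' -Value 1          -Type DWord
Set-ItemProperty -Path $pol -Name 'updatebranch'           -Value 'Deferred' -Type String

# 5. Trigger an update check now instead of waiting for the scheduled task.
$c2rClient = Join-Path $env:ProgramFiles 'Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe'
& $c2rClient /update user displaylevel=false
```

Note that step 4 is the part SCCM's Office 365 client update feature handles for you; the registry write is shown so you can see, and audit, exactly what the policy changes on a client. Lock down the share to read-only for clients: anyone who can write to the folder that `updatepath` points at controls what every Office installation in the firm installs next.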
If you have Windows Defender ATP, don’t forget to set up attack surface reduction (ASR) rules. They block, or in audit mode merely log, the process behaviour that Office-based malware relies on, such as a Word document spawning PowerShell or writing an executable to disk. These four rules, with the GUID you need to enable each one, will go a long way to keeping you more secure:
- Block all Office applications from creating child processes: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
- Block Office applications from creating executable content: 3B576869-A4EC-4529-8536-B80A7769E899
- Block executable content from email client and webmail: BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
- Block executable files from running unless they meet a prevalence, age or trusted list criterion: 01443614-cd74-433a-b99e-2ecdc07bfc25
These rules work with both Office 365 ProPlus and the Office 365 desktop apps that come from the Microsoft Store (also known as Office Centennial apps).
Set up these attack surface reduction rules
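Turning the four rules on in block mode across a fleet on day one is how ASR deployments get rolled back: a line-of-business macro that launches a helper process will trip the child-process rule. The PowerShell below is an added example, not code from the original article. It enables the four rules from the list above in audit mode with the documented `Add-MpPreference` cmdlet, reads back their state, and collects the Defender operational-log events (1121 for a block, 1122 for an audit hit) so you can review what each rule would have stopped before switching it to block mode. The event-data field names used to parse the events (`ID`, `Process Name`, `Path`) are my reading of the ASR event XML and should be checked against a live event on your own systems.

```powershell
# Added example (not from the original article): roll the four ASR rules out in
# audit mode, verify, and review what they fired on. Run elevated on a client
# with Windows Defender Antivirus and Exploit Guard (Windows 10 1709 or later).

$AsrRules = [ordered]@{
    'Block all Office applications from creating child processes'              = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    'Block Office applications from creating executable content'               = '3B576869-A4EC-4529-8536-B80A7769E899'
    'Block executable content from email client and webmail'                   = 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'
    'Block executables unless they meet prevalence, age or trusted list criteria' = '01443614-CD74-433A-B99E-2ECDC07BFC25'
}

function Set-AsrRules {
    # AuditMode first; switch to Enabled per rule once the audit events are clean.
    param([ValidateSet('AuditMode', 'Enabled', 'Disabled')][string]$Mode = 'AuditMode')
    foreach ($rule in $AsrRules.GetEnumerator()) {
        # Add-MpPreference merges with rules already configured;
        # Set-MpPreference would replace the whole list.
        Add-MpPreference -AttackSurfaceReductionRules_Ids $rule.Value `
                         -AttackSurfaceReductionRules_Actions $Mode
        Write-Host ("{0,-9} {1}" -f $Mode, $rule.Key)
    }
}

function Get-AsrRuleState {
    # Get-MpPreference returns parallel arrays: Ids[i] is configured as Actions[i]
    # (0 = Disabled, 1 = Block, 2 = Audit).
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    $names   = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit' }
    foreach ($rule in $AsrRules.GetEnumerator()) {
        $state = 'Not configured'
        for ($i = 0; $i -lt $ids.Count; $i++) {
            if ($ids[$i] -ieq $rule.Value) {
                $a = [int]$actions[$i]
                $state = if ($names.ContainsKey($a)) { $names[$a] } else { "Unknown ($a)" }
            }
        }
        [pscustomobject]@{ Rule = $rule.Key; Id = $rule.Value; State = $state }
    }
}

function Get-AsrEvents {
    param([int]$Hours = 24)
    # 1121 = rule fired in block mode, 1122 = rule fired in audit mode.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # Assumed field names; confirm against a real event with ($_.ToXml()).
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
            RuleId  = $data['ID']
            Process = $data['Process Name']
            Target  = $data['Path']
        }
    }
}

Set-AsrRules -Mode AuditMode
Get-AsrRuleState | Format-Table -AutoSize
Get-AsrEvents -Hours 24 | Format-Table -AutoSize
```

Run the audit for a couple of weeks, look at which `Process` and `Target` pairs each `RuleId` reports, and add exclusions only for the specific legitimate paths you find; then call `Add-MpPreference` again with `-AttackSurfaceReductionRules_Actions Enabled` for that rule's GUID. In Group Policy the same settings live under Windows Defender Antivirus > Windows Defender Exploit Guard > Attack Surface Reduction, where each GUID is entered with a value of 1 (block) or 2 (audit).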
I’ll be presenting later this year at The Experts Conference, August 27 and 28 in Charleston, South Carolina on the topics of Windows update and Office365 security. I hope to see you there!