Force M365 Apps to Update

What the M365 Apps Updater Worklet does

This Automox Worklet™ forces existing Microsoft 365 Apps (Office) installations to update to the latest version available on their configured update channel. The Worklet reads your endpoint's current Office configuration from the registry, determines the appropriate update channel (either from existing Group Policy settings, manual UpdateURL keys, or a fallback channel you define), and retrieves the latest version metadata from Microsoft's Office Content Delivery Network.

The Worklet handles two distinct operational modes. In standard version-checking mode, it compares the endpoint's current version against the latest available version for its channel and flags endpoints that are outdated. In forced fallback mode, it ensures endpoints are running the exact channel you specify, regardless of their current version or existing policy settings.

Updates execute via a scheduled task running in user context, verifying Office applications can properly close and restart without requiring system-level interruptions. The Worklet includes automatic cleanup of completed scheduled tasks and provides options to force application shutdown or prompt users to save their work.

Why automate Microsoft 365 Apps updates

Office applications are frequent targets for security vulnerabilities, and outdated versions expose your organization to well-documented exploits. Security updates address zero-day vulnerabilities and other critical weaknesses that attackers actively exploit. By automating updates through Automox, you eliminate the lag between patch availability and deployment that typically exists with manual update processes.

Beyond security, forced updates keep your organization benefits from performance improvements, bug fixes, and new features included in recent Office builds. Maintaining consistent versions across endpoints reduces compatibility issues when users share documents, collaborate on spreadsheets, or present in meetings. Inconsistent Office versions can cause formatting problems, missing features, and collaboration friction.

Using the Worklet's channel management capabilities, you control the pace of change. Development teams can run the Current or InsiderFast channels to access new features early, while finance departments can use the Deferred or Monthly Enterprise channels for stability and compatibility. This flexibility lets you balance innovation against stability requirements without manual intervention on each endpoint.

For IT teams managing hundreds or thousands of endpoints, automating M365 Apps updates eliminates the need for traditional software deployment tools or manual distribution of update installers. The Worklet uses Microsoft's official Office Deployment Tool and retrieves updates directly from Microsoft's CDN, verifying you always get legitimate, supported versions.

How the M365 Apps update process works

1. Evaluation phase: The Worklet reads the current Office configuration from the Windows registry (either 32-bit or 64-bit hive depending on your installation). It checks for Group Policy settings that define an update channel, then falls back to manual UpdateURL registry keys, and finally to the configured fallback channel. In version-checking mode, the Worklet downloads the VersionDescriptor.xml file from Microsoft's CDN for the active channel, extracts the latest available version number, and compares it against the installed version. The evaluation exits with a "Compliant" status if the endpoint is current, or flags it for remediation if an update is available.

2. Remediation phase: The Worklet generates an Office Deployment Tool configuration XML file that specifies the update channel, bitness (32-bit or 64-bit), product edition (O365ProPlusRetail), language settings, and whether to force application shutdown. It then creates a scheduled task that runs the Office Deployment Tool (setup.exe) with this configuration in user context. If you choose not to force shutdown, the Worklet copies the setup.exe and configuration to %windir%\temp and exits immediately, allowing the user to save work; the update continues when the user clicks "Continue" or on the next policy evaluation. If forced shutdown is enabled, the Worklet waits for the scheduled task to complete before confirming success.

M365 Apps update requirements

• Windows 8.1 or later (Windows 10, 11, Server 2016, Server 2019, Server 2022 supported)

• PowerShell 3.0 or later (included in Windows 8.1 and above)

• Microsoft 365 Apps (Office) must already be installed using Click-to-Run deployment (subscription version of Office)

• Office Deployment Tool (setup.exe) uploaded to the Worklet policy (download from https://aka.ms/ODT)

• Internet connectivity to retrieve version metadata and updates from Microsoft's CDN

• Valid update channel configuration via Group Policy, registry UpdateURL key, or Worklet fallback variable (Current, FirstReleaseCurrent, MonthlyEnterprise, Deferred, FirstReleaseDeferred, or InsiderFast)

• Sufficient disk space for temporary installation files (typically 2-5 GB)

• Administrator privileges required to modify Office configuration and create scheduled tasks

Expected Office app behavior after update

After the Worklet completes remediation, your Office applications will run the latest version for the configured update channel. The next time users open Word, Excel, PowerPoint, Outlook, or other Office apps, they will be running the most recent build available, including all security patches, bug fixes, and new features released for that channel. Any open Office documents or unsaved work will be preserved either through the native Office data recovery feature (if using forced shutdown) or through user intervention (if using prompted shutdown).

The registry entries in HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration will reflect the updated VersionToReport and maintain the UpdateChannel setting for future updates. The Worklet automatically cleans up scheduled tasks once updates complete, leaving no temporary artifacts on the endpoint. Subsequent policy evaluations will confirm that the endpoint is now compliant, and updates will only trigger again when a newer version becomes available for the configured channel.

How to validate force m365 apps to update changes

1. Run this Worklet on a pilot Windows endpoint and review evaluation output for force m365 apps to update.

2. Confirm Automox activity logs show successful completion and exit code 0.

3. Verify endpoint state using checks aligned to evaluation script logic, such as Get-ScheduledTask, Write-Output, Unregister-ScheduledTask.

4. Validate remediation effects from script operations such as EN-US, Get-ScheduledTask, Write-Output, then rerun evaluation for compliance.