Force-patches Click-to-Run Microsoft 365 Apps on Windows endpoints to the latest build on their configured update channel
This Automox Worklet™ force-patches existing Click-to-Run Microsoft 365 Apps installations on Windows endpoints to the latest build for their configured update channel. The Worklet reads the endpoint's Office configuration from HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration, resolves the active channel from Group Policy, the installed UpdateURL, or your fallback parameter, and runs the Office Deployment Tool (setup.exe /configure update.xml) under a scheduled task so the patch completes in USER context.
The Worklet runs in two modes. In version-checking mode (the default, $forcefallback = 'False'), it downloads v32.cab from the channel CDN under officecdn.microsoft.com, extracts VersionDescriptor.xml, and compares the latest I640Version or I320Version against the installed VersionToReport. Endpoints already on the latest build exit Compliant with no remediation. In forced-channel mode ($forcefallback = 'True'), the Worklet skips the version check and confirms the endpoint is on the channel you specified in the $channel parameter, switching channels if needed.
Patches execute through a scheduled task named Force M365 Apps Update that calls setup.exe with a generated update.xml. The XML pins the Channel, OfficeClientEdition (32 or 64), product ID (O365ProPlusRetail), display Level, and FORCEAPPSHUTDOWN property you choose. When FORCEAPPSHUTDOWN is False, the Worklet copies setup.exe and update.xml to %WINDIR%\Temp and exits, expecting a follow-up evaluation to confirm completion and clean up the scheduled task.
Microsoft 365 Apps ships security updates on Patch Tuesday almost every month, and Office vulnerabilities land regularly on CISA's Known Exploited Vulnerabilities catalog. Common classes include remote code execution in the Word and Excel parsers, MSDT and protocol handler abuse, and Outlook credential leaks. Click-to-Run normally self-updates in the background, but only when every Office process closes long enough for the updater to swap binaries.
On a real fleet, that rarely happens. Users hibernate laptops with Outlook open for weeks, leaving HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration\VersionToReport pinned at a vulnerable build. Running this Worklet against your Windows workstation group drives the Office Deployment Tool through an explicit update cycle on every targeted endpoint, so the next Microsoft fix lands on the next agent check-in instead of waiting for users to close PowerPoint and Outlook overnight. Endpoints already on the current channel build are detected and skipped during evaluation.
Evaluation phase: The Worklet first checks for an existing Force M365 Apps Update scheduled task and unregisters it if its state is Ready, or exits 0 if it is still running. The script opens HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration with the 64-bit registry view (or the 32-bit hive on x86) and captures VersionToReport, Platform, UpdateURL, and UpdateChannel. Channel selection follows a three-step fallback: the GPO UpdateBranch value at HKLM:\SOFTWARE\Policies\Microsoft\Office\16.0\Common\OfficeUpdate, then the installed UpdateURL, then the $channel parameter you set in the script. When $forcefallback is False, the script downloads Office/Data/v32.cab from the channel CDN, expands VersionDescriptor.xml, and compares I640Version or I320Version against the installed build. A matching build exits 0 with Compliant; an older build exits 1 to flag remediation. When $forcefallback is True, the script exits 1 if UpdateChannel does not match the $channel CDN URL.
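The evaluation logic described above, written out as an added PowerShell example (this is not the Worklet's own script). It assumes the per-channel CDN base URLs in the map below are Microsoft's published GUID paths under officecdn.microsoft.com (check them against current Microsoft documentation before relying on them), that the Group Policy value is named UpdateBranch as stated above, and that VersionDescriptor.xml carries I640Version / I320Version either as elements with a Build attribute or as plain text elements; the `$channel` and `$forcefallback` variables stand in for the Worklet parameters.

```powershell
# Added example of the evaluation phase; not the Worklet's code.
# Assumptions: channel->CDN GUID map is Microsoft's published list (verify);
# VersionDescriptor.xml exposes I640Version/I320Version as a Build attribute or inner text.
$ErrorActionPreference = 'Stop'

$channel       = 'Current'   # fallback channel name (Worklet $channel parameter)
$forcefallback = 'False'     # 'True' = forced-channel mode, skip the version check

# Channel name -> CDN base URL. GUID paths are Microsoft's per-channel identifiers (assumed current).
$ChannelCdn = @{
    Current              = 'http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60'
    FirstReleaseCurrent  = 'http://officecdn.microsoft.com/pr/64256afe-f5d9-4f86-8936-8840a6a4f5be'
    MonthlyEnterprise    = 'http://officecdn.microsoft.com/pr/55336b82-a18d-4dd6-b5f6-9e5095c314a6'
    Deferred             = 'http://officecdn.microsoft.com/pr/7ffbc6bf-bc32-4f92-8982-f9dd17fd3114'
    FirstReleaseDeferred = 'http://officecdn.microsoft.com/pr/b8f9b850-328d-4355-9145-c59439a0c4cf'
    InsiderFast          = 'http://officecdn.microsoft.com/pr/5440fd1f-7ecb-4221-8110-145efaa6372f'
}

function Get-C2RConfiguration {
    # Open the Click-to-Run key in the 64-bit view on x64 (falls back to the 32-bit hive on x86).
    $view = if ([Environment]::Is64BitOperatingSystem) { [Microsoft.Win32.RegistryView]::Registry64 }
            else { [Microsoft.Win32.RegistryView]::Registry32 }
    $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $view)
    $key  = $hklm.OpenSubKey('SOFTWARE\Microsoft\Office\ClickToRun\Configuration')
    if (-not $key) { return $null }   # no Click-to-Run install: Not Applicable
    [pscustomobject]@{
        VersionToReport = $key.GetValue('VersionToReport')
        Platform        = $key.GetValue('Platform')
        UpdateURL       = $key.GetValue('UpdateURL')
        UpdateChannel   = $key.GetValue('UpdateChannel')
    }
}

function Resolve-ChannelName {
    param($Config, [string]$Fallback)
    # 1. Group Policy UpdateBranch takes precedence.
    $gpo = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Office\16.0\Common\OfficeUpdate' `
                            -Name UpdateBranch -ErrorAction SilentlyContinue
    if ($gpo -and $ChannelCdn.ContainsKey($gpo.UpdateBranch)) { return $gpo.UpdateBranch }
    # 2. Installed UpdateURL, mapped back to a channel name.
    foreach ($name in $ChannelCdn.Keys) {
        if ($Config.UpdateURL -and $Config.UpdateURL.TrimEnd('/') -ieq $ChannelCdn[$name]) { return $name }
    }
    # 3. The script parameter.
    return $Fallback
}

function Get-LatestChannelBuild {
    param([string]$CdnBase, [string]$Platform)
    $work = Join-Path $env:TEMP ('m365check_' + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $work | Out-Null
    try {
        $cab = Join-Path $work 'v32.cab'
        Invoke-WebRequest -Uri "$CdnBase/Office/Data/v32.cab" -OutFile $cab -UseBasicParsing
        # expand.exe extracts only the descriptor from the cabinet.
        & "$env:WINDIR\System32\expand.exe" $cab -F:VersionDescriptor.xml $work | Out-Null
        [xml]$xml = Get-Content -Path (Join-Path $work 'VersionDescriptor.xml') -Raw
        $elem = if ($Platform -eq 'x64') { 'I640Version' } else { 'I320Version' }
        $node = $xml.SelectSingleNode("//$elem")
        if (-not $node) { throw "$elem not found in VersionDescriptor.xml" }
        if ($node.Attributes['Build']) { return $node.Attributes['Build'].Value }
        return $node.InnerText.Trim()
    } finally {
        Remove-Item -Path $work -Recurse -Force -ErrorAction SilentlyContinue
    }
}

# --- evaluation ---
$cfg = Get-C2RConfiguration
if (-not $cfg) { Write-Output 'Not Applicable: no Click-to-Run configuration'; exit 0 }

$channelName = Resolve-ChannelName -Config $cfg -Fallback $channel
$cdn = $ChannelCdn[$channelName]
if (-not $cdn) { Write-Output "Unknown channel '$channelName'"; exit 1 }

if ($forcefallback -eq 'True') {
    # Forced-channel mode: compliant only if the endpoint already sits on the requested channel.
    if ($cfg.UpdateChannel -and $cfg.UpdateChannel.TrimEnd('/') -ieq $cdn) { Write-Output 'Compliant'; exit 0 }
    Write-Output "Non-compliant: UpdateChannel is '$($cfg.UpdateChannel)', expected $channelName"; exit 1
}

$latest = Get-LatestChannelBuild -CdnBase $cdn -Platform $cfg.Platform
if ([version]$cfg.VersionToReport -ge [version]$latest) {
    Write-Output "Compliant: $($cfg.VersionToReport) on $channelName"; exit 0
}
Write-Output "Non-compliant: installed $($cfg.VersionToReport), latest $latest on $channelName"; exit 1
```

The comparison is done on `[version]` objects rather than strings so that 16.0.17328.20162 sorts correctly against 16.0.9999.99999; a string compare would mis-order builds once a component changes digit count. Endpoints with no Click-to-Run key exit 0 before any network call, matching the Not Applicable behaviour described in the requirements.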
Remediation phase: The remediation script repeats the same registry and CDN preflight, then builds an update.xml in the script directory containing Add (OfficeClientEdition, Channel), Product (ID = O365ProPlusRetail), Language (MatchInstalled with Fallback = EN-US), optional ExcludeApp entries from $excludeApps, Updates (Enabled = TRUE), Display (Level = $visibility, AcceptEULA = TRUE), and Property (Name = FORCEAPPSHUTDOWN, Value = $forceAppshutdown). It registers a scheduled task called Force M365 Apps Update that runs $scriptDir\setup.exe /configure $scriptDir\update.xml as the USERS account using logon trigger type 7. When $forceAppshutdown is True, the script polls the task state until Ready, unregisters the task, re-reads VersionToReport, and exits 0 on a version or channel match or 1 with a pointer to %WINDIR%\Temp logs. When $forceAppshutdown is False, the script copies setup.exe and update.xml to %WINDIR%\Temp, starts the task, and exits 0 so a subsequent policy run confirms completion.
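The remediation flow described above, as an added PowerShell example that is not the Worklet's own code. It assumes setup.exe from the Office Deployment Tool sits beside the script, that the update.xml elements are exactly those listed above, and that the task is fired with a registration trigger (TASK_TRIGGER_REGISTRATION, numeric type 7 in the Task Scheduler trigger enumeration) under the BUILTIN\Users group principal so it runs in the logged-on user's session as soon as it is registered; `$channel`, `$visibility`, `$forceAppshutdown` and `$excludeApps` stand in for the Worklet parameters.

```powershell
# Added example of the remediation phase; not the Worklet's code.
# Assumptions: ODT setup.exe is in $scriptDir; update.xml mirrors the elements in the text;
# a registration trigger (type 7) starts the task immediately under the Users principal.
$ErrorActionPreference = 'Stop'

$scriptDir        = $PSScriptRoot
$channel          = 'Current'            # channel name resolved during evaluation
$edition          = '64'                 # OfficeClientEdition: '32' or '64' (from Platform)
$visibility       = 'Full'               # Display Level
$forceAppshutdown = 'True'               # 'True' closes Office apps without prompting
$excludeApps      = @()                  # e.g. @('Groove', 'Lync')
$taskName         = 'Force M365 Apps Update'

function New-M365UpdateXml {
    param([string]$Path, [string]$Channel, [string]$Edition, [string]$Level,
          [string]$ForceShutdown, [string[]]$Exclude)
    $doc  = New-Object System.Xml.XmlDocument
    $root = $doc.AppendChild($doc.CreateElement('Configuration'))

    $add = $root.AppendChild($doc.CreateElement('Add'))
    $add.SetAttribute('OfficeClientEdition', $Edition)
    $add.SetAttribute('Channel', $Channel)

    $product = $add.AppendChild($doc.CreateElement('Product'))
    $product.SetAttribute('ID', 'O365ProPlusRetail')
    $lang = $product.AppendChild($doc.CreateElement('Language'))
    $lang.SetAttribute('ID', 'MatchInstalled')
    $lang.SetAttribute('Fallback', 'en-us')
    foreach ($app in $Exclude) {
        $ex = $product.AppendChild($doc.CreateElement('ExcludeApp'))
        $ex.SetAttribute('ID', $app)
    }

    $root.AppendChild($doc.CreateElement('Updates')).SetAttribute('Enabled', 'TRUE')
    $display = $root.AppendChild($doc.CreateElement('Display'))
    $display.SetAttribute('Level', $Level)
    $display.SetAttribute('AcceptEULA', 'TRUE')
    $prop = $root.AppendChild($doc.CreateElement('Property'))
    $prop.SetAttribute('Name', 'FORCEAPPSHUTDOWN')
    $prop.SetAttribute('Value', $ForceShutdown.ToUpper())

    $doc.Save($Path)
}

function Register-M365UpdateTask {
    param([string]$Name, [string]$SetupExe, [string]$ConfigXml)
    # Clear any leftover task from a previous run before registering a fresh one.
    if (Get-ScheduledTask -TaskName $Name -ErrorAction SilentlyContinue) {
        Unregister-ScheduledTask -TaskName $Name -Confirm:$false
    }
    $action    = New-ScheduledTaskAction -Execute $SetupExe -Argument "/configure `"$ConfigXml`""
    # Registration trigger: the task starts as soon as Register-ScheduledTask completes.
    $trigger   = New-CimInstance -CimClass (Get-CimClass -Namespace 'Root/Microsoft/Windows/TaskScheduler' `
                     -ClassName 'MSFT_TaskRegistrationTrigger') -ClientOnly
    $principal = New-ScheduledTaskPrincipal -GroupId 'BUILTIN\Users'
    $settings  = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries `
                     -ExecutionTimeLimit (New-TimeSpan -Hours 2)
    Register-ScheduledTask -TaskName $Name -Action $action -Trigger $trigger `
                           -Principal $principal -Settings $settings | Out-Null
}

function Wait-M365UpdateTask {
    param([string]$Name, [int]$TimeoutMinutes = 90)
    # Poll until the task returns to Ready (finished) or the timeout passes, then clean it up.
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds 30
        $state = (Get-ScheduledTask -TaskName $Name).State
    } while ($state -ne 'Ready' -and (Get-Date) -lt $deadline)
    Unregister-ScheduledTask -TaskName $Name -Confirm:$false
    return ($state -eq 'Ready')
}

# --- remediation ---
$setupExe  = Join-Path $scriptDir 'setup.exe'
$updateXml = Join-Path $scriptDir 'update.xml'
if (-not (Test-Path $setupExe)) { Write-Output 'setup.exe (ODT) missing from the Worklet payload'; exit 1 }

New-M365UpdateXml -Path $updateXml -Channel $channel -Edition $edition -Level $visibility `
                  -ForceShutdown $forceAppshutdown -Exclude $excludeApps

if ($forceAppshutdown -eq 'True') {
    Register-M365UpdateTask -Name $taskName -SetupExe $setupExe -ConfigXml $updateXml
    $finished = Wait-M365UpdateTask -Name $taskName
    $after = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration').VersionToReport
    if ($finished) { Write-Output "Update task finished; VersionToReport is now $after"; exit 0 }
    Write-Output "Update task did not finish; check ODT logs under $env:WINDIR\Temp"; exit 1
} else {
    # Prompting mode: stage the files where a later evaluation can find them, start the task, exit.
    $staging = Join-Path $env:WINDIR 'Temp'
    Copy-Item $setupExe, $updateXml -Destination $staging -Force
    Register-M365UpdateTask -Name $taskName -SetupExe (Join-Path $staging 'setup.exe') `
                            -ConfigXml (Join-Path $staging 'update.xml')
    Write-Output 'Update task started; a later evaluation confirms completion'; exit 0
}
```

The first 30-second sleep in `Wait-M365UpdateTask` matters: immediately after registration the task can still report Ready before the trigger fires, and polling without a pause would read that as completion. Building update.xml through XmlDocument instead of string concatenation keeps attribute values such as an ExcludeApp ID escaped correctly; whether the resulting build is the latest for the channel is left to the next evaluation pass, which is where the CDN comparison already lives.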
Windows 8.1 or later (including Windows 10, Windows 11, and Windows Server 2016, 2019, or 2022) with the Automox agent running under SYSTEM
PowerShell 3.0 or later
Microsoft 365 Apps installed via Click-to-Run (subscription Office, not MSI Office 2016 or earlier perpetual SKUs); endpoints without HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration are skipped as Not Applicable
Office Deployment Tool: upload the latest Setup.exe from https://aka.ms/ODT into the Worklet policy. The script invokes $scriptDir\setup.exe and will fail without it
Outbound HTTP to officecdn.microsoft.com so the agent can pull v32.cab, VersionDescriptor.xml, and the patch payload
A valid update channel sourced from Group Policy (Computer Configuration > Administrative Templates > Microsoft Office 2016 > Updates > Update Channel), the installed UpdateURL value, or the $channel script parameter. Accepted channel names: Current, FirstReleaseCurrent, MonthlyEnterprise, Deferred, FirstReleaseDeferred, InsiderFast
Roughly 2 to 5 GB of free disk space on C: for the patch staging cache
Decide a user-impact posture for $forceAppshutdown. Set it to True for unattended patching (open Word, Excel, and Outlook are closed automatically), or False to prompt the user to close affected apps. When False, $visibility should remain FULL so the user sees the dialog
After remediation, HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration\VersionToReport reports the latest build for the configured channel, and UpdateChannel matches the channel CDN URL you pinned. The next launch of Word, Excel, PowerPoint, Outlook, OneNote, or Teams runs the patched binaries; File > Account > About Word displays the new version and build. The Force M365 Apps Update scheduled task is unregistered, leaving no residual entries under the root task folder on the endpoint.
Validate the patch with one of the following checks. From PowerShell, run Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' | Select-Object VersionToReport, UpdateChannel and confirm the version matches the build advertised on the Microsoft 365 Apps release notes page for your channel. For CVE mapping, compare the build number to the fixed-in build column in Microsoft's Security Update Guide. If the remediation script exits 1 with an installation failure, review the ODT logs under %WINDIR%\Temp on the endpoint. Subsequent Automox policy runs report Compliant and skip remediation until Microsoft publishes the next build on the channel, at which point the Worklet rolls the fleet forward without an admin touching any laptop.

