IRONSMITHINTEL
HIGH | Auth: user interaction | Reboot: not required | Est. 20–40 minutes | Manual only

Microsoft 365 Apps Must Be Updated Independently from Windows Update

Microsoft 365 Apps (formerly Office 365) receives security patches through Click-to-Run, not Windows Update — servers with Office installed may be running vulnerable versions if automatic updates are disabled.

Published May 7, 2026
Why patch: Risk explained in plain English
Worst-case scenario: If unpatched

Attackers exploit unpatched Office vulnerabilities through malicious documents. Users on servers running outdated Office who open a malicious Word, Excel, or PowerPoint document can trigger remote code execution. Office vulnerabilities are one of the top initial access vectors used in targeted attacks.

How the attack works

Microsoft 365 Apps for Enterprise (formerly Office 365 ProPlus) uses a Click-to-Run deployment that updates independently from Windows Update. Servers where users work with Office documents — including RDS servers, jump hosts, and analyst workstations — may be running significantly outdated Office versions if automatic updates are disabled or the server lacks internet access for update retrieval.

Am I affected? Quick check

Probably yes if any of these apply:

RDS servers
Jump hosts with Office installed
Analyst workstations
Any server where users open Office documents
Running Microsoft 365 Apps not on Current Channel or Monthly Enterprise Channel (latest)

Affected OS versions

Windows Server 2016, Windows Server 2019, Windows Server 2022
Fixed in: Microsoft 365 Apps Current Channel (latest build)
Real-world incidents: What we've seen

A finance team member on an RDS server opens a phishing attachment containing a malicious macro. The server is running Office 2016 with no updates applied — a known equation editor vulnerability (CVE-2017-11882) executes a payload before the user dismisses the security prompt.

How to patch

Manual remediation steps

Check Office Version

# For Click-to-Run (Microsoft 365 Apps)
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' |
    Select-Object VersionToReport, UpdateChannel, CDNBaseUrl

# For MSI-based Office
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Office\16.0\Common\ProductVersion' |
    Select-Object LastProduct

Update Microsoft 365 Apps

Method 1 — From Office Application

1. Open any Office application (Word, Excel)
2. File → Account → Update Options → Update Now

Method 2 — Command Line

# Force immediate update check
& 'C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe' /update user displaylevel=false

Method 3 — Microsoft 365 Admin Center

For managed deployments, update the channel and build in the Microsoft 365 Admin Center.

Verification

(Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration').VersionToReport
# Compare to current build at: docs.microsoft.com/officeupdates/update-history-microsoft365-apps-by-date
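
The verification step and the "automatic updates are disabled" risk described above can be checked together with a read-only audit. This is an added example, not IronSmith's or Microsoft's script: the function name `Get-OfficeC2RPatchState`, its parameters and the sample values are assumptions, and the minimum build must be taken from the update-history page.

```powershell
# Added example: read-only audit of Click-to-Run patch state.
# Get-OfficeC2RPatchState and its parameters are hypothetical names.
function Get-OfficeC2RPatchState {
    param(
        # Lowest acceptable build, taken by the operator from the update-history page.
        [Parameter(Mandatory)][version]$MinimumVersion,
        # Default to the live registry; injectable so the logic can be exercised offline.
        $Config = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' -ErrorAction SilentlyContinue),
        $Policy = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate' -ErrorAction SilentlyContinue)
    )
    if (-not $Config) { return [pscustomobject]@{ ClickToRun = $false } }

    # The update channel is the GUID at the end of CDNBaseUrl.
    $channels = @{
        '492350f6-3a01-4f97-b9c0-c7c6ddf67d60' = 'Current Channel'
        '55336b82-a18d-4dd6-b5f6-9e5095c314a6' = 'Monthly Enterprise Channel'
        '7ffbc6bf-bc32-4f92-8982-f9dd17fd3114' = 'Semi-Annual Enterprise Channel'
    }
    $guid = ([string]$Config.CDNBaseUrl).TrimEnd('/').Split('/')[-1].ToLower()
    $channel = if ($channels.ContainsKey($guid)) { $channels[$guid] } else { "Other ($guid)" }

    # Updates can be disabled in the C2R configuration or overridden by Group Policy.
    $updatesOn = ($Config.UpdatesEnabled -ne 'False')
    if ($Policy -and $null -ne $Policy.enableautomaticupdates) {
        $updatesOn = ($Policy.enableautomaticupdates -eq 1)
    }

    $installed = [version]$Config.VersionToReport
    [pscustomobject]@{
        ClickToRun     = $true
        Version        = $installed
        Channel        = $channel
        UpdatesEnabled = $updatesOn
        BelowMinimum   = ($installed -lt $MinimumVersion)
        NeedsAttention = ($installed -lt $MinimumVersion) -or (-not $updatesOn)
    }
}

# Constructed sample values (not real builds): updates off, below the minimum.
$sample = [pscustomobject]@{
    VersionToReport = '16.0.10000.20000'
    UpdatesEnabled  = 'False'
    CDNBaseUrl      = 'http://officecdn.microsoft.com/pr/7ffbc6bf-bc32-4f92-8982-f9dd17fd3114'
}
Get-OfficeC2RPatchState -MinimumVersion '16.0.10000.20100' -Config $sample -Policy $null

# On a real host, pass only the minimum build copied from Microsoft's update history:
# Get-OfficeC2RPatchState -MinimumVersion '<minimum build>'
```

A host is flagged when `NeedsAttention` is true, which covers both an outdated build and a current build on which updates have been switched off.
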
PowerShell automation: Coming soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.