Patch Tuesday
On the second Tuesday of each month, Microsoft releases security patches for its products in one big monthly lump. “Patch Tuesday” is not as much fun as Super Sunday, Black Friday, or Fat Tuesday, but it’s still interesting to watch and see what Microsoft is fixing and what threats those fixes mitigate. For example, the July 2025 edition released 137 total fixes, including one zero-day and 14 issues that the Microsoft Security Research Center ranks as “critical.” The number of fixes may seem scarily high, but it’s not as bad as it first appears because these fixes cover Windows, Office, and a large spread of other products (including SQL Server 2016, which I think might be the oldest product covered in this month’s release).
For most of us, the Windows and Office updates have the biggest impact and are therefore the most interesting. This is especially true because end users probably represent a bigger share of potential vulnerabilities than servers, because there are more end users and they are more likely to be targeted or to interact with malicious content.
Where Updates Come From
When Microsoft creates a feature or security update for Windows or its Office applications, the update reaches you in one of several ways. Windows updates may be delivered through Windows Update, Microsoft Update, or your own on-premises Windows Software Update Service (WSUS) server. Microsoft has lots of documentation on how to plan a servicing strategy for Windows devices, which I won’t summarize here because, at bottom, unless you do something to interfere, your fleet of Windows devices should get security updates very soon after Microsoft releases them and you won’t have to take any action.
Office updates follow the same basic model, but there are a few twists. Like Windows updates, the Office team releases feature and security updates monthly, but when you get them may vary. Microsoft defines three channels for Office updates:
- The Current Channel releases at least once per month, and possibly more. It contains features and bug fixes that are released as soon as they’re ready. Security fixes normally arrive each month on Patch Tuesday, but Microsoft can release security updates at other times if they’re considered serious enough.
- The Monthly Enterprise Channel releases its updates on Patch Tuesday, along with bug and security fixes on a varying schedule. Most companies will use this because it simplifies update management by consolidating changes into a smaller number of releases.
- The Semi-Annual Enterprise Channel consolidates feature updates into two periods: January and July. Bug and security fixes are still released monthly on Patch Tuesday, but feature updates come on only the January and July Patch Tuesdays.
As with Windows updates, if you just don’t do anything, your macOS and Windows devices will probably update themselves. However, users sometimes defer both types of updates, so it’s important to have some way to see which updates have been deployed to which devices.
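The schedule described above can be turned into a simple deferral check. The following is an added example, not part of the original article or any Microsoft tooling: it computes each month's Patch Tuesday, marks which ones carry feature updates for the two enterprise channels, and flags devices whose last Office update predates one or more Patch Tuesdays. The device names and dates are constructed, and it assumes a device updated on or after a Patch Tuesday has that month's fixes.

```python
from datetime import date, timedelta

# Months whose Patch Tuesday carries feature updates, per the channel
# descriptions in the article. None means every month.
FEATURE_MONTHS = {
    "Monthly Enterprise": None,
    "Semi-Annual Enterprise": {1, 7},
}

# Constructed sample inventory: device name -> date of last Office update.
SAMPLE_INVENTORY = {
    "LAPTOP-01": date(2025, 7, 9),
    "LAPTOP-02": date(2025, 6, 11),
    "KIOSK-03": date(2025, 5, 1),
}

def patch_tuesday(year, month):
    """Return the second Tuesday of the given month."""
    first = date(year, month, 1)
    offset = (1 - first.weekday()) % 7  # days to first Tuesday (Mon=0, Tue=1)
    return first + timedelta(days=offset + 7)

def release_calendar(year, channel):
    """Return (patch_tuesday, carries_feature_update) for each month."""
    months = FEATURE_MONTHS[channel]
    return [(patch_tuesday(year, m), months is None or m in months)
            for m in range(1, 13)]

def missed_patch_tuesdays(last_update, today):
    """Patch Tuesdays after last_update and on or before today."""
    missed = []
    year, month = last_update.year, last_update.month
    while (year, month) <= (today.year, today.month):
        pt = patch_tuesday(year, month)
        if last_update < pt <= today:
            missed.append(pt)
        month += 1
        if month > 12:
            year, month = year + 1, 1
    return missed

def stale_devices(inventory, today):
    """Map each device that missed a Patch Tuesday to the dates it missed."""
    stale = {}
    for name, last_update in inventory.items():
        missed = missed_patch_tuesdays(last_update, today)
        if missed:
            stale[name] = missed
    return stale
```
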
Using the Microsoft 365 Apps Admin Center
To help with this problem, Microsoft offers a free and underused set of tools at config.office.com. In addition to building your own custom configurations for deploying Office onto your devices, the Apps admin center has two tools of particular interest if you want to monitor the update status of your device fleet. Before we talk about those tools, though, you should know that they only show information about devices that run Windows, have Microsoft 365 Apps installed, and have a license from your tenant. macOS devices, devices whose users only use the web versions of the Office apps, and devices where the user signs into desktop apps with a license from another tenant will not contribute any data to these reports.
First is the Security update status report. This shows you which Windows devices have missed at least one Office security update and which associated vulnerabilities may exist. This doesn’t tell you anything about the underlying state of Windows security updates on the device; for that, you’ll need Intune or another device management solution. However, this report is a useful check for issues such as the January 2025 Outlook zero-day, recorded as CVE-2025-21298.
Second is the Cloud Update – Updates overview report. Cloud Update itself is worth learning more about (expect to see it featured in a future Practical Protection column) because it provides a self-contained, zero-cost set of tools for managing Office application updates without the need for additional tooling. The Updates overview report shows you which devices are being managed by Cloud Update, which deployment channels are in use (and which devices are in each channel), and how many and which devices have failed to update as configured. You can pause and roll back updates, and you can specify exclusion windows during which updates won’t be applied. These capabilities are basic compared to what more full-fledged update management tools can provide, but they’re simple to understand and apply, and you can use the reporting without defining or changing any of your existing update processes.
In the grand scheme of things, tracking your Office application updates may not seem of critical importance, but it can be, because the Office apps, particularly Outlook, can be a major attack surface, and users spend a lot of their daily time using them. The cost to track and check your update status and fix failures is low, and so the cost-benefit balance argues strongly that you make this a regular part of your network maintenance.