I'm struggling to manage Office updates because our users are constantly using the apps throughout the day. To alleviate this issue, we transitioned some machines from the Current Channel to the Monthly Enterprise Channel (MEC) to minimize feature updates, particularly the frequent Copilot updates that can be delayed without impacting our workflow. Currently, my Current Channel devices are at version 19725.20172 and the MEC machines are on 19725.20170—the latest versions for each channel. However, our vulnerability scanner is marking all MEC devices as critical, simply because they're not on the Current Channel build, even though they're fully updated according to MEC standards.
What really concerns me is the security aspect. I thought MEC primarily postponed feature updates and not security patches. I've heard that MEC is commonly used in business environments. My main question is: if a serious security vulnerability were to be discovered in Outlook, such as one linked to the preview pane, would MEC users have to wait until the next Patch Tuesday for a fix? If that's true, it raises serious concerns about whether moving to MEC was a smart decision, especially in 2026. Any thoughts on this?
1 Answer
Your vulnerability scanner might be misconfigured; it's not seeing the bigger picture. Regardless of the update channel, it should recognize that both versions you mentioned are indeed the latest for their respective channels. Check out this resource for Office update history—there are five versions currently considered up to date. If your scanner is incorrectly flagging these as outdated, consider raising a ticket with them.

Absolutely, I'm planning to file a ticket too since both channels are reporting vulnerable despite being on the latest versions. The mismatch is definitely hurting our compliance numbers. Quick question: with something like a serious vulnerability, would MEC really have to wait three weeks for a fix, or could Microsoft push a security update out sooner?
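
The per-channel comparison the answer describes, as an added example that is not part of the original thread or of any scanner's code. It contrasts a check against the single highest build with a check against the latest build of each device's own channel. The two baseline builds are the ones quoted in the question; the channel labels, host names and the other versions are constructed for illustration.

```python
# Added example: per-channel Office build compliance check.
# Baseline builds are the two quoted in the question; channel labels are assumed.
LATEST_BY_CHANNEL = {
    "Current": "19725.20172",
    "MonthlyEnterprise": "19725.20170",
}

def parse_build(version):
    """Turn '16.0.19725.20172' or '19725.20172' into (19725, 20172)."""
    parts = version.strip().split(".")
    if len(parts) == 4:  # drop the leading '16.0'
        parts = parts[2:]
    if len(parts) != 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Office build: {version!r}")
    return tuple(int(p) for p in parts)

def naive_status(version, baseline=LATEST_BY_CHANNEL):
    """Channel-blind check: compare against the highest build of any channel."""
    newest = max(parse_build(v) for v in baseline.values())
    return "ok" if parse_build(version) >= newest else "outdated"

def channel_status(channel, version, baseline=LATEST_BY_CHANNEL):
    """Channel-aware check: compare against the device's own channel."""
    if channel not in baseline:
        return "unknown-channel"  # no baseline on record: review by hand
    current = parse_build(baseline[channel])
    return "ok" if parse_build(version) >= current else "outdated"

def report(inventory):
    """Return (host, channel-blind result, channel-aware result) per device."""
    return [
        (host, naive_status(version), channel_status(channel, version))
        for host, channel, version in inventory
    ]

# Constructed inventory: host, channel, reported version.
INVENTORY = [
    ("PC-001", "Current", "16.0.19725.20172"),
    ("PC-002", "MonthlyEnterprise", "16.0.19725.20170"),
    ("PC-003", "MonthlyEnterprise", "16.0.19000.10000"),  # genuinely behind
    ("PC-004", "SemiAnnual", "16.0.18000.10000"),         # no baseline listed
]

if __name__ == "__main__":
    for row in report(INVENTORY):
        print(*row, sep="\t")
```

PC-002 is the case from the question: the channel-blind check reports it as outdated while the channel-aware check reports it as current, and PC-003 stays flagged under both.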