- Move Windows recovery partition using GParted - Wed, Dec 1 2021
- Configure Secured Core in Windows Server 2022: HVCI, DMA protection, System Guard, and VBS - Mon, Nov 22 2021
- ADMX templates for Office 2021: compatible with 2016 GPOs and 10 new settings - Mon, Nov 15 2021
The ADMX for Office, which Microsoft offers for download on its website, applies to versions 2016–2021 as well as to Microsoft 365 Apps for enterprise (formerly ProPlus). The Microsoft 365 Business apps, on the other hand, cannot be configured using group policies.
The GPO templates can cover several versions of Office at once, because internally, the major version of the apps remained at 16.0. Thus, they all look up the registry for settings under software\policies\microsoft\office\16.0 (HKLM and HKCU hives). Hence, GPOs that have been created for Office 2016, for example, also apply to version LTSC 2021 after updating to this version.
In a mixed environment, settings that have been introduced only recently have, as expected, no effect on Office 2016 or 2019. In this case, it would be useful to know the supported Office version for every setting. However, the GPO editor only shows which minimum version of Windows is required.
The download package with the administrative templates contains an Excel file that documents all settings. Unfortunately, it also does not provide any information about which group policy is compatible with which version of Office.
If you compare the ADMX or ADML files that Microsoft was still offering for Office 2019 in early 2021 with those for Office LTSC 2021, then ten differences become apparent.
For Office in general:
- Allow users who are not admins to install language accessory packs
- Automatically generate alternative text (alt text) for pictures
- Show recommended files on the File tab or start page
- Turn off protection of unsupported file types in Application Guard for Office
- Limit which permissions can be assigned to Default, Anonymous, or My Organization on mail folders and calendars
- Deactivate Outlook web add-ins whose equivalent COM or VSTO add-in is installed
- Hide the modern comments opt-out
- Stop checking to ensure hyperlink text is meaningful
- Stop checking to ensure hyperlink text extensions are meaningful if they include extensions
- Prevent Excel from running XLM macros
The names of most settings are self-explanatory. In principle, practically all of them try to improve usability, accessibility, and security.
For example, it is certainly convenient to let users install language packs without having to bother the IT department. The generation of automatic text for the alt attributes of images known from HTML also makes sense.
At the request of many users, Microsoft added the option of returning to the old comments format in Word after the "modern" version was found to have numerous disadvantages. According to the description, admins can deny users this opportunity with the new setting, but only in subscription versions of Office.
With Application Guard, Office applications can be run in a sandbox to prevent malware from being transmitted to the system. With another new setting, you can determine that unsupported file types are not simply blocked but that Office opens them in the sandbox instead.
The setting for Excel to prevent the execution of legacy XLM macros is also important for improving security.
OPAX files ^
The download also includes OPAX configuration files. You can use them in conjunction with the Office Customization Tool to customize the conventional MSI installation. This is only available for Office 2016; all other versions are installed via click-to-run.
To configure the current setup procedure, for example, to install only selected Office programs, you need the Office Deployment Tool.
The small number of new settings for the group policies reflects the few new features for Office LTSC 2021. These are mainly intended for convenience purposes; however, a few have an impact on security.
Subscribe to 4sysops newsletter!
Since the latest release of Office internally retains the major version 16.0, existing GPOs can continue to be used. The documentation has also largely remained at this level. There you don't find any information about the Office version required for the individual settings.