With the release of Office 2021, Microsoft updated the administrative templates for GPOs. However, the new release does not get its own ADMX but instead shares it with its predecessors. Therefore, existing GPOs also apply in the event of an update. Compared to Office 2019, ADMX 10 offers new settings.
Contents of this article

The ADMX for Office, which Microsoft offers for download on its website, applies to versions 2016–2021 as well as to Microsoft 365 Apps for enterprise (formerly ProPlus). The Microsoft 365 Business apps, on the other hand, cannot be configured using group policies.

Microsoft offers separate templates for x86 and x64 but not for the 2021 version

Microsoft offers separate templates for x86 and x64 but not for the 2021 version

The GPO templates can cover several versions of Office at once, because internally, the major version of the apps remained at 16.0. Thus, they all look up the registry for settings under software\policies\microsoft\office\16.0 (HKLM and HKCU hives). Hence, GPOs that have been created for Office 2016, for example, also apply to version LTSC 2021 after updating to this version.

In a mixed environment, settings that have been introduced only recently have, as expected, no effect on Office 2016 or 2019. In this case, it would be useful to know the supported Office version for every setting. However, the GPO editor only shows which minimum version of Windows is required.

The ADMX for Office does not inform users about the minimum required version of the apps

The ADMX for Office does not inform users about the minimum required version of the apps

The download package with the administrative templates contains an Excel file that documents all settings. Unfortunately, it also does not provide any information about which group policy is compatible with which version of Office.

If you compare the ADMX or ADML files that Microsoft was still offering for Office 2019 in early 2021 with those for Office LTSC 2021, then ten differences become apparent.

For Office in general:

  • Allow users who are not admins to install language accessory packs
  • Automatically generate alternative text (alt text) for pictures
  • Show recommended files on the File tab or start page
  • Turn off protection of unsupported file types in Application Guard for Office

For Outlook:

  • Limit which permissions can be assigned to Default, Anonymous, or My Organization on mail folders and calendars
  • Deactivate Outlook web add-ins whose equivalent COM or VSTO add-in is installed

For Word:

  • Hide the modern comments opt-out
  • Stop checking to ensure hyperlink text is meaningful
  • Stop checking to ensure hyperlink text extensions are meaningful if they include extensions

For Excel:

  • Prevent Excel from running XLM macros

The names of most settings are self-explanatory. In principle, practically all of them try to improve usability, accessibility, and security.

For example, it is certainly convenient to let users install language packs without having to bother the IT department. The generation of automatic text for the alt attributes of images known from HTML also makes sense.

Admins can allow users to install language packs themselves

Admins can allow users to install language packs themselves

At the request of many users, Microsoft added the option of returning to the old comments format in Word after the "modern" version was found to have numerous disadvantages. According to the description, admins can deny users this opportunity with the new setting, but only in subscription versions of Office.

With Application Guard, Office applications can be run in a sandbox to prevent malware from being transmitted to the system. With another new setting, you can determine that unsupported file types are not simply blocked but that Office opens them in the sandbox instead.

The setting for Excel to prevent the execution of legacy XLM macros is also important for improving security.

This setting can be used to block old macros from the time of Excel 4.0

This setting can be used to block old macros from the time of Excel 4.0

OPAX files ^

The download also includes OPAX configuration files. You can use them in conjunction with the Office Customization Tool to customize the conventional MSI installation. This is only available for Office 2016; all other versions are installed via click-to-run.

To configure the current setup procedure, for example, to install only selected Office programs, you need the Office Deployment Tool.

Conclusion ^

The small number of new settings for the group policies reflects the few new features for Office LTSC 2021. These are mainly intended for convenience purposes; however, a few have an impact on security.

Subscribe to 4sysops newsletter!

Since the latest release of Office internally retains the major version 16.0, existing GPOs can continue to be used. The documentation has also largely remained at this level. There you don't find any information about the Office version required for the individual settings.

0 Comments

Leave a reply

Please enclose code in pre tags

Your email address will not be published. Required fields are marked *

*

© 4sysops 2006 - 2021

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account