Microsoft 365 Business: Configure macro security settings via group policies

One of the biggest limitations of Microsoft 365 Business (formerly Office 365 Business) is that you cannot manage Word, Excel, and the other Office applications via Group Policy Objects (GPOs). This also means you cannot configure the macro settings centrally. As a workaround, you can use Group Policy Preferences (GPP) to write the corresponding registry values directly.

Microsoft 365 Business subscriptions target smaller businesses and include a range of cloud services in addition to the traditional desktop applications. Although subscriptions can include up to 300 users, Microsoft does not provide central management for the Office programs via group policies in such environments (see also Restricting or blocking Office 2016/2019 macros with Group Policy).

Setting registry keys via GPP

In reality, however, even in companies with 100 or 200 PCs, admins want to ensure that at least some of the essential security settings comply with their standards. For this task, you can use GPP to set the respective registry keys.

Standard group policies for Office 2019 store their user-related settings under HKCU:\Software\Policies\Microsoft\Office\16.0, but Microsoft 365 Business ignores these entries. If you change the same options from the GUI of Word or Excel itself, however, the application saves them under HKCU:\Software\Microsoft\Office\16.0. These are the entries that a GPP registry item can set centrally.

Users can override GPP settings

While regular Office group policies prevent users from modifying a configured setting by graying out the corresponding GUI controls, users can change GPP-written settings at will.

However, the periodic group policy refresh (every 90 minutes by default, plus a random offset of up to 30 minutes) soon reverts such changes. GPP is therefore an effective means of controlling important security settings, unless a user deliberately and repeatedly undermines them. Note that, by default, the client-side extensions skip processing when none of the applicable GPOs have changed; to have the registry items rewritten on every refresh, enable "Process even if the Group Policy objects have not changed" in Computer Configuration > Policies > Administrative Templates > System > Group Policy > Configure Registry preference extension policy processing.

Another shortcoming of this procedure is that not every setting in the Office ADMX templates has a GUI equivalent that writes to the user branch. This applies, for example, to the policy that blocks macros in Office files originating from the internet. The GPP approach discussed here therefore cannot enable this feature.

Finally, Microsoft has not documented the registry values consistently, so you have to experiment a bit to find out which option in the application settings maps to which registry entry.

GPO for restricting macro settings

Macros embedded in documents constitute a particular threat in Office. Although a good virus scanner should also protect against macro malware, you will not want your users to execute arbitrary VBA code.

Options for executing macros in MS Word—the value in brackets corresponds to the VBAwarnings registry value

The Office applications offer four settings to control macro execution (the number in parentheses is the corresponding VBAwarnings value):

  • Enable all macros (not recommended) => (1)
  • Disable all macros with notification => (2)
  • Disable all macros except digitally signed macros => (3)
  • Disable all macros without notification => (4)

The corresponding number is stored as the REG_DWORD value VBAwarnings under HKCU:\Software\Microsoft\Office\16.0\<Application>\Security. A value from 1 to 4 selects one of the options above; if the value is absent, the application uses its default, "Disable all macros with notification". <Application> stands for Word or Excel (PowerPoint uses the same value).

To restrict macro execution in Word, for example, create a new GPO for the desired user organizational unit (OU) and open it in the editor. There, switch to User Configuration > Preferences > Windows Settings > Registry and start the command New > Registry Item from the context menu.

Set registry keys for macro security centrally via GPP

For Action, choose Update, and as Hive, choose HKEY_CURRENT_USER. Enter Software\Microsoft\Office\16.0\Word\Security as the key path, VBAwarnings as the Value Name, REG_DWORD as the Value Type, and the number of the desired option as the Value Data: 2 corresponds to the default "Disable all macros with notification", whereas 4 disables all macros without notification so that no macro can start in Word at all.

The procedure for Excel works the same way; you only have to replace "Word" with "Excel" in the registry path.
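Before rolling out the GPP item, it helps to see on a test client what the applications actually read and to apply the same change locally. The following PowerShell script is an added example and is not part of the original article; it reads the VBAwarnings value for Word, Excel, and PowerPoint from both the user branch (where GPP writes) and the Policies branch (where regular GPOs write), maps it to the Trust Center option, and provides a function that writes the value exactly like the GPP Update item. The assumption that a missing value means the default setting (2) is marked in the code.

```powershell
# Added example, not from the original article. Run as the user whose settings
# you want to inspect, because everything lives under HKCU.

$VbaWarningNames = @{
    1 = 'Enable all macros (not recommended)'
    2 = 'Disable all macros with notification'
    3 = 'Disable all macros except digitally signed macros'
    4 = 'Disable all macros without notification'
}

function Get-OfficeMacroSetting {
    param(
        [string[]]$Application = @('Word', 'Excel', 'PowerPoint'),
        [string]$Version = '16.0'   # Office 2016, 2019 and Microsoft 365 Apps all use 16.0
    )
    foreach ($app in $Application) {
        $userKey   = "HKCU:\Software\Microsoft\Office\$Version\$app\Security"
        $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$Version\$app\Security"

        # GPP writes to the user key; regular GPOs write to the Policies key, which
        # Microsoft 365 Business ignores. Reading both shows where a value comes from.
        $userValue   = (Get-ItemProperty -Path $userKey   -Name VBAwarnings -ErrorAction SilentlyContinue).VBAwarnings
        $policyValue = (Get-ItemProperty -Path $policyKey -Name VBAwarnings -ErrorAction SilentlyContinue).VBAwarnings

        # Assumption: an absent value means the Office default (2).
        $effective = if ($null -ne $userValue) { [int]$userValue } else { 2 }
        $meaning   = if ($VbaWarningNames.ContainsKey($effective)) { $VbaWarningNames[$effective] }
                     else { "Unknown value $effective" }

        [pscustomobject]@{
            Application = $app
            UserValue   = $userValue
            PolicyValue = $policyValue
            Effective   = $effective
            Meaning     = $meaning
            # Anything below 3 lets a user run unsigned macros after a single click.
            Compliant   = $effective -ge 3
        }
    }
}

function Set-OfficeMacroSetting {
    <#
        Mirrors the GPP registry item from the article: Action=Update, Hive=HKCU,
        Key Path=Software\Microsoft\Office\16.0\<App>\Security, VBAwarnings (REG_DWORD).
        Update creates the key and value if missing and overwrites them otherwise.
    #>
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateRange(1, 4)][int]$Level,
        [string[]]$Application = @('Word', 'Excel'),
        [string]$Version = '16.0'
    )
    foreach ($app in $Application) {
        $key = "HKCU:\Software\Microsoft\Office\$Version\$app\Security"
        if ($PSCmdlet.ShouldProcess("$key\VBAwarnings", "Set to $Level ($($VbaWarningNames[$Level]))")) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            New-ItemProperty -Path $key -Name VBAwarnings -PropertyType DWord -Value $Level -Force | Out-Null
        }
    }
}

# Usage: report the current state, then enforce "Disable all macros without notification".
Get-OfficeMacroSetting | Format-Table -AutoSize
Set-OfficeMacroSetting -Level 4 -WhatIf     # drop -WhatIf to actually write the values
```

Run the report again after the next group policy refresh (or after gpupdate /force) on a client that receives the GPO to confirm that the GPP item lands in the UserValue column; if the value reappears only in PolicyValue, the item was created under Policies by mistake and will be ignored.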

Protected view for documents from the internet

If you open a document downloaded from the internet or saved from an email attachment, Office by default opens it in Protected View, a read-only sandbox in which macros and other active content do not run. Office recognizes such files by the Mark of the Web (the Zone.Identifier alternate data stream) that browsers and mail clients attach to them.

Protected view settings in the Microsoft Word Trust Center

However, the user is free to turn off this protection via the Trust Center. In this case, the Office application writes a value for each of the three available options (files from the internet, files in unsafe locations, and Outlook attachments) under Security\Protected View; these values are named DisableInternetFilesInPV, DisableUnsafeLocationsInPV, and DisableAttachementsInPV (the last one in Microsoft's own spelling), and a value of 1 means the user has disabled that option.

Periodically reset protected view settings to the safe default values by deleting user customizations

To restore the default settings, you only need to delete the Protected View subkey, because Office creates it only when a user changes one of the options. You can also do this at regular intervals via GPP. For this purpose, create a registry item as above, change the Action to Delete, and enter the key path:

Software\Microsoft\Office\16.0\Word\Security\Protected View

You can ignore the remaining fields.

Trusted locations

If you define certain directories as trusted locations, Office skips some security checks for documents stored there. In particular, macros in such documents run regardless of the macro setting configured above, so a trusted location is an easy way to circumvent the VBAwarnings restriction.

Without a central configuration with regular GPOs, users can define such storage locations in the Trust Center as they wish. However, you can also clear these at regular intervals by using GPP.

The Microsoft specified trusted storage locations reside under Location0 to Location2

The procedure is the same as with Protected View, except that there are several registry branches, and you don't want to delete them all.

By default, the subkeys Location0, Location1, and Location2 under Security\Trusted Locations already exist and hold Microsoft's predefined locations (template and startup folders); therefore, set up Delete items for Location3 to Location6, for example, to remove the first four user-defined directories. Each LocationN subkey stores the directory in its Path value, so check these values in the registry editor before you decide which indexes to delete; users who add more entries than your items cover keep the surplus ones.

Removing user defined trusted locations

Trustworthy documents

Trusted documents are another Office mechanism for granting exceptions from security prompts: once a user has enabled content in a file, Office remembers that decision under Security\Trusted Documents\TrustRecords and no longer asks for that file. Users can also switch off this feature completely via the Trust Center, which is reflected by the value 1 in DisableTrustedDocuments under Security\Trusted Documents.

Disabling trusted documents via registry entry

The procedure here is identical to the one for VBAwarnings, except that the key path is Software\Microsoft\Office\16.0\Word\Security\Trusted Documents; enter DisableTrustedDocuments as the Value Name, REG_DWORD as the Value Type, and 1 as the Value Data.

Disable trusted documents with a new registry item
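The three resets described in the Protected View, Trusted locations, and Trustworthy documents sections are individual GPP items. The following PowerShell script is an added example, not code from the original article, that performs the same three actions for the current user so you can test their effect on a single client or run them as a logon script where GPP is not available. It assumes, as the article does, that Location0 to Location2 are Microsoft's own trusted locations and everything with a higher index was added by the user; the number of built-in entries is a parameter so you can adjust it after checking the Path values.

```powershell
# Added example, not from the original article. Save as Reset-OfficeTrustSettings.ps1
# and run it with -WhatIf first; the paths follow the article (Office 16.0, HKCU).
[CmdletBinding(SupportsShouldProcess)]
param(
    [string[]]$Application = @('Word', 'Excel'),
    [string]$Version = '16.0',
    # Assumption (as in the article): Location0..Location2 are created by Office itself.
    [int]$BuiltInLocations = 3,
    # Also forget files the user has already marked as trusted (TrustRecords).
    [switch]$ClearTrustRecords
)

foreach ($app in $Application) {
    $security = "HKCU:\Software\Microsoft\Office\$Version\$app\Security"

    # 1. Protected View: the subkey only exists if the user changed an option;
    #    deleting it restores all three defaults (GPP item: Action=Delete).
    $pv = Join-Path $security 'Protected View'
    if (Test-Path $pv) {
        $props = Get-ItemProperty -Path $pv
        foreach ($name in 'DisableInternetFilesInPV', 'DisableUnsafeLocationsInPV', 'DisableAttachementsInPV') {
            if ($props.$name -eq 1) { Write-Warning "$app : Protected View option '$name' was turned off by the user" }
        }
        if ($PSCmdlet.ShouldProcess($pv, 'Remove subkey to restore Protected View defaults')) {
            Remove-Item -Path $pv -Recurse -Force
        }
    }

    # 2. Trusted locations: every entry is a LocationN subkey whose Path value holds
    #    the directory. Remove only the indexes beyond the built-in ones.
    $tl = Join-Path $security 'Trusted Locations'
    if (Test-Path $tl) {
        Get-ChildItem -Path $tl | ForEach-Object {
            if ($_.PSChildName -match '^Location(\d+)$' -and [int]$Matches[1] -ge $BuiltInLocations) {
                $dir = (Get-ItemProperty -Path $_.PSPath -Name Path -ErrorAction SilentlyContinue).Path
                if ($PSCmdlet.ShouldProcess("$app $($_.PSChildName) ($dir)", 'Remove user-defined trusted location')) {
                    Remove-Item -Path $_.PSPath -Recurse -Force
                }
            }
        }
    }

    # 3. Trusted documents: value 1 equals the Trust Center option "Disable Trusted
    #    Documents" (GPP item: Action=Update, REG_DWORD DisableTrustedDocuments=1).
    $td = Join-Path $security 'Trusted Documents'
    if ($PSCmdlet.ShouldProcess("$td\DisableTrustedDocuments", 'Set to 1')) {
        if (-not (Test-Path $td)) { New-Item -Path $td -Force | Out-Null }
        New-ItemProperty -Path $td -Name DisableTrustedDocuments -PropertyType DWord -Value 1 -Force | Out-Null
    }

    # Decisions already made for individual files live in TrustRecords. Disabling the
    # feature stops new ones; clearing the key also forgets the old ones.
    $tr = Join-Path $td 'TrustRecords'
    if ($ClearTrustRecords -and (Test-Path $tr)) {
        if ($PSCmdlet.ShouldProcess($tr, 'Remove existing trust records')) {
            Remove-Item -Path $tr -Recurse -Force
        }
    }
}
```

Run it as .\Reset-OfficeTrustSettings.ps1 -WhatIf to see which keys would be touched, then without -WhatIf (add -ClearTrustRecords if previously trusted files should also lose their exemption). Like the GPP items, the script only resets state; a user can change the settings again until the next run.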

Conclusion

Since Microsoft 365 Business does not support centralized management of the Office applications via regular group policies, you can define important security-related settings via GPP registry items instead.

This is not as robust as regular group policies, because users can change the settings again at any time, but by rewriting the registry values at every policy refresh you ensure that the desired configuration is regularly restored.

1 Comment

Dev, 2 months ago:

Thanks for sharing. It really is a must to have central control over the policies for security. You have pointed out the settings very well.
© 4sysops 2006 - 2020