- How to use delivery optimization with WSUS - Mon, Jul 13 2020
- ESXi 7.0 Free: New features, limitations, upgrade - Mon, Jul 6 2020
- Update baseline: Microsoft's recommended GPO settings for Windows updates - Wed, Jul 1 2020
Microsoft 365 Business subscriptions target smaller businesses and include a range of cloud services in addition to the traditional desktop applications. Although subscriptions can include up to 300 users, Microsoft does not provide central management for the Office programs via group policies in such environments (see also Restricting or blocking Office 2016/2019 macros with Group Policy).
Setting registry keys via GPP ^
In reality, however, even in companies with 100 or 200 PCs, admins want to ensure that at least some of the essential security settings comply with their standards. For this task, you can use GPP to set the respective registry keys.
Standard group policies for Office 2019 store their user-related settings under HKCU:\software\policies\microsoft\office\16.0, but Microsoft 365 Business ignores these entries. However, if you change certain options from the GUI of Word or Excel itself, it saves them under the HKCU:\software\microsoft\office\16.0 branch. Therefore, it makes sense to manage them centrally.
Users can override GPP settings ^
While regular group policies for Office prevent users from modifying a given configuration by disabling the appropriate GUI controls, users can modify such GPP-derived settings at will.
But the 90-minute default refresh interval for group policies would soon undo all user changes. Hence, GPP is an effective means of controlling important security settings, unless a user intentionally wants to undermine the administrator's settings.
Another shortcoming of this procedure, however, is that there is not a GUI equivalent for all .admx settings for regular policies. This applies, for example, to the option to block macros generally if documents originate from the internet. The GPP solution discussed here therefore cannot activate this feature.
Finally, Microsoft has not consistently documented the registry keys, so you have to experiment a bit to find out which option in the application settings leads to which registry entry.
GPO for restricting macro settings ^
Macros embedded in documents constitute a particular threat in Office. Although a good virus scanner should also protect against macro viruses, you will not want your users to execute just any VBA code.
Thus, the Office applications have four settings to control macro execution:
- Enable all macros (not recommended) => (1)
- Disable all macros with notification => (2)
- Disable all macros except digitally signed macros => (3)
- Disable all macros without notification => (4)
The corresponding value is stored under HKCU:\software\microsoft\office\16.0\<Application>\Security in the VBAwarnings key. A value from 1 to 4 represents the options above. <Application> stands for Word or Excel.
To ensure, for example, that no macros can start in Word, create a new GPO for the desired user organizational unit (OU) and open it in the editor. There, switch to User Configuration > Preferences > Windows Settings > Registry and start the command New > Registry Item from the context menu.
For Action, choose Update, and as Hive, choose HKEY_CURRENT_USER. Enter Software\Microsoft\Office\16.0\Word\Security as the key path, VBAwarnings as the Value Name, REG_DWORD as the Value Type, and 2 as the Value Data.
The procedure for Excel works the same way; you only have to replace "Word" with "Excel" in the registry path.
Protected view for documents from the internet ^
If you open a document downloaded from the internet or saved from an email, Office displays it in a read-only view by default.
However, the user is free to turn off this protection via the Trust Center. In this case, the Office application will write a value for each of the three available options under Security\Protected View.
To restore the default settings, you only need to delete the branch under Protected View. You can also do this at regular intervals via GPP. For this purpose, create a registry item as above, change the Action to Delete, and enter the path:
You can ignore the remaining fields.
Trusted locations ^
If you define certain directories as trustworthy, some security settings will no longer apply to documents stored there. For example, it is possible to circumvent the macro restrictions this way.
Without a central configuration with regular GPOs, users can define such storage locations in the Trust Center as they wish. However, you can also clear these at regular intervals by using GPP.
The procedure is the same as with Protected View, except that there are several registry branches, and you don't want to delete them all.
By default, the containers Location0, Location1, and Location2 already exist under "Security"; therefore, set up items for Location3 to Location6, for example, to remove the first three user-defined directories.
Trustworthy documents ^
Trusted documents comprise another concept in Office to obtain exceptions from security requirements. User can also switch off this feature completely via the Trust Center, which the value 1 then reflects in the registry key DisableTrustedDocuments under Security\Trusted Documents.
Disabling trusted documents via registry entry
The procedure here is identical to the one for VBAwarning, except that the path is Software\Microsoft\Office\16.0\Word\Security\Trusted Documents, and for the name, enter DisableTrustedDocuments with a value of 1.
Since Microsoft 365 Business does not allow centralized management via group policies, you can define important security-related settings via GPP.
This is not a robust solution like with the regular group policies, but by updating the registry keys at relatively short intervals, you can ensure that the desired configuration is always restored.